Skip Navigation

When do I actually need a firewall?

I've spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:

  1. "It's just good security practice."
  2. "You need it if you are running a server."
  3. "You need it if you don't trust the other devices on the network."
  4. "You need it if you are not behind a NAT."
  5. "You need it if you don't trust the software running on your computer."

The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you're doing it -- it is essentially a non-answer. #2 is strange -- why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router's NAT at port 80 to open that server's port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one -- what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there's nothing to access. #4 feels like an extension of #3 -- only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don't know how it works), you don't want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device's actions.

If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it's acting like the front door to a house, but this analogy doesn't make much sense to me -- without a house (a service listening on a port), what good is a door?

126

You're viewing a single thread.

126 comments
  • Firewalls are necessary for least privilege. You only give something access that needs access.

    Additionally you should not port forward and especially not port 80.

    • Yeah like JFC the most insecure way to access the Internet let's just open it up to the whole world.

    • Additionally you should not port forward

      In what context? There is nothing inherently insecure about port forwarding. If you want a service accessible outside of your local network, you generally need to port forward. The security mostly depends on the service that is bound to the forwarded port.

      especially not port 80

      Why? If you want to run a webserver without specifying a port in the URL all the time, you are going to forward port 80; port 80 is a standardized port for all HTTP connections.

      • No offense to you but there is a massive risk exposing services to the internet. I'll let someone else more qualified explain.

        • Of course there is risk in exposing a service to the internet; a service open to the internet has a far greater potential attack surface, so there is a greater chance that an existing vulnerability in the exposed service gets exploited. But that is not an argument against the practice of port forwarding -- you just need to make sure that you take adequate precautions to mitigate risk. You do realize that, to be able to access a service from the internet, you need to expose it to the internet, right?

          • The problem is when you expose your server to the entire internet. It only takes a few minutes for the bots to find you.

            Honestly you should use a mesh VPN instead.

            • The problem is when you expose your server to the entire internet. It only takes a few minutes for the bots to find you.

              I mean, sure, but the existence of bots doesn't immediately guarantee that a given service will be compromised; simply take precautions to ensure that the exposed services are secure, that the rest of the network, and the device itself are adequately protected, etc.

              Honestly you should use a mesh VPN instead.

              In order to solve what problem, specifically?

You've viewed 126 comments.