# How necessary is a firewall?



## Purple_Q (Feb 13, 2010)

Here goes the question that might likely get me laughed out of the community so to speak, but is a firewall necessary?

I'm running 8.0 Release, and I've not done a thing regarding security since my install other than keep up with the freebsd-update tool. Internet security stuff was always a bit too technical for me (I look at iptables stuff and it makes my head hurt). I used to use a program called Guarddog a long time ago on Slackware which wrote iptables rules and basically disabled any services I clicked off.

Is there anything required of a regular desktop user that any of you who aren't super-paranoid feel is mandatory? I'm fairly convinced FreeBSD is quite secure out of the box to begin with. I don't keep much extremely sensitive data on my computer to begin with, but as long as someone can't intercept my password to my online banking login or something, I'm good to go.

Sorry if this is a moronic set of questions, fellas. Web security. Some of us just aren't that educated!
  --Q


----------



## DutchDaemon (Feb 13, 2010)

If nothing is listening on the Internet-exposed side of your desktop, or if you have a NAT layer between you and the Internet, you may get away without a firewall.

Then again, having pf with a minimal ruleset in between (block everything in, allow everything out and keep state with proper flags) isn't that much work and always safer than having no protection at all.


----------



## Purple_Q (Feb 13, 2010)

I have no idea what a NAT layer is. I've heard that term used a lot with routers, which I do not have. What is pf short for? I'll google for it.


----------



## FBSDin20Steps (Feb 13, 2010)

Here is a link to the author of "The Book of PF".


----------



## volatilevoid (Feb 13, 2010)

Purple_Q said:

> I have no idea what a NAT layer is.


If I get DutchDaemon right, he meant a router between your computer and the Internet. The router exposes just its own IP to the outer network and not that of your NIC.

pf is short for packet filter.


----------



## DutchDaemon (Feb 13, 2010)

For 'router' you can also read 'about every DSL/cable modem having a public IP address on the outside and a private range of IP addresses on the inside'.


----------



## dennylin93 (Feb 13, 2010)

Purple_Q said:

> I look at iptables stuff and it makes my head hurt



I haven't had much experience with other firewalls such as IPFW and iptables, but PF is really easier to understand and learn than all the other firewalls I've seen. It might be worth giving it a try.


----------



## graudeejs (Feb 13, 2010)

dennylin93 said:

> It might be worth giving it a try.



I think you didn't mean what you wrote.


----------



## trybeingarun (Feb 14, 2010)

Plus, regardless of whether you have sensitive data or not, you can learn something when you set up a firewall (at least my objective in choosing FBSD for my PC was learning, and boy, I am learning a lot!)


----------



## anomie (Feb 14, 2010)

Purple_Q said:

> Here goes the question that might likely get me laughed out of the community so to speak, but is a firewall necessary?



Entirely subjective. For a non-web-facing host (e.g. with a firewall at the perimeter of a protected network) it's arguable whether a host-level firewall is necessary or even desirable.

For a web-facing host, I'd say a host-level firewall is a good idea -- even if you're not running any listening services. Doubly true if you _are_ accepting tcp/udp connections on any ports. A host-level firewall gives you: flexibility in IP access control, logging mechanisms, and another layer of protection from malformed/malicious packets.

---

To stay on point here: for a FreeBSD workstation that you keep updated and use to casually cruise the 'net, you're probably OK without a firewall. (On the other hand, it doesn't hurt to run one either.)
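A concrete `/etc/pf.conf` that covers both DutchDaemon's minimal desktop ruleset (block everything in, allow everything out, keep state with proper flags) and the listening-service case anomie raises (IP access control, logging, dropping malformed or spoofed packets). This is an added example written for this page, not something any of the posters supplied; the interface name `em0` and the `192.0.2.0/24` admin network are assumptions you must replace with your own.

```pf
# /etc/pf.conf -- added example for a single FreeBSD desktop/laptop.
# Assumptions: the Internet-facing interface is em0 (check ifconfig(8));
# 192.0.2.0/24 is a made-up admin network (RFC 5737 documentation range).
ext_if = "em0"

# Address lists that can be changed at runtime with pfctl -t <name> -T add/delete
table <admins>     { 192.0.2.0/24 }
table <bruteforce> persist

set skip on lo0                 # never filter loopback
set block-policy drop           # silently drop, don't answer with RST/ICMP unreachable
scrub in all                    # reassemble fragments, normalise TCP options

# Default deny inbound; every dropped packet is logged to pflog0
block in log all

# Drop packets whose source address would not be routed back out the
# interface they arrived on (spoofing), and anything from hosts we have
# put in the <bruteforce> table
block in quick from urpf-failed
block in quick from <bruteforce>

# Stateful outbound. "flags S/SA" means only a bare SYN creates state;
# replies are then matched against the state table, so nothing that we
# did not ask for gets back in through the default deny above.
pass out on $ext_if proto tcp from ($ext_if) flags S/SA keep state
pass out on $ext_if proto { udp icmp } from ($ext_if) keep state

# Optional: the "web-facing host with listening services" case.
# Only the admin table may reach ssh; a source opening more than
# 5 new connections in 30 seconds is added to <bruteforce> and all
# of its existing states are killed. Leave this out on a desktop
# that listens on nothing.
pass in log on $ext_if proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Enable it with `pf_enable="YES"` and `pflog_enable="YES"` in `/etc/rc.conf`. Check the syntax with `pfctl -nf /etc/pf.conf` before loading anything, then `pfctl -sr` shows the rules actually in the kernel, `pfctl -ss` the current state table, and `tcpdump -n -e -ttt -i pflog0` shows what the `log` keyword is dropping. One caveat worth stating plainly: a packet filter does nothing for the threat Purple_Q actually names, interception of a banking password in transit; that is the job of HTTPS, not the firewall.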


----------



## Purple_Q (Feb 14, 2010)

Well, I guess I'm going to have to try and find out something more on PF perhaps. I never went to school for computing so everything I've ever learned has been mostly out of necessity.

Still, to anomie, that last line is encouraging. At least I'm no longer wondering if my laptop here is a "sitting duck".

I tried to compile guarddog from source and it fails, though there are other more advanced GUI tools for iptables and whatnot in freshports. I'm obviously not at some great risk or I would've been told explicitly so by now :stud

Thank you folks.
  --Q


----------



## Ruler2112 (Feb 15, 2010)

I've used iptables and find it to be overly complex and generally a cause of headaches.  I set up a box to do asterisk with integration to a Cisco Call Manager over a VPN set up over the internet last summer.  I could not get vpnc to negotiate with our Cisco 3000 series concentrator, so I had to go with Linux for the box.  Getting iptables configured took me what seemed like forever!  I had the pf rule set I wanted in place after about 3 minutes, but translating that to iptables took close to 2 days!    IMO, pf really is the way to go if you want an effective firewall that's simple to understand and build rules for.


----------

