Help with firewalls

I think I’m asking a philosophical question. Do I need a firewall and if so, what kind?

I’m a home user with a pc, a laptop, an ipad and a cell phone. All of these go through my router to get to the internet. From time to time, I use a vpn. My connections to the outside world are for surfing and email. I don’t create many files, but along with photos, I upload them to the cloud.

Should I put a firewall on the router? Is opensuse’s built-in firewall a solution for each device individually? I’ve looked at the “manual” but don’t understand the details well enough to make decisions about what to add where. How does the vpn enter into the equation?

What are you doing with regard to firewalls?

As with so many things this is a personal decision.

Personally I have no firewalls running on the systems in the house (I trust the users). The router has firewall functionality and protects the LAN from the world outside. This implies that I can configure the router including its firewall, NAT, etc. functions. I am not sure if that is the case with all routers offered by ISPs.

OTOH, when you have an environment with e.g. students, I would certainly go for more security against attacks from within the LAN.

A philosophical question deserves a literary answer…

“To firewall or not to firewall… That is the question…”

And, “need” may need to be defined.
Perhaps start with some basics… As the name implies, a “firewall” is a kind of wall, but what kind of wall?
It can be thought of as a security layer between your vulnerable machine and potential attacks by bad actors by way of networking.
This security layer is configurable to allow permitted traffic and block traffic that isn’t.
There are also many kinds of firewalls that can block traffic in different ways, the iptables based firewall you find on openSUSE is just one type… There are also application layer firewalls, port-based firewalls, proxy firewalls… and as you’ve noticed they can be installed on each individual machine (Host based firewalls) and at critical points of entry into your network like on your Internet Gateway Router.
No one absolutely “needs” to run a firewall, but it’s generally advisable and as part of a “security in depth” strategy where an intruder must successfully traverse multiple safeguards before an attack might be successful.
Security is also a subjective issue where every person (or entity) makes an individual decision on how much and how to implement security… It doesn’t matter if you are a home User, if you’re protecting something extremely sensitive, valuable or irreplaceable it makes sense to commit more money and resources for better security.

VPNs extend the security you typically have set up in your LAN to other machine(s) across untrusted networks like the dangerous Internet.
So, for example if you were traveling and away from home but suddenly needed something on another machine at home, a VPN would enable you to connect to your home network from wherever you are in a secure way.
There are other reasons why some use VPNs, too.

Nowadays, nearly everyone will run a Host-based firewall with varying configuration wherever your machine is connected to a network… Your machine might be set up very permissively at home where your other machines should be protected from Internet threats… But if your machine is a laptop and you connect to a public WiFi hotspot, then you’ll want your firewall configured in a very untrusting mode, denying everything that’s unexpected.

HTH,
TSU
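The "permissive at home, untrusting on a hotspot" setup described in the post above is what firewalld zones are for on current openSUSE. The script below is an added example for this thread, not code from the openSUSE project or from the poster; it assumes firewalld and NetworkManager on the laptop, and "HomeWifi" is a placeholder for your own connection profile name. It makes the public zone drop everything unsolicited, keeps ssh and mDNS in the home zone, binds the home zone to the home profile, and makes public the default zone so that every network the laptop has not seen before is treated as hostile.

```shell
#!/bin/sh
# Added example for this thread, not code from the openSUSE project.
# Assumes firewalld (the default on openSUSE Leap 15.x / Tumbleweed) and NetworkManager.
# "HomeWifi" is a placeholder for your own connection profile name.
# Set FWCMD=echo NMCLI=echo to preview the commands without touching the system.
FWCMD="${FWCMD:-firewall-cmd}"
NMCLI="${NMCLI:-nmcli}"

# Hotspot profile: drop everything unsolicited and expose no service at all.
harden_public_zone() {
    $FWCMD --permanent --zone=public --set-target=DROP
    # firewalld ships 'public' with ssh enabled; a laptop on a hotspot has no reason to accept it.
    $FWCMD --permanent --zone=public --remove-service=ssh
}

# Home profile: permissive enough for LAN discovery and remote admin from your own machines.
configure_home_zone() {
    $FWCMD --permanent --zone=home --add-service=ssh
    $FWCMD --permanent --zone=home --add-service=mdns
}

# Tie the home zone to the home connection profile and make 'public' the fallback,
# so the zone follows the network you are on rather than a manual switch you may forget.
bind_profiles() {
    home_conn="$1"
    $NMCLI connection modify "$home_conn" connection.zone home
    $FWCMD --set-default-zone=public
}

apply_zones() {
    harden_public_zone
    configure_home_zone
    bind_profiles "$1"
    $FWCMD --reload
    $FWCMD --get-active-zones
}

# Usage (as root): sh fw-zones.sh --apply "HomeWifi"
case "${1:-}" in
    --apply) apply_zones "$2" ;;
esac
```

Run `firewall-cmd --get-active-zones` after reconnecting to each network to confirm the interface landed in the zone you expect; an interface that shows up under public with target DROP answers nothing unsolicited, which is the behaviour you want on a hotspot.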

Thanks for the responses. I see that this question requires deep thought and may have multiple correct answers. :wink:

Sure. But can you trust their appliances? A considerable percentage is hacked without their users even knowing.

As I use the same openSUSE provided applications on my own system, there would be no need for them to go through a firewall :wink: .

Hi, local lan is not what it used to be. Now it is the same hostile place as the wide internet, but more dangerous, because people trust it. Never do that, because you never know what flaws or backdoors have all the smartphones, smart bulbs, cameras, etc, whatever is or eventually can be connected to your lan. So you should use firewall for sure and avoid using trust zones.

Manage the LAN. I know what is connected to it and I allow or not what can be connected to it.

But I agree, when you have your LAN open to the world, using a firewall in its original meaning (on the border of the LAN) is quite useless and having a (what is often called “personal”) firewall on every device is needed.

Everyone to her/his needs.

And that is the problem, you can never know what is connected to your LAN. With mitigations and all those Intel ME backdoors (cough cough bugs) you cannot even trust your own system :wink: It’s yesterday’s news, but still quite fresh.

Hi
Is there some trick to getting intel windows applications/drivers running under linux? :wink: Plus don’t see my Xeon E3-1245 V2 mentioned… I don’t run a firewall on my desktop machine, laptops I do and they are AMD gpu/cpu…

Afaik only various flaws and bugs seem to run well on all systems :slight_smile: You’re right that yesterday’s bug seems to be Windows only, at least for now. But many people use dual booting, myself included (games), so if I got my system crippled under Windows, I will never know. I don’t want to offend someone, call me paranoid, but it can also mean it was not discovered on Linux yet.>:)

Why not? I am pretty sure about what is connected to my LAN.

I did not read all of this, but this is the title:

Bad Intel drivers give hackers a backdoor to the Windows kernel

Now what is the connection to my openSUSE systems?

I can only repeat myself: Everyone to her/his own needs.

No Windows here. Even the suggestion that I would have one I feel more or less as an insult lol!

I cannot automatically start boincmgr on reboot. Another thread suggests that the firewall may be blocking it, but nowhere is it listed as a service. I know nothing about the safety of opening a port. But I haven’t a clue as to how to (much less which) port to open for one service like boincmgr. What is the effect and danger of opening ports?

I now start boinc manager from the cli as root, otherwise it won’t connect to localhost and run.
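The question of which port to open, and what opening it exposes, has a check that comes before any firewall change: is the service reachable from other hosts at all? firewalld accepts loopback traffic unconditionally, so a socket bound to 127.0.0.1 or ::1 (which is how the BOINC client normally listens for boincmgr) is never blocked by the host firewall and needs no port opened; only listeners bound to 0.0.0.0 or [::] are exposed to the LAN, and those are the ones an opened port matters for. The script below is an added example for this thread, not from the thread or the BOINC project; it parses `ss -ltnpH` output and reports the exposed listeners. The sample output is constructed; 31416 is BOINC's default GUI RPC port, used here on the assumption of a stock client bound to localhost.

```shell
#!/bin/sh
# Added example for this thread, not from the thread or the BOINC project.
# Lists listening TCP sockets reachable from other hosts, i.e. bound to something other
# than loopback. Loopback sockets are accepted by firewalld unconditionally and never
# need a port opened. Real use:  ss -ltnpH | exposed_listeners   (root to see all process names)
exposed_listeners() {
    awk '{
        addr = $4                                   # Local Address:Port column of ss
        n = split(addr, parts, ":")
        port = parts[n]                             # text after the last colon (works for [::]:22 too)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host ~ /^127\./ || host == "[::1]") next
        proc = "-"
        if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)   # first quoted name from users:(...)
        print port, host, proc
    }'
}

# Exit 0 if port $1 has a listener reachable from the LAN (reads ss output on stdin).
is_exposed() {
    exposed_listeners | awk -v p="$1" '$1 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample in `ss -ltnpH` format (not captured from a real host).
# 31416 is BOINC's default GUI RPC port, bound to localhost unless remote access is configured.
SAMPLE_SS=$(cat <<'EOF'
LISTEN 0 128 127.0.0.1:31416 0.0.0.0:* users:(("boinc",pid=1234,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=900,fd=4))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=700,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=800,fd=4))
EOF
)

# Usage: sh exposed.sh --demo   (prints "22 0.0.0.0 sshd", "445 0.0.0.0 smbd", "22 [::] sshd")
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

On the sample, boinc (31416) and cupsd (631) are loopback-only and the firewall has nothing to do with them; sshd and smbd are what the LAN can actually reach, and an opened port for either should go into the home zone only (`firewall-cmd --zone=home --add-service=ssh`), never into the zone a laptop uses on hotspots. If boincmgr only connects when started as root, the usual cause is not the firewall but that the manager cannot read the client's GUI RPC password file (gui_rpc_auth.cfg in the BOINC data directory) as your user; check that file's ownership and mode before opening anything.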

Hearkening back over 15 yrs ago, wrapping Windows drivers in a Linux layer was a common way to support printers, NICs and other devices.
Haven’t seen this for a very, very long time though…

TSU

I think you’re referring to NDISwrapper (which was for wireless network drivers), but I don’t recall any such mechanism for printer drivers (which only exist in the user-space anyway).