What are the risks of NOT using a firewall (home computer)?


Solution 1

It depends. Most people use a router between their desktop and the internet, and by default there are no significant open ports, so in the vast majority of user cases a firewall adds very little, if anything.

It can help if you inadvertently install a server, such as VNC or SSH.

A better question is: what do you want to use a firewall for?

See:

https://wiki.ubuntu.com/SecurityTeam/FAQ#UFW

https://wiki.ubuntu.com/SecurityTeam/Policies#No_Open_Ports

https://help.ubuntu.com/community/UFW

If you want a graphical tool for your firewall, use gufw


Solution 2

It sounds like the question is about a host-based firewall on an Ubuntu PC.

IF the machine never leaves the NAT-based network (i.e., it is not a laptop that you take to coffee shops and use on free wifi networks),

AND there are no ports open on your router that could be mapped to your Ubuntu machine,

AND your router doesn't have any features which helpfully open ports for you based on things that happen on your network (UPnP)

AND you will never have any other devices on your local network that might be compromised and attack your Ubuntu box,

THEN your system is probably secure without a host-based firewall.

However, if some of these things aren't true, or might become untrue in the future, a host-based firewall is a really good idea. Given the potential benefits and the limited drawbacks, why not enable it?

Solution 3

Using a NAT, if you have no port forwarding to your machine, it is not accessible from the internet unless you explicitly open a connection to it (with VNC or TeamViewer, for example), so I think there is no problem with not using a firewall on it. The only worry could come from internal (LAN) access, but that is usually not the case on a home LAN.

Solution 4

I think one of the most used firewall features is preventing "cracked" programs from checking their license over the internet. If the "cracked" application doesn't need to be updated or doesn't use "online" features, you can prevent it from accessing the internet by setting up a specific firewall rule. Sad but true.

Solution 5

None whatsoever.

The function of a firewall is to block access to services that otherwise would allow it. Ubuntu has no listening services by default, so there is nothing to block. Further, since you are behind a NAT router, you already effectively have a firewall.
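Whether anything is listening, and on which addresses, can be checked directly. The following is an added example, not part of any answer on this page: a shell function that filters `ss -tuln`-style output for sockets bound to something other than loopback, which are the ones a router port mapping or another LAN device could reach. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ss -H -tuln` output on stdin and prints every
# listening socket that is NOT bound to a loopback address.
# Assumed column layout: Netid State Recv-Q Send-Q Local:Port Peer:Port
exposed_listeners() {
    awk '
    {
        local_ep = $5
        n = match(local_ep, /:[^:]*$/)   # position of the last colon
        addr = substr(local_ep, 1, n - 1)
        port = substr(local_ep, n + 1)
        sub(/%.*/, "", addr)             # drop interface suffix (e.g. %lo)
        # Loopback-only services cannot be reached from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print $1 "/" port " bound to " addr
    }'
}

# Constructed sample: a desktop with a local resolver and CUPS on loopback,
# plus mDNS, an SSH server and a VNC server bound to all interfaces.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0 0    127.0.0.53%lo:53  0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 5    *:5900            *:*
tcp   LISTEN 0 128  [::1]:631         [::]:*
tcp   LISTEN 0 128  [::]:22           [::]:*
EOF
}

# Demonstration on the constructed sample.
# On a real machine:  ss -H -tuln | exposed_listeners
sample_ss_output | exposed_listeners
```

An empty result on a live system means nothing is reachable from other hosts; each line that does appear is a service to bind to loopback, remove, or cover with a host firewall rule.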

Author by

iSpanya

Updated on September 18, 2022

Comments

  • iSpanya
    iSpanya over 1 year

    How can I change the color of the selected item in the navigation drawer.

    Here is a screenshot:
    http://imgur.com/Ongye5a

    The highlight on the selected item is white; how can I change it to something different, like red for example?

    I tried using a list selector but I can't seem to pinpoint the correct state.

     <?xml version="1.0" encoding="utf-8"?>
     <selector xmlns:android="http://schemas.android.com/apk/res/android">
       <item android:drawable="@color/red" android:state_pressed="true"/>
       <item android:state_activated="true" android:color="@color/red"/>
    </selector>
    
  • CarlosM
    CarlosM about 11 years
    Thx for your response. In fact I already use gufw with an open port for my torrent client. And I must say this is more of a Windows habit, since using Windows without a firewall is quite suicidal.
  • Panther
    Panther about 11 years
    Yes, Windows has a number of both documented and undocumented open ports, although it may be improving (have not used any version of Windows higher than XP).
  • Panther
    Panther about 11 years
    That is not completely true as some routers have UPnP and people inadvertently enable desktop sharing (VNC). This leads to the most common crack I have seen on Ubuntu. Of course, they may well open the VNC port without thinking ... I think our position should be education rather than making overreaching generalizations and absolute claims.
  • davidcl
    davidcl about 11 years
    Even on Windows, NAT protects against more threats than most people realize. But I just don't see a good reason NOT to use a firewall.
  • psusi
    psusi about 11 years
    @bodhi.zazen, I don't see how you can enable it by accident, and if you went to the trouble of enabling it, I imagine you want it to work, so a firewall would be counter productive. It also defaults to prompting you for authorization when someone connects, so even if you left it on and didn't set a password, it still isn't going to let anyone in without your approval.
  • Panther
    Panther about 11 years
    @davidcl - Just take care not to enable UPnP on your router is all ;) Otherwise +1 to router (which comes with firewall/NAT).
  • davidcl
    davidcl about 11 years
    Here's an example of how it can happen by accident: miket5au.blogspot.com/2011/03/beware-vnc-and-upnp.html Sometimes you want to use desktop sharing on the LAN, but don't mean to enable it for the outside world.
  • davidcl
    davidcl about 11 years
    That said, your host-based firewall probably doesn't help you in this scenario.
  • psusi
    psusi about 11 years
    @davidcl, indeed, host based firewall would block it on the LAN too. And the first line of that article, he admits "I was careless". If you are careless enough to leave the front door open ( enable vnc without password or prompt ), then you can just as easily be careless enough to leave the gate open ( firewall ). Having the gate or not makes no difference if you don't leave the front door open.
  • davidcl
    davidcl about 11 years
    ...or the host based firewall would have an exception because you want to USE it on the LAN, which would cause this problem. Sure, the person in that blog post made a couple of mistakes. But the point is that UPnP is a rarely-used router feature that can be a security "gotcha." You think you are enabling something on your LAN, and suddenly you've exposed it to the internet.
  • davidcl
    davidcl about 11 years
    Bottom line, while what you've said in your answer is generally true, there are a number of different situations that can place a computer that usually lives behind NAT at risk, and a host-based firewall helps with most of them. (See my answer). There's no good reason I can think of NOT to enable it.
  • fluffy
    fluffy about 11 years
    Not true; read up on STUN traversal. There are many STUN-related flaws which allow external services to open up ports to machines inside the firewall.
  • fluffy
    fluffy about 11 years
    STUN traversal is not 'for' anything, it's an artifact of how NAT works that has been taken advantage of for the purpose of improving peer-to-peer network protocols such as SIP and the like. It can be used for good. It can also be used for evil.