How necessary is a firewall?

Here goes the question that might likely get me laughed out of the community, so to speak, but is a firewall necessary?

I'm running 8.0 Release, and I've not done a thing regarding security since my install other than keeping up with the freebsd-update tool. Internet security stuff was always a bit too technical for me (I look at iptables stuff and it makes my head hurt). I used to use a program called Guarddog a long time ago on Slackware which wrote iptables and basically disabled any services I clicked off.

Is there anything required of a regular desktop user that any of you who aren't super-paranoid feel is mandatory? I'm fairly convinced FreeBSD is quite secure out of the box to begin with. I don't keep much extremely sensitive data on my computer to begin with, but as long as someone can't intercept my password to my online banking login or something, I'm good to go.

Sorry if this is a moronic set of questions, fellas. Web security... some of us just aren't that educated!
--Q
 
If nothing is listening on the Internet-exposed side of your desktop, or if you have a NAT layer between you and the Internet, you may get away without a firewall.

Then again, having pf with a minimal ruleset in between (block everything in, allow everything out and keep state with proper flags) isn't that much work and always safer than having no protection at all.
 
I have no idea what a NAT layer is. I've heard that term used a lot with routers, which I do not have. What is pf short for? I'll google for it.
 
Purple_Q said:
I have no idea what a NAT layer is.
If I get DutchDaemon right, he meant a router between your computer and the Internet. The router exposes just its own IP to the outer network and not that of your NIC.

pf is short for packet filter.
 
For 'router' you can also read 'about every DSL/cable modem having a public IP address on the outside and a private range of IP addresses on the inside'.
 
Purple_Q said:
I look at iptables stuff and it makes my head hurt

I haven't had much experience with other firewalls such as IPFW and iptables, but PF is really easier to understand and learn than all the other firewalls I've seen. It might be worth giving it a try.
 
Plus, regardless of whether you have sensitive data or not, you can learn something when you set up a firewall (at least my objective in choosing FBSD for my PC was learning, and boy, I am learning a lot!)
 
Purple_Q said:
Here goes the question that might likely get me laughed out of the community so to speak, but is a firewall necessary?

Entirely subjective. For a non-web-facing host (e.g. with a firewall at the perimeter of a protected network) it's arguable whether a host-level firewall is necessary or even desirable.

For a web-facing host, I'd say a host-level firewall is a good idea -- even if you're not running any listening services. Doubly true if you are accepting tcp/udp connections on any ports. A host-level firewall gives you: flexibility in IP access control, logging mechanisms, and another layer of protection from malformed/malicious packets.

---

To stay on point here: for a FreeBSD workstation that you keep updated and use to casually cruise the 'net, you're probably OK without a firewall. (On the other hand, it doesn't hurt to run one either.)
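As an added illustration of the "block everything in, allow everything out and keep state with proper flags" ruleset DutchDaemon mentioned, and of the logging and IP access control anomie lists, here is a minimal /etc/pf.conf for a desktop. This is example configuration written for this thread, not something posted by either of them. It assumes the Internet-facing interface is em0 and uses 192.0.2.10 as a placeholder trusted address; both are assumptions to be adjusted.

```pf
# /etc/pf.conf - minimal desktop ruleset (added example, not from the thread)
# Assumption: the Internet-facing interface is em0; check with `ifconfig`.
ext_if = "em0"

# Silently drop blocked packets instead of answering with RST/ICMP unreachable
set block-policy drop
# Never filter loopback traffic
set skip on lo0

# Reassemble fragmented packets before they hit the rules below
scrub in all

# Default deny: block and log everything arriving on any interface.
# Logged packets show up on pflog0 (see usage note).
block in log all

# Allow everything out and keep state, so replies are matched automatically.
# "flags S/SA" means only a TCP packet with SYN set and ACK clear (a real
# connection attempt) may create state; stray ACK/RST packets do not.
pass out quick on $ext_if proto tcp from any to any flags S/SA keep state
pass out quick on $ext_if proto { udp icmp } from any to any keep state

# Optional: if you later run a service (sshd here), restrict who may reach it.
# The table holds the trusted sources; 192.0.2.10 is a placeholder.
table <trusted> persist { 192.0.2.10 }
pass in log quick on $ext_if proto tcp from <trusted> to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, enable it with `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf, then start it with `/etc/rc.d/pf start` and `/etc/rc.d/pflog start`. `pfctl -sr` shows the loaded rules and `pfctl -ss` the state table; blocked packets can be watched with `tcpdump -n -e -ttt -i pflog0`. The `quick` keyword stops rule evaluation at the first match, so the order of the pass rules does not matter here, and the default `block in` still catches everything the pass rules do not.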
 
Well, I guess I'm going to have to try and find out something more on PF perhaps. I never went to school for computing so everything I've ever learned has been mostly out of necessity.

Still, to anomie, that last line is encouraging. At least I'm no longer wondering if my laptop here is a "sitting duck".

I tried to compile guarddog from source and it fails, though there are other more advanced GUI tools for iptables and whatnot in freshports. I'm obviously not at some great risk or I would've been told so explicitly by now.

Thank you folks.
--Q
 
I've used iptables and find it to be overly complex and generally a cause of headaches. I set up a box to do asterisk with integration to a Cisco Call Manager over a VPN set up over the internet last summer. I could not get vpnc to negotiate with our Cisco 3000 series concentrator, so I had to go with Linux for the box. Getting iptables configured took me what seemed like forever! I had the pf rule set I wanted in place after about 3 minutes, but translating that to iptables took close to 2 days! :( IMO, pf really is the way to go if you want an effective firewall that's simple to understand and build rules for.
 