• 18 minutes

    iptables and nftables are just different frontends to the netfilter kernel module.

  • OpenSnitch is a nice for the desktop environment, deny by default and prompts the user when an application requests a open port, at first the prompts can get a little overwhelming given how many things want to connect to xyz server but eventually lightens up.

    • 6 hours

      Its a little annoying on Linux but I wonder what it would be like on Windows.

      • 13 minutes

        The firewall is annoying? I would argue and say the firewall is protecting your computer from connecting to a rouge server, annoying or not it’s better than some douche abusing an exploit in your system.

        • Simplewall works great, it’s open source. And yes, there are a couple of million requests made by windows apps alone, which are completely fine to block. Simplewall also blocks windows telemetry. I have to use win11 at work and it’s an absolute ahitstorm of network requests that you don’t get to see when using windows firewall.

          Glaswire looks beautiful and functions well, but you will hit the paywall after a couple of weeks (I used this on the around 2010 I think)

  • 7 hours

    These firewall tools are interesting, but I honestly haven’t needed them in years. The premise is a little out of date. Who puts cloud servers on the open internet these days? Everything I see uses a public load balancer and a WAF service.

    • 7 hours

      Sure, but what if youve configured your waf or w/e incorrectly, what if someone gains access to another part of your network? Having sane firewall settings is always better than none at all.

      • 6 hours

        All the cloud services I’ve used had virtual network firewalls for internal traffic. Security Groups for AWS, Cloud Firewall for GCP, etc. That’s typically how lateral traffic gets managed. Defense in depth is good, but as I said I haven’t used host firewalls in forever, and we get audited for security certificates every year, and no auditor has asked about them that I recall.

    • 6 hours

      A lot of people host websites created with a static site generator just fine without that extra layer. Unless your site has expensive to generate dynamic pages, lots of video content, or deep changelog pages (wiki history or forge commit diff’s publicly available), it makes a lot of sense to keep it simple.

      Putting everything behind Cloudflare is just cargo cult behaviour and learning all the ins and outs of it isnt any harder than learning a firewall (which is transferrable knowledge that can also protect your machines from each other).

    • If you’re trying to be cost-effective, renting a VPS for a fixed term instead of using a IaaS platform that provides all these things just by clicking a checkbox, then caring about your firewall is a necessary part of building the system image that you deploy. You can of course set up your own private networking between systems and build the same type of architecture that a IaaS would provide, but to do that you’re going to need to understand everything about linux networking and netfilter already.

      • 6 hours

        Maybe that’s the context. All of my cloud hosting work is very large corporate systems in the big three clouds. You’re talking about Hostinger or Scalahosting type services, yes?