I’ve been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I’ve been meaning to get UFW on it but I’ve been too lazy to do so. Is it a necessary thing that I need to have or it’s a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I’d say my server’s pretty secure but not the furthest I could take it. Opinions please?

  • sugar_in_your_tea@sh.itjust.worksEnglish
    6·
    3 days ago

    But is there a good reason to run one on a server? Any port that’s not in use won’t allow traffic in. Any port that’s in use would be added to the firewall exception anyway.

    The only reasons I can think of to use a firewall are:

    • some services aren’t intending to be accessible - with containers, this is really easy to prevent
    • your firewall also does other stuff, like blocking connections based on source IP (e.g. block Russia and China to reduce automated cyber attacks if you don’t have users in Russia or China)

    Be intentional about everything you run, because each additional service is a potential liability.

    • ipkpjersi@lemmy.mlEnglish
      2·
      3 days ago

      Because it’s easy to accidentally run services or set up services temporarily and forget that you left them running. With UPnP being able to automatically/dynamically open ports, a firewall is just another layer of protection. You can also configure firewalls to ignore packets silently or log dropped packets, and if applications ever get new versions and end up listening on new ports, you would have to manually allow the ports. Maybe you want to have one part of an application accessible through the firewall but not another part of the application.

      Plus, like you said, country blocking is another feature which personally I think is nice to have, and there are also other features too like being able to throttle connections, especially with things like fail2ban.

      It’s just another layer of protection, and it ensures that everything you run is deliberate.

      • sugar_in_your_tea@sh.itjust.worksEnglish
        1·
        3 days ago

        It honestly depends on how you run things.

        If everything is in containers, chances are you’re already getting the benefits of a firewall. For example, with podman or docker, you already explicitly expose ports, which is already a form of firewall. If you’re running things outside of containers, then yeah, I agree with you, there’s too much risk of something opening up a port you didn’t expect.

        Everything I run is with podman, which exposes stuff with iptables rules. That’s the same thing a basic firewall does, so adding a firewall is superfluous unless you’re using it to do something else, like geoip filtering.

        When in doubt, use a firewall. But depending on the setup, it could be unnecessary.