
Is it necessary to configure a firewall like iptables or Firestarter when the goal is only to surf safely?

For me, there is no need to open any port (e.g. Samba, etc.).

Kevin Bowen
Tim
  • Judging by the confusion in some answers below, I think you could improve your question by specifically stating what type of "safety" you're after. Are you interested in safety *and* anonymity? – nutty about natty Mar 21 '13 at 09:53
  • From the FAQ: "Your questions should be reasonably scoped. If you can imagine an entire book that answers your question, you’re asking too much." It's my opinion that this question, most probably unintentionally, is too broadly scoped. –  Mar 21 '13 at 10:58

4 Answers


If you're behind a router and it uses network address translation (NAT) to share the single public IP assigned by your ISP among the computers in your LAN, I'd say you're pretty much safe and you don't need to set up an additional firewall or iptables rules.

That is because NAT, by default, will drop any unsolicited incoming traffic from the Internet when it reaches your router. So in effect it also acts as a firewall that prevents incoming requests from reaching your computer.

This is also why, when you need to access a service in your LAN from outside the network, e.g. an IP camera, you must set up port forwarding on your router to allow the request to reach the service.

Flint
  • [What are the risks of NOT using a firewall (home computer)?](http://askubuntu.com/questions/263483/what-are-the-risks-of-not-using-a-firewall-home-computer) – nutty about natty Mar 21 '13 at 11:11
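A check that follows from this answer, added here as an example and not part of Flint's post: the NAT argument only holds if the address your machine uses to reach the Internet is private (RFC 1918) or carrier-grade NAT (RFC 6598) space; a public address on the host means nothing upstream is filtering for you. The script assumes Linux with iproute2 (`ip route get`); the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original answer: is this host sitting
# behind NAT? The NAT-as-firewall argument only holds if the address the
# machine uses toward the Internet is private (RFC 1918) or carrier-grade
# NAT (RFC 6598) space. Function names are this example's own.

# is_private_ipv4 A.B.C.D -> exit 0 for RFC 1918 / RFC 6598 space, 1 otherwise
is_private_ipv4() {
    in_addr=$1
    # split on dots; anything that is not four numbers in 0..255 is rejected
    oldifs=$IFS; IFS=.; set -- $in_addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2
    [ "$a" -eq 10 ] && return 0                                          # 10.0.0.0/8
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0   # 172.16.0.0/12
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0                     # 192.168.0.0/16
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 0  # 100.64.0.0/10 (ISP-side NAT)
    return 1
}

# local_ipv4 -> the source address this host would use toward the Internet
# (Linux, iproute2); prints nothing if there is no IPv4 route
local_ipv4() {
    ip -4 route get 1.1.1.1 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# behind_nat -> 0 if the local address is NAT space, 1 if it is public, 2 if unknown
behind_nat() {
    addr=$(local_ipv4)
    if [ -z "$addr" ]; then
        echo "could not determine the local IPv4 address"
        return 2
    elif is_private_ipv4 "$addr"; then
        echo "$addr is NAT space: unsolicited inbound IPv4 stops at the router (unless you forward a port)"
        return 0
    else
        echo "$addr is a public address: nothing upstream filters for you, so configure a host firewall"
        return 1
    fi
}

# Run the check only when invoked with --check, so the functions can be
# sourced from other scripts without side effects.
if [ "${1:-}" = "--check" ]; then
    behind_nat
fi
```

Two caveats the script makes visible: a 100.64.0.0/10 address means the NAT is at the ISP, so you are shielded but also cannot forward a port through it; and NAT is an IPv4 arrangement only, so if your ISP hands out global IPv6 addresses each host is directly addressable and only the router's IPv6 firewall, if it has one, stands in the way.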

No, you don't need it if all you want to do is surf safely. However, you can take the following steps:

  • There are several add-ons available that can block NSFW content and ads.
  • You can use a proxy or a VPN to surf anonymously.
  • You can use Tor for some anonymity as well.
green
  • Thanks for your quick answer, the goal is not to surf anonymously, but to deny things such as pings, UDP... – Tim Mar 21 '13 at 08:14
  • @Tim There's no need to accept an answer if it doesn't answer your question (or at least help you towards an answer). – nutty about natty Mar 21 '13 at 09:29
  • @Tim If you like an answer, you can upvote it; in fact, you can upvote many answers, but you can only accept one single answer; there's no rush in accepting, and you can also un-accept. – nutty about natty Mar 21 '13 at 09:37

If you're using Firefox (recommended), NoScript by Giorgio Maone is a great option worth considering!

The NoScript website itself looks a bit messy; don't let that give you the wrong impression, though!

> The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).
>
> NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.
>
> NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...
>
> You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
> Watch the "Block scripts in Firefox" video by cnet.
>
> Staying safe has never been so easy!
> Experts do agree...

Additionally, you may want to refer to Should I use No-Script?

nutty about natty

Here are simple iptables rules that are helpful to deny things such as pings and other unwanted input connections:

```
*filter
# Load with: iptables-restore < this-file (IPv4 only; IPv6 needs a separate ip6tables ruleset)
# Chain policies: drop inbound and forwarded packets that no rule below accepts
# (without a DROP policy the accept rules alone deny nothing); allow all outbound
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allows all loopback (lo) traffic and rejects traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts replies to connections this host opened, so browsing keeps working
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
COMMIT
```

You will find more details here.

sorgel