21

Let's assume we have an example machine connected to the internet. This machine is typically a client one, and it has no services like ssh running on it. Does this kind of machine need any firewall to restrict incoming connections? On the one hand, there are no services that would accept the network packets, so there's no threat to the system, but is it really safe to accept such packets without DROP'ing them? Is there any possibility that the Linux kernel would misinterpret such packets and behave in an unpredictable way?

Mikhail Morfikov
  • Might be worth distinguishing between firewalls placed outside of the system vs. within it. Because [out-of-band management](https://en.wikipedia.org/wiki/Out-of-band_management), attacks on network-adapters ([PDF](https://www.ssi.gouv.fr/uploads/IMG/pdf/paper.pdf); [related CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0104)), etc.. – Nat Oct 02 '21 at 18:16
  • How does "connected to the internet" and "without any listening services" go together? I really thought the first required the second. – PcMan Oct 03 '21 at 08:42
  • @Nat, yes, I'm asking about a FW inside the same system/machine it should protect. – Mikhail Morfikov Oct 03 '21 at 16:50
  • Can you absolutely, positively guarantee that no future software (security) update will start a listening service? – Eric Towers Oct 03 '21 at 23:55
  • `netstat -a` shows NO listening services? – AbraCadaver Oct 04 '21 at 18:46
  • @EricTowers, no, but let's assume that's the case, i.e. no new listening services will be ever launched. – Mikhail Morfikov Oct 04 '21 at 22:06
  • @AbraCadaver, yes. i.e. no listening network sockets. – Mikhail Morfikov Oct 04 '21 at 22:07
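The `netstat -a` check discussed in the comments above covers less than it seems: it lists TCP and UDP, and it is easy to read only the IPv4 lines and miss IPv6 binds or other transport protocols. The script below is an added example, not part of the question or of any answer on this page, of a slightly wider audit using iproute2's `ss`: it asks for TCP, UDP, SCTP and raw sockets over both address families and reports only those bound to something other than loopback. The script name, the function names and the `ss` lines in `sample_ss_output` are assumptions made for this example (the sample lines are constructed, not captured from a real host); `ss` itself is the only real tool it calls.

```shell
#!/bin/sh
# listener-audit.sh (hypothetical name): which sockets on this host can be reached
# from off-host? Added example, not from the original question or answers.
# Assumes iproute2's `ss` for the live run; the classification itself works on
# captured text, so it can be exercised offline.

set -eu

# Classify `ss -Hln` lines (Netid State Recv-Q Send-Q Local:Port Peer:Port ...).
# The Netid column is present because more than one socket type is requested;
# `ss -tln` alone would omit it and shift the columns. Prints
# "<netid> <address> <port>" for every socket that is not bound to loopback only.
# Loopback means 127.0.0.0/8, ::1, or an address scoped to lo ("%lo").
# Everything else (0.0.0.0, ::, *, link-local, a specific address) is reported.
exposed_listeners() {
  awk '
    NF >= 5 {
      local = $5
      n = match(local, /:[^:]*$/)      # split on the LAST colon: "[::]:22" -> "[::]" and "22"
      if (n == 0) next
      host = substr(local, 1, n - 1)
      port = substr(local, n + 1)
      sub(/^\[/, "", host); sub(/\]$/, "", host)
      if (host ~ /^127\./ || host == "::1" || host ~ /%lo$/) next
      print $1, host, port
    }'
}

# Number of exposed sockets in the `ss` text on stdin.
count_exposed() { exposed_listeners | wc -l | tr -d " "; }

# Constructed sample of `ss -Hln -t -u -S -w` output (not from a real host): a
# CUPS listener on both loopback families, the systemd-resolved stub, a DHCP
# client on UDP 68, an SCTP listener and a raw ICMPv6 socket.
sample_ss_output() {
  cat <<'EOF'
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      4096           [::1]:631          [::]:*
udp   UNCONN 0      0      127.0.0.53%lo:53       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68       0.0.0.0:*
sctp  LISTEN 0      128             [::]:3868         [::]:*
raw   UNCONN 0      0                  *:58             *:*
EOF
}

# Live audit: -l listening/unconnected, -n numeric, -H no header,
# -t TCP, -u UDP, -S SCTP, -w raw sockets. Add -p (as root) to see the owning process.
live_audit() {
  ss -Hln -t -u -S -w | exposed_listeners
}

if [ "${1:-}" = "live" ]; then
  live_audit
fi
```

Run it as `sh listener-audit.sh live` on the host in question. On the constructed sample it reports three sockets (the DHCP client, the SCTP listener and the raw ICMPv6 socket) and skips the three loopback binds; a DHCP client bound to 0.0.0.0:68 is exactly the kind of thing that turns up on a desktop that is believed to run "no services". Unix-domain sockets are deliberately left out, since they are not reachable from the network.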

6 Answers

27

This is close to asking whether a shut-down computer needs updates. The answer is no if and only if you are sure that it will always stay off. Your question should receive a similar answer: if you are sure that no listening services are active and never will be, you do not need to block incoming connections.

But in the real world, no network service at all is hard to achieve. At the very least, X Window is a network-oriented protocol, and many services are installed and active by default on a newly installed system.

Furthermore, a firewall should not be limited to blocking incoming connections, but should also control which outgoing connections are allowed. Doing so can prevent an infected application, which a user just downloaded or received by mail (through legitimate outgoing connections...), from later leaking private information or, even worse, opening a tunnel that gives the attacker local access. The stricter the outgoing filter, the harder it will be for the attacker.

Serge Ballesta
  • And even if you do have only one listener, maybe you want to filter incoming IP addresses that can access that listener. – user10489 Oct 01 '21 at 23:33
  • *This is close to ask whether a shutdown computer needs updates.* If it's connected to the network and the power cord is plugged in, is it **ever** really "shutdown"? ILOM/DRAC/RSA/IPMI/whatever remote management is built into a lot of systems, often physically sharing network connection(s), and those are active whenever power is applied. – Andrew Henle Oct 02 '21 at 11:46
  • "This is close to ask whether a shutdown computer needs updates." -- I don't think so. It would be more like: does a computer without a network connection need a FW? :) But when you plug a machine into the net, it can process packets and possibly make weird decisions. – Mikhail Morfikov Oct 03 '21 at 16:54
  • X11 should be set to only listen to localhost. So should other services like that. I suppose you can ask whether you're likely to accidentally open it to the whole internet? – user253751 Oct 04 '21 at 12:54
10

Does a machine with no listening services strictly need a firewall? Not really.

Does a machine with no listening services exist in practice? Not really, if we're talking about the more common desktop & server operating systems.

If you somehow identify and disable every single service that listens on a TCP or UDP port, an update to a package could introduce a new one at a later date. If your checks missed IPv6 services, you could be unknowingly exposing sensitive services. A firewall is an excellent compensating control for this scenario.

The other problem is that not all network services are based on TCP or UDP. It's entirely possible that you have services running SCTP, DCCP, RSVP, or other transport layer protocols that would be prohibited by a firewall's default-block policy. If you've only looked at TCP and UDP on IPv4/IPv6, you'll have probably missed anything that's listening on other protocols.

In this context, there's absolutely no value in not running a firewall. Your iptables setup could consist solely of a default-DROP policy on INPUT and FORWARD, plus a single rule that allows inbound TCP packets that are related to existing connections - about as simple as firewall rules get. Filtering outbound traffic is advisable but not mandatory.

Ultimately this comes down to defence in depth. Your security controls should offer protection in the current state of the system, but should also offer protection in foreseeable future states. This includes potential changes introduced by updates, as well as any possible mistakes you might make in future while managing the system.

Polynomial
  • "Not really, if we're talking modern operating systems." <-- some of us would not call that "modern" but "broken". All BSDs and Linux distributions I would consider using in a serious environment have no listening services by default. On the other hand, plenty of historical bad systems had lots. There is no correlation with "modernity" here, just with bad choices. – R.. GitHub STOP HELPING ICE Oct 02 '21 at 03:20
  • @R..GitHubSTOPHELPINGICE I don't disagree that there _are_ Linux/BSD distros that don't come with application-layer services listening by default, albeit with the most popular distros not being among them. However, while those cleaner distros might not have SSH or NFS or `finger` running by default, they almost certainly have DHCP, LLDP, ICMP, a DNS client, etc. as part of the typical network stack, and those services do have an attack surface that can be reduced by a firewall. I'll edit to clarify what I meant by "modern", though, since it was a poor choice of word. – Polynomial Oct 02 '21 at 13:43
  • There is a major group of devices that don't have any listening services -- it's Android phones. The devices don't filter any incoming connections. And this was the source of my question. – Mikhail Morfikov Oct 03 '21 at 16:59
  • @MikhailMorfikov It would've been helpful, then, if you'd have mentioned Android at all in your question, or tagged it with the Android tag. – Polynomial Oct 03 '21 at 17:06
  • @R..GitHubSTOPHELPINGICE, "services" are a lot broader than you're picturing. Almost any computer on the Internet is listening for things like ICMP, and [those have been used for attacks](https://en.wikipedia.org/wiki/Ping_of_death). – Mark Oct 04 '21 at 06:11
  • @Mark: Did you read my answer? It mentions nukes already, as mostly as thing of the distant past. – R.. GitHub STOP HELPING ICE Oct 04 '21 at 12:27
  • @Polynomial, it's not really a Android phone specific question. You can have other machines with no listening services as well -- it just depends on the configuration. – Mikhail Morfikov Oct 04 '21 at 22:11
  • @Mark, yes ICMP and port scans are the things to keep in mind. For instance a full port scan (via nmap) takes 15s, whereas with INPUT DROP, it takes 2h or so? I don't remember but there's a huge difference here. – Mikhail Morfikov Oct 04 '21 at 22:14
  • @MikhailMorfikov, nmap is designed for accuracy, not speed. A rapid portscan that's willing to accept the occasional false negative can scan every port in a matter of seconds regardless of firewall policy. – Mark Oct 04 '21 at 22:21
  • @Mark, I didn't really test much using nmap, only `-p 1-65535` , and the same scan was conducted with and without DROP in INPUT, and there was a huge difference in time to complete such scans. – Mikhail Morfikov Oct 06 '21 at 16:51
  • @MikhailMorfikov, with the default settings, nmap will slow down and make repeated tests when a packet doesn't get a reply, in an attempt to tell the difference between packets dropped by a firewall and packets dropped due to network congestion. – Mark Oct 06 '21 at 22:17
  • @Mark, good to know. – Mikhail Morfikov Oct 07 '21 at 23:21
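The ruleset this answer sketches, written out as an added example (it is not the answer's own code). The answer describes it in iptables terms; this version uses nftables, which is what current distributions ship, so a single `inet` table covers IPv4 and IPv6 together (the answer's IPv6 caveat) and the stateful rule admits UDP and ICMP replies as well as TCP. Two things have to be added to the two-line description for the host to keep working: an accept for loopback, because a local client connecting to a local server still enters the input hook as a new connection, and an accept for the ICMPv6 neighbour discovery types, without which the host loses IPv6 connectivity. The script name and the helper functions are assumptions made for this example; `nft` is the only real tool it calls.

```shell
#!/bin/sh
# minimal-host-fw.sh (hypothetical name): default-drop host firewall for a machine
# that is not supposed to listen on anything. Added example, not code from the
# original answer. Assumes nftables is installed and that `apply` runs as root.

set -eu

# The ruleset as text, so it can be reviewed and syntax-checked before loading.
# `flush ruleset` removes every existing table, including ones other tools such
# as libvirt or Docker created; remove that line if you must coexist with them.
fw_ruleset() {
  cat <<'EOF'
flush ruleset
table inet host_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    # local IPC over loopback still traverses the input hook as a new connection
    iif "lo" accept
    # replies to connections this host opened; conntrack covers TCP, UDP and ICMP alike
    ct state established,related accept
    ct state invalid drop
    # IPv6 needs neighbour discovery and MLD even on a host that serves nothing
    icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
    # optional: stay pingable at a bounded rate; delete this line for a silent host
    icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    # a client is not a router
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# 0 if the chain hooked at $1 (input|forward|output) declares an explicit drop policy.
fw_policy_is_drop() {
  fw_ruleset | grep -Eq "hook $1 priority [0-9-]+; policy drop;"
}

# 0 if any rule opens a port to new inbound connections. On a host with no
# listening services there should be none; nft comments are stripped first.
fw_accepts_new_inbound() {
  fw_ruleset | sed 's/#.*//' | grep -Eq 'dport .* accept'
}

fw_check() { fw_ruleset | nft -c -f -; }   # parse only, changes nothing
fw_apply() { fw_ruleset | nft -f -; }      # load into the kernel

if [ $# -gt 0 ]; then
  case "$1" in
    show)  fw_ruleset ;;
    check) fw_check ;;
    apply) fw_apply ;;
    *)     echo "usage: $0 show|check|apply" >&2; exit 64 ;;
  esac
fi
```

`sh minimal-host-fw.sh check` parses the ruleset without loading it; `apply` loads it. Nothing here filters outbound traffic, matching the answer's "advisable but not mandatory". Most Linux DHCP clients carry the DHCP exchange over packet sockets, which the inet hooks do not see, so address acquisition usually survives the drop policy even though a UDP socket on port 68 may show up in `ss`; if your client stops renewing after `apply`, add `udp sport 67 dport 68 accept` to the input chain. The drop policy is also what makes the nmap runs discussed in the comments above so much slower: probes that get no answer are retransmitted and the scanner backs off.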
6

It depends on the risk profile and the stakes involved (these in turn depend on what the machine is used for).

Just a few reasons why you MAY need a firewall:

  1. A lurking vulnerability in the machine's network stack may enable an attack even if no open TCP or UDP ports exist. The famous "ping of death" attack comes to mind.

  2. There may be a vulnerability that exploits an outgoing connection as well.

  3. In modern, bloatware-laden computers one can never be sure what exactly is hooked to the network stack. Did you ever bother to disable IRDP? IGMP, anyone?

Reasons you may NOT want a firewall:

  1. Added attack surface. If a machine has a simple enough function and software stack, the firewall itself (whether internal or external) may offer an attacker valuable additional vulnerabilities to pick from. I remember at least one case when a naively configured MS ISA server enabled an attack that ended up with the attacker owning the whole AD domain.

  2. Added complexity / CPU and memory load / cost / point of failure / point of maintenance. All these things are bad in themselves. The cost may outweigh the possible benefits.

fraxinus
4

In short, no. Using firewalls for this is really a bad practice (a form of treating the network layer as access control, a big Considered Harmful), which inevitably leads to bad things like insecure services being left open to LAN or to localhost, in ways that can be exploited. But if you use an operating system with tons of default services that are hard or impossible to remove without breaking things, a firewall may be your only easy option.

One way in which firewalls historically sometimes provided additional protection was back in the days of "nuke" and "ping of death" attacks where most OS network stacks had bugs whereby malformed packets could crash (or sometimes even achieve arbitrary code execution on!) the targeted system's kernel. If the firewall was running on a separate router/gateway machine, it could fully block these (although perhaps crashing itself). On the same host, though, it varied a lot as to whether the firewall would catch the packet at a layer before or after the one it caused the crash at.

Another way in which a firewall still can be beneficial is by preventing OS fingerprinting and resource waste from replying (with rejection) to unwanted connection attempts.

  • *Using firewalls for this is really a bad practice (a form of treating the network layer as access control, a big Considered Harmful), which inevitably leads to bad things like insecure services being left open to LAN or to localhost* Doesn't that imply that **not** using a firewall somehow helps to prevent "bad things like insecure services being left open to LAN or to localhost"? IME those will happen anyway. At least a firewall will provide protection when those mistakes happen. – Andrew Henle Oct 02 '21 at 11:37
  • @AndrewHenle: Presumption that there's a firewall making it so "only someone local can access it, so it doesn't matter" is the justification for running unauthenticated or otherwise insecure local services on network ports. The right solution is enforcing a policy that kills anything opening listening ports except an allowlist; that way they're not exposed locally either. – R.. GitHub STOP HELPING ICE Oct 02 '21 at 13:03
  • Oof, I _strongly_ disagree with your opinion here. Yes, in an ideal world the system would be stripped down to the bare minimum services, with careful configuration and review of everything present, and everything would be re-assessed after any package update or config change. In reality this is a huge chore that few people can reasonably dedicate enough time into, and it's incredibly fragile - it gives you no margin for error. Having a host firewall with a default-block policy is a highly effective defence-in-depth measure against accidental exposure. – Polynomial Oct 02 '21 at 13:50
  • I'm also somewhat at a loss to understand your assertion that "using a firewall as a network layer access control is harmful". A firewall _is_ a network layer access control - it literally controls access to network services. Yes, using it as a _sole_ access control for an application is considered poor practice, but using network-layer security controls to prevent access to services by default is well-established standard practice. Claiming that it is "considered harmful" is an unusually extreme take that I don't think you'll find much support for. – Polynomial Oct 02 '21 at 14:02
  • @Polynomial: "Treating the network layer as access control Considered Harmful" is a principle that all network traffic, regardless of where it originates from (even localhost), should be considered untrusted, and the ability to originate, intercept, or alter network traffic should not yield any access. – R.. GitHub STOP HELPING ICE Oct 02 '21 at 14:42
  • I feel like these comments are getting dragged into discussing a tangential philosophy rather than the answer to the question, though. If you really want to discuss this, please open another question rather than using a parenthetical remark as a hook for something outside the scope of, but related to, the question. OP already specified the lack of listening services as a premise of the question, not something that's under question. – R.. GitHub STOP HELPING ICE Oct 02 '21 at 14:45
2

Although you probably don't really need a firewall if there is no listening service, it can be hard to be sure that there isn't any. Suppose the user of the machine clicks on a trojan horse that installs a listening service; now your premise no longer applies.

Firewalls can also be useful for restricting outgoing connections by policy. For instance, if malware installs zombie software, it will usually connect to the control server. Firewalls can block connections to known C&C addresses. Corporate firewalls may also block access to porn and/or gaming sites.

Barmar
1

No perfectly configured, bug-free server needs a firewall, listening services or not. After all, what does the FW actually do? It blocks connections to ports where we aren't listening anyway, and lets them through on the ports where we are listening. So it actually doesn't change a thing.

So we don't use firewalls to block off unused ports. We use firewalls as an additional layer in a defense-in-depth strategy. Because in the real world, our servers aren't always perfectly configured and neither are they bug-free. That service you turned off could be turned on again by accident when someone updates the system configuration, or as the result of a bug or malware. Additionally, modern firewalls and application-layer firewalls, WAFs, etc. do more than just port-blocking. They can sanitize the packets coming in, inspect them, redirect them and a dozen other things. Not least of all: Log them or forward them to a SIEM.

The straight answer is that the risk that the Linux kernel will behave strangely upon receiving a packet to a port with no listening service on it is negligible. Not zero - it's software, you never know - but close enough for practical purposes. What is not zero is the chance that someone (including you) accidentally starts an unsafe service, such as when updating the system, not looking closely enough at the prompts, and overwriting your carefully crafted config with the package maintainer's default.

Tom