I’ve been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I’ve been meaning to get UFW on it but I’ve been too lazy to do so. Is it a necessary thing that I need to have or it’s a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I’d say my server’s pretty secure but not the furthest I could take it. Opinions please?
You must log in or register to comment.
You should, yes. I run a firewall (I usually use ufw) on all of my Internet-connected devices, since all of my devices run Linux. There’s not really any good reason not to in 2025.
I just went done this road and i’d say it is worth it even only for the learning part. I’ve set counter per application in nftable, and via a python script send them in SVG graph format to Glance dashboard. The result is I can monitor my whole network per application and the best part it all add up very well so I know there is no ‘unknown’ outgoing or ingoing traffic on my machine.
My personal advice, secure it down to only permitting what needs it, regardless of your trust to the network.
Treat each device as if they’ve been compromised and the attacker on the compromised device is now trying to move laterally. Example scenario: had you blocked all devices except your laptop or phone to your server, your server wouldn’t have been hacked because someone went through a hacked cloud-connected HVAC panel.
I lock down everything and grant access only to devices that should have access. Then on top of that, I enable passwords and 2FA on everything as if it were public… Nothing I self host is public. It’s all behind my network firewall and router firewall, and can only be accessed externally by a VPN.
That depends. If you have exposed services, you could use some features of the firewall to geoip restrict incoming requests to prevent spam from China and Russia and whatnot.
If you don’t have any services running on a publicly accessible port, then what would the firewall protect?
I only bind applications to ports on the Internet facing network interfaces that need to be reachable from outside, and have all other ports closed because nothing is listening on them. A firewall in this case would bring me no further protection from external threats, because all those ports have to be open in the firewall too.
But Linux comes with a firewall build in, so I use it even if it is not strictly needed with my strict port management regime for my services. And a firewall has the added benefit to limit outgoing network traffic to only allowed ports/applications.
Disclaimer, I’m not a network professional im only learning. But you dont need ufw since your router firewall should be able to filter majority of the traffic. But in security there is a concept of layers. You want your router firewall then your device firewall to provide multiple layers incase something slips through one layer.
So to give a simple answer, it depends how secure you want your network to be. Personally I think UFW is easy so you may as well set it up. 5sec of config might stop a hacker traversing your network hoping from device to device.
To follow up on this, I’d look to network segmentation as another useful security barrier. I’ve just started playing around with VLANs, but the way I plan on setting things up is to have individual VLANs for services, management and IoT, with the LAN for all other user-land devices. On top of this you add strict firewall rules to what can talk to what, on which ports, etc. So all devices on the network can do DNS queries to my two DNS servers, for instance, but things from my services VLAN can’t reach anything outside of this VLAN…
This is the best answer. Your router protects you from the outside, but a local firewall can protect you from someone prodding your lan from a hacked camera or some other IoT device. By having a firewall locally you just minimize the attack surface further.
This. It’s unnecessary but it’s another layer.
Instead of thinking with layers, you should use think of Swiss cheese. Each slice of cheese has some holes - think of weaknesses in the defense (or intentional holes as you need a way to connect to the target legitimately). Putting several slices back to back (in random order and orientation) means that the way to penetrate all layers is not a simple straight way, but that you need to work around each layer.
I’ve heard this analogy before but I don’t really care for it myself.
It creates a mental image but isn’t really analogous.
In the case of a firewall on a server behind a NAT, ports forwarded through the NAT are holes through the first several slices.
If done correctly, those may only be open from the internet, but not from the local network. While SSH may only be available from your local network - or maybe only by the fixed IP of your PC. Other services may only be reachable, when coming from the correct VLAN (assuming you did segment your home network). Maybe your server can only access the internet, but not to the home network, so that an attacker has a harder time spreading into your home network (note: that’s only really meaningful, if it’s not a software firewall on that same server…)
Sure mate, keep trotting out the dumb swiss cheese analogy. Fine by me.
I have about 20 services on my machine so I’m going to need to open a ton of ports (ssh, SSL, multiple higher number ports since some services require several ports). At that point, what is the point of a firewall if so many ports are open? With so many ports open, it seems like a firewall doesn’t add much security vs the complexity it adds.
If someone exploits a service on the machine they can then connect outside that machine on any port. Ufw would prevent this. The router firewall would also likely prevent this unless they used an open port of the router or upnp was enabled.
I recommend fail2ban to stop the automated attacks that are the background noise of the internet. It will set your firewall to block certain ip’s for a while, especially ports 21/22 are getting hammered with dictionary login attempts. And port 80 and 8080 for example get constantly version checked to see if you are vulnerable with an old apache, old dokuwiki etc, so don’t expose more than you need to and maybe learn about ssh tunnels and close a few.
I once installed ossim in a small network with a server and it showed me it is war out there, scripts flying everywhere.
Also get rid of password authentication if you can.
My server is only available on my LAN and via a VPN. Is fail2ban applicable? Or is it mainly for public facing servers?
Only public facing ports, maybe your openvpn login. But that means you are already firewalled up and your attack surface is tiny, good 👍
Sounds like you could use a reverse proxy.
That doesn’t count as a firewall though no? I use traefik as my reverse proxy (and like one thing on nginx that also goes through traefik ultimately) but I still put crowdsec on top
No, but putting a bunch of those services behind a reverse proxy would lower the amount of open ports. It would also have the side effect of making firewall configuration easier, since you don’t need rules for all those ports anymore.
True, I love not having to open ports anymore, game changing.
it depends how secure you want your network to be. Personally I think UFW is easy so you may as well set it up
IMO this attitude is problematic. It encourages people (especially newbies) to think they can’t trust anything, that software is by nature unreliable. I was one of those people once.
Personally, now I understand better how these things work, there’s no way I’m wasting my time putting up multiple firewalls. The router already has a firewall. Next.
PS: Sure, people don’t like this take - you can never have enough security, right? But take account of who you’re talking to - OP didn’t understand that their server is not even on the public internet. That fact makes all the difference here.
IMO this attitude is problematic. It encourages people (especially newbies) to think they can’t trust anything, that software is by nature unreliable. I was one of those people once.
IMO: Exactly the reverse. That’s how we get clients clicking and agreeing to everything presented without for once thinking critically.
In 6 working years (MSP) I had probably less than 10 occurrences of clients questioning a security concept from their own action.
If we didnt protect them from their own stupidity, the amount of cyber breaches would explode…Just recently:
A client: I clicked on the box that is asking me for domain credentials.The client didnt say what type of window it was or what happened before/after.
The client juat contacted us, because the pc wouldnt connect to the network and thus was unusable… >_>Possibly it’s about personality types. I was only going on my own experience. Of always being told by a chorus of experts “Oh no you don’t want to do that!” and ending up being terrified to touch anything. When I now know that I usually had nothing to be afraid of, because dangerous things tend to be locked down by design, exactly as they should be.
Until they arent.
They are experts because they knew what clicking the wrong button might do.
E.g.: Database admins using the wrong script with a miscconfigured argument or a backup admin responding to a failover, tripple checking every setting to not create a problematic failover and then still clicking the wrong button causing an outage because some random behaviour caused an overload.It happens. And best case you were better (double or tripple) safe than sorry.
IMHO, security measures are necessary. I have a tendency to go a bit heavy on security because I really hate having to mop up after a breach. So the more layers I have, the better I feel. Most of the breaches I’ve experienced were not some dude in a smokey, dimly lit room, wearing a hoody, and clacking away at a keyboard, while confidently announcing ‘I’m In!’ or ‘Enhance!’. Most are bots by the thousands. The bots are pretty sophisticated now days. They can scan vulnerabilities, attack surfaces, et al. They have an affinity for xmrig too, tho those are easy to spot when your server pegs all resources.
So, for the couple days investment of implementing a good, layered security defense, and then the time it takes to monitor such defenses, is worth it to me, and lets me sleep better. To each their own. Not only are breaches a pain in the ass, they have serious ramifications and can have legal consequences such as in a case where your server became a hapless zombie and was orchestrated to attack other servers. So, even on the selfhosted side of things, security measures are required, I would think.
It takes about 5 minutes to set up UFW which would be the absolute minimum, I would think.
If it is just you on your server and the only access from outside your network is SSHing in front the VPN? You’re good. Especially if it’s just you on your network/VPN.
If there are services that others utilize, you need a firewall. Can’t trust other people’s devices to not drag in malware.
I like to run ufw on all my machines but I’m also a tinfoil-hat wearing wacko who believes that no computer should ever really be trusted. Just trusted enough to do specific tasks.
If someone somehow busts into one of my VLANs, at least the other machines on that net will still have some sort of protection.
No
If it’s just one server you probably already use a firewall on the server.
In your case: no need for a fw if you can trust your local network.
Generally: services can have bugs - reverse proxy them. Not everybody needs to access the service - limit access with a firewall. Limit brute-force/ word-list attempts - MFA / fail2ban.
One thing that hasn’t been said in this thread is the following: Do you trust your router? Do you have an isp that can probe your router remotely and access it? In those cases, you absolutely need a firewall
Absolutely. Even if your ISP is firewalling, never trust they will maintain it, and some of these cheapshit routers they use are awful. Use your own router and put it on the ISP routers DMZ.
You have a firewall. It’s in your router, and it is what makes it so that you have to VPN into the server. Otherwise the server would be accessible. NAT is, effectively, a firewall.
Should you add another layer, perhaps an IPS or deny-listing? Maybe it’s a good idea.
Op means, as they said, a firewall on the server itself.
NAT is, effectively, a firewall.
No it isn’t. Stop giving advice on edge security.
Are you saying that NAT isn’t effectively a firewall or that a NAT firewall isn’t effectively a firewall?
NAT simply maps IPS across subnet boundaries in such a way that upstream routing tables don’t need updating.
If you use destination NAT forward rules to facilitate specific destination port access, you are using a firewall.
What sort of isp supplied residential equipment doesn’t block inbound connections? Pedantically, you’re correct.
How is NAT not a firewall? Sure theoretically it isn’t but I’ve yet to see a implementation of NAT that doesn’t act as a Firewall
Because NAT acts as a firewall with a “default deny” policy for incoming packets, but no other rules. You cannot prevent a device on the private subnet side of a NAT from attempting to communicate with an “outside” ip with nat alone, nat doesnt understand the concepts of accept/deny/drop.
All nat does is rewrite address headers.
The machines behind a NAT box are not directly addressable because they have private IP addresses. Machines out on the general Internet cannot send IP packets to them directly. Instead, any packets will be sent to the address of the NAT box, and the NAT box looks at its records to see which outgoing packet an incoming packet is in reply to, to decide which internal address the packet should be forwarded to. If the packet is not in reply to an outgoing packet, there’s no matching record, and the NAT box discards the packet.
It’s a confused topic because for a lot of people, nat does essentially everything they want. As soon as you get into more complex networking where a routing table needs to be updated, or bidirectional fw rules, it becomes apparent why routing + fw + nat is the most common combo.
Assuming it’s not a 1-1 NAT it does make for a functional unidirectional firewall. Now, a pure router in the sense of simply offering a gateway to another subnet doesn’t do much, but the typical home router as most people think of it is creating a snat for multiple devices to reach out to the internet and without port forwarding effectively blocks off traffic from the outside in.
Assuming it’s not a 1-1 NAT it does make for a functional unidirectional firewall.
That’s like saying a router and firewall are the same thing. NAT appears to be a “firewall” because it’s usually deployed with one. NAT itself has no filtering functions the way you’re describing.
Now, a pure router in the sense of simply offering a gateway to another subnet
A “pure” router, as you put it, understands upstream subnets and routing tables. NAT does not, and is usually overlayed on top of an existing routing function.
You can set up NAT between two subnets as an experiment with no iptables and it will do its job.
In practice a stateful NAT is the same as a stateful Firewall. I’ve never heard of a NAT that isn’t a Firewall. A port forward is the same as a Firewall allow rule.
What you might call a stateful NAT is really a 1-1 NAT, anything going out picks up an IP and anything retuned to that IP is routed back to the single address behind the NAT. Most home users a many to one source nat so their internal devices pick up a routable IP and multiple connections to a given dest are tracked by a source port map to route return traffic to the appropriate internal host.
Basically yes to what you said, but a port forward technically is a route map inbound to a mapped IP. You could have an ACL or firewall rule to control access to the NAT but in itself the forward isn’t a true firewall allow.
Same basic result but if you trace a packet into a router without a port forward it’ll be dropped before egress rather than being truly blocked. I think where some of the contention lies is that routing between private nets you have something like:
0.0.0.0/0 > 192.168.1.1 10.0.0.0/8 > 192.168.2.1
The more specific route would send everything for 10.x to the .2 route and it would be relayed as the routing tables dictate from that device. So a NAT in that case isn’t a filter.
From a routable address to non-route 1918 address as most would have from outside in though you can’t make that jump without a map (forward) into the local subnet.
So maybe more appropriate to say a NAT ‘can’ act as a firewall, but only by virtue of losing the route rather than blocking it.
NAT in the sense used when people talk about at home is a source nat, or as we like to call it in the office space a hide address, everyone going to the adjacent net appears to be the same source IP and the system maintains a table of connections to correlate return traffic to.
The other direction though, if you where on that upstream net and tried to target traffic towards the SNAT address above the router has no idea where to send it to unless there’s a map to designate where incoming connections need to be sent on the other side of the NAT so it ends up being dropped. I suppose in theory it could try and send it to everyone in the local side net, but if you get multiple responses everything is going to get hosed up.
So from the perspective of session state initiation it can act as a firewall since without route maps it only will work from one side.
If your router is setup to only allow in the ports with a service hanging off it, like SSH. Then a firewall wont add anything your router doesnt.
On the flip side, if your running any kind of VPS or directly accessible server, like a VPS or dedicated server. Then a firewall is required.
Now protecting your server from other things on your local network might something you want to do, think IoT stuff getting popped and being used to hack other things on the network
I use OpenWRT on my network and each server I have is on its own VLAN. So in my case, my router is the firewall to my servers. But I do have on my todo list to get the local firewalls working as well. As others have said, security is about layers. You want an attacker to have to jump multiple hurdles.
Why did you put each server in its own vlan? You now have a bunch of separate broadcast domains that need a router to move traffic between them. Switching is much faster since it is done in hardware most of the time.
Mainly for security reasons. Both servers have some limited exposure to the internet. Are you saying doing it that way has performance implications? I haven’t noticed any problems its all fast just like before when everything was on the same LAN
It will impact server to server performance significantly.
If the servers are independent that’s fine but don’t do a file share or some other performance critical component across vlans.
Interesting, I haven’t noticed anything, in fact since I switched everything has felt faster. And I’m constantly sending large files to devices on other VLANs.
It will be slower with more latency and CPU usage.
I would highly recommend you read up on networking and the OSI model. Switching is extremely fast because it is done in hardware. Routing is slow because it goes though the CPU.
If all else fails you could create a dedicated vlan for storage access.
