Do I really need a firewall for my server?
-
It will impact server to server performance significantly.
If the servers are independent that's fine but don't do a file share or some other performance critical component across vlans.
Interesting, I haven't noticed anything, in fact since I switched everything has felt faster. And I'm constantly sending large files to devices on other VLANs.
-
I've been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I've been meaning to get UFW on it but I've been too lazy to do so. Is it a necessary thing that I need to have or it's a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I'd say my server's pretty secure but not the furthest I could take it. Opinions please?
I only bind applications to ports on the Internet facing network interfaces that need to be reachable from outside, and have all other ports closed because nothing is listening on them.
A firewall in this case would bring me no further protection from external threats, because all those ports have to be open in the firewall too.But Linux comes with a firewall build in, so I use it even if it is not strictly needed with my strict port management regime for my services.
And a firewall has the added benefit to limit outgoing network traffic to only allowed ports/applications. -
I have about 20 services on my machine so I'm going to need to open a ton of ports (ssh, SSL, multiple higher number ports since some services require several ports). At that point, what is the point of a firewall if so many ports are open? With so many ports open, it seems like a firewall doesn't add much security vs the complexity it adds.
I recommend fail2ban to stop the automated attacks that are the background noise of the internet. It will set your firewall to block certain ip's for a while, especially ports 21/22 are getting hammered with dictionary login attempts. And port 80 and 8080 for example get constantly version checked to see if you are vulnerable with an old apache, old dokuwiki etc, so don't expose more than you need to and maybe learn about ssh tunnels and close a few.
I once installed ossim in a small network with a server and it showed me it is war out there, scripts flying everywhere.
-
Interesting, I haven't noticed anything, in fact since I switched everything has felt faster. And I'm constantly sending large files to devices on other VLANs.
It will be slower with more latency and CPU usage.
I would highly recommend you read up on networking and the OSI model. Switching is extremely fast because it is done in hardware. Routing is slow because it goes though the CPU.
If all else fails you could create a dedicated vlan for storage access.
-
I recommend fail2ban to stop the automated attacks that are the background noise of the internet. It will set your firewall to block certain ip's for a while, especially ports 21/22 are getting hammered with dictionary login attempts. And port 80 and 8080 for example get constantly version checked to see if you are vulnerable with an old apache, old dokuwiki etc, so don't expose more than you need to and maybe learn about ssh tunnels and close a few.
I once installed ossim in a small network with a server and it showed me it is war out there, scripts flying everywhere.
Also get rid of password authentication if you can.
-
In practice a stateful NAT is the same as a stateful Firewall. I've never heard of a NAT that isn't a Firewall. A port forward is the same as a Firewall allow rule.
What you might call a stateful NAT is really a 1-1 NAT, anything going out picks up an IP and anything retuned to that IP is routed back to the single address behind the NAT. Most home users a many to one source nat so their internal devices pick up a routable IP and multiple connections to a given dest are tracked by a source port map to route return traffic to the appropriate internal host.
Basically yes to what you said, but a port forward technically is a route map inbound to a mapped IP. You could have an ACL or firewall rule to control access to the NAT but in itself the forward isn't a true firewall allow.
Same basic result but if you trace a packet into a router without a port forward it'll be dropped before egress rather than being truly blocked. I think where some of the contention lies is that routing between private nets you have something like:
0.0.0.0/0 > 192.168.1.1
10.0.0.0/8 > 192.168.2.1The more specific route would send everything for 10.x to the .2 route and it would be relayed as the routing tables dictate from that device. So a NAT in that case isn't a filter.
From a routable address to non-route 1918 address as most would have from outside in though you can't make that jump without a map (forward) into the local subnet.
So maybe more appropriate to say a NAT 'can' act as a firewall, but only by virtue of losing the route rather than blocking it.
-
I recommend fail2ban to stop the automated attacks that are the background noise of the internet. It will set your firewall to block certain ip's for a while, especially ports 21/22 are getting hammered with dictionary login attempts. And port 80 and 8080 for example get constantly version checked to see if you are vulnerable with an old apache, old dokuwiki etc, so don't expose more than you need to and maybe learn about ssh tunnels and close a few.
I once installed ossim in a small network with a server and it showed me it is war out there, scripts flying everywhere.
My server is only available on my LAN and via a VPN. Is fail2ban applicable? Or is it mainly for public facing servers?
-
I have about 20 services on my machine so I'm going to need to open a ton of ports (ssh, SSL, multiple higher number ports since some services require several ports). At that point, what is the point of a firewall if so many ports are open? With so many ports open, it seems like a firewall doesn't add much security vs the complexity it adds.
If someone exploits a service on the machine they can then connect outside that machine on any port. Ufw would prevent this. The router firewall would also likely prevent this unless they used an open port of the router or upnp was enabled.
-
I've been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I've been meaning to get UFW on it but I've been too lazy to do so. Is it a necessary thing that I need to have or it's a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I'd say my server's pretty secure but not the furthest I could take it. Opinions please?
That depends. If you have exposed services, you could use some features of the firewall to geoip restrict incoming requests to prevent spam from China and Russia and whatnot.
If you don't have any services running on a publicly accessible port, then what would the firewall protect?
-
I've been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I've been meaning to get UFW on it but I've been too lazy to do so. Is it a necessary thing that I need to have or it's a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I'd say my server's pretty secure but not the furthest I could take it. Opinions please?
My personal advice, secure it down to only permitting what needs it, regardless of your trust to the network.
Treat each device as if they've been compromised and the attacker on the compromised device is now trying to move laterally. Example scenario: had you blocked all devices except your laptop or phone to your server, your server wouldn't have been hacked because someone went through a hacked cloud-connected HVAC panel.
I lock down everything and grant access only to devices that should have access. Then on top of that, I enable passwords and 2FA on everything as if it were public... Nothing I self host is public. It's all behind my network firewall and router firewall, and can only be accessed externally by a VPN.
-
My server is only available on my LAN and via a VPN. Is fail2ban applicable? Or is it mainly for public facing servers?
-
I've been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I've been meaning to get UFW on it but I've been too lazy to do so. Is it a necessary thing that I need to have or it's a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I'd say my server's pretty secure but not the furthest I could take it. Opinions please?
I just went done this road and i'd say it is worth it even only for the learning part.
I've set counter per application in nftable, and via a python script send them in SVG graph format to Glance dashboard.
The result is I can monitor my whole network per application and the best part it all add up very well so I know there is no 'unknown' outgoing or ingoing traffic on my machine. -
Disclaimer, I'm not a network professional im only learning. But you dont need ufw since your router firewall should be able to filter majority of the traffic. But in security there is a concept of layers. You want your router firewall then your device firewall to provide multiple layers incase something slips through one layer.
So to give a simple answer, it depends how secure you want your network to be. Personally I think UFW is easy so you may as well set it up. 5sec of config might stop a hacker traversing your network hoping from device to device.
To follow up on this, I'd look to network segmentation as another useful security barrier. I've just started playing around with VLANs, but the way I plan on setting things up is to have individual VLANs for services, management and IoT, with the LAN for all other user-land devices. On top of this you add strict firewall rules to what can talk to what, on which ports, etc. So all devices on the network can do DNS queries to my two DNS servers, for instance, but things from my services VLAN can't reach anything outside of this VLAN...
-
I've been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I've been meaning to get UFW on it but I've been too lazy to do so. Is it a necessary thing that I need to have or it's a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I'd say my server's pretty secure but not the furthest I could take it. Opinions please?
You should, yes. I run a firewall (I usually use ufw) on all of my Internet-connected devices, since all of my devices run Linux. There's not really any good reason not to in 2025.
-
I've been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I've been meaning to get UFW on it but I've been too lazy to do so. Is it a necessary thing that I need to have or it's a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I'd say my server's pretty secure but not the furthest I could take it. Opinions please?
I'll ask this question.
would you fuck without a condom at a hundred man orgy?
-
I'll ask this question.
would you fuck without a condom at a hundred man orgy?
@GreenKnight23 @theselfhoster Yes. I wouldn't even question it.
-
You should, yes. I run a firewall (I usually use ufw) on all of my Internet-connected devices, since all of my devices run Linux. There's not really any good reason not to in 2025.
But is there a good reason to run one on a server? Any port that's not in use won't allow traffic in. Any port that's in use would be added to the firewall exception anyway.
The only reasons I can think of to use a firewall are:
- some services aren't intending to be accessible - with containers, this is really easy to prevent
- your firewall also does other stuff, like blocking connections based on source IP (e.g. block Russia and China to reduce automated cyber attacks if you don't have users in Russia or China)
Be intentional about everything you run, because each additional service is a potential liability.
-
But is there a good reason to run one on a server? Any port that's not in use won't allow traffic in. Any port that's in use would be added to the firewall exception anyway.
The only reasons I can think of to use a firewall are:
- some services aren't intending to be accessible - with containers, this is really easy to prevent
- your firewall also does other stuff, like blocking connections based on source IP (e.g. block Russia and China to reduce automated cyber attacks if you don't have users in Russia or China)
Be intentional about everything you run, because each additional service is a potential liability.
Because it's easy to accidentally run services or set up services temporarily and forget that you left them running. With UPnP being able to automatically/dynamically open ports, a firewall is just another layer of protection. You can also configure firewalls to ignore packets silently or log dropped packets, and if applications ever get new versions and end up listening on new ports, you would have to manually allow the ports. Maybe you want to have one part of an application accessible through the firewall but not another part of the application.
Plus, like you said, country blocking is nice, and there are also other features too like being able to throttle connections, especially with things like fail2ban.
It's just another layer of protection, and it ensures that everything you run is deliberate.
-
But is there a good reason to run one on a server? Any port that's not in use won't allow traffic in. Any port that's in use would be added to the firewall exception anyway.
The only reasons I can think of to use a firewall are:
- some services aren't intending to be accessible - with containers, this is really easy to prevent
- your firewall also does other stuff, like blocking connections based on source IP (e.g. block Russia and China to reduce automated cyber attacks if you don't have users in Russia or China)
Be intentional about everything you run, because each additional service is a potential liability.
This is the right way to think about it. NAT is by its nature a form of firewall. As long as you do t put a host in the DMZ, using NAT is good enough unless you plan to use web application firewalls.
-
Because it's easy to accidentally run services or set up services temporarily and forget that you left them running. With UPnP being able to automatically/dynamically open ports, a firewall is just another layer of protection. You can also configure firewalls to ignore packets silently or log dropped packets, and if applications ever get new versions and end up listening on new ports, you would have to manually allow the ports. Maybe you want to have one part of an application accessible through the firewall but not another part of the application.
Plus, like you said, country blocking is nice, and there are also other features too like being able to throttle connections, especially with things like fail2ban.
It's just another layer of protection, and it ensures that everything you run is deliberate.
It honestly depends on how you run things.
If everything is in containers, chances are you're already getting the benefits of a firewall. For example, with podman or docker, you already explicitly expose ports, which is already a form of firewall. If you're running things outside of containers, then yeah, I agree with you, there's too much risk of something opening up a port you didn't expect.
Everything I run is with podman, which exposes stuff with iptables rules. That's the same thing a basic firewall does, so adding a firewall is superfluous unless you're using it to do something else, like geoip filtering.
When in doubt, use a firewall. But depending on the setup, it could be unnecessary.
