Posted on Sep 29, 2017
What basic functions should the average computer user know about software or hardware firewall configuration?
2.45K
10
11
2
2
0
Update (4/16/2020): This was meant to apply to users on their PC on their home network. Looking back, I should've specified this much earlier.
I'm going to start with a few:
1. How to turn it on
2. Logging
3. That it's not a complete solution
4. What it does and doesn't do
I'm going to start with a few:
1. How to turn it on
2. Logging
3. That it's not a complete solution
4. What it does and doesn't do
Informational Security
Cybersecurity
Cyber
Privacy
Computers
Edited >1 y ago
Posted 7 y ago
Responses: 6
3
3
0
SGT (Join to see) In a perfect world, you don't want the average user touching the firewall at all in any way. They are likely to cause more problems than they can possibly solve. What I want the average user to know about the firewall is that if a site they need to complete a task is blocked by the firewall, send the URL to the IT Group so it can be reviewed and a decision made. Sorry, Netflix is not needed for work purposes.
(3)
(0)
SPC(P) (Join to see)
Ideally most users shouldn't have to know too much about firewalls, especially not how to config them. Perhaps they might need to know a bit more about them in a ipv6, post nat(network address translation) world. Some people benefited security-wise being behind a nat due to ipv4 address scarcity, but they can do just fine without nat if they have a stateful firewall. So as consumers they should have a clue to look for that as a feature in their cable modems or dsl whatever.
As consumers they should also be aware that they can have negative effects towards the computing "eco-system"(for lack of better term)... Such as the negative effect they have had on the adoption of ecn(explicit congestion notification) and other ip and tcp extensions. Firewalls have tended to ossify things in a rigid ways that stifle progress. Also see the tendency to put everything through ports 80 and 443 , even when that's silly. Erodes the legitimate use of port numbers as a protocol multiplexing determinate. They should know to keep away from overly aggressive firewall products.
Home users likely need things like flatpak/bubblewrap/selinux to sandbox apps more than they need most traditional firewalls.
[[Netflix is not needed for work purposes.]]
Probably not needed. I don't use netflix, but don't they have some nonfiction shows on it? For work machines I'd want to block or turn off drm features though: so no silverlight, flash, or eme(Encrypted Media Extensions).
I do remember once that I had to debug a dns issue so I turned on logging, caught someone in the middle of porn viewing. So I can understand companies, and the government trying to get some control over wasting time and resources during business hours.
As consumers they should also be aware that they can have negative effects towards the computing "eco-system"(for lack of better term)... Such as the negative effect they have had on the adoption of ecn(explicit congestion notification) and other ip and tcp extensions. Firewalls have tended to ossify things in a rigid ways that stifle progress. Also see the tendency to put everything through ports 80 and 443 , even when that's silly. Erodes the legitimate use of port numbers as a protocol multiplexing determinate. They should know to keep away from overly aggressive firewall products.
Home users likely need things like flatpak/bubblewrap/selinux to sandbox apps more than they need most traditional firewalls.
[[Netflix is not needed for work purposes.]]
Probably not needed. I don't use netflix, but don't they have some nonfiction shows on it? For work machines I'd want to block or turn off drm features though: so no silverlight, flash, or eme(Encrypted Media Extensions).
I do remember once that I had to debug a dns issue so I turned on logging, caught someone in the middle of porn viewing. So I can understand companies, and the government trying to get some control over wasting time and resources during business hours.
(1)
(0)
PO3 Steven Sherrill
SPC(P) (Join to see) - Unfortunately we still have some third party software that requires Silverlight. Which is compounded by trying to explain to our users that it is a limitation of the software. We had one who thought buying a new computer would solve the problem, then they were upset when a spanking new PC still gave them errors in Chrome for Silverlight.
(1)
(0)
SPC(P) (Join to see)
PO3 Steven Sherrill - Yes I mostly wanted to emphasize the drm aspects of silverlight and flash... Even though in a more ideal world you'd want such things be be Open Standards with at one implementation licensed using Open Source license(s).
There were attempts to make compatible software for these.
flash had https://www.gnu.org/software/gnash/
silverlight had http://www.mono-project.com/docs/web/moonlight/
https://www.dwheeler.com/essays/opendocument-open.html
https://www.dwheeler.com/essays/open-standards-open-source.html
There were attempts to make compatible software for these.
flash had https://www.gnu.org/software/gnash/
silverlight had http://www.mono-project.com/docs/web/moonlight/
https://www.dwheeler.com/essays/opendocument-open.html
https://www.dwheeler.com/essays/open-standards-open-source.html
GNU Gnash - GNU Project - Free Software Foundation
GNU Gnash is the GNU Flash movie player — Flash is ananimation file format pioneered by Macromedia which continues to besupported by their successor company, Adobe. Flash has been extendedto include audio and video content, and programs written inActionScript, an ECMAScript-compatible language. Gnash is basedon GameSWF,and supports most SWF v7 features and some SWF v8 and v9.
(1)
(0)
1
1
0
That we have a firewall to protect the network and that it'd not ok to try and get around it.
(1)
(0)
1
1
0
Iptables. A scripting language to automate it, TCL if you're working on Cisco. What the standard ports are. What ephemeral ports are. TCP/IP. Handshaking. How to defeat IDS.
(1)
(0)
SPC(P) (Join to see)
https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/
Yes it's great to know what the ports are, admins should have a couple sample configs that they tweak a bit; most shouldn't have to go too crazy. That implies that they might have to know how their use of ports is different from the norm.
stateful configurations for tcp connections.
Not to firewall icmp completely.
These are not for standard average users though.
Yes it's great to know what the ports are, admins should have a couple sample configs that they tweak a bit; most shouldn't have to go too crazy. That implies that they might have to know how their use of ports is different from the norm.
stateful configurations for tcp connections.
Not to firewall icmp completely.
These are not for standard average users though.
What comes after 'iptables'? Its successor, of course: `nftables` - RHD Blog
Nftables is a new packet classification framework that aims to replace the existing iptables, ip6tables, arptables and ebtables facilities.It aims to resolve a lot of limitations that exist in the venerable ip/ip6tables tools. The most notable capabilities that nftables offers over the old iptables are: Performance: Support for lookup tables – no linear rule evaluation …
(0)
(0)
SGT (Join to see)
Firewalld is popular now on the Linux side. ConfigServer Security & Firewall (CSF) is great on servers as you mainly list ports in one file or GUI page.
SPC(P) (Join to see)
SPC(P) (Join to see)
(0)
(0)
Read This Next
Continue with Facebook 
Continue with Google