Host Firewall

From Kicksecure
Jump to navigation Jump to search

Essentials

Info The recommendation to install a host firewall is documented in the Computer Security Education section, along with basic settings.

Dedicated Connection

If possible, it is safer to avoid sharing the network (LAN, Wi-Fi, hotspot) with other potentially compromised machines.

Filtering Ports

Introduction

From time to time a user asks which incoming/outgoing ports are required by Template:Gateway product name. The answer is:

  • Incoming: none.
  • Outgoing: all.

Incoming

Template:Gateway product name itself does not open any ports. Users are advised to close all ports on the host as outlined in the Host Firewall Essentials entry.

Outgoing

Warning: This procedure is not recommended. Port-based filtering of outgoing traffic is not applicable (as in useful) in the case of Template:Gateway product name.

Filtering outgoing ports is difficult, since Tor entry guards or bridges listen on a variety of different ports. Limiting ports Tor uses for outgoing traffic is still possible, but recommended against, since it reduces anonymity. The effect is fewer entry guards or bridges are made available to the user. If users wish to proceed despite the risk, follow the instructions below.

On Template:Gateway product name.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Kicksecure inside Qubes, complete the following steps.

Qubes App Launcher (blue/grey "Q")Kicksecure ProxyVM (commonly named kicksecure)Tor User Config (Torrc)

If you are using a graphical Kicksecure, complete the following steps.

Start MenuApplicationsSettings/usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Kicksecure, complete the following steps. Click = Copy Copied to clipboard! sudo nano /usr/local/etc/torrc.d/50_user.conf

Add.

Click = Copy Copied to clipboard! ReachableDirAddresses *:80 ReachableORAddresses *:443 ## maybe: FirewallPorts PORTS ## See Tor manual: https://www.torproject.org/docs/tor-manual.html.en

Save.

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Kicksecure inside Qubes, complete the following steps.

Qubes App Launcher (blue/grey "Q")Kicksecure ProxyVM (commonly named 'kicksecure')Reload Tor

If you are using a graphical Kicksecure, complete the following steps.

Start MenuApplicationsSettingsReload Tor

If you are using a terminal-only Kicksecure, click HERE for instructions.

This issue was also discussed in the old Template:Project name forumarchive.org iconarchive.today icon.

NAT Router

Being behind an ordinary NAT router might provide a marginal layer of extra security. In all cases, it is recommended to purchase a commercial-grade router and avoid cheap models, since they are often less-secure.

It is also suggested to review the entire Router and Local Area Network Security chapter, particularly:

Port Scan

Using an Internet-based port scanner servicearchive.org iconarchive.today icon to test the local LAN's router/firewall is a sensible idea. Users must carefully research and find a legitimate service, since many companies only want to sell a product and will purposefully present false positives. A better alternative is to scan the local LAN with a port scanning application from an external IP address. To scan the home IP address, users can either login remotely (SSH) via an external machine, or proxy through an external IP address. Detailed instructions on accomplishing that are beyond the scope of this document.

A special case is presented by users who share a LAN with other PCs (a stand-alone machine is not used). In this instance, the port scanning/testing service or a port scan application from an external IP address will actually only scan the local LAN's router/firewall and not the actual host's PC. If the latter is mis-configured, then the user could be susceptible to attacks from other machines within the LAN which sit behind the router, and a false sense of security could be the result.

For example, if the user shares the LAN with flatmates who are not so sophisticated in computer security, then those foreign machines should be regarded as potentially malicious. There is every possibility they may have been infected with a botnet already or other harmful programs. Therefore, the user cannot trust the output of a port scan application running on their machine. If there is no spare machine for testing, then foreign computers on the LAN can be booted from a live CD, and the user can scan their personal machine with a port scan application. Details on how to accomplish that task are also outside the scope of this document.

Footnotes

Notification image
Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Host_Firewall&oldid=52782"