Here are some basic facts to think about....

SSH keys are more secure than passwords, especially if the password is based
on words and any common morphing technique: Apple vs App13 or something like
that. Also, if you are running any sort of world-accessible service on
your systems, hackers usually try to download /etc/shadow and crack that
at their leisure and then use that on your ssh.

If you want to really secure ssh there are a plethora of strategies and we
can split that out into a different list. Suffice to say, I disallow
password authentication on public ssh access and rely on one-time
authentication tokens.

If your machine is behind a NAT and you have a network address like
192.168.x.y and you have not configured your router to forward traffic via
IP or socket, external malicious entities cannot access your computer
unless you contact them first. Thus it is perfectly fine to bring up a
system without a firewall.

I don't know what you propose for rules on your system's firewall, but
there are two types of threat from network access on Linux: (1) from
outside your local router and (2) from inside your local network. If you
are using NAT, and you are not forwarding IP or ports to a machine, you
have nothing to fear from the internet (at least nothing your firewall
can do anything about). If, however, you are using a Wi-Fi router and do not
have it secured, your biggest threat is from within your local network.

Zero-day vulnerabilities take many forms. Most have nothing to do with the
"internet" directly. They have more to do with compromised software.

https://www.cve.org/

I will say this: Linux does not "listen" on ports that do not have a
service. All access to your system from the network will have to go
through a service. You can control and limit the services on your Linux
system easily and audit all access. It is far, far more secure on Linux.
The default firewall that gets installed is just fine in 99% of
installations.

Seriously, even if this machine were on the open internet with a public
IP, I still wouldn't be worried about initial setup because they can't get
in without something being configured to let them in.

> Thanks for this thoughtful reply.  (Not that the other people who replied
> weren't thoughtful, it's just that I wasn't clear enough in my initial
> message.)
>
> To reply to your points one-by-one:
>
>> is this newly installed Linux machine on a publicly routable IP address,
>> or is it sitting behind a NAT, comfortably sitting on a 192.168 (or
>> 172.16, or 10.x) address?
>>
>> Related question:  don't you have a network firewall at your border?
>
> I'll check on these.  I have the standard home router that Verizon
> provides for Fios, and my Linux machines are the only devices that use
> that router.  But I would have to check on specifics and get back to you.
> It's also true that I might be reluctant to put my trust in anything
> Verizon gives when it comes to security/privacy issues. There are two
> risks for Verizon, both that they wouldn't be careful enough and that I
> wouldn't rule out them doing something I would consider malicious.
>
>> Umm... ssh passwords are MUCH less secure than SSH keys. So I would
>> rephrase this as "especially because I use passwords". Having said that,
>> unless your machine is publicly routable, you won't be getting any
>> external SSH connections.
>
> Thanks, this is definitely useful info.
>
>> Start your machine behind a firewall and get it configured before you
>> put it on the public Internet.
>
> That has been my plan from the beginning. The problem is, how do I get a
> working firewall before I put the machine on the public internet?  Given
> Debian's hostility to firewall-first users like me, I've been finding it
> difficult to solve that problem.
>
>>> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT -j
>>> DROP; ip6tables -A INPUT -j DROP"?  When I try that Firefox can't visit
>>> any websites.
>>
>> Because that will drop ALL incoming packets -- even packets that are
>> tied to existing connections.  This is what the ESTABLISHED,RELATED is
>> all about.
>
> Thanks, that was my suspicion too, especially after I found that these
> iptables settings made Firefox unable to access any websites.
> Unfortunately, when I searched online for suggestions on how to configure
> iptables or firewalld, almost all the suggested configurations I found
> were for "How to configure a firewall for a machine that will be a server"
> or assumed that the user wants things like ssh.  The idea of doing "-A
> INPUT -j DROP" was, incredibly, the only suggestion I could find anywhere
> online that was claimed to block all potentially malicious connections
> initiated from outside.  And, as you say, it doesn't work.  I wouldn't
> have expected my use case/threat model to be so unusual that no one would
> have suggestions for it on existing web pages, but since it seems to be
> that way, I'm asking on this list.
>
>> For what it's worth, Fedora comes with firewalld enabled by default in
>> the configuration you desire (although I do believe that it allows SSH
>> connections).
>
> I had planned to do a separate thread on problems configuring firewalld on
> Fedora, but we might as well move that topic here.  I did notice that
> Fedora comes with a version of firewalld that's up and running (no
> firewall-config, just firewall-cmd).  But as you say, its firewall
> settings are too loose.  So I can't safely connect Fedora to the internet
> out of the box.
>
> Again, it's very strange that Fedora's developers aren't providing a
> built-in option for my use case -- I think my use case is probably the
> same one that most users want if they only intend to do basic laptop stuff
> without relatively fancy things like ssh or webserver hosting, and are
> drawn to Linux for privacy/security reasons.
>
> Fedora 42's initial firewall actually enables a lot of stuff, not just
> ssh.  To be more specific, here is what I got, using an iso of Fedora 42,
> when I ran "firewall-cmd --list-all":
>
> target: default
> ingress-priority: 0
> egress-priority: 0
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client samba-client ssh
> ports: 1025-65535/udp 1025-65535/tcp
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich-rules:
>
> The man page for firewall-cmd is impenetrable -- lots of undefined terms
> like "policies", "services", "helpers", etc.  I don't even know whether
> policies, services, helpers, etc. are things inside firewalld or things
> located elsewhere on the internet that firewalld can guard you against.  I
> haven't been able to work out how to configure firewalld safely.
>
> If there is a safe way to configure Fedora 42's firewall so I can connect
> to the internet, I'd be glad to hear.
>
>> You can (and should) also look into fail2ban for dynamic management.
>
> Thanks for this suggestion and for your other help.
>
> On Fri, Jan 16, 2026, at 11:10 AM, Derek Atkins wrote:
>> Hi Randall,
>>
>> I've been working in the cyber-security industry for over 30 years, and
>> I have a question for you:  is this newly installed Linux machine on a
>> publicly routable IP address, or is it sitting behind a NAT, comfortably
>> sitting on a 192.168 (or 172.16, or 10.x) address?
>>
>> Related question:  don't you have a network firewall at your border?
>>
>> more inline...
>>
>> On Fri, January 16, 2026 10:55 am, Randall Rose wrote:
>>> Sorry, I left out some context.  The context is that I simply do not
>>> want to connect a machine to the internet without a firewall -- ever.
>>> Regardless of how secure Linux may be in the abstract, I believe
>>> zero-days exist for Linux, and I prefer the extra security that a
>>> firewall provides.  For example, I do not want to allow a random outside
>>> node to do ssh into my machine even though I use passwords.
>>
>> Umm... ssh passwords are MUCH less secure than SSH keys. So I would
>> rephrase this as "especially because I use passwords". Having said that,
>> unless your machine is publicly routable, you won't be getting any
>> external SSH connections.
>>
>> [snip]
>>
>>> Here are my questions, rephrased for clarity:
>>>
>>> 1. Given that I want a firewall as strong as what "ufw enable" provides
>>> and Debian doesn't provide ufw on its iso, what is the best way to
>>> achieve it?
>>
>> Start your machine behind a firewall and get it configured before you
>> put it on the public Internet.
>>
>>> 2. Any thoughts on why it doesn't work to just do "iptables -A INPUT -j
>>> DROP; ip6tables -A INPUT -j DROP"?  When I try that Firefox can't visit
>>> any websites.
>>
>> Because that will drop ALL incoming packets -- even packets that are
>> tied to existing connections.  This is what the ESTABLISHED,RELATED is
>> all about.
>>
>> For what it's worth, Fedora comes with firewalld enabled by default in
>> the configuration you desire (although I do believe that it allows SSH
>> connections).
>>
>> You can (and should) also look into fail2ban for dynamic management.
>>
>> -derek
>> --
>>        Derek Atkins                 617-623-3745
>>        [email protected]             www.ihtfp.com
>>        Computer and Internet Security Consultant
>

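The point made above that every network entry into a Linux host goes through a listening service suggests a quick audit: list the sockets that are bound to something other than loopback. The script below is an added example, not part of the thread; the `ss` output it parses is constructed, and the `exposed_listeners` function name is mine.

```shell
# exposed_listeners: read `ss -tulnH` output on stdin and print the sockets
# bound to something other than loopback, i.e. the only network entry points
# into the host (a service has to be listening for anything to get in).
# Run it for real with:  ss -tulnH | exposed_listeners
exposed_listeners() {
  # ss -tuln columns: Netid State Recv-Q Send-Q Local:Port Peer:Port
  awk '
    {
      la = $5
      n = split(la, parts, ":")
      port = parts[n]
      addr = substr(la, 1, length(la) - length(port) - 1)
      sub(/%.*/, "", addr)   # drop an interface scope such as 127.0.0.53%lo
      # Loopback-only binds are unreachable from the network; skip them.
      if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
      print $1, addr, port
    }'
}

# Constructed sample of ss output (not captured from a real host): a time
# daemon and CUPS on loopback, mDNS and sshd bound to every address.
SAMPLE_SS='udp   UNCONN 0 0    127.0.0.1:323       0.0.0.0:*
udp   UNCONN 0 0    127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:5353        0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0 4096 127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0 128  [::]:22             [::]:*'

# Number of network-reachable listeners in the sample (3: mDNS, sshd v4, sshd v6).
count_exposed() {
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners | awk 'END { print NR }'
}
```

Anything the script prints is what a firewall rule or a disabled service has to account for; an empty list means the host accepts no unsolicited connections at all.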

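For the client-only laptop case discussed in the quoted exchange (block all inbound, keep Firefox working), here is the ruleset that adds the conntrack ESTABLISHED,RELATED rule a bare "iptables -A INPUT -j DROP" lacks, plus the ICMPv6 and DHCPv6 exceptions without which IPv6 silently breaks. This is an added example, not from the thread or from Debian/Fedora; the function names are mine, and the rules are in iptables-restore format so they can be reviewed before being loaded with `gen_v4_rules | sudo iptables-restore` and `gen_v6_rules | sudo ip6tables-restore`.

```shell
# Client-only firewall: inbound default DROP, but replies to connections the
# host opened are let back in via conntrack (the piece a bare
# "iptables -A INPUT -j DROP" is missing). Constructed example.
gen_v4_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets belonging to connections this host initiated (e.g. Firefox's TCP sessions)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP errors keep path-MTU discovery and traceroute-style diagnostics working
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
COMMIT
EOF
}

# IPv6 needs a few more holes or it silently stops working: Neighbor Discovery,
# Router Advertisements and DHCPv6 replies (what firewalld's dhcpv6-client covers).
gen_v6_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# DHCPv6 answers arrive from the router's link-local address to UDP 546
-A INPUT -s fe80::/10 -p udp --dport 546 -j ACCEPT
COMMIT
EOF
}

# Offline check: how many rules admit traffic at all (4 for v4, 9 for v6).
count_accepts() { "$1" | grep -c -- '-j ACCEPT'; }
```

Nothing here opens a port for new inbound connections, so no service on the host is reachable from outside; a Debian install can load these from a local file before the machine is ever plugged into the network.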
_______________________________________________
Discuss mailing list
[email protected]
https://lists.blu.org/mailman/listinfo/discuss