iptables and nftables are just different frontends to the netfilter kernel module.
OpenSnitch is a nice for the desktop environment, deny by default and prompts the user when an application requests a open port, at first the prompts can get a little overwhelming given how many things want to connect to xyz server but eventually lightens up.
I really dont like the idea that a program on my local os doing things I don’t want it to do and the only thing stopping it is a software firewall.
If you don’t trust the platform then you shouldn’t be using it. No bandaid like antivirus or firewall can help with that.
Its a little annoying on Linux but I wonder what it would be like on Windows.
The firewall is annoying? I would argue and say the firewall is protecting your computer from connecting to a rouge server, annoying or not it’s better than some douche abusing an exploit in your system.
Windows firewall already does prompt like this
Glasswire and Tinywall(?) are like this.
Simplewall works great, it’s open source. And yes, there are a couple of million requests made by windows apps alone, which are completely fine to block. Simplewall also blocks windows telemetry. I have to use win11 at work and it’s an absolute ahitstorm of network requests that you don’t get to see when using windows firewall.
Glaswire looks beautiful and functions well, but you will hit the paywall after a couple of weeks (I used this on the around 2010 I think)
Trivial. It pops up, you click.
These firewall tools are interesting, but I honestly haven’t needed them in years. The premise is a little out of date. Who puts cloud servers on the open internet these days? Everything I see uses a public load balancer and a WAF service.
Sure, but what if youve configured your waf or w/e incorrectly, what if someone gains access to another part of your network? Having sane firewall settings is always better than none at all.
All the cloud services I’ve used had virtual network firewalls for internal traffic. Security Groups for AWS, Cloud Firewall for GCP, etc. That’s typically how lateral traffic gets managed. Defense in depth is good, but as I said I haven’t used host firewalls in forever, and we get audited for security certificates every year, and no auditor has asked about them that I recall.
A lot of people host websites created with a static site generator just fine without that extra layer. Unless your site has expensive to generate dynamic pages, lots of video content, or deep changelog pages (wiki history or forge commit diff’s publicly available), it makes a lot of sense to keep it simple.
Putting everything behind Cloudflare is just cargo cult behaviour and learning all the ins and outs of it isnt any harder than learning a firewall (which is transferrable knowledge that can also protect your machines from each other).
If you’re trying to be cost-effective, renting a VPS for a fixed term instead of using a IaaS platform that provides all these things just by clicking a checkbox, then caring about your firewall is a necessary part of building the system image that you deploy. You can of course set up your own private networking between systems and build the same type of architecture that a IaaS would provide, but to do that you’re going to need to understand everything about linux networking and netfilter already.
Maybe that’s the context. All of my cloud hosting work is very large corporate systems in the big three clouds. You’re talking about Hostinger or Scalahosting type services, yes?



