Linux Application Firewall

For desktop users who want additional privacy

What Is a Firewall

28 May 2020 | Tags ( introduction firewall faq )

A firewall decides who your computer can talk to. It is the one that decides whether your computer can access Facebook or Google, and whether other people can access programs running on your computer.

Every computer comes with a built-in firewall. Whether you’re running macOS or Windows, there is a firewall running in the background, silently deciding who your computer can communicate with and who it can’t.

What does it do?

The default setting for most firewalls is to block incoming connections but allow outgoing ones. That is, programs on your computer can send data to another computer, but other computers can’t start talking to you [1].

Take your web browser (Firefox or Google Chrome) for example: you asked it to connect to the server linux-application-firewall.org and show you this web page. The firewall decided that, since the web browser is on your computer, it is allowed to communicate on the network, and that it is allowed to talk to the server linux-application-firewall.org.

Now, if you were at a coffee shop and someone wanted to talk to your computer, perhaps to see if you are sharing any folders or running any services [2], your firewall would normally stop the other computer from talking to any of your programs.

How does it decide?

The figure below shows the process that your computer makes when it talks on the network. The left box is your computer, the middle is the firewall and the right the network.

The firewall box has two questions, ‘Outbound, allowed?’ and ‘Inbound, allowed?’; these are the “Firewall Rules”. They are set by your distribution’s maintainer and by you. Firewall rules, or ‘access control lists (ACL)’, are the core principle of how a firewall works. They are basically a list of computers that are okay for your computer to talk to.

In the example above the firewall rule would be:

It is okay to connect to (Outbound) example.com over TCP port 443, and, because this computer started the conversation, the response from example.com (Inbound) is allowed.
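As an added example (not code from the original post or from the Linux Application Firewall project), the small model below walks through the same three-step decision: is this a reply to a conversation we started, does a rule in the ACL match, and if not, what is the default policy for that direction? The host names, ports and the packet sequence are constructed for the illustration; the rule blocking ‘ads.example’ stands in for any computer you have decided yours should not talk to.

```python
"""Model of how a desktop firewall answers 'Outbound, allowed?' and
'Inbound, allowed?'.  Added example; hosts and packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaving this computer, "in" = arriving from the network
    peer: str           # the other computer
    local_port: int     # port on this computer
    peer_port: int      # port on the other computer
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str         # "accept" or "drop"
    peer: str = "*"     # "*" matches any computer
    peer_port: int = 0  # 0 matches any port
    proto: str = "*"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.peer in ("*", p.peer)
                and self.peer_port in (0, p.peer_port)
                and self.proto in ("*", p.proto))


# Default policies described in the post: block incoming, allow outgoing.
POLICY = {"in": "drop", "out": "accept"}

# The access control list (constructed): the user has decided their computer
# may not talk to "ads.example", and explicitly allows HTTPS to example.com.
ACL = [
    Rule(direction="out", action="drop", peer="ads.example"),
    Rule(direction="out", action="accept", peer="example.com", peer_port=443, proto="tcp"),
]


class Firewall:
    def __init__(self, rules, policy):
        self.rules = rules
        self.policy = policy
        self.flows = set()   # connection tracking: conversations this computer started

    @staticmethod
    def _flow_key(p: Packet):
        # Same key for the outbound packet and its inbound reply.
        return (p.proto, p.peer, p.peer_port, p.local_port)

    def decide(self, p: Packet) -> str:
        # Step 1: replies to a conversation we started are allowed (footnote 1).
        if p.direction == "in" and self._flow_key(p) in self.flows:
            return "accept (established)"
        # Step 2: the first matching rule in the ACL wins.
        for rule in self.rules:
            if rule.matches(p):
                verdict = rule.action
                break
        else:
            # Step 3: nothing matched, fall back to the direction's default policy.
            verdict = self.policy[p.direction]
        # Remember outbound conversations we allowed so their replies can come back.
        if verdict == "accept" and p.direction == "out":
            self.flows.add(self._flow_key(p))
        return verdict


def run_example() -> list:
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = Firewall(ACL, POLICY)
    packets = [
        Packet("out", "example.com", 51000, 443),        # browser opens HTTPS
        Packet("in", "example.com", 51000, 443),         # the server's reply
        Packet("in", "laptop-in-cafe", 445, 49152),      # unsolicited probe of file sharing
        Packet("out", "ads.example", 51001, 443),        # blocked by the user's rule
        Packet("out", "other-site.example", 51002, 80),  # no rule: default outbound policy
        Packet("in", "other-site.example", 51002, 80),   # reply to the conversation above
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_example():
        print(verdict)
```

The same policy in nftables terms is an input chain with ‘policy drop’ plus a ‘ct state established,related accept’ rule, and an output chain with ‘policy accept’; the connection-tracking step is what lets the reply from example.com through a firewall that otherwise blocks everything inbound.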

Fin

This is a very high-level introduction to what a firewall is. Firewalls are complex systems and can be quite confusing. Hopefully this post has cleared up some of the confusion.

If not, please get in touch with me via email or Matrix (pete at port 22 dot co dot uk). You can also direct message me @pgmaynard on Twitter.


[1] Technical note: Other computers can talk to you if you initiate the connection first.

[2] Note: A service is a program that starts when your computer boots and listens for other computers. The program might share private information such as photos or documents.


Header photo by Viktor Forgacs

Updated on 24 Sep 2020 (CC BY-SA 4.0)
An Uncharted Security project.