I’ve been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I’ve been meaning to get UFW on it but I’ve been too lazy to do so. Is it a necessary thing that I need to have or it’s a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I’d say my server’s pretty secure but not the furthest I could take it. Opinions please?

  • non_burglar@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    5
    ·
    9 days ago

    Op means, as they said, a firewall on the server itself.

    NAT is, effectively, a firewall.

    No it isn’t. Stop giving advice on edge security.

    • hedgehog@ttrpg.network
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 days ago

      Are you saying that NAT isn’t effectively a firewall or that a NAT firewall isn’t effectively a firewall?

      • non_burglar@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        9 days ago

        NAT simply maps IPS across subnet boundaries in such a way that upstream routing tables don’t need updating.

        If you use destination NAT forward rules to facilitate specific destination port access, you are using a firewall.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      3
      ·
      edit-2
      8 days ago

      How is NAT not a firewall? Sure theoretically it isn’t but I’ve yet to see a implementation of NAT that doesn’t act as a Firewall

      • non_burglar@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        8 days ago

        Because NAT acts as a firewall with a “default deny” policy for incoming packets, but no other rules. You cannot prevent a device on the private subnet side of a NAT from attempting to communicate with an “outside” ip with nat alone, nat doesnt understand the concepts of accept/deny/drop.

        All nat does is rewrite address headers.

        The machines behind a NAT box are not directly addressable because they have private IP addresses. Machines out on the general Internet cannot send IP packets to them directly. Instead, any packets will be sent to the address of the NAT box, and the NAT box looks at its records to see which outgoing packet an incoming packet is in reply to, to decide which internal address the packet should be forwarded to. If the packet is not in reply to an outgoing packet, there’s no matching record, and the NAT box discards the packet.

        It’s a confused topic because for a lot of people, nat does essentially everything they want. As soon as you get into more complex networking where a routing table needs to be updated, or bidirectional fw rules, it becomes apparent why routing + fw + nat is the most common combo.