Firewall section

It will help monitor your internet traffic, point out any suspicious connections or unusual bandwidth consumption, show whether any non-consensual tracking/telemetry is done or was introduced recently, and catch malware.

Linux:

Windows:

Simplewall is archived. A better and more feature-rich alternative is Fort, but you have to disable core isolation because Microsoft is a scammer.

macOS:

Android:

There are multiple options: AFWall+, NetGuard, Karma Firewall, Rethink. I don’t know which one is considered the “most” useful here, as I don’t have much experience with all of them.

iOS:

Lol no.

5 Likes

I think it would be more useful to provide information on proper hardware firewalls instead. With an emphasis on ones with open source firmware support, as this provides an indirect privacy benefit and allows for more budget solutions.

Not only will they provide much better firewall functionality, but hardware solutions are going to be far less reliant on whatever operating system the user's device runs on.

3 Likes

Regarding macOS, also consider Little Snitch (software firewall). Although it's paid and proprietary software, I find it to be superior.

2 Likes

I am interested in physical firewalls as well, but I know nothing about them. Are there any brands or products that are recommendation-worthy?

Disclaimer: I co-develop an on-device “firewall” for Android.

Debatable. The closer you’re to what you intend to block, the more surgical you can get.

OS firewalls are better because they have more context (see Little Snitch) about a given request.

This is also a reason why in-browser plugins work better for content blocking than OS/hardware firewalls. They’re that much closer to the content of the webpages.

True, though the limitation is, save for road warrior setups (like Tailscale), your hardware is staying at home, unreachable. Not workable for smartphones (or devices that roam, like notebooks).

5 Likes

I will concede on this point, you probably know more about firewalls than I ever will.

Correct me if I am wrong, but wouldn't a hardware firewall + browser extension be better than a software firewall + browser extension in most cases?

Depends on how much work the community and staff want to put into the section, but obviously firewalls could be split into a bunch of subsections, either by OSI layer, type, etc.

I agree, I tend to believe though that securing the home network through a firewall is probably the biggest need for most people.

1 Like

Yes, but more specifically:

  1. If the browser is close to the only software you use, and you never install apps or services that potentially run in the background (other than those built in to the OS).
  2. IP rules are enough and there isn’t a need for per-app rules.

A network-level (hardware) firewall makes total sense when you do not have much control over the OS (no root access). For example, Apple apps on macOS & iOS or Google+OEM apps on Android retain the ability to bypass user-set firewall/VPN rules at will.

1 Like

Would everyone prefer a general “Firewalls” section with both software and hardware types?

If we do implement this section, I would like additional discussion on specific recommendations (specifically for hardware-based firewalls) since this section would be very research-intensive.

3 Likes

I don’t think a single section would make much sense, since that would imply that you can freely choose between the two. (e.g. choosing between cloud-based or self-hosted email, you don’t need both.) A con of a hardware firewall is that it will only protect you while on your home network (unless you VPN into your home network, but I think such a setup becomes too complicated, especially if you want to use a public VPN for your public internet traffic). On the other hand, hardware firewalls have clear benefits over software-based ones, like the obvious fact that Apple can’t choose to bypass your hardware firewall when it comes to their own apps.

6 Likes

You can mention that you can use both if you want extreme control over your whole traffic.

1 Like

This is an amazing idea as a software firewall is necessary for most Windows 10/11 users:

Originally, my plan was to set up a HARDWARE firewall device that’d connect to my router, but then I realised that this entire firewall device could be bypassed if a Windows PC has a backdoor way of communicating with a malicious user online.

My thread may help you:
Software Firewall for Windows? - #75 by Average_Joe

You forgot to mention Safing Portmaster, which is open source and cheap:

No I didn’t: What do you think about Safing Portmaster and SPN? - #14 by jerm

3 Likes

I appreciate your reply!

My mistake Jerm!

I have no link with the Portmaster company, but it still looks like the best of everything I’ve looked at. It’s only $3.50 per month if you sign up for a 12-month plan for the Plus version, it gives you 5 devices to install upon, and it’s multi-platform.

I’m using NetGuard (Premium version) on Android and it seems fine.

Above OS solutions aside:

  • pfSense has pfBlockerNG, which is probably the best all around, but pfSense itself has issues
  • OpenWrt has the banIP package; it works well enough with some elbow grease
  • OPNsense has native support for external ipsets via floating rules, but that is rough and even more work
  • Deep packet inspection via Snort/Suricata hasn’t really been viable for a good decade now with the widespread HTTPS adoption, but may still be worth running if you’ve the hardware to spare
  • If you have a managed switch you can further employ ACLs on your VLANs to enforce strict and fine-grained isolation, e.g. additionally enforcing at the network layer that no management ports (SSH) can be accessed while still allowing clients to access other services.
    • This can also be useful as a fallback/backstop in case e.g. firewalld fails to start

I would avoid “true”/traditional hardware firewalls as that is usually hellish vendor lock-in, but they do still excel at certain use cases (extremely high packet processing/edge filtering).

2 Likes
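A concrete version of the blocklist idea in the post above (pfBlockerNG, banIP and OPNsense ipsets all boil down to loading an address feed into a kernel set), as an added example that is not code from those projects or from the poster: it parses a constructed plain-text feed, rejects malformed entries instead of silently dropping them, collapses duplicates and adjacent blocks, and renders an nftables table that also carries the post's "client VLAN may not reach management ports" rule on the router. The feed contents, the `vlan20` interface name and port 22 are assumptions for the demonstration.

```python
"""Build an nftables blocklist ruleset from a plain-text IP/CIDR feed.

Constructed example (not any project's code). Feed format assumed: one
address or CIDR per line, '#' comments, blank lines, as most public feeds
use. The output is text to review and load with `nft -f`.
"""
import ipaddress

# Constructed sample feed: comments, blanks, a duplicate, an overlap,
# two adjacent /25s, an IPv6 block, and two malformed lines.
SAMPLE_FEED = """\
# constructed blocklist for demonstration
203.0.113.0/24
203.0.113.77        # already covered by the /24 above
198.51.100.5
198.51.100.5        # duplicate
192.0.2.0/25
192.0.2.128/25      # adjacent to the /25 above; collapses into 192.0.2.0/24
2001:db8:bad::/48
10.0.0.1/33         # invalid prefix length: must be reported, not silently lost
not-an-address
"""


def parse_feed(text):
    """Return (valid networks, rejected (lineno, entry) pairs)."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 1.2.3.4/24)
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))
    return nets, rejected


def collapse(nets):
    """Merge duplicates, overlaps and adjacent blocks; one list per family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def is_blocked(ip, v4, v6):
    """True if `ip` falls inside any collapsed block (what the set would match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in (v4 if addr.version == 4 else v6))


def _nft_element(net):
    """Host entries as bare addresses, everything else in CIDR form."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def render_nft(v4, v6, client_vlan="vlan20", mgmt_ports=(22,)):
    """Render an nftables table: drop blocklisted sources/destinations and keep
    the client VLAN off management ports. Interface and ports are assumptions."""
    def set_block(name, family, nets):
        lines = [f"    set {name} {{", f"        type {family}", "        flags interval"]
        if nets:  # nft rejects an empty 'elements = { }' clause
            lines.append("        elements = { " + ", ".join(_nft_element(n) for n in nets) + " }")
        lines.append("    }")
        return lines

    ports = ", ".join(str(p) for p in mgmt_ports)
    out = ["table inet blocklist {"]
    out += set_block("blocked4", "ipv4_addr", v4)
    out += set_block("blocked6", "ipv6_addr", v6)
    out += [
        "    chain input {",
        "        type filter hook input priority filter; policy accept;",
        "        ip saddr @blocked4 counter drop",
        "        ip6 saddr @blocked6 counter drop",
        f'        iifname "{client_vlan}" tcp dport {{ {ports} }} counter drop comment "client VLAN may not reach management"',
        "    }",
        "    chain forward {",
        "        type filter hook forward priority filter; policy accept;",
        "        ip saddr @blocked4 counter drop",
        "        ip daddr @blocked4 counter drop",
        "        ip6 saddr @blocked6 counter drop",
        "        ip6 daddr @blocked6 counter drop",
        "    }",
        "}",
    ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    nets, rejected = parse_feed(SAMPLE_FEED)
    v4, v6 = collapse(nets)
    for lineno, entry in rejected:
        print(f"# rejected line {lineno}: {entry!r}")
    print(render_nft(v4, v6))
```

Review the rejected lines before loading anything: a feed that suddenly produces many rejects (or a suspiciously large block such as `0.0.0.0/0`) is a sign the upstream changed format or was tampered with, and that is exactly the kind of thing a blind cron job would push into the kernel unnoticed.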

I used to think this way as well: a dedicated firewall device running a firewall OS like OPNsense.

However, if a Windows 10/11 PC has a software trojan installed that’s connected to the Internet and sending telemetry containing personal and private user information back to a malicious person on the Internet, then the dedicated firewall is useless…

It’s so easy to install an app in Windows 10/11 that will send private user information back to someone on the Internet, such as a PDF reader app or a malware-infected word processor, etc. This is why I feel like a software firewall is always necessary.

This page has some great info that I think will be helpful for users on here:

You don’t even have to go there. It isn’t unheard of for OEMs to plug in a SIM / eSIM to bypass Wi-Fi (and thus the hardware firewall / firewall OS local to a network). An on-device firewall might do the trick, but since OEMs also control the OS, they might have their apps/processes bypass an on-device firewall too.

For instance, on Android, all OEMs have to do is add their apps to an “allowlist” to skip VPNs (VPNs are the only way today to implement a “firewall” on non-rooted Androids): Show Android components that can bypass VPN even in lockdown mode · Issue #224 · celzero/rethink-app · GitHub

1 Like

strong disagree

both should be used as I mentioned above

that writeup is slop

3 Likes

Protectli firewalls might be worth looking at. These are the ones Michael Bazzell recommends.

It should be noted that Protectli does not manufacture these devices. They are all made by a Chinese company called Yanling. Protectli orders them in bulk and resells them. Protectli offers to flash the firewall firmware with coreboot before shipping your device. This is highly recommended, and replaces the stock Chinese firmware on the device with an open-source alternative to legacy BIOS options. This provides a simpler, faster, and more secure overall boot process for your device. Protectli offers coreboot firmware specifically for these devices for free on their website.

Source: Extreme Privacy: VPNs & Firewalls Digital Edition (20250101), pages 30-31.

Protectli is dedicated to providing reliable, cost-effective, and secure computer equipment with coreboot-based firmware tailored for their hardware. It comes with the Dasharo firmware, maintained by 3mdeb. Protectli hardware has verified support for many popular operating systems such as Linux distributions, FreeBSD, and Windows. Support includes Debian, Ubuntu, OPNsense, pfSense, Proxmox VE, VMware ESXi, Windows 10 and 11, and many more.

Source: Coreboot