I've spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:
- "It's just good security practice."
- "You need it if you are running a server."
- "You need it if you don't trust the other devices on the network."
- "You need it if you are not behind a NAT."
- "You need it if you don't trust the software running on your computer."
The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you're doing it -- it is essentially a non-answer. #2 is strange -- why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router's NAT at port 80 to open that server's port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one -- what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there's nothing to access. #4 feels like an extension of #3 -- only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don't know how it works), you don't want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device's actions.
If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it's acting like the front door to a house, but this analogy doesn't make much sense to me -- without a house (a service listening on a port), what good is a door?
To keep your system secure no matter what, you open up only the ports you absolutely need.
People will always make a mistake while configuring software, a firewall is there to make sure that error is caught. With more advanced firewall' you can even make sure only certain app's have access to the internet to make sure only what you absolutely need toconnect to the internet does.
In general it's for security, but can also be privacy related depending on how deep you want to get into it.
EDIT: It isnt about not trusting other devices on your netork,or software you run, or whether you are runni g a server. It's about general security of your system.
This sounds very interesting. This would have to be some forme of additional layer 7 firewall, right (As in it would have to interract with system processes, rather than filtering by network packet at layers 3, and 4)? Does this type of firewall have a specific name, or do you perhaps have some examples? I don't think it would be possible with something like nftables, but I could certainly be wrong.
I honestly only know of a windows one called simplewall.
I used to use it to outright block windows telemetry, microsoft services, apps, ...
It also helped me to save a lot of bandwith in regards to windows and all the stuff that comes preinstalked with it.
I havent searched for one for linux, mostly because 90% of apps I run are cli tools that don't require internet connection, but I'm sure there is probably one that exists.
OpenSnitch was recommended to me in this comment. I've set it up, and it seems to be working quite well. While doing some research on the topic, I also came across Portmaster, but, while it does look nice, some of it's features are locked behind a paywall, so I'm not interested -- OpenSnitch works just fine!