Is there any firewall installed with OSMC? (then - choose iptables or better ufw?)

#1

Hello,
I am using OSMC for a long time, now I am trying to make some educational exercises with Linux.
Is there any firewall installed on OSMC original image?
And it is good idea to install a ufw? Or better will be when installing and using “clean” iptabels?

Greetings!
JA

Connecting 3G usb dongle/modem to osmc on raspberry pi
#2

No. Your local router/gateway should be providing security to the devices connected to your lan. There should be no reason for any firewall on OSMC as it should never be set up in a net facing configuration.

#3

This is not a good security practice (to not have a firewall on a device) since if the network is compromised, then the devices on the network are more easily compromised themselves. IOT attacks are dramatically on the rise, and hardening the Vero 4K is something needed in this day and age.

#4

We used to use iptables in Raspbmc to provide LAN access only. This provided to be quite problematic and didn’t seem to provide any additional security.

Remember there is a fine balance between realistic security measures and convenience.

We are of course happy to hear some suggestions. If you propose some default rules or changes to behaviour we can look over them.

#5

I’m going to try and get firewalld running (simply because it is a somewhat simpler system, that I am familiar with). The key will be trying to figure out all the possible ports and protocols for various services. I’ll share any progress or lack thereof.

#6

I’d always recommend that you place your potentially dodgy IOT devices on a completely separate subnet (or subnets), well away from your “real” machines, such that you can see them but not vice versa.

#7

I agree with this, definitely. However, it won’t be the default situation in most homes.

#8

Agreed, but neither are most people likely to configure firewalls on each of their machines. So in your own case, while adding firewall capability to OSMC is probably useful, you shouldn’t use it as a substitute for properly partitioning your network.

2 Likes
#9

Well, my point is that shipping a device with firewalling is something a vendor can do, rather than requiring customers to redesign their network. I understand from @sam_nazarko that iptables have caused trouble in the past. I’ll settle for figuring out what I can do on my own and share the steps involved if/when that happens. Configuring a firewall is not actually that difficult for most devices, easier than partitioning in some cases, though both are useful security measures.

#10

If an iot attack is the first point of breech, it makes more sense to focus on securing that vector.

#11

OSMC is already shipped with a firewall: iptables. All it needs is a wee bit of configuration and, as you point out:[quote]
Configuring a firewall is not actually that difficult for most devices
[/quote]

But realistically, configuring a firewall to meet users’ unique needs is likely to be an unwanted complication for the majority of people, and a significant support burden for us here on the forums. And remember that firewalld cannot use an X-based interface, since OSMC doesn’t use X, so you’ll need to use the command line, plus AFAIK it doesn’t talk to connman.

#12

Security is everyone’s responsibilty, and for every device. Popular vectors should be a focus, but not the the exclusion of everything else.

#13

And this statement right here should be the public service announcement advertised far and wide. It is the end user himself that is usually his own worst vector because, the dangers of following some random tutorial found online or installing an army of iot devices to increase convenience, are not more strongly advised or widely know to amateur enthusiasts.