I’ve spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:
- “It’s just good security practice.”
- “You need it if you are running a server.”
- “You need it if you don’t trust the other devices on the network.”
- “You need it if you are not behind a NAT.”
- “You need it if you don’t trust the software running on your computer.”
The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you’re doing it – it is essentially a non-answer. #2 is strange – why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access. #4 feels like an extension of #3 – only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.
If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?
A large part of this is only thinking of a firewall as preventing inbound connections. A big part of securing a net comes from preventing things like someone establishing an outbound connection on some random port and siphoning off everything to a home base.
A firewall in itself won’t cover everything, that’s just ports, protocols, and addresses. Tack on an IPS for behavioral scanning, reputation lists for dynamic ‘do not allow connections to/from these IPs’ and some DNS filters or a proxy to help get vision into the basic 80/443 traffic that you can’t just block without killing the internet and you’ve got something going.
A firewall is not security on a box, although most think of it that way. A lot of commercial security-suite products actually do a few things, but it’s just easier to market it to grandma if they simply call it a firewall; it’s a term well embedded in the public consciousness.
What’s to stop said malware from siphoning data over a known port? If one were to block all outbound connections, then they essentially have an offline device. If they were to want to browse the web, for example, they would need to allow outbound connections to at least HTTPS, HTTP, and DNS. What’s to stop the malware from simply establishing a connection to a remote server over HTTPS?
That’s where some of the other lines come into play. Stop the bad domains with some lists in pi-hole/ad-guard; use IP reputational blocking tools; proxies can be used for decrypting traffic if you want to go that route; IPS systems can help identify behavioral patterns for known bad actors.
I like to think of a basic firewall as the very efficient big dumb first line. You block everything except what is needed, and it doesn’t matter what app or vulnerability is in play: those ports are dead to the world. Then the more refined tools dig through the rest to find the various evil bits and needles in the needle stack.
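The layering described in the answer and the reply above (a port/protocol/direction firewall as the dumb first line, then domain and IP reputation lists behind it), as an added example that is not code from anyone in the thread. It evaluates a few constructed connection records through the three layers in order and shows the exact case the follow-up question raises: a beacon to a bad host on tcp/443 sails through the port-based firewall and is only stopped by the domain or reputation layer. The blocklists, the `Conn` record, and the addresses (RFC 5737 documentation ranges) are assumptions made up for this example.

```python
# Added example, not from the thread: a tiny layered egress evaluator.
# Layer 1 = port/protocol/direction firewall (default-deny inbound,
# outbound only to tcp/80, tcp/443, udp/53, plus established replies).
# Layer 2 = domain blocklist applied to the name the client resolved.
# Layer 3 = IP reputation list. First drop wins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Conn:
    direction: str                    # "in" or "out"
    proto: str                        # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    dst_name: Optional[str] = None    # name resolved before connecting, if known
    established: bool = False         # packet belongs to an existing outbound flow

# What the "big dumb" firewall lets out: enough to browse and nothing more.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Constructed lists for this example; a real deployment would feed these
# from pi-hole/ad-guard style lists and an IP reputation source.
BLOCKED_DOMAINS = {"tracker.example", "c2.example"}
BAD_NETWORKS = [ip_network("203.0.113.0/24")]   # TEST-NET-3, documentation range

def firewall(conn: Conn) -> Tuple[str, str]:
    """Layer 1: looks only at direction, protocol and port."""
    if conn.established:
        return ("allow", "established flow")
    if conn.direction == "in":
        return ("drop", "default-deny inbound")
    if (conn.proto, conn.dst_port) in ALLOWED_OUTBOUND:
        return ("allow", "outbound allow-list")
    return ("drop", "outbound port not in allow-list")

def domain_filter(conn: Conn) -> Tuple[str, str]:
    """Layer 2: block if the resolved name or any parent domain is listed."""
    if not conn.dst_name:
        return ("allow", "no name to check")
    labels = conn.dst_name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return ("drop", "blocked domain")
    return ("allow", "domain not listed")

def ip_reputation(conn: Conn) -> Tuple[str, str]:
    """Layer 3: block destinations inside a bad-reputation network."""
    addr = ip_address(conn.dst_ip)
    if any(addr in net for net in BAD_NETWORKS):
        return ("drop", "bad reputation")
    return ("allow", "reputation ok")

LAYERS = [("firewall", firewall), ("dns", domain_filter), ("reputation", ip_reputation)]

def evaluate(conn: Conn) -> Tuple[str, Optional[str], str]:
    """Run the layers in order; return (verdict, layer that dropped, reason)."""
    for name, fn in LAYERS:
        verdict, reason = fn(conn)
        if verdict == "drop":
            return ("drop", name, reason)
    return ("allow", None, "passed all layers")

# Constructed sample traffic.
SAMPLE = {
    "ssh_scan":      Conn("in",  "tcp", "198.51.100.20", 22),
    "reply_to_us":   Conn("in",  "tcp", "198.51.100.20", 51000, established=True),
    "odd_port":      Conn("out", "tcp", "198.51.100.5", 4444),
    "browsing":      Conn("out", "tcp", "198.51.100.8", 443, dst_name="www.example.com"),
    "c2_over_https": Conn("out", "tcp", "198.51.100.9", 443, dst_name="beacon.c2.example"),
    "bad_ip_https":  Conn("out", "tcp", "203.0.113.7", 443),
}

if __name__ == "__main__":
    for label, conn in SAMPLE.items():
        print(f"{label:14s} -> {evaluate(conn)}")
```

The point the evaluator makes concrete: `c2_over_https` and `bad_ip_https` both get an `allow` from `firewall()` alone, because on ports/protocols they look exactly like browsing; only the name and reputation layers separate them from `browsing`.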