Build that firewall
Protect your ports, lock down your sockets – there’s a packet storm ahead.
Windows ships with its firewall enabled by default. Desktop users can run a friendly firewall GUI such as ufw, or even write their own iptables or nftables rules, but distros universally leave this up to the user. A cynic might say that this is because Linux users have enough trouble with networking as it is, but the reality is that most desktop users don’t need a firewall.
DANGER OF NAT SLIPSTREAMING
“It was possible for an attacker to establish a direct connection to a machine behind a NAT gateway.”
This changes as soon as you start running services (such as having listening ports that the whole world can connect to). The NAT (network address translation) layer on home routers that filters traffic from its external IP address to the local network (for example 192.168.* addresses) was never meant as a security layer, but it has for years mostly worked as one. As anyone who ever tried to send a file over MSN Messenger in the early naughties will tell you, establishing a direct connection to a machine behind a NAT gateway is difficult, even more so when your machine is likewise NAT-ed.
The only way through NAT would be to forward the appropriate ports on your router. And if you want your home server to be accessible from the outside world, you’ll still have to do this. Modern applications, though, can submit their own port forwarding demands to (compliant) routers through UPnP, so that these are all arranged transparently. One such example is the Transmission BitTorrent client, which forwards the port(s) of your choosing and enables peers to connect to you. If a peer can’t be reached, then the protocol enables the connection to work in the other direction, which thanks to the port-forwarding magic outlined previously should proceed without a hitch.
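An added example (not from the original article): before forwarding a port by hand or letting an application request one over UPnP, it helps to know which listening sockets are bound beyond loopback. This Python script parses the Linux `/proc/net/tcp` table to list them; the sample table, the function names and the IPv4-only, little-endian scope are assumptions of the example.

```python
import ipaddress

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:C8D5 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0A01A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0A01A8C0:9C40 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20004
"""
TCP_LISTEN = "0A"  # socket state code for LISTEN

def decode_addr(field):
    """Decode '0100007F:0277' to (IPv4Address('127.0.0.1'), 631).
    Assumption: little-endian host (x86, most ARM), so address bytes are reversed."""
    hex_ip, hex_port = field.split(":")
    return ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1]), int(hex_port, 16)

def listening_sockets(table):
    """Return (ip, port, exposure) for each LISTEN socket, sorted by port."""
    found = []
    for line in table.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue                             # established etc. are not listeners
        ip, port = decode_addr(cols[1])
        if ip.is_loopback:
            exposure = "loopback-only"           # never reachable from the LAN
        elif ip.is_unspecified:
            exposure = "all-interfaces"          # 0.0.0.0: bound on every interface
        else:
            exposure = "single-address"
        found.append((str(ip), port, exposure))
    return sorted(found, key=lambda s: s[1])

def reachable_off_host(table):
    """Listeners that a port forward (manual or UPnP) could expose to the internet."""
    return [s for s in listening_sockets(table) if s[2] != "loopback-only"]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:        # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE                           # fall back to the constructed sample
    for ip, port, exposure in reachable_off_host(table):
        print(f"{ip}:{port} {exposure}")
```

A host firewall can still filter any of these ports; the script reports how sockets are bound, not whether packets actually reach them.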