I've spent some time searching this question, but I have yet to find a satisfying answer. The majority of answers that I have seen state something along the lines of the following:
- "It's just good security practice."
- "You need it if you are running a server."
- "You need it if you don't trust the other devices on the network."
- "You need it if you are not behind a NAT."
- "You need it if you don't trust the software running on your computer."
The only answer that makes any sense to me is #5. #1 leaves a lot to be desired, as it advocates for doing something without thinking about why you're doing it -- it is essentially a non-answer. #2 is strange -- why does it matter? If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router's NAT at port 80 to open that server's port to the public. What difference does it make to then have another firewall that needs to be port forwarded? #3 is a strange one -- what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there's nothing to access. #4 feels like an extension of #3 -- only, in this case, it is most likely a larger group that the device is exposed to. #5 is the only one that makes some sense; if you install a program that you do not trust (you don't know how it works), you don't want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device's actions.
If anything, a firewall only seems to provide extra precautions against mistakes made by the user, rather than actively preventing bad actors from getting in. People seem to treat it as if it's acting like the front door to a house, but this analogy doesn't make much sense to me -- without a house (a service listening on a port), what good is a door?
If it's going to some undesirable domain, or IP, then you can block the request for that application. The exact capabilities of the application layer firewall certainly depend on the exact application layer firewall in question, but this is, at least, possible with OpenSnitch.
For the actual content of the traffic, is this not the case with essentially all firewalls? They can't see the content of te traffic if it is using TLS. You would need to somehow intercept the packet before it is encrypted on the device. I'm not aware of any firewall that has such a capability.
The exact level of fine-grain control heavily depends on the application layer firewall in question.
Interesting.
I do, perhaps, somewhat understand this argument, but it still feels quite ridiculous to me.
I think OpenSnitch can do it roughly 2 different ways. Either you use an allow-list. That's pretty secure. But it'll severely interfere with how you're used to browse the internet. You're gonna allow Wikipedia and your favorite news sources, but you won't be browsing Lemmy and just randomly clicking on articles and blogs since you have to specifically allow them in the firewall first. Or you're using a deny-list. That's something like what Chrome does, have a list of well-known malicious sites and it'll ask you 'Do you really want to visit that site? It spreads malware.' It'll add tremendously to security. But won't protect you entirely. Hackers frequently break into webservers to spread malware from new servers. Ones that aren't yet in the list of bad IPs. It'll work for some time until the application firewall and the Chrome browser catches up and they'll move on to a different server. You should definitely think about that and prevent being the millionths victim, however.
I think we're talking about vastly different concepts here. Desktop computers and servers, consumers and enterprises are threatened in vastly different ways. And thus they need different solutions that handle the different threats. On a desktop computer the main way of compromising it is getting people to click on something. Or do whatever an official-looking e-mail instructs them to do. On a server that is meaningless. There isn't that much random applications someone clicks on without thinking it through. There is no e-mail client on the server. But on the other side you're serving random people from all over the world. Your connections are different, too. And if someone wants to upload their malware somewhere or send spam... They're going to go for a server and not a desktop computer.
About the "Störerhaftung": I think so, too. It's been ridiculous and in the end the courts also ruled it's against the law. The 100€ is also not something you have to pay. They want it and it's just a way to settle out of court. If you pay them, they'll promise to forget about this one time and not care about who did it. I think these kind of settlement exist all around the world and it's not illegal. And the copyright has to find some means of pressuring people, even if it's a bit shady, since such copyright offenses aren't a major crime and courts are often times bothered with more important stuff.