# How to stay safe on public wifi?

## grant123

I'm going to try a co-working space where I'll be on public wifi.  My firewall blocks all inbound connections.  Is there anything else I should do to stay safe?

----------

## albright

*Quote:*

> My firewall blocks all inbound connections

why not then just turn off your wifi interface?

----------

## grant123

You mean connect via ethernet?  Is that less perilous than wifi?  I'd still be on the same network of course.

----------

## bentii

*grant123 wrote:*

> I'm going to try a co-working space where I'll be on public wifi.  My firewall blocks all inbound connections.  Is there anything else I should do to stay safe?

You could use a VPN to home or work (if they have one) to stay safe from snoopers.

*albright wrote:*

> *Quote:* My firewall blocks all inbound connections
>
> why not then just turn off your wifi interface?

It probably drops all inbound connections and only allows RELATED,ESTABLISHED ones through; it's a pretty common firewall setup.

----------

## NeddySeagoon

grant123,

The problem with shared (public) wifi is that everyone on the same network shares the same wifi key, so Wireshark will show you what everyone else on the network is doing.

Wired isn't much safer if you are connected to a hub, not a switch, everyone gets all the packets on the hub.

A switch is slightly safer, in that packets are (normally) only sent to the port that needs them.  It's possible to configure a switch to do port replication, so your traffic can be monitored.

You need a layer of encryption that's private to you when you are using an untrusted network. That's what a Virtual Private Network is for.

----------

## szatox

*Quote:*

> It's possible to configure a switch to do port replication, so your traffic can be monitored.

It's also possible to ARP spoof the gateway or overflow its memory, turning it into a hub. Works well enough with quite a lot of cheaper devices.

And finally there are devices like gateways and routers all along the ISP's network which forward your traffic and allow intercepting it. So, regardless of the connection you're using there is always a way to sniff on you. If you want to send anything confidential over any sort of public network (e.g. one you don't manage and control yourself), use an encrypted VPN on top of it.

----------

## UberLord

Re the topic - "How to stay safe on public wifi?"

I dislike the assumption that non public wifi (which includes physical cable connection) is safe.

Trust no-one.

----------

## depontius

Firewalling is all well and good, but it's only one layer.  When I'm not on a trusted network with my laptop, I run NO services.  Boot the laptop, login, start an xterm, "netstat -tupan" and the only thing you'll see is dhcp.

It's of questionable value these days, but running something like https-everywhere is a good idea, too.

And, as others have said, a VPN.

Finally, keep in mind that you're not home, and act appropriately, because there is a distinct possibility that all else will fail.

----------

## grant123

If a firewall is blocking all incoming requests, what are some dangerous scenarios I could run into besides snooping?

----------

## eccerr0r

If you don't trust the owner of the wifi, they could do routing tricks or dns tricks too.

For the most part, if you can understand your SSL certificates or use a VPN on an untrusted network, you're probably OK.  I ended up setting up a VPN on my home machine with two-way key verification to make sure I don't have a MITM when accessing my VPN, but I only use this when I completely don't trust the network.  Usually I have some trust (it's usually the routing hacks, dns cheats, and port blocking that may need to be worked around) and just use SSL over the network, and it's good enough for most other things.

I don't know if the intent of the query is also including services that might be running on your Gentoo box, but you can disable those if you're not comfortable with leaving them on and someone on the same AP/LAN is nmapping you.  Up to you, hopefully your machine is up to date and those services are not insecure.

----------

## Ant P.

If you have any possibility of using IPv6, configure it correctly. The kernel default is geared toward ease of use, not privacy.

For dhcpcd, putting this in its config is a good idea (to get rid of predictable MAC-based addresses):

```
# /etc/dhcpcd.conf: build SLAAC interface identifiers from a stable
# random value (RFC 7217) instead of the MAC address
slaac private
```

Put these in /etc/sysctl.d to make the system use random temporary addresses for outgoing connections. Daemons won't listen on temp addresses usually, so it makes it harder to scan you for open ports:

```
# e.g. /etc/sysctl.d/ipv6-privacy.conf (file name is only a suggestion)
# 2 = generate temporary addresses and prefer them for outgoing connections
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
```

And if you have an iptables firewall, make sure you have a corresponding ip6tables one.
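Added example (not from any poster in this thread): the "drop all inbound, allow RELATED,ESTABLISHED" laptop policy described earlier, written out for both iptables and ip6tables in the restore format. The chain layout, the DHCP exceptions and the ICMPv6 exceptions are this example's own choices; a plain copy of the IPv4 rules would break IPv6, because Router Advertisements and Neighbor Discovery arrive unsolicited.

```shell
#!/bin/sh
# Laptop ruleset for an untrusted network: INPUT defaults to DROP, only
# loopback and replies to our own connections (RELATED,ESTABLISHED) get in,
# on IPv4 and IPv6 alike. Output is iptables-restore / ip6tables-restore
# format (assumed layout; adjust to your own distro's firewall tooling).

# IPv4 rules. DHCP replies are sent to the broadcast address, so they do
# not match the conntrack entry of the request; open the client port.
v4_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
COMMIT
EOF
}

# IPv6 counterpart. Router Advertisement (134), Neighbor Solicitation (135)
# and Neighbor Advertisement (136) are unsolicited, so a blanket drop would
# leave the host without a router and without address resolution. ICMPv6
# errors such as Packet Too Big are RELATED and already covered above.
v6_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmpv6 --icmpv6-type 134 -s fe80::/10 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
COMMIT
EOF
}

# To load (as root):
#   v4_rules | iptables-restore
#   v6_rules | ip6tables-restore
```

Listening daemons bound to the temporary addresses would still be reachable only through what INPUT admits, so the rules and the sysctl settings above complement each other.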

----------

