
Include a firewall back end in the next ISO
Closed, Wontfix · Public

Description

One can't assume that people have routers with decent firewalls so please consider a firewall back end (ufw or other). A graphical front end is non-important to me but it might be beneficial to some.

Should you decide to include a graphical front end as well, please consider something that blends nicely with Plasma (definitely not Gufw).

Nitrux and KaOS use the Nomad front end.

https://github.com/nx-desktop/nx-firewall
https://nxos.org/#nomad-firewall
https://kaosx.us/packages/view.php?repo=apps&name=nomad-firewall-0.6-2

jraleigh created this task. Jan 4 2019, 1:07 PM
Herald removed sunnyflunk as the assignee of this task. Jan 4 2019, 1:07 PM
Herald added a subscriber: sunnyflunk.
DataDrake closed this task as Wontfix. Jan 4 2019, 1:09 PM
DataDrake added a subscriber: DataDrake.

Not going to add packages to the base install that most people don't use. If you want a firewall manager that integrates with Plasma, file a Package Request.

> Not going to add packages to the base install that most people don't use. If you want a firewall manager that integrates with Plasma, file a Package Request.

One cannot assume that most people have decent router firewalls and one cannot assume that most people don't use a firewall other than the one that may or may not work properly in their routers (if at all).

I don't need to assume anything. The default policy is to deny all incoming connections unless a user runs a program that opens a port. The only reason to install a firewall is to explicitly prohibit a program from opening a port or to restrict out-going connections.

> The default policy is to deny all incoming connections unless a user runs a program that opens a port. The only reason to install a firewall is to explicitly prohibit a program from opening a port or to restrict out-going connections.

Sounds like a firewall to me. What am I missing here?

It's not a firewall. It's a static system policy. If there's nothing listening on a port, the only thing that sees the packets is the kernel/driver. Firewalls dynamically configure packet filters in the kernel which actively perform some form of packet inspection.

Hasshu added a subscriber: Hasshu. May 18 2019, 9:10 AM

> It's a static system policy.

@DataDrake Do you mean an iptables policy? Also, is it set to block or drop incoming connection attempts (i.e., does it make your PC's ports appear closed or stealth)?

To be frank, I struggle to have confidence in Solus' security at this point.

EbonJaeger added a subscriber: EbonJaeger. Edited Jun 10 2019, 3:37 PM

It appears to me that iptables is already installed by default since I have it and did not explicitly install it. If you want configuration tools, there are multiple options in the repo that you can grab post-install.

DataDrake added a comment. Edited Jun 10 2019, 4:09 PM

This isn't Windows. Linux has a much better security model out of the gate, which is why most mainstream Linux distributions ship without a firewall application enabled by default. Even on Ubuntu you have to enable the firewall on a fresh install if you want to use it. The ones that do, ship with firewalld which has a horrible end-user experience. Find me a firewall or firewall manager that is actively developed, has a stable release, and prompts users with a graphical dialog when services want to communicate, and then we'll talk.

> If you want configuration tools, there are multiple options in the repo that you can grab post-install.

@Gnat008 And that's the problem: I should be able to secure my PC before going online.

> This isn't Windows. Linux has a much better security model out of the gate, [...]

@DataDrake I'm aware of that, yet "better" doesn't mean "flawless". Not to mention that we're talking about firewalls, and not antivirus software.

> [...] which is why most mainstream Linux distributions ship without a firewall application enabled by default. Even on Ubuntu you have to enable the firewall on a fresh install if you want to use it.

I believe it's simply because many assume that everyone has a router.

> The ones that do, ship with firewalld which has a horrible end-user experience.

I'm not sure what you mean by "a horrible end-user experience", but I at least can use firewalld on Fedora to secure my PC before connecting to the Internet. It also allows me to make all the ports stealth in a few mouse clicks, whereas Ubuntu's ufw requires manually editing config files to make it drop incoming ICMP echo requests.

> Find me a firewall or firewall manager that is actively developed, has a stable release, and prompts users with a graphical dialog when services want to communicate, and then we'll talk.

So, is it about firewalls somehow being unneeded with GNU/Linux, or about there not being a suitable one...? Anyhow, if you mean something similar to "personal firewalls" on Windows, OpenSnitch does look quite promising. See also this discussion on Reddit: https://www.reddit.com/r/linux/comments/a9ipg0/once_you_discover_opensnitch_you_wonder_why_isnt/

Incidentally, why are you acting so belligerent? I came here with a genuine question, but was met with much hostility.

livingsilver94 added a comment. Edited Jun 11 2019, 10:10 AM

I concur with the opinion that firewalld isn't horrible. On the contrary, its CLI is well organized and the concept of firewall zones is handy.

> I concur with the opinion that firewalld isn't horrible. On the contrary, its CLI is well organized and the concept of firewall zones is handy.

You are missing my point entirely. We do not expect users to learn to use the command line. We need a graphical firewall with alerts like the Windows firewall before I consider shipping one by default.

@Hasshu I think you are misreading my tone. I am being terse, not belligerent or hostile. I mean that we need a firewall that is easy for a novice user to use and requires no knowledge of TCP/UDP/IP to be usable. OpenSnitch has been on my radar as a candidate for awhile, but still doesn't have a stable release.

If you want to use firewalld, it's a quick install and it's obvious you know how to use it.

crom5 added a subscriber: crom5. Jun 12 2019, 8:11 AM

I am an old computer user who never used a computer without a firewall. I am very happy that my Epson L365 printer/scanner works ok in a WiFi mode, but not without firewall being turned off. I don't accept that in 2019 my firewall is not smart enough to understand that my Epson L365 printer/scanner is a friend and not an enemy :(

> I think you are misreading my tone. I am being terse, not belligerent or hostile. I mean that we need a firewall that is easy for a novice user to use and requires no knowledge of TCP/UDP/IP to be usable.

@DataDrake I see. You probably know that already, but there is a graphical front end for firewalld called firewall-config; setting it up is just a matter of selecting one of the predefined firewall zones. It is also possible to select a different zone for every network connection directly via NetworkManager.

> If you want to use firewalld, it's a quick install and it's obvious you know how to use it.

Again, in order to install a firewall I would have to go online — it's a chicken-and-egg situation.

> OpenSnitch has been on my radar as a candidate for awhile, but still doesn't have a stable release.

Personally, I believe that an imperfect interim firewall would be better than no firewall at all, but yeah... I hope that OpenSnitch is going to see a stable release in the foreseeable future.

> Again, in order to install a firewall I would have to go online — it's a chicken-and-egg situation.

In order to fetch updates for that very firewall to ensure what you're running doesn't have a vulnerability, you'd have to do it too. And if you don't trust the source (a repo provided by us, over HTTPS) with providing you package updates and the packages themselves, including the firewall, and to install your firewall, then why should you be installing Solus in the first place?

Don't forget the ISO they used to install in the first place.

> And if you don't trust the source (a repo provided by us, over HTTPS) with providing you package updates and the packages themselves, including the firewall, and to install your firewall, [...]

@JoshStrobl Erm... Where did I say anything along these lines? My point is that any general-purpose OS should have a firewall preinstalled. @DataDrake mentioned some static system policy that's supposed to make up for that, but my question about it was ignored.

DataDrake added a comment. Edited Jun 14 2019, 9:37 AM

And our point is that Linux doesn't need a firewall if there aren't any open incoming ports on a base install. Linux rejects incoming requests unless something is actively listening on an incoming port. That's been the case for as long as I can remember.

Edit: To reiterate, the purpose of incoming firewall rules is to restrict access to open ports from remote devices. Ports are only opened for incoming communications when services are listening for requests. Those requests can still be denied by those services. The purpose of outgoing firewall rules is to restrict what ports can be opened to issue requests to remote devices and which remote devices may be communicated with.
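The argument above hinges on which ports actually have something listening, and on whether that listener is bound to loopback or to every interface. As an added example (not code from this thread or from Solus), here is a Python parser for /proc/net/tcp and /proc/net/tcp6 that lists the LISTEN sockets and classifies their exposure; the sample table contents are constructed, not captured from a real install.

```python
import ipaddress

# Constructed sample of /proc/net/tcp and /proc/net/tcp6 (not captured from a real
# Solus install): sshd on all IPv4 interfaces, CUPS on loopback, one established
# outbound connection (not a listener), and an IPv6 service on [::]:9090.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19001 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:A3F4 5E03A8C0:01BB 01 00000000:00000000 02:00000ABC 00000000  1000        0 22310 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:2382 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 25577 1 0000000000000000 100 0 0 10 0
"""
LISTEN = "0A"  # socket state code for TCP_LISTEN in /proc/net/tcp*

def decode_addr(hex_addr: str) -> str:
    """Kernel hex form: IPv4 is one little-endian 32-bit word, IPv6 is four
    little-endian 32-bit words laid out in network order."""
    raw = bytes.fromhex(hex_addr)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return str(ipaddress.ip_address(b"".join(words)))

def exposure_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback only"   # never reachable from the network, firewall or not
    if ip.is_unspecified:
        return "all interfaces"  # 0.0.0.0 or ::, answers on every interface
    return "single address"

def parse_listeners(proc_text: str) -> list[tuple[str, int, str]]:
    """Return (address, port, exposure) for each LISTEN socket in the text of
    /proc/net/tcp or /proc/net/tcp6; non-listening states are skipped."""
    found = []
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        addr = decode_addr(addr_hex)
        found.append((addr, int(port_hex, 16), exposure_of(addr)))
    return found

def remotely_reachable(listeners):
    """The listeners a remote host could reach: the only ones incoming rules matter for."""
    return [l for l in listeners if l[2] != "loopback only"]
```

On a live Linux host, pass the contents of /proc/net/tcp and /proc/net/tcp6 to parse_listeners instead of the sample strings; anything remotely_reachable returns is a port that is open in the sense DataDrake describes.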

> And our point is that Linux doesn't need a firewall if there aren't any open incoming ports on a base install.

OK.