Add an installation step for firewall setup, or notify the user that no firewall is enabled by default

Hi, Manjaro team!

According to Linux Security - Manjaro:

Running a local firewall is almost always a good practice.

and to Does Manjaro has disabled firewall by default?

Please introduce an installation step of firewall setup.
If a user prefers not to enable a firewall, then the user will be notified that the firewall is disabled in their installed copy of the OS.

The simplest basic single rule can prevent huge problems: block all incoming connections on all protocols (at least TCP and UDP).

This installation step will greatly reduce many risks, or the user will be notified of that serious security flaw.

Thanks!

Just to understand: What should a software firewall on your computer do better than the firewall in your NAT router? The only reason I can understand would be a mobile device that is on the move in foreign WLANs.

2 Likes

I guess this idea comes from Windows, where the firewall is enabled by default. And yes, there are services running in the background which need to be protected. For example “Windows Share” is enabled by default.

I mean yes, it has some benefits if the firewall is enabled on devices which are not in a protected network like “direct mobile connections”, “foreign or public Wifi Spots” (so without a NAT), but on Manjaro there are ZERO services running in the background by default which would provide a port, which could be accessed.

If you install a SAMBA Server or SSH Server, then it makes full sense, but in that case you will need to install and configure the firewall yourself. This is additional software and not part of a basic Manjaro Installation.

You can test it yourself. Run:

nmap -p0-65535 ip_of_the_computer

If there is no open port, then there is no risk. And a firewall is useless this way on a private computer.

Which applications would need such a behavior? Malware? Then don’t install this software…

5 Likes

I installed the manjaro-kde-21.06-development-unstable-210618-linux510.iso from the Release 202106180255 · manjaro-plasma/download · GitHub list

$ lsof -i
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
kdeconnec  927    m   11u  IPv6  19913      0t0  UDP *:xmsg 
kdeconnec  927    m   12u  IPv6  19914      0t0  TCP *:xmsg (LISTEN)
....

Also, the image includes the qBitorrent package.
What did you mean by “zero”?

Nice :+1: You have searched and have found something!

But these images are made for development. Commonly, as I know, development builds have lax security built in for easier tracking. These are not made for production systems.

Besides that, KDE Connect would be completely dysfunctional if you enable a firewall here at the beginning. As I remember (I am not a KDE User at all), KDE Connect pairs its devices for sharing. So it gets authenticated by a key, which has been shared at first connect. So you want to make a service dysfunctional at the beginning which is designed to be always on?

Authentication: Keyfile only
Connection: TLS Encryption
Behavior: You have to allow each device explicitly.

So at the end, the only DE, which has one open port, is KDE. Don’t get me wrong, KDE is a great piece of software, but it aims to be like WindBlows and adapt also bad behaviors. So I am not a fan of KDE at all.

You want to block bittorrent? Seriously? I mean, to block certain IPs, there is commonly used a blocklist, but the whole Port Range? Funny :clown_face: I hear the user crying in my mind: “Why is bittorrent not working? Shit Linux, it blocks everything.”

So @alven please explain, why you would block bittorrent or KDEConnect as a common user instead of removing it or just stopping/disabling the service?

2 Likes

The same image, but now the printer service (I suspect that other DEs have the same service, as supporting one service is simpler than different services targeted at the same purpose):

$ sudo lsof -i
COMMAND      PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
...
cupsd        527  root    7u  IPv6   17293      0t0  TCP localhost:ipp (LISTEN)
cupsd        527  root    8u  IPv4   17294      0t0  TCP localhost:ipp (LISTEN)
...
man cupsd
NAME
       cupsd - cups scheduler

SYNOPSIS
       cupsd [ -c cupsd.conf ] [ -f ] [ -F ] [ -h ] [ -l ] [ -s cups-files.conf ] [ -t ]

DESCRIPTION
       cupsd  is  the  scheduler  for CUPS. It implements a printing system based upon the Internet Printing Protocol, version 2.1, and supports most of the requirements for IPP Every‐
       where. If no options are specified on the command-line then the default configuration file /etc/cups/cupsd.conf will be used.
$ pacman -Qi cups
Name            : cups
Version         : 1:2.3.3op2-3
Description     : The CUPS Printing System - daemon package
Architecture    : x86_64
URL             : https://github.com/OpenPrinting/cups
Licenses        : Apache  custom
Groups          : None
Provides        : None
Depends On      : acl  pam  libcups>=2.3.3op2  cups-filters  bc  dbus  systemd  libpaper  hicolor-icon-theme
Optional Deps   : ipp-usb: allows to send HTTP requests via a USB connection on devices without Ethernet or WiFi connections
                  xdg-utils: xdg .desktop file support [installed]
                  colord: for ICC color profile support [installed]
                  logrotate: for logfile rotation support [installed]
Required By     : cups-pdf  gutenprint  manjaro-printer
Optional For    : foomatic-db-gutenprint-ppds  hplip
Conflicts With  : None
Replaces        : None
Installed Size  : 12.34 MiB
Packager        : Evangelos Foutras <<hidden>>
Build Date      : Sun 18 Apr 2021 21:52:54 EEST
Install Date    : Fri 18 Jun 2021 06:05:37 EEST
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

There is the manjaro-kde-21.06-development-unstable-210618-linux510-pkgs.txt file with packages listed in the image on the same Release 202106180255 · manjaro-plasma/download · GitHub page, which contains

...
cups 1:2.3.3op2-3
...

the version of which is the same as listed in the pacman -Qi cups output above on the machine that uses it.

So, it is another network listening service, built in and running.
Moreover: I do not have a hardware printer, I did not even print to a file (for example, print to a PDF file), I did not even open the print window (Ctrl+P or via the menu), but I have that network service listener already running. I.e. I did not ask it to run.

Now about stable release:
https://download.manjaro.org/kde/21.0.7/manjaro-kde-21.0.7-210614-linux510.iso

The same cupsd and kdeconnect services listen for external connections; both are present even in the LiveCD session.

Nobody can be 100% sure about open ports, because nobody can control every package update, every build, every hardware configuration, so new open ports are just a question of time. I believe you can stop telling your imagination stories and can provide payload info, but it is harder to do than just typing some text. I think it is better to develop a project instead of defending it by trying to prevent any changes to it.

Also, besides open ports.
In every primitive scan for open ports from outside, a scanner sends a TCP SYN to the user’s PC. If there is no handler for a port, then the PC sends a TCP RST packet, so the event is handled by the TCP/IP stack, which is a part of the kernel.
If that part of the kernel has a vulnerability, then it could be exploited to get the highest permissions.
If a firewall is on, then the TCP SYN packet is handled by other code, the netfilter subsystem, and then there will be no response at all, or an ICMP packet with a special status code as the response.
Which approach is more secure is an open question, but netfilter is dedicated exactly to firewalls, not to general network purposes as the kernel is.

My idea goes like this:

  1. give info/warn users that no firewall is present by default
    or
  2. give users control of an initial primitive setup of a firewall

Both (1) and (2) will make users able to have a more secure OS from scratch: from the installation procedure.
Awareness of no firewall by default (and whoever wants will set it up after installation)
or
making an initial/basic setup of it.

Why not make a fast start from the simplest ever warning, I do not know.

Maybe someone does not like to make people’s PCs more secure by informing them about an important feature’s absence, or to enable them to make their own choice.

ok let me explain here… I started cups and sshd as an example:

cupsd     8708            root    7u  IPv6  96535      0t0  TCP localhost:ipp (LISTEN)
cupsd     8708            root    8u  IPv4  96536      0t0  TCP localhost:ipp (LISTEN)
sshd      8719            root    3u  IPv4  98325      0t0  TCP *:ssh (LISTEN)
sshd      8719            root    4u  IPv6  98327      0t0  TCP *:ssh (LISTEN)

*:ssh → every IP can connect (here you would need a firewall to restrict it)
localhost:ipp → only localhost is able to connect

So in fact, cups is not exposed to the network that way; while it can be used as a print server, it is by default restricted to localhost (only the computer which runs the service).

About kdeconnect: I think it should be disabled by default and only enabled if the user wishes to use it. I would disable it anyway.

However… sure, it is in general a good idea to inform the user who has used Windows before that there is no firewall installed, and why.

  1. Maybe the welcome message can be modified and this info can be added there.
  2. And a button to install ufw…

But in general, this option is more for Users who come from Windows. Common Linux-Users know that.

1 Like

When you have a system where you are not able to start or stop processes that open ports (or if you don’t trust the system itself), then the only solution is to protect the system from itself by installing a firewall that suppresses the use of the ports you want to block.
But you will have to:

  • understand and select every service you want to use
  • make a set of rules for your firewall that lets the service work without making big holes
  • trust the system, that it does not bypass the firewall (this has already happened)

On Linux we normally do it the other way. We often don’t use a firewall, because we are able to start or stop every process that opens a port. If we want to harden a machine, it is easy to detect open ports (as you did). When you find an open port, you are able to stop/disable the process.
This is similar to letting the process continue but stopping its traffic with a firewall. But it is less complex.

For a linux-user it is good practice to know what services are running on his machine.
Ssh for example is intended to be used as a service that is available in the network. So you are able to give ssh specific instructions on what is allowed and what not. If you don’t want ssh to get any packets, you only have to disable ssh. Then not only the ssh-port is blocked, but also the ssh-service does not run at all. But by default ssh is not installed, or not enabled.

You may be partly right, because a firewall has a lot of possibilities to select and block packets from different sources. On the other side, it was said that traffic from outside the local network should be blocked by the router.
And to maintain a firewall is also not easy. If you use a firewall you have to install a new service, then enable it, then allow its traffic in the firewall.

2 Likes

It’s like an Android phone that doesn’t need a firewall, because apps have been checked by the security team and posted on the Play Store, iOS too.

You can trust apps as open source in official repos of pacman more than closed source apps that may contain malware or spyware.

I have nothing to do (hard to find) with periodically opened ports and further opened ports after every piece of update. By the time something new is found, it could be too late for incidents done in the past, before each user investigation on a local machine.

But not every user is like that. Also, software gets updates constantly, mutating itself and switching to other dependencies or updating them. It is hard to investigate their state also. Do home users constantly investigate their machines, or do actual payload more frequently?

It should, but does it? There are many routers, obsolete models, or ones not supported quickly by the manufacturer / whose firmware is not audited frequently for issues, vulnerabilities and default settings.
Also, you forget portable devices and public WiFi services. In the 3rd decade of the 21st century it is an inappropriate approach, and their market/user share will only increase year by year.

Yeah, not easy. But way easier than daily controlling router firmware, its settings, all package updates on a PC and their suddenly new open ports.

Probably you think that Play Store and iOS apps are 100% secure and/or have no vulnerabilities. Ok, then.


I got the main idea: all my opponents got 8 likes, I got none.
Only I defend my idea. Nobody else. But against my idea are 4 men.

Maybe my development level is not so good, so only I want that feature, nobody else.
Ok, I got it.

Thanks to all who took part in the discussion.
I am done taking part in that discussion but will not close it, to preserve the feature request for others who may possibly agree with the requested feature in the near future.

Thanks everyone.

If I may interject with a less technical perspective?


Do you trust your own local network? Do you trust the people who use the same local network as yourself?

If so, a firewall running on each device makes little sense, as your router (and yes, even entry-level ones) by default rejects/ignores incoming connections from “outside” (the internet).

SSH, Samba, etc, are protected via authentication, encryption, and keypairs, and the configuration burden should be placed on the server running such services on the local network.

None of the above really justifies a local firewall running on each computer in the trusted local network.


Do you not trust your own local network? Do you not trust the people who use the same local network as yourself?

If so, then there’s a more serious issue that must be addressed with the people you live with and/or deal with on the same local network.


For everything else (such as examples laid out in the length of this discussion), these are the exceptions in which the user is intentionally going their own way to setup their own use-case and ecosystem.

The onus should be on the user to setup a locally run firewall and configure the extra steps needed for their security requirements.


Exceptions to the most common use-cases should not supersede the “out-of-the-box” experience for most users, novice, veteran, and everyone in between.


I hope this clears up some of the contention you might feel was directed at you. I’m not disagreeing with your use-case or others that you might be familiar with. Nor am I trying to say you’re “wrong”. I just wish to lay out a less technical “umbrella” perspective on the topic of “out-of-the-box” end-user experiences and expectations.

:v:

2 Likes

What if my local network is the Internet provider’s network?
What if my router has a vulnerability not known to the manufacturer, OR known and still unpatched, OR even out of the service period, OR the manufacturer does not exist anymore, OR I just don’t know about the update or can’t update right now?
What if some package got an update?

Nobody can control everything. A good idea is to have protection which you can switch off, rather than to not have protection at all.
Furthermore, in the case of an external network, the local router’s firewall should be set up also: what to forward to the local network and what not. It is also nearly the same process as firewall setup.
Again, as I said earlier, not every user is connected via their local network, but can use public WiFi or a hotspot, especially for portable devices.
Portable device users can’t have their router everywhere they are currently located at that moment / hour(s) / day(s).

About friends / trust or not. Trust has layers/levels. Nobody can predict everything. But it is not about friends or trust, as their machines can be infected / exploited also.
Finally, I got the reason for the resistance to increasing safety: my opponents possibly don’t know much about security cases: trust or not and friends or not are the only cause to block or to allow connections with them, 100% trust in the apps from the G.Play or iOS stores.

“If trust / friend then allow” is completely the same as being on the site of a new building construction w/o a helmet: you trust your friends, so nothing can happen.

Did you ever hold a gun?
Remember why the rule “do not point a gun at people” exists?
Remember why the safety lock exists? Do you not trust your family at home, or friends?

Again, it is not about trust / friends / family. It is one of the basic security concepts (if someone needs it, of course).

I’m still at my current development level of the idea that having a firewall is much better than its absence. Maybe sometime later I will know more about that and become like you, using trust / friend criteria only, or will have more evidence that you were completely wrong.

Ok, if you want, then my knowledge is too weak; ok, let it be that for now.

4 Likes

I think you are looking for Glasswire (network monitoring + firewall + notification if a new connection comes + statistics + virus scan + ease of use), but it only supports Windows.
Many people want to ask for it to support Linux and macOS…

1 Like

You’re probably right, but it may be too early to put a firewall in place for everyone from the time of installation. Manjaro is a small distribution, and you probably guessed that introducing a firewall that is switched on by default requires a lot of support at first.
All installation routines for packages with network functions would have to be adapted so that they open the necessary ports in the firewall (after consultation?). This can cause a lot of trouble over a long period of time. I don’t think Manjaro can play the pioneering role there.

Under Linux it is the case at the moment that everyone has to take responsibility for their own system. Instructions are given sufficiently e.g. in the ARCH-wiki. There are instructions for firewall as well as for backup (is also important and not set up automatically). For system maintenance …

If you want to secure your system, here are a few keywords that are worth looking for: ufw wireguard btrfs-send opensnitch … the list should be longer, but I know only so little. :sunglasses:

IMHO, it depends on your ISP and your country’s law about the internet (logging, identity protection…), and what you are doing on your computer; if you want to play with peer-to-peer, or fall into the darknet, you’d better have a moderate firewall configuration.
If it’s normal use, you have the choice.
And a firewall configuration is a second layer of defense if your router fails (meaning an old router with an outside vulnerability or not up-to-date).

But this has nothing to do with a firewall.

You’re right @omano , example removed

Why? Peer to peer will use certain ports to communicate, darknet (whatever this is) must also communicate over some kind of port. A firewall doesn’t help in any of these cases but will only add complications in using these services.

Thank you!

During initial startup, VLC itself asks something like whether to download file metadata from the Internet or not.
I answered to disallow access.

Likely the setting is here:

$ cat /home/m/.config/vlc/vlcrc | grep -iE "metadata[- ]network[- ]access"
# Allow metadata network access (boolean)
#metadata-network-access=0
$

I changed other settings, about 10-15 setting items: show toolbars, other interface-related stuff, input/codecs tab: profiles, deinterlace method… but I did not touch network settings after rejecting access to download metadata on initial VLC start.

So, what do we have here?

$ networkctl status | grep -iv "::"
WARNING: systemd-networkd is not running, output will be incomplete.

●        State: n/a
  Online state: unknown
       Address: 172.27.235.75 on enp1s0
       Gateway: 172.27.235.73 on enp1s0

$ sudo lsof -ni | grep -i vlc | grep -i ipv4
vlc       2836    m   19u  IPv4  20074      0t0  TCP 127.0.0.1:44149 (LISTEN)
vlc       2836    m   21u  IPv4  20075      0t0  UDP 127.0.0.1:44149 
vlc       2836    m   22u  IPv4  20077      0t0  TCP 172.27.235.75:35461 (LISTEN)
vlc       2836    m   23u  IPv4  20078      0t0  UDP 172.27.235.75:35461
$
command line args used (simple execution via GUI (Dolphin))

history of outbound connections (destination host list)

the `vlc` info
$ pacman -Qi vlc | grep -iv packager
Name            : vlc
Version         : 3.0.16-3
Description     : Multi-platform MPEG, VCD/DVD, and DivX player
Architecture    : x86_64
URL             : https://www.videolan.org/vlc/
Licenses        : LGPL2.1  GPL2
Groups          : None
Provides        : None
Depends On      : a52dec  libdvbpsi  libxpm  libdca  libproxy  lua52  libidn  libmatroska  taglib  libmpcdec  ffmpeg  faad2  libmad  libmpeg2  xcb-util-keysyms  libtar  libxinerama  libsecret  libupnp  libixml.so=11-64  libupnp.so=17-64  libarchive  qt5-base  qt5-x11extras  qt5-svg  freetype2  fribidi  harfbuzz  fontconfig  libxml2  gnutls  libplacebo  wayland-protocols
Optional Deps   : avahi: service discovery using bonjour protocol [installed]
                  aom: AOM AV1 codec [installed]
                  gst-plugins-base-libs: for libgst plugins [installed]
                  dav1d: dav1d AV1 decoder [installed]
                  libdvdcss: decoding encrypted DVDs [installed]
                  libavc1394: devices using the 1394ta AV/C [installed]
                  libdc1394: IEEE 1394 access plugin [installed]
                  kwallet: kwallet keystore [installed]
                  libva-vdpau-driver: vdpau backend nvidia [installed]
                  libva-intel-driver: video backend intel [installed]
                  libbluray: Blu-Ray video input [installed]
                  flac: Free Lossless Audio Codec plugin [installed]
                  twolame: TwoLAME mpeg2 encoder plugin [installed]
                  libgme: Game Music Emu plugin [installed]
                  vcdimager: navigate VCD with libvcdinfo [installed]
                  libmtp: MTP devices discovery [installed]
                  systemd-libs: udev services discovery [installed]
                  smbclient: SMB access plugin [installed]
                  libcdio: audio CD playback [installed]
                  gnu-free-fonts: subtitle font 
                  ttf-dejavu: subtitle font [installed]
                  libssh2: sftp access [installed]
                  libnfs: NFS access [installed]
                  mpg123: mpg123 codec [installed]
                  protobuf: chromecast streaming [installed]
                  libmicrodns: mDNS services discovery (chromecast etc) [installed]
                  lua52-socket: http interface
                  libdvdread: DVD input module [installed]
                  libdvdnav: DVD with navigation input module [installed]
                  libogg: Ogg and OggSpots codec [installed]
                  libshout: shoutcast/icecast output plugin [installed]
                  libmodplug: MOD output plugin [installed]
                  libvpx: VP8 and VP9 codec [installed]
                  libvorbis: Vorbis decoder/encoder [installed]
                  speex: Speex codec [installed]
                  opus: opus codec [installed]
                  libtheora: theora codec [installed]
                  libpng: PNG support [installed]
                  libjpeg-turbo: JPEG support [installed]
                  librsvg: SVG plugin [installed]
                  x264: H264 encoding [installed]
                  x265: HEVC/H.265 encoder [installed]
                  zvbi: VBI/Teletext/webcam/v4l2 capture/decoding [installed]
                  libass: Subtitle support [installed]
                  libkate: Kate codec [installed]
                  libtiger: Tiger rendering for Kate streams
                  sdl_image: SDL image support
                  srt: SRT input/output plugin [installed]
                  aalib: ASCII art video output [installed]
                  libcaca: colored ASCII art video output [installed]
                  libpulse: PulseAudio audio output [installed]
                  alsa-lib: ALSA audio output [installed]
                  jack: jack audio server [installed]
                  libsamplerate: audio Resampler [installed]
                  libsoxr: SoX audio Resampler [installed]
                  chromaprint: Chromaprint audio fingerprinter [installed]
                  lirc: lirc control [installed]
                  libgoom2: Goom visualization
                  projectm: ProjectM visualisation
                  ncurses: ncurses interface [installed]
                  libnotify: notification plugin [installed]
                  gtk3: notification plugin [installed]
                  aribb24: aribsub support
                  aribb25: aribcam support
                  pcsclite: aribcam support [installed]
Required By     : elisa
Optional For    : None
Conflicts With  : vlc-plugin
Replaces        : vlc-plugin
Installed Size  : 59.77 MiB
Build Date      : Wed 04 Aug 2021 11:22:58 EEST
Install Date    : Mon 23 Aug 2021 17:34:54 EEST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

$ shasum /usr/bin/vlc -a 224
ede44a86838be7923bb8dee544fb4f2887b787c70a12619938475e90  /usr/bin/vlc

$ shasum /usr/bin/vlc -a 256
5191dbd08a3895e4aad6206dfe0aa3ed6d46bc03dbc19f15312682df0b9320eb  /usr/bin/vlc

$ shasum /usr/bin/vlc -a 512
6a9160ff86e3680febefa5b0a0eb84a9b779d235eac0cd7324e585660788f79adbd90f070ab2cb4e2a79a8bbe0aa0453d316867f2ed17309b356a8e6b1e13a20  /usr/bin/vlc

$

So, while the local app VLC media player plays back a local file, it connects to Internet hosts, even many various hosts, even with metadata access turned off, and even listens for incoming connections.

For now I can’t figure out why.

A firewall helps (at least that simple ufw, which unfortunately controls only the TCP and UDP protocols). There could be many unexpected or sophisticated (complex environment, so with less predictable behavior) cases, besides vulnerabilities and an improperly / insufficiently configured FW on a router (if a user has a configurable firewall on a router and that user learned and configured the FW there completely as he wants it to be).

So you see that to have a correctly configured firewall, a user should properly and fully configure it on a router or (but I insist on the “and”) on all user machines, even in a local network.
A user has to learn firewall technologies anyway: to correctly and completely set it up on a router or (much better, the “and”) on every end-user machine.

Also, how do you recognize on a router which app listens for connections or connects to a host (the connection initiator app name (and path))? You can’t. App info is absent in a network packet, and only these are present: in/out status, protocol, IP/hostname, port.

Are you still at the development stage of “no FW is needed on end-user devices”?
Just learn more about it and you will find useful or very useful cases (if you care about privacy, of course).

Why resist the option for a user to defend his/her privacy, or not to do so?

Thanks to @andreas85 and others who support the idea (or suggest their ideas to improve my initial one) and suggest their methods for how to do that!
Maybe together we will advise some initial configuration for Manjaro (of course asking the user to turn that initial config on or off)?

But a very basic config is ready: block all incoming connections.
After that, a user can add/remove his preferred rules. But what the point of the idea is: the user will be aware that if he agrees to turn on a firewall during installation, then he will lose incoming connections to that device (only TCP and UDP protocols, not ICMP (ping)?); if it is left turned off, then that user’s privacy is a more questionable subject.
Or maybe a user has a perfect and completely configured (by whom? who did that configuration? who knows that user’s network usage profile? is it a permanent lifetime usage profile, or can and will it have changes?) router.

Again, it is about a user’s choice: to turn it on or not to care; the main point is awareness.
Or at least just show a readme file’s content to the user during installation, and it could point to the Firewalls - Manjaro wiki page with its first section of

Overview
Running a local firewall is almost always a good practice. Even when you are behind a network firewall, a local firewall protects you from threats on the inside of your network.

Thanks!
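The listening-socket check that several posts in this thread run by hand with lsof, and the “block all incoming” ufw baseline requested in the first and last posts, as one added shell example (an editor's addition, not code from the thread or from the Manjaro project). The sample lsof lines are constructed from the outputs quoted above; lsof, sudo and ufw are assumed to be available for the two live functions, and the `*:ssh` vs `localhost:ipp` distinction is the rule the script applies.

```shell
#!/bin/sh
# Added example: scripted version of the manual `lsof -i` check from the thread,
# plus the proposed ufw default. Not code from the thread or from Manjaro.

# Constructed sample in `lsof -i` layout, mirroring the listeners quoted in the
# thread (kdeconnect, cupsd, sshd, vlc) plus one outbound connection.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
kdeconnec  927    m   11u  IPv6  19913      0t0  UDP *:xmsg
kdeconnec  927    m   12u  IPv6  19914      0t0  TCP *:xmsg (LISTEN)
cupsd      527 root    7u  IPv6  17293      0t0  TCP localhost:ipp (LISTEN)
cupsd      527 root    8u  IPv4  17294      0t0  TCP localhost:ipp (LISTEN)
sshd      8719 root    3u  IPv4  98325      0t0  TCP *:ssh (LISTEN)
vlc       2836    m   19u  IPv4  20074      0t0  TCP 127.0.0.1:44149 (LISTEN)
vlc       2836    m   22u  IPv4  20077      0t0  TCP 172.27.235.75:35461 (LISTEN)
vlc       2836    m   23u  IPv4  20078      0t0  UDP 172.27.235.75:35461
firefox   3000    m   40u  IPv4  30000      0t0  TCP 172.27.235.75:51234->93.184.216.34:https (ESTABLISHED)'

# exposed_listeners: read `lsof -i` output on stdin and print
# "COMMAND PROTO LOCAL_ADDRESS" for every socket another host could reach:
# TCP sockets in LISTEN state and bound UDP sockets whose local address is
# not loopback. Loopback binds (localhost, 127.x, [::1]) and sockets with a
# peer ("->") are skipped, so cupsd and the outbound firefox line are not listed.
exposed_listeners() {
    awk '
    NR == 1 { next }                          # column header
    {
        proto = $8; name = $9; state = $10
        if (index(name, "->") > 0) next       # has a peer: not a listener
        if (proto == "TCP" && state != "(LISTEN)") next
        if (proto != "TCP" && proto != "UDP") next
        # local address is everything before the last ":" (keeps [::1] intact)
        host = name
        sub(/:[^:]*$/, "", host)
        if (host == "localhost" || host ~ /^127\./ || host == "[::1]") next
        print $1, proto, name
    }'
}

# count_exposed: number of reachable sockets in the constructed sample.
# On a system with nothing reachable the same pipeline prints 0.
count_exposed() {
    printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners | wc -l | tr -d ' '
}

# scan_live_host: the same check on the running machine. Needs lsof; root is
# needed to see other users' processes; -n/-P keep addresses and ports numeric.
scan_live_host() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 1; }
    sudo lsof -i -n -P | exposed_listeners
}

# ufw_baseline: the "block all incoming, allow outgoing" default proposed in
# the thread. Pass services to keep reachable as arguments (for example "ssh"),
# because enabling deny-incoming on a box you administer over ssh locks you out.
ufw_baseline() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw not installed" >&2; return 1; }
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    for svc in "$@"; do sudo ufw allow "$svc"; done
    sudo ufw --force enable
}
```

Run `scan_live_host` first and decide per listed line whether to stop the service (the approach favoured in the thread) or keep it and let `ufw_baseline <service>` admit it; a port that never shows up needs no rule.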