Add an installation step for firewall setup, or notify the user that no firewall is enabled by default

Hi, Manjaro team!

According to Linux Security - Manjaro:

Running a local firewall is almost always a good practice.

and to Does Manjaro has disabled firewall by default?

Please introduce an installation step of firewall setup.
If a user prefers not to enable the firewall, then the user will be notified that the firewall is disabled in their installed copy of the OS.

The simplest basic single rule can prevent huge problems: block all incoming connections on all protocols (at least TCP and UDP).

This installation step will greatly reduce many risks, or a user will be notified of that serious security flaw.

Thanks!

Just to understand: What should a software firewall on your computer do better than the firewall in your NAT router? The only reason I can understand would be a mobile device that is on the move in foreign WLANs.

I guess this idea comes from Windows, where the firewall is enabled by default. And yes, there are services running in the background which need to be protected. For example “Windows Share” is enabled by default.

I mean yes, it has some benefits if the firewall is enabled on devices which are not in a protected network like “direct mobile connections”, “foreign or public Wifi Spots” (so without a NAT), but on Manjaro there are ZERO services running in the background by default which would provide a port, which could be accessed.

If you install a SAMBA Server or SSH Server, then it makes full sense, but in that case you will need to install and configure the firewall yourself. This is additional software and not part of a basic Manjaro Installation.

You can test it yourself. Run:

nmap -p0-65535 ip_of_the_computer

If there is no open port, then there is no risk. And a firewall is useless this way on a private computer.

Which applications would need such a behavior? Malware? Then don’t install this software…



I installed the manjaro-kde-21.06-development-unstable-210618-linux510.iso from the Release 202106180255 · manjaro-plasma/download · GitHub list

$ lsof -i
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
kdeconnec  927    m   11u  IPv6  19913      0t0  UDP *:xmsg 
kdeconnec  927    m   12u  IPv6  19914      0t0  TCP *:xmsg (LISTEN)
....

Also, the image includes the qBittorrent package.
What did you mean by “zero”?
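The two posts above disagree on whether a default install has anything listening. One way to settle it on your own machine is to run `lsof -i` and keep only the sockets that accept unsolicited traffic (TCP in LISTEN state, bound UDP sockets) and are bound to all interfaces rather than loopback. The script below is an added example written for this thread, not Manjaro or KDE code; the sample `lsof -i` lines are constructed in the shape of the output posted above (PIDs, the cupsd/firefox/qbittorrent rows and the port 51413 are illustrative, not from a real system).

```python
from dataclasses import dataclass

# Constructed sample in the format of `lsof -i`, modelled on the lines posted
# in the thread. Extra rows are invented to show the cases the parser must tell apart.
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
kdeconnec  927    m   11u  IPv6  19913      0t0  UDP *:xmsg
kdeconnec  927    m   12u  IPv6  19914      0t0  TCP *:xmsg (LISTEN)
cupsd      512 root    7u  IPv4  18222      0t0  TCP localhost:ipp (LISTEN)
firefox   1203    m   88u  IPv4  40011      0t0  TCP 192.168.1.20:45622->93.184.216.34:https (ESTABLISHED)
qbittorre 1410    m   31u  IPv4  41200      0t0  TCP *:51413 (LISTEN)
"""

@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    proto: str    # "TCP" or "UDP"
    address: str  # bind address as lsof prints it; "*" means every interface
    port: str     # numeric port or the /etc/services name lsof resolved it to

# Addresses that are only reachable from the host itself.
LOOPBACK = {"localhost", "127.0.0.1", "[::1]", "::1"}

def parse_listeners(lsof_output):
    """Return sockets that can receive unsolicited traffic: TCP sockets in LISTEN
    state and bound UDP sockets. Established/outbound connections (NAME contains
    '->') and the header line are skipped."""
    listeners = []
    for line in lsof_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        command, pid, proto, name = fields[0], fields[1], fields[7], fields[8]
        state = fields[9] if len(fields) > 9 else ""
        if "->" in name or proto not in ("TCP", "UDP"):
            continue
        if proto == "TCP" and state != "(LISTEN)":
            continue
        address, _, port = name.rpartition(":")  # handles "[::1]:ipp" as well as "*:xmsg"
        listeners.append(Listener(command, int(pid), proto, address, port))
    return listeners

def exposed_listeners(lsof_output):
    """Listeners bound to a non-loopback address: reachable from the network
    unless a host firewall (or the NAT router) blocks them."""
    return [l for l in parse_listeners(lsof_output) if l.address not in LOOPBACK]

if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_LSOF):
        print(f"{l.command} (pid {l.pid}) {l.proto} {l.address}:{l.port}")
```

On a live system pipe the real output in (`lsof -i | python3 check_listeners.py` with `SAMPLE_LSOF` replaced by `sys.stdin.read()`); an empty result is what the "zero services" claim predicts, while the KDE Connect rows above show what a wildcard-bound service looks like.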

Nice :+1: You have searched and have found something!

But these images are made for development. Commonly, as I know, development builds have lax security builtin for easier tracking. These are not made for production systems.

Besides that, KDE Connect would be completely dysfunctional if you enable a firewall here at the beginning. As I remember (I am not a KDE User at all), KDE Connect pairs its devices for sharing. So it gets authenticated by a key, which has been shared at first connect. So you want to make a service dysfunctional at the beginning which is designed to be always on?

Authentication: Keyfile only
Connection: TLS Encryption
Behavior: You have to allow each device explicitly.

So at the end, the only DE, which has one open port, is KDE. Don’t get me wrong, KDE is a great piece of software, but it aims to be like WindBlows and adapt also bad behaviors. So I am not a fan of KDE at all.

You want to block bittorrent? Seriously? I mean, to block certain IPs, there is commonly used a blocklist, but the whole Port Range? Funny :clown_face: I hear the user crying in my mind: “Why is bittorrent not working? Shit Linux, it blocks everything.”

So @alven please explain, why you would block bittorrent or KDEConnect as a common user instead of removing it or just stopping/disabling the service?