Add an installation step for firewall setup, or notify the user that no firewall is enabled by default

I think you are looking for GlassWire (network monitoring + firewall + notification when a new connection comes + statistics + virus scan + ease of use), but it only supports Windows.
Many people have asked for it to support Linux and macOS…


You’re probably right, but it may be too early to put a firewall in place for everyone from the time of installation. Manjaro is a small distribution, and you probably guessed that introducing a firewall that is switched on by default requires a lot of support at first.
All installation routines for packages with network functions would have to be adapted so that they open the necessary ports in the firewall (after consultation?). This can cause a lot of trouble over a long period of time. I don’t think Manjaro can play the pioneering role there.

Under Linux it is currently the case that everyone has to take responsibility for their own system. Sufficient instructions are given, e.g. in the Arch wiki. There are instructions for firewalls as well as for backups (also important and not set up automatically). For system maintenance …

If you want to secure your system, here are a few keywords worth looking up: ufw, wireguard, btrfs-send, opensnitch … the list should be longer, but I know only so little. :sunglasses:

IMHO, it depends on your ISP and your country’s laws about the internet (logging, identity protection…), and on what you are doing on your computer; if you want to play with peer to peer or fall into the darknet, you’d better have a moderate firewall configuration.
If it’s normal use, you have the choice.
And a firewall configuration is a second layer of defense if your router fails (meaning an old router with an outside vulnerability, or one that is not up to date).

But this has nothing to do with a firewall.

You’re right @omano , example removed

Why? Peer to peer will use certain ports to communicate, darknet (whatever this is) must also communicate over some kind of port. A firewall doesn’t help in any of these cases but will only add complications in using these services.

Thank you!

During initial startup VLC itself asks whether or not to download file metadata from the Internet.
I chose to disallow access.

Likely the setting is here:

$ cat /home/m/.config/vlc/vlcrc | grep -iE "metadata[- ]network[- ]access"
# Allow metadata network access (boolean)
#metadata-network-access=0
$

I changed about 10-15 other setting items: show toolbars, other interface-related stuff, input/codecs tab: profiles, deinterlace method… but I did not touch network settings after rejecting access to download metadata on the initial VLC start.

So, what do we have here?

$ networkctl status | grep -iv "::"
WARNING: systemd-networkd is not running, output will be incomplete.

●        State: n/a
  Online state: unknown
       Address: 172.27.235.75 on enp1s0
       Gateway: 172.27.235.73 on enp1s0

$ sudo lsof -ni | grep -i vlc | grep -i ipv4
vlc       2836    m   19u  IPv4  20074      0t0  TCP 127.0.0.1:44149 (LISTEN)
vlc       2836    m   21u  IPv4  20075      0t0  UDP 127.0.0.1:44149 
vlc       2836    m   22u  IPv4  20077      0t0  TCP 172.27.235.75:35461 (LISTEN)
vlc       2836    m   23u  IPv4  20078      0t0  UDP 172.27.235.75:35461
$
command line args used (simple execution via GUI (Dolphin))

history of outbound connections (destination host list)

the `vlc` info
$ pacman -Qi vlc | grep -iv packager
Name            : vlc
Version         : 3.0.16-3
Description     : Multi-platform MPEG, VCD/DVD, and DivX player
Architecture    : x86_64
URL             : https://www.videolan.org/vlc/
Licenses        : LGPL2.1  GPL2
Groups          : None
Provides        : None
Depends On      : a52dec  libdvbpsi  libxpm  libdca  libproxy  lua52  libidn  libmatroska  taglib  libmpcdec  ffmpeg  faad2  libmad  libmpeg2  xcb-util-keysyms  libtar  libxinerama  libsecret  libupnp  libixml.so=11-64  libupnp.so=17-64  libarchive  qt5-base  qt5-x11extras  qt5-svg  freetype2  fribidi  harfbuzz  fontconfig  libxml2  gnutls  libplacebo  wayland-protocols
Optional Deps   : avahi: service discovery using bonjour protocol [installed]
                  aom: AOM AV1 codec [installed]
                  gst-plugins-base-libs: for libgst plugins [installed]
                  dav1d: dav1d AV1 decoder [installed]
                  libdvdcss: decoding encrypted DVDs [installed]
                  libavc1394: devices using the 1394ta AV/C [installed]
                  libdc1394: IEEE 1394 access plugin [installed]
                  kwallet: kwallet keystore [installed]
                  libva-vdpau-driver: vdpau backend nvidia [installed]
                  libva-intel-driver: video backend intel [installed]
                  libbluray: Blu-Ray video input [installed]
                  flac: Free Lossless Audio Codec plugin [installed]
                  twolame: TwoLAME mpeg2 encoder plugin [installed]
                  libgme: Game Music Emu plugin [installed]
                  vcdimager: navigate VCD with libvcdinfo [installed]
                  libmtp: MTP devices discovery [installed]
                  systemd-libs: udev services discovery [installed]
                  smbclient: SMB access plugin [installed]
                  libcdio: audio CD playback [installed]
                  gnu-free-fonts: subtitle font 
                  ttf-dejavu: subtitle font [installed]
                  libssh2: sftp access [installed]
                  libnfs: NFS access [installed]
                  mpg123: mpg123 codec [installed]
                  protobuf: chromecast streaming [installed]
                  libmicrodns: mDNS services discovery (chromecast etc) [installed]
                  lua52-socket: http interface
                  libdvdread: DVD input module [installed]
                  libdvdnav: DVD with navigation input module [installed]
                  libogg: Ogg and OggSpots codec [installed]
                  libshout: shoutcast/icecast output plugin [installed]
                  libmodplug: MOD output plugin [installed]
                  libvpx: VP8 and VP9 codec [installed]
                  libvorbis: Vorbis decoder/encoder [installed]
                  speex: Speex codec [installed]
                  opus: opus codec [installed]
                  libtheora: theora codec [installed]
                  libpng: PNG support [installed]
                  libjpeg-turbo: JPEG support [installed]
                  librsvg: SVG plugin [installed]
                  x264: H264 encoding [installed]
                  x265: HEVC/H.265 encoder [installed]
                  zvbi: VBI/Teletext/webcam/v4l2 capture/decoding [installed]
                  libass: Subtitle support [installed]
                  libkate: Kate codec [installed]
                  libtiger: Tiger rendering for Kate streams
                  sdl_image: SDL image support
                  srt: SRT input/output plugin [installed]
                  aalib: ASCII art video output [installed]
                  libcaca: colored ASCII art video output [installed]
                  libpulse: PulseAudio audio output [installed]
                  alsa-lib: ALSA audio output [installed]
                  jack: jack audio server [installed]
                  libsamplerate: audio Resampler [installed]
                  libsoxr: SoX audio Resampler [installed]
                  chromaprint: Chromaprint audio fingerprinter [installed]
                  lirc: lirc control [installed]
                  libgoom2: Goom visualization
                  projectm: ProjectM visualisation
                  ncurses: ncurses interface [installed]
                  libnotify: notification plugin [installed]
                  gtk3: notification plugin [installed]
                  aribb24: aribsub support
                  aribb25: aribcam support
                  pcsclite: aribcam support [installed]
Required By     : elisa
Optional For    : None
Conflicts With  : vlc-plugin
Replaces        : vlc-plugin
Installed Size  : 59.77 MiB
Build Date      : Wed 04 Aug 2021 11:22:58 EEST
Install Date    : Mon 23 Aug 2021 17:34:54 EEST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

$ shasum /usr/bin/vlc -a 224
ede44a86838be7923bb8dee544fb4f2887b787c70a12619938475e90  /usr/bin/vlc

$ shasum /usr/bin/vlc -a 256
5191dbd08a3895e4aad6206dfe0aa3ed6d46bc03dbc19f15312682df0b9320eb  /usr/bin/vlc

$ shasum /usr/bin/vlc -a 512
6a9160ff86e3680febefa5b0a0eb84a9b779d235eac0cd7324e585660788f79adbd90f070ab2cb4e2a79a8bbe0aa0453d316867f2ed17309b356a8e6b1e13a20  /usr/bin/vlc

$

So, while the local app VLC media player plays back a local file, it connects to Internet hosts, even many various hosts, even with metadata access turned off, and it even listens for incoming connections.

For now I can’t figure out why.

A firewall helps (at least the simple ufw, which unfortunately controls only the TCP and UDP protocols). There could be many unexpected or sophisticated cases (a complex environment, so with less predictable behavior), besides vulnerabilities and an improperly or insufficiently configured FW on a router (if a user has a configurable firewall on a router and that user has learned and configured the FW there completely as he wants it to be).

So you see that to have a correctly configured firewall, a user should properly and fully configure it on a router or (but I insist on the “and”) on all user machines, even in the local network.
A user has to learn firewall technologies anyway: to correctly and completely set it up on a router or (much better, the “and”) on every end-user machine.

Also, how do you recognize on a router which app listens for connections or connects to a host (the connection initiator’s app name (and path))? You can’t. App info is absent from a network packet; only these are present: in/out status, protocol, IP/hostname, port.

Are you still at the development stage where no FW is needed on end-user devices?
Just learn more about it and you will find useful or very useful cases (if you care about privacy, of course).

Why resist giving a user the option to defend his/her privacy, or not to do it?

Thanks to @andreas85 and the others who support the idea (or suggest their own ideas to improve my initial one) and suggest their methods for how to do that!
Maybe together we can advise some initial configuration for Manjaro (of course asking the user to turn that initial config on or off)?

But a very basic config is ready: block all incoming connections.
After that a user can add/remove his preferred rules. But the point of the idea is: the user will be aware that if he agrees to turn on a firewall during installation, then he will lose incoming connections to that device (only TCP and UDP protocols, not ICMP (ping)?), and if it is left turned off, then that user’s privacy is a more questionable subject.
Or maybe a user has a perfect and completely configured router (by whom? who did that configuration? who knows that user’s network usage profile? is it a permanent lifetime usage profile, or can and will it change?).

Again it is about a user’s choice: to turn it on or not to care; the main point is awareness.
Or at least just show a readme file’s content to the user during installation; it could point to the Firewalls - Manjaro wiki page, with its first section:

Overview
Running a local firewall is almost always a good practice. Even when you are behind a network firewall, a local firewall protects you from threats on the inside of your network.

Thanks!
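The per-process view the lsof listing above was read for by eye, as an added example (not code from the thread or from any of its participants): a POSIX shell/awk filter that keeps only sockets reachable from other hosts, i.e. TCP listeners and bound UDP sockets not on loopback, which is exactly the process-to-socket information a packet filter on a router cannot give you. The sample input is constructed in `lsof -nPi` format with documentation-range addresses.

```shell
#!/bin/sh
# Added example: list sockets reachable from the LAN, i.e. TCP sockets in
# LISTEN state and bound UDP sockets whose local address is not loopback.
# Input is the output of `sudo lsof -nPi` (-P keeps ports numeric); established
# or outbound connections and loopback-only services are dropped.
# Live usage: sudo lsof -nPi | exposed_listeners
exposed_listeners() {
    awk '
    $1 == "COMMAND" { next }                    # lsof header line
    $8 != "TCP" && $8 != "UDP" { next }         # only TCP/UDP rows (IPv4 or IPv6)
    {
        proto = $8
        addr  = $9
        if (proto == "TCP" && $10 != "(LISTEN)") next   # established/outbound TCP
        if (proto == "UDP" && addr ~ /->/) next         # connected UDP socket
        host = addr; sub(/:[^:]*$/, "", host)           # strip ":port"
        port = addr; sub(/.*:/,     "", port)           # keep only the port
        if (host ~ /^127\./ || host == "[::1]" || host == "localhost") next
        print $1, $2, proto, host, port
    }'
}

# Constructed sample in lsof format; addresses are from the 192.0.2.0/24 and
# 198.51.100.0/24 documentation ranges, not from any real machine.
SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
vlc      2836    m   19u  IPv4  20074      0t0  TCP 127.0.0.1:44149 (LISTEN)
vlc      2836    m   21u  IPv4  20075      0t0  UDP 127.0.0.1:44149
vlc      2836    m   22u  IPv4  20077      0t0  TCP 192.0.2.10:35461 (LISTEN)
vlc      2836    m   23u  IPv4  20078      0t0  UDP 192.0.2.10:35461
sshd      901 root    3u  IPv6  15001      0t0  TCP [::]:22 (LISTEN)
cupsd     812 root    7u  IPv6  14020      0t0  TCP [::1]:631 (LISTEN)
firefox  3120    m   60u  IPv4  30111      0t0  TCP 192.0.2.10:51000->198.51.100.5:443 (ESTABLISHED)
systemd-r 700 systemd-resolve 13u IPv4 11220 0t0 UDP 127.0.0.53:53'

# Runs the audit over the constructed sample and returns the result as text.
audit_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners
}

audit_sample
```

Only the two VLC sockets bound to the LAN address and the sshd listener on all interfaces survive the filter; the loopback-only VLC, cupsd and resolver sockets and the outbound browser connection are dropped.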

A user already has the choice to install a firewall. If a user is interested in this topic or wants a firewall, he or she is already aware and knows how to install his or her favorite firewall application, if needed. And if not, the user installs no firewall, and there is nothing wrong with that.

To me, it looks more like a crusade to dictate the using of a firewall.

Btw., my VLC does not create and/or establish any connection to any IP while starting, playing and stopping a local file. And I have metadata-network-access=1 in the vlc config. Fabricated evidence for your crusade, or just not able to accurately use VLC to play a file?

Take the time to re-read the topic title.

Not fabricated. It is what I see.
If a double click on a multimedia file is not accurate enough, then yes.

I’m presuming zero trust will be the norm for the future, complexity is increasing, DIY is certainly possible but the situation varies. From my perspective a default setup with a ‘trust the least amount of components’ is desirable. Making sure it is manageable is indeed the best route to take.


@alven You are really hardheaded and I like people who are like that when it comes to security :wink:

Ok in general you are targeting users who have no idea about firewalls, right? Since only certain programs are affected by such behavior, surely it would make more sense to isolate those programs instead of establishing a global software firewall. That’s where the firejail program comes into play, for example.

  1. System calls with seccomp can be restricted
  2. Incoming connections are blocked by default (at least for programs that need it, exception are for example transmission-gtk). This can also be further restricted.
  3. Access to the file system can be restricted.
  4. There are already profiles that provide a minimum level of security.

So in the end, firejail uses just about all the security features offered by the Linux kernel. The tool targets the home user and is relatively easy to use. There is also already a GUI for it.

So in general, it’s not the kernel that’s the problem, but the programs that exhibit unpredictable behavior or are proprietary and therefore tend to be less trusted.

If you really want to do something, then please do so, but not so half-heartedly with a firewall.

How to explain it to a normal user? So if you install a program on Android for example, then the apps are sandboxed like that. You have to allow these programs to have privileges on installation, but there are also apps that can manage the privileges and restrict it further. Firejail is something like that, but has its own rules, which are not set by the developers of the programs.

Frequently Asked Questions · netblue30/firejail Wiki · GitHub

Here is a profile for vlc for example:

➜ ~ cat /etc/firejail/vlc.profile
# Firejail profile for vlc
# Description: Multimedia player and streamer
# This file is overwritten after every install/update
# Persistent local customizations
include vlc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/vlc
noblacklist ${HOME}/.config/vlc
noblacklist ${HOME}/.config/aacs
noblacklist ${HOME}/.local/share/vlc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

read-only ${DESKTOP}
mkdir ${HOME}/.cache/vlc
mkdir ${HOME}/.config/vlc
mkdir ${HOME}/.local/share/vlc
whitelist ${HOME}/.cache/vlc
whitelist ${HOME}/.config/vlc
whitelist ${HOME}/.config/aacs
whitelist ${HOME}/.local/share/vlc
include whitelist-common.inc
include whitelist-player-common.inc
include whitelist-var-common.inc

#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
caps.drop all
netfilter
nogroups
noinput
nonewprivs
noroot
nou2f
protocol unix,inet,inet6,netlink
seccomp
shell none

private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
private-dev
private-tmp

# dbus needed for MPRIS
# dbus-user none
# dbus-system none

Isn’t that what AppArmor can do to an extent too (installed by default, I think)?

But to go back to the topic, I don’t really think that having an option in the Calamares installer to install and enable UFW defaults would be a problem. By default it blocks all incoming traffic, which is probably already the case from the router/modem for most people. Unknown traffic is rejected. It is then up to people to open ports in UFW (and open/forward ports from the router’s perspective too, anyway).
A whole set of rules made and maintained by the Manjaro team, that I can understand is not wanted, as it would require people to dedicate themselves to that; but if the user wants UFW installed and enabled during install, why not? I’m actually all for more options to select during install on the full ISO, like there were with the office suites.


Exactly. It does the same thing and it is installed by default on Manjaro, but not activated. It can do the same things like firejail in general, but apparmor is focused on server applications and not GUI applications, as you can see here: profiles · master · AppArmor / apparmor · GitLab

Firejail on the other side has a lot of profiles for GUI Apps: firejail/etc at master · netblue30/firejail · GitHub

How much effort would the addition of a couple of lines of text with a hyperlink take?

But how helpful it could be for users?

We have heard each other’s calls several times.
I don’t have further resources to constantly overcome resistance. As for me: I’m done here. But I’m leaving the thread open.
Thanks for taking part, to all: like-minded people, opponents and those who are still pondering!

@alven If you really care, then check the source here:

  1. src/modules/finishedq/finishedq.qml · development · Applications / calamares · GitLab
  2. lang/calamares_en.ts · development · Applications / calamares · GitLab

Clone it, change it, test it and send a patch to the devs.

In the end, I don’t resist, but it would be better to use application-specific sandboxes like apparmor or firejail instead of a global software firewall for a personal computer. The applications are isolated and network-filtered then, which is much better. But someone has to maintain the profiles for each application, since behaviors can change. Then everyone profits from it.

Go for it! :wink:

I installed Firejail and switched to other tasks, thinking that I would test it later. Several days later I discovered that my dotfiles in $HOME and the .config folder were uneditable and unviewable with Kate. It took me a couple of Backintime rollback actions to realize that Firejail was to blame. Wiped it at once. Its defaults are ridiculous.
And it is not a substitute for a firewall. It is a tool that has another application, more for paranoid use cases.

But still, I don’t think that Manjaro needs a firewall pre-installed. Instead it needs a warning message that by default it has no open ports, and it’s up to the user to install and configure a firewall.


Most firewalls only block incoming traffic.

If you want to control outgoing traffic on an application level - one could try to build the opensnitch package.

In AUR as either

pamac build opensnitch

or for the latest source

pamac build opensnitch-git

No wonder… by default only the bare minimum which is really needed for this application is set. It’s up to you to whitelist directories. It’s not about being paranoid, but about having default profiles which only define what the application needs to run.

Kate profile: firejail/kate.profile at master · netblue30/firejail · GitHub

Btw… The same/similar sandbox features are used in Android, but there the developer has to define the profile :wink: I would not say that Android is for paranoids… or?
