Add an installation step for firewall setup, or notify the user that no firewall is enabled by default

A user already has the choice to install a firewall. If a user is interested in this topic or wants a firewall, he or she is already aware and knows how to install their favorite firewall application, if needed. And if not, the user installs no firewall, and there is nothing wrong with that.

To me, it looks more like a crusade to dictate the using of a firewall.

Btw., my VLC does not create and/or establish any connection to any IP while starting, playing and stopping a local file. And I have metadata-network-access=1 in the vlc config. Fabricated evidence for your crusade, or just not able to use VLC accurately to play a file?

Take the time to re-read the topic title.

Not fabricated. It is what I see.
If a double click on a multimedia file is not accurate enough, then yes.

I'm presuming zero trust will be the norm for the future, complexity is increasing, DIY is certainly possible but the situation varies. From my perspective a default setup with a 'trust the least amount of components' is desirable. Making sure it is manageable is indeed the best route to take.


@alven You are really hardheaded and I like people who are like that when it comes to security :wink:

Ok, in general you are targeting users who have no idea about firewalls, right? Since only certain programs are affected by such behavior, surely it would make more sense to isolate those programs instead of establishing a global software firewall. That's where the firejail program comes into play, for example.

  1. System calls can be restricted with seccomp.
  2. Incoming connections are blocked by default (at least for programs that need it; exceptions are, for example, transmission-gtk). This can also be further restricted.
  3. Access to the file system can be restricted.
  4. There are already profiles that provide a minimum level of security.

So in the end, firejail uses just about all the security features offered by the Linux kernel. The tool targets the home user and is relatively easy to use. There is also already a GUI for it.

So in general, it's not the kernel that's the problem, but the programs that exhibit unpredictable behavior or are proprietary and therefore tend to be less trusted.

If you really want to do something, then please do so, but not so half-heartedly with a firewall.

How to explain it to a normal user? So if you install a program on Android for example, then the apps are sandboxed like that. You have to allow these programs to have privileges on installation, but there are also apps that can manage the privileges and restrict it further. Firejail is something like that, but has its own rules, which are not set by the developers of the programs.

Frequently Asked Questions · netblue30/firejail Wiki · GitHub

Here is a profile for vlc for example:

➜ ~ cat /etc/firejail/vlc.profile
# Firejail profile for vlc
# Description: Multimedia player and streamer
# This file is overwritten after every install/update
# Persistent local customizations
include vlc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/vlc
noblacklist ${HOME}/.config/vlc
noblacklist ${HOME}/.config/aacs
noblacklist ${HOME}/.local/share/vlc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

read-only ${DESKTOP}
mkdir ${HOME}/.cache/vlc
mkdir ${HOME}/.config/vlc
mkdir ${HOME}/.local/share/vlc
whitelist ${HOME}/.cache/vlc
whitelist ${HOME}/.config/vlc
whitelist ${HOME}/.config/aacs
whitelist ${HOME}/.local/share/vlc
include whitelist-common.inc
include whitelist-player-common.inc
include whitelist-var-common.inc

#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
caps.drop all
netfilter
nogroups
noinput
nonewprivs
noroot
nou2f
protocol unix,inet,inet6,netlink
seccomp
shell none

private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
private-dev
private-tmp

# dbus needed for MPRIS
# dbus-user none
# dbus-system none

Isn't that what AppArmor can do to an extent too (installed by default, I think)?

But to go back to the topic, I don't really think that having an option in the Calamares installer to install and enable UFW defaults would be a problem. By default it blocks all incoming traffic, which is probably already the case from the router/modem for most people. Unknown traffic is rejected. It is then up to people to open ports in UFW (and open/forward ports from the router's perspective too anyway).
Having a whole set of rules made and maintained by the Manjaro team, I can understand that that is not wanted, as it would require people to dedicate themselves to it, but if the user wants UFW installed and enabled during install, why not? I'm actually all for more options to select during install on the full ISO, like there was with the office suites.


Exactly. It does the same thing and it is installed by default on Manjaro, but not activated. It can do the same things as firejail in general, but apparmor is focused on server applications and not GUI applications, as you can see here: profiles · master · AppArmor / apparmor · GitLab

Firejail, on the other side, has a lot of profiles for GUI apps: firejail/etc at master · netblue30/firejail · GitHub

How much effort would the addition of a couple of lines of text with a hyperlink take?

But how helpful it could be for users?

We have heard each other's calls several times.
I don't have further resources to constantly overcome resistance. As for me: I'm done here. But I'm leaving the thread open.
Thanks to all for taking part: like-minded people, opponents and those who are still pondering!

@alven If you really care, then check the source here:

  1. src/modules/finishedq/finishedq.qml · development · Applications / calamares · GitLab
  2. lang/calamares_en.ts · development · Applications / calamares · GitLab

Clone it, change it, test it and send a patch to the devs.

In the end, I don't resist, but it would be better to use application-specific sandboxes like apparmor or firejail instead of a global software firewall for a personal computer. The applications are isolated and network-filtered then, which is much better. But someone has to maintain the profiles for each application, since behaviors can change. Then everyone profits from it.

Go for it! :wink:

I installed Firejail and switched to other tasks, thinking that I would test it later. Several days later I discovered that my dotfiles in $HOME and the .config folder were uneditable and unviewable with Kate. It took me a couple of Backintime rollback actions to realize that Firejail was to blame. Wiped it at once. Its defaults are ridiculous.
And it is not a substitute for a firewall. It is a tool that has another application, more for paranoid use cases.

But still, I don't think that Manjaro needs a firewall pre-installed. Instead it needs a warning message that by default it has no open ports, and it's up to the user to install and configure a firewall.


Most firewalls only block incoming traffic.

If you want to control outgoing traffic on an application level - one could try to build the opensnitch package.

In AUR as either

pamac build opensnitch

or for the latest source

pamac build opensnitch-git
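The two posts above rest on one observable fact: whether anything on the machine is actually listening for incoming connections on a non-loopback address. Here is an added example (not from the thread) that answers that question from `ss -tuln` output; the sample output is constructed, and on a live host you would pipe the real `ss -tuln` into the same function.

```shell
#!/bin/sh
# Constructed sample of `ss -tuln` output (not a real capture); the header
# line and column layout follow what ss prints on a typical Linux host.
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53:53     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    [::1]:631         [::]:*
tcp   LISTEN 0      128    [::]:22           [::]:*
EOF
)

# Read ss output on stdin and print "proto local-address:port" for every
# socket that accepts traffic from outside the host, i.e. a listening TCP
# socket or an unconnected UDP socket that is not bound to loopback.
exposed_listeners() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
        addr = $5
        host = addr
        sub(/:[^:]*$/, "", host)            # strip the trailing :port
        if (host ~ /^127\./ || host == "[::1]") next
        print $1, addr
    }'
}

# Number of exposed sockets; 0 is what "no open ports" should look like.
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Sample run: prints the UDP mDNS responder and sshd on both address families.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Any line it prints is reachable before a firewall rule is consulted; an empty result means a host-level firewall would currently change nothing for inbound traffic.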

No wonder… by default only the bare minimum which is really needed for this application is set. It's up to you to whitelist directories. It's not about being paranoid, but about having default profiles which only define what the application needs to run.

Kate profile: firejail/kate.profile at master · netblue30/firejail · GitHub

Btw… the same/similar sandbox features are used in Android, but there the developer has to define the profile :wink: I would not say that Android is for paranoids… or?
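What that whitelisting looks like in practice, as an added example that is not from the thread or from the firejail project: a local override for the Kate profile that re-exposes a few dotfiles like the ones the earlier poster could not open. It assumes kate.profile contains `include kate.local` (the way vlc.profile above includes vlc.local) and that firejail reads that file from ~/.config/firejail/kate.local; the two paths listed are placeholders for whatever files you actually edit.

```text
# ~/.config/firejail/kate.local  (hypothetical override; substitute your own paths)
# Lift the blacklist on each file first, then whitelist it: once a whitelist
# is in effect, anything in ${HOME} that is not whitelisted stays hidden.
noblacklist ${HOME}/.bashrc
noblacklist ${HOME}/.config/nvim
whitelist ${HOME}/.bashrc
whitelist ${HOME}/.config/nvim
# Trade-off: every path added here is readable and writable by anything Kate
# (or one of its plugins) runs inside the sandbox, so keep the list short.
```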
