Was curious if there was a way to not allow outgoing connections by default, and then only allow programs/services that I trust.
Sure can be done. Install
gufw and setup the firewall. It is pretty self-explaining.
pamac install gufw
Nice, I’ll check it out. Is there anything I should remove before I install it to avoid conflicts? I have… whatever firewall came with Manjaro, in my system tray. “firewalld”
A firewall is protecting against outside connections.
While you can setup a firewall to block all outgoing connections you cannot block everything as you need to setup rules to allow for specific target ports e.g. 80, 443.
If you are concerned about dataleaking you should look towards another type of firewall also known as an application firewall.
Search for opensnitch - which is the equivalent to Little Snitch on macOS.
To be more specific, it’s stuff like keyloggers in particular I’m thinking about. I’m pretty careful, I mainly just use the official repos and try to read up on anything I’m getting from the AUR, but there’s still cases where I need something from somewhere else so I wanted to have some way of accounting for that sort of thing in advance. If something on my PC doesn’t need to phone home for my use, I’d rather it didn’t.
I’ll look into opensnitch too, thank you.
Yeah keep sure that you have one firewall application to avoid conflicts.
If someone installed a keylogger, whether software or hardware, on your personal system, then you have other more concerning issues besides configuring any sort of firewall.
Feel free to elaborate. Specifically software, I’m not concerned about anything local.
Is it wrong to assume that, worst case scenario, if there was a keylogger in something I’d downloaded, that if I was blocking traffic by default to everything I haven’t personally allowed (on the assumption that the keylogger wasn’t one of those things I had allowed), then the keylogger wouldn’t be able to send anything it had logged to be used?
Your assumption is incongruent.
You’re savvy enough to use Linux as your primary OS, and have the foresight to avoid malicious downloads and protect yourself with a very tight firewall policy. Not to mention targeting Linux is not worthwhile compared to Windows clients.
You’re wayyyyy less likely to install a keylogger to your system than most desktop users.
So if it got to the point that a keylogger is installed, running, and attempting to phone home from your Linux computer, then it’s already too late and too deep to rely on a software firewall to keep you safe.
Yeah I already know all that ■■■■■ I just want to know if said firewall would actually block a keylogger trying to send what it had collected out, or if it’d just a hitch a ride some other way.
Way I see it, I don’t have any reason to not to block all outgoing connections I haven’t personally approved anyway. So I wanted to know if doing so would also cover things like this.
Quite simply, you can trust open source codes that you make compiler or build.
If you don’t trust closed source app at first, you can test it in VM with network monitoring.
Trying to block “everything” except “approved” destinations would make your usage of the internet, and online services in general, very frustrating, while fighting a losing battle if your PC is truly compromised.
EDIT: I’m not trying to sound facetious. I’ve been in your situation before, but then realized going down such a rabbit hole of aiming for 100% security wasn’t worth it, nor achievable. There is stress and paranoia that come with it.
Keep it simple, but smart: Minimize usage/reliance on AUR or custom PKGBUILDs. Try to avoid installing software from third-party sources. Favor open-source over proprietary. Always review any script or commands you find online. Check the software’s/developer’s trust and reputation, and if feasible look at the source code or ask someone else to vet it.
Even without taking such rigid safety measures, you’re still much safer than a typical Windows user who just downloads software and games, and visits dubious websites, even with antimalware protection “keeping them safe”.
If an attacker has it out for you and is sophisticated enough, simply trying to block as much outgoing traffic as possible might not protect you anyways. Why wouldn’t their malware just log your user/root password, and use it to elevate itself and disable the firewall? ← That’s what I mean by “If someone’s got a keylogger on your Linux system, it’s too late and too deep to mitigate it with a firewall or outgoing traffic rules.”
Yeah, you did sound like kind of an ass. I got what you were saying but I still wanted a straight answer.
Why wouldn’t their malware just log your user/root password, and use it to elevate itself and disable the firewall?
This is the kind of info I wanted, thanks. Probably still going to look into the firewall stuff, though, if it’s not too much pain to allow the things I actually use through it. I just like the idea.
I completely agree, which is why I initially started working on picosnitch with the only goal of being able to detect this for peace of mind then do a clean install if needed.
And after going down this rabbit hole, came to the exact same conclusion.
I even tried to mitigate this by allowing the SQL logs to be stored on another machine, with only insert privileges granted, then use a network firewall/router like opnsense to cutoff network access. However, setting this up is too much trouble, so even I didn’t bother with it, and even still there are a number of other limitations I came across and doubt I mentioned them all. This is why I would recommend something like Qubes over picosnitch if security is that much of a concern.
Now I’m finally done with this rabbit hole of chasing 100% security, and am content with just the general consensus of sticking to trusted repos, and being smart about AUR usage and other third parties. I am no longer adding new features to picosnitch and my approach now is to just document any limitations and best practices so it can at least be used effectively for what it is and help educate others, and will always appreciate any issues/pull requests to add anything I missed.
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.