Was curious if there was a way to not allow outgoing connections by default, and then only allow programs/services that I trust.
Sure can be done. Install gufw
and setup the firewall. It is pretty self-explaining.
pamac install gufw
Nice, I'll check it out. Is there anything I should remove before I install it to avoid conflicts? I have... whatever firewall came with Manjaro, in my system tray. "firewalld"
A firewall is protecting against outside connections.
While you can setup a firewall to block all outgoing connections you cannot block everything as you need to setup rules to allow for specific target ports e.g. 80, 443.
If you are concerned about dataleaking you should look towards another type of firewall also known as an application firewall.
Search for opensnitch - which is the equivalent to Little Snitch on macOS.
To be more specific, it's stuff like keyloggers in particular I'm thinking about. I'm pretty careful, I mainly just use the official repos and try to read up on anything I'm getting from the AUR, but there are still cases where I need something from somewhere else, so I wanted to have some way of accounting for that sort of thing in advance. If something on my PC doesn't need to phone home for my use, I'd rather it didn't.
I'll look into opensnitch too, thank you.
Yeah, make sure that you have one firewall application to avoid conflicts.
If someone installed a keylogger, whether software or hardware, on your personal system, then you have other more concerning issues besides configuring any sort of firewall.
Feel free to elaborate. Specifically software, I'm not concerned about anything local.
Is it wrong to assume that, worst case scenario, if there was a keylogger in something I'd downloaded, and if I was blocking traffic by default to everything I haven't personally allowed (on the assumption that the keylogger wasn't one of those things I had allowed), then the keylogger wouldn't be able to send anything it had logged to be used?
Your assumption is incongruent.
You're savvy enough to use Linux as your primary OS, and have the foresight to avoid malicious downloads and protect yourself with a very tight firewall policy. Not to mention targeting Linux is not worthwhile compared to Windows clients.
You're wayyyyy less likely to install a keylogger on your system than most desktop users.
So if it got to the point that a keylogger is installed, running, and attempting to phone home from your Linux computer, then it's already too late and too deep to rely on a software firewall to keep you safe.
Yeah, I already know all that. I just want to know if said firewall would actually block a keylogger trying to send what it had collected out, or if it'd just hitch a ride some other way.
The way I see it, I don't have any reason not to block all outgoing connections I haven't personally approved anyway. So I wanted to know if doing so would also cover things like this.
Quite simply, you can trust open source code that you compile or build yourself.
If you don't trust a closed source app at first, you can test it in a VM with network monitoring.
Trying to block "everything" except "approved" destinations would make your usage of the internet, and online services in general, very frustrating, while fighting a losing battle if your PC is truly compromised.
EDIT: I'm not trying to sound facetious. I've been in your situation before, but then realized going down such a rabbit hole of aiming for 100% security wasn't worth it, nor achievable. There is stress and paranoia that come with it.
Keep it simple, but smart: minimize usage of/reliance on the AUR or custom PKGBUILDs. Try to avoid installing software from third-party sources. Favor open source over proprietary. Always review any script or commands you find online. Check the software's/developer's trust and reputation, and if feasible look at the source code or ask someone else to vet it.
Even without taking such rigid safety measures, you're still much safer than a typical Windows user who just downloads software and games, and visits dubious websites, even with antimalware protection "keeping them safe".
If an attacker has it out for you and is sophisticated enough, simply trying to block as much outgoing traffic as possible might not protect you anyway. Why wouldn't their malware just log your user/root password, and use it to elevate itself and disable the firewall? That's what I mean by "If someone's got a keylogger on your Linux system, it's too late and too deep to mitigate it with a firewall or outgoing traffic rules."
Yeah, you did sound like kind of an ass. I got what you were saying but I still wanted a straight answer.
Why wouldn't their malware just log your user/root password, and use it to elevate itself and disable the firewall?
This is the kind of info I wanted, thanks. Probably still going to look into the firewall stuff, though, if it's not too much pain to allow the things I actually use through it. I just like the idea.
I completely agree, which is why I initially started working on picosnitch with the only goal of being able to detect this for peace of mind then do a clean install if needed.
And after going down this rabbit hole, I came to the exact same conclusion.
I even tried to mitigate this by allowing the SQL logs to be stored on another machine, with only insert privileges granted, then using a network firewall/router like OPNsense to cut off network access. However, setting this up is too much trouble, so even I didn't bother with it, and there are still a number of other limitations I came across, and I doubt I mentioned them all. This is why I would recommend something like Qubes over picosnitch if security is that much of a concern.
Now I'm finally done with this rabbit hole of chasing 100% security, and am content with just the general consensus of sticking to trusted repos and being smart about AUR usage and other third parties. I am no longer adding new features to picosnitch; my approach now is to just document any limitations and best practices so it can at least be used effectively for what it is and help educate others, and I will always appreciate any issues/pull requests to add anything I missed.
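The per-process view that opensnitch and picosnitch provide (which process owns which outbound connection) can be reproduced in miniature from /proc, which is how "is anything phoning home that I did not approve?" gets answered on a live box. This is an added example, not code from opensnitch, picosnitch or anyone in the thread; it assumes a little-endian Linux host, the standard /proc/net/tcp row layout, constructed sample rows, and an allowlist of remote ports 80 and 443.

```python
import os, re, socket, struct
# Constructed sample in /proc/net/tcp layout (not a real capture): row 0 = CUPS listening on
# loopback, row 1 = HTTPS to 34.216.184.93, row 2 = unexpected uid-1000 link to 192.0.2.10:8080.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A8C6 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:D431 0A0200C0:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

def decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22); the kernel prints host byte order, so this assumes little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp (header + rows) into dicts; the inode is what ties a socket to a PID."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        conns.append({"local": (lip, lport), "remote": (rip, rport),
                      "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return conns

def unapproved(conns, allowed_ports):
    """Established connections to remote ports outside the allowlist; listeners and loopback peers are skipped."""
    return [c for c in conns if c["state"] == "ESTABLISHED"
            and not c["remote"][0].startswith("127.") and c["remote"][1] not in allowed_ports]

def socket_inode_to_pid():
    """Map socket inode -> PID via /proc/<pid>/fd symlinks ('socket:[N]'); other users' processes need root."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    mapping[int(m.group(1))] = int(pid)
        except OSError:
            continue
    return mapping
if __name__ == "__main__":  # a live run would parse open("/proc/net/tcp").read() instead of the sample
    pids = socket_inode_to_pid()
    for c in unapproved(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), {80, 443}):
        print(f"uid {c['uid']} pid {pids.get(c['inode'], '?')} -> {c['remote'][0]}:{c['remote'][1]}")
```

Run as root (or with CAP_SYS_PTRACE) to resolve inodes for every user's processes; the sample flags the 192.0.2.10:8080 connection and leaves the HTTPS one alone.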
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.