Privacy & lack of sensible firewall

I’m sorry if I’m thinking in terms of “Window$”. Old habits die hard, I guess. There are tons of apps in Linux. They are all free. It’s all good!

I’m going to digress here a bit, please bear with me!

In my own experience, I never had to worry about a “virus” infecting my Linux system, which is awesome. But the question still stands! Is it because nobody has any interest in coding viruses for Linux since everything is free? Meaning, there is no “business interest” to create (code) any virus for Linux. Or is it because Linux is really safe (rock solid) against virus infection? Which is it? Maybe a combination of both?

I don’t even know if there’s any antivirus for Linux or if there is any need for it.

Antivirus is a big business in the Window$ world. Most probably the so-called antivirus software companies are the ones releasing the viruses in order to promote, justify, and thus continue their financial survival. I know, you can’t make this sh… up!

If the reason you’re running the f… away from Window$ is not the “3-letter agencies” which are deeply ingrained and involved in the operations of Microsoft, then maybe it is the reason that you’re sick and tired of bloating your system with a bunch of so-called protection, and still worry about getting infected! Doesn’t it say something about so-called protection??!?!

Then there is a “privacy” issue. The privacy must be respected and honored!

Almost everything you install in Window$ (including Windows itself!) connects to the internet and sends “whatever data” it is sending to “wherever”. Who the f… knows what they are collecting and where the data is going!? But at least in the Window$ environment, there is something called a “Firewall”.

In Window$, I can set up a third-party firewall (say, “Comodo” firewall) with a pop-up to inform me if an application is requesting to connect to the internet (behind my back), and I can easily know about it and block such access! Some may say and argue that it is not enough, that they can still sneak out through a “port” or blah blah… Let’s not get into splitting hairs, and stop here and say that at least I can find such a firewall in the Window$ environment.

Here is the “heart” of this post. How come (why) there is no such firewall in the Linux environment that I know of… one that could simply notify me or alert me if there is any application requesting internet access (behind my back), with a pop-up notice for me to allow or deny?

There are tons of free apps in Linux. I don’t know what each app is doing and if it is connecting to the internet and sending any data out. I have no firewall in Linux to inform me of that (that I know of). There may be a command to type in the terminal to magically list all the outgoing connections. If so, please let me know of the command! But yet the internet connection is wide open to all apps in Linux unless and until you manually block each and every app that does not need an internet connection!

How do we (Linux users) know that our data is not collected unless you block all app access to the internet other than your internet browser and your package manager? Maybe you can add a few more legitimate apps that require internet access, but my point is: Linux being wide open to the internet, how come personal privacy is not a concern?

Yes, there is a Linux firewall, which (as I understand) you manually set up to block app access to the internet. But there is no such Linux firewall (that I know of) that automatically detects any outgoing internet request to alert you. Why?
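As an added example (not from the thread), one way to get the list the OP asks for: a POSIX sh script that reads the output of `ss -tunp` (iproute2, installed by default) and shows which process holds each established connection, then flags anything not on a short allow-list such as the browser and the package manager. The `ss` output below is constructed; on a live machine replace it with `ss -tunpH` (run as root to see other users’ processes).

```shell
#!/bin/sh
# Added example: "who has an outbound connection right now?" from ss(8) output.
# Columns of `ss -tunp`: Netid State Recv-Q Send-Q Local Peer Process
# The Process column is only filled for sockets you are allowed to inspect
# (your own, or all of them when run as root); otherwise it is empty.

# Constructed sample of `ss -tunp` output (not a real capture).
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
tcp   ESTAB  0      0      192.168.1.23:51234    151.101.1.69:443    users:(("firefox",pid=2345,fd=77))
udp   ESTAB  0      0      192.168.1.23:40711    192.168.1.1:53      users:(("systemd-resolve",pid=611,fd=13))
tcp   ESTAB  0      0      192.168.1.23:33002    140.82.121.4:443    users:(("some-app",pid=4098,fd=9))
tcp   ESTAB  0      0      192.168.1.23:51900    203.0.113.7:8443
EOF
)

# Read ss output on stdin; print one line per established connection as
#   <program>[<pid>] -> <peer>/<proto>
# Unknown program/pid (no Process column) is shown as "?" so it is not hidden.
outbound_by_process() {
    awk '$2 == "ESTAB" {
        prog = "?"; pid = "?"
        if (match($7, /"[^"]*"/))  prog = substr($7, RSTART + 1, RLENGTH - 2)
        if (match($7, /pid=[0-9]+/)) pid  = substr($7, RSTART + 4, RLENGTH - 4)
        printf "%s[%s] -> %s/%s\n", prog, pid, $6, $1
    }'
}

# Same input, but only print connections whose program is NOT in the
# allow-list given as arguments, e.g.:  flag_unexpected firefox pacman
flag_unexpected() {
    allow=" $* "
    outbound_by_process | while IFS= read -r line; do
        prog=${line%%\[*}
        case "$allow" in
            *" $prog "*) ;;                 # expected program, stay quiet
            *) printf '%s\n' "$line" ;;     # anything else is worth a look
        esac
    done
}

# Demo on the constructed sample. Live equivalent:
#   ss -tunpH | flag_unexpected firefox pacman systemd-resolve
printf '%s\n' "$SAMPLE_SS" | flag_unexpected firefox systemd-resolve
```

Run it from a terminal as root to see every user’s processes; run periodically (or under `watch`) it gives a snapshot, not a real-time prompt like OpenSnitch.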

I urge you to look up iptables. It’s pretty much standard on all linux machines.
I think there are a TON of firewall software for you to choose from.
Myself, I have gone the route of protecting my network with a firewall instead. My argument is “if my network is breached and my personal firewall is the only defence, I’m pretty much fkd already anyway”.

The opinion on having a firewall on your computer or not varies a lot; it’s completely up to user preference.

If you want a firewall in line of “windows material” I think you have to be prepared to pay a bit. If you are ready to do a bit of tinkering yourself, a whole other line of personal firewalls opens up.

Because that is not how linux works. YOU have to configure that stuff.
Linux is not and should not be restrictive out of the box imho.
Again, iptables. Block all traffic and start opening up the things you want through.
Hold on to your hat though, these things are not stuff you learn in an afternoon.

But in terms of viruses: they DO exist, just very rarely.
But if you use windows software (including steam games run in proton, unlikely but possible), and therefore wine you can be affected by the same viruses a windows machine does, so you are still vulnerable there.

I actually have a systemd timer running clamav once every week checking my home and stuff wine could potentially have access to.

Today’s result:

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 5
Time: 1388.575 sec (23 m 8 s)
Start Date: 2023:11:26 18:00:02
End Date:   2023:11:26 18:23:10

(the errors can be ignored xD)

That’s a very aggressive stance to take. Why do you think linux does not care about your privacy?

Installing something is ALWAYS you trusting the developer. The same on ALL systems.
The difference is on linux, if it is open source, you can CHECK what the program does (or someone who can read code, the point is it’s available to read) by reading the source code. Can you do that on windows?

You have to drop this mentality where you think everything wants to do evil to you. On windows, I kinda understand that feeling, but this is linux, the whole idea of open source is completely different.

2 Likes

First of all, you have to understand the technical differences in design between GNU/Linux (or UNIX in general) and Microsoft Windows, and where they come from in terms of evolution.

GNU/Linux is a Free Software UNIX implementation, and UNIX was designed from the ground up as a multitasking, multi-user operating system for minicomputers and mainframes. By consequence, it was also designed from the ground up to have a very thorough security implementation, modeled after the Multics mainframe operating system.

In UNIX, nothing is executable unless it is stored as a file on the filesystem, and has explicitly been given execute permission in the filesystem. The POSIX file ownership and permissions are stored in the inode of the file itself.

Now, compare this to Microsoft Windows. Windows started off as a graphical user interface — and in its first iterations, merely a tiling-only window manager — for computers running MS-DOS, a 16-bit single-user operating system designed for a processor that had no privilege separation, no multitasking, and no memory management unit. Anything that ran on top of DOS had direct access to the hardware, and therefore, also to all memory registers.

Later on, Windows started integrating a DOS memory extender and a primitive cooperative multitasking system, but it still ran all of its code with full privileges and full access to the hardware, and it spent more than 70% of its time in the processor’s real mode, which is the only thing DOS itself understood.

Given that DOS was a single-user operating system for non-networked computers and that it used an improved version of the FAT filesystem originally designed for Digital Research’s CP/M, DOS had no way to determine which files would be executable or not. As a matter of fact, it followed CP/M — of which DOS was essentially an illegal 16-bit rewrite by Tim Paterson of Seattle Computer, because CP/M was only 8-bit — in that it would regard any file with a certain filename suffix — .COM, .EXE and .BAT — as executable.

The above, and the fact that DOS allowed anything running on it full access to all memory registers and all of the hardware, made it very easy to write viruses for DOS.

Later on, when Windows was ported to the NT kernel, Windows retained the convention of regarding a file as executable if it had one of the three listed filename suffixes — plus .CMD, which was the designated filename suffix for a batch file that ran in protected mode on OS/2 — while relying on the optional ACL (“Access Control List”) support in the NT kernel, which itself was more or less copied over from the kernel of the VMS operating system.

What this essentially means on account of Microsoft Windows is that Windows is not an integrated platform designed from the ground up as a coherent operating system, but more of an application binary interface ported to a kernel from another, completely different and incompatible operating system, i.e. VMS. As such, underneath its graphical interface, Microsoft Windows is full of holes, and is being held together with duct tape and strangely twisted nuts and bolts.

As a result, Microsoft Windows is still a security nightmare, while UNIX systems (including GNU/Linux) were designed as coherent, robust, secure and scalable operating systems from the get-go.

That is one reason as to why there are fewer viruses for GNU/Linux. A second reason is that GNU/Linux in particular — and this also applies to the various BSDs — is Free & Open Source Software.

This means that the source code is freely available, and that there are more eyes to spot the bugs and the weaknesses — many more than there would be bad guys trying to exploit those bugs and weaknesses — and that due to the vast numbers of developers involved, bugs and security weaknesses are virtually immediately patched as soon as someone comes across them.

Conversely, Microsoft Windows is proprietary and closed-source software, and Microsoft has quite a reputation of relying on security-by-obscurity. By this I mean that when they find a security vulnerability in Windows, they will simply hush-hush about it and pretend that it’s not there until it’s exploited in the wild. Their philosophy is “if no one knows about it, then it won’t get exploited.”

Now, that all said, there is malware for GNU/Linux systems, but most of it is rather of the “proof-of-concept” variety, meaning that it has been proven exploitable under laboratory conditions, and with full or partial cooperation from the system administrator. Also, there is a significant difference between remotely exploitable vulnerabilities and vulnerabilities that can only be exploited by a local user.

Furthermore, malware in the form of worms generally only targets internet-facing servers, not desktops or laptops. And malware designed to infect desktop or laptop machines generally isn’t operating-system-specific, because then we’re talking of malicious browser add-ons, or things that require the user to click on a link on a compromised website, which then installs some malware on their computer, which initially only works in the user’s own account — because the user account is separated from the system, and the user only has write access to their own home directory.

Now, there does indeed exist antivirus software for GNU/Linux, but here’s the thing: it scans for Windows viruses. This is helpful in the event that you want to clean a Windows drive from within GNU/Linux, or if your GNU/Linux machine acts as a mail server for Windows clients and must clean the emails from malware before they get forwarded to the Windows machines.

Of course, antivirus makers are commercial companies, and even though they are perfectly aware of how GNU/Linux is a lot safer than Microsoft Windows, they will still try to make money off of their antivirus products. And therefore, it is in their best corporate interest to keep you scared enough so that you would buy their product.

But that is not the case in GNU/Linux. First of all, the source code is open, and as such, anything phoning home without there being a damn good reason for it would immediately be spoken about within the GNU/Linux community.

Case in point, when Canonical made their deal with Amazon and essentially made Ubuntu into spyware, the whole community immediately responded, and people all around were advising against or even boycotting Ubuntu. And Canonical had to drop out of their deal with Amazon if they wanted Ubuntu to survive.

Secondly, while Windows is a very promiscuous operating system that listens on almost all ports, the default configuration of a UNIX system (including GNU/Linux) is to drop all traffic on all ports unless something is explicitly enabled by the system administrator to be listening for certain connections on certain ports.

In GNU/Linux concretely, the Linux kernel itself is the firewall, and as @bedna says, you can configure and tailor its firewalling behavior with iptables, so that a single GNU/Linux machine can act as a standalone firewall and router for an entire network.

However, on account of userspace programs, nothing will be phoning home without your explicit permission, and therefore you also don’t need to explicitly block any ports. Furthermore, if you’re behind a router with NAT, then the router itself will commonly already contain a firewall.

Now, that said, if you are on a laptop with a wireless connection, then that’s a different story, because then there is the possibility that the traffic between your laptop and the wireless access point gets intercepted.

The most recent standard in wireless protocols provides for a very thorough encryption of the wireless signal, so that it becomes harder for anyone to sniff your wireless connection. But then it still pays to be mindful of what services you enable on your laptop and what not.

If you’re on a laptop and you connect to the internet wirelessly, then you should definitely not have sshd running, or any other remote management software. But on account of your userspace software, you’d be pretty safe, as long as you keep the connection encrypted. And most websites these days also use SSL encryption, so you’re pretty safe already.

That all said, the weakest link in the chain is always the biological unit between the keyboard and the chair. Don’t click on every link that passes before your eyes, don’t click on links in HTML emails unless you’re absolutely certain that they will take you to where they claim to be taking you, don’t download any third-party software from the internet, but only use the repositories and the recommended software from your distribution, and so on.

Lastly, if you insist on using a userspace firewall, there are several packages available in the repositories. But if you actually want real-time information, then you might be better off with an intrusion detection system such as snort or aide — both are available from the AUR.

Hope this helps. :wink:

9 Likes
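Since the thread points at iptables as the kernel’s own firewall and at wanting real-time information on outgoing requests, here is an added example (mine, not from the thread or from any project) of the “block all, then open what you need” approach, extended so that every NEW outgoing connection attempt is logged with the UID that made it, plus a parser that turns those kernel log lines into a per-destination summary. The chain name `OUT_NEW_LOG`, the UID 1000 / port allow rules and the journal lines are constructed assumptions; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example. Part 1 prints iptables rules (IPv4; repeat with ip6tables for
# IPv6) that default-deny outbound traffic and LOG each new connection attempt.
# Part 2 summarises the resulting kernel log lines (journalctl -k).
# Limits: iptables' owner match is per-UID, not per-application; for a
# per-app "allow/deny" prompt the thread's OpenSnitch suggestion applies.

# Part 1: print the ruleset. Review it, then run as root. Policy is set to
# DROP last so an interrupted run cannot lock out the allow rules.
print_outbound_log_rules() {
    cat <<'EOF'
iptables -N OUT_NEW_LOG
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW -j OUT_NEW_LOG
iptables -A OUT_NEW_LOG -m limit --limit 30/min --limit-burst 20 -j LOG --log-prefix "OUT-NEW: " --log-level 4 --log-uid
iptables -A OUT_NEW_LOG -p udp --dport 53 -j ACCEPT
iptables -A OUT_NEW_LOG -m owner --uid-owner 1000 -p tcp --dport 443 -j ACCEPT
iptables -P OUTPUT DROP
EOF
}
# LOG is non-terminating: every new attempt (up to the rate limit) is logged,
# allowed ones are then ACCEPTed, everything else falls back to the DROP policy.

# Constructed journalctl -k lines in the real LOG-target format (not a capture).
SAMPLE_KLOG=$(cat <<'EOF'
Nov 26 18:00:02 host kernel: OUT-NEW: IN= OUT=wlan0 SRC=192.168.1.23 DST=140.82.121.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41211 DF PROTO=TCP SPT=33002 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Nov 26 18:00:05 host kernel: OUT-NEW: IN= OUT=wlan0 SRC=192.168.1.23 DST=192.168.1.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40711 DPT=53 LEN=48 UID=978 GID=978
Nov 26 18:00:09 host kernel: OUT-NEW: IN= OUT=wlan0 SRC=192.168.1.23 DST=140.82.121.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41377 DF PROTO=TCP SPT=33010 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Nov 26 18:00:11 host kernel: OUT-NEW: IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51000 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Nov 26 18:00:12 host kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
EOF
)

# Part 2: read kernel log lines on stdin, print "<count> <PROTO> <DST>:<DPT> uid=<UID>"
# sorted by count. Only lines carrying our prefix are considered; fields that
# are absent (e.g. no DPT for ICMP, no UID for kernel-originated packets) show "?".
summarize_outbound_log() {
    awk '/OUT-NEW: / {
        proto = dst = dpt = uid = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO")    proto = kv[2]
            else if (kv[1] == "DST") dst   = kv[2]
            else if (kv[1] == "DPT") dpt   = kv[2]
            else if (kv[1] == "UID") uid   = kv[2]
        }
        n[proto " " dst ":" dpt " uid=" uid]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Demo on the constructed lines. Live equivalents:
#   journalctl -k --since today | summarize_outbound_log      (summary)
#   journalctl -kf | grep --line-buffered 'OUT-NEW: '          (as it happens)
printf '%s\n' "$SAMPLE_KLOG" | summarize_outbound_log
```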

Without detracting from anything written in previous posts, I’ll just add that there does exist (at least) one application with the feature set you desire.

On MacOS, I (and probably most Mac users) have purchased an app simply known as Little Snitch, which monitors both incoming and outgoing traffic, and warns of potential undesired connections.

There is a project called OpenSnitch which aims to duplicate the functionality of Little Snitch, on Linux.

The use of OpenSnitch and a simple firewall such as GUFW/UFW (correctly configured) should provide adequate protection for a typical Linux desktop environment.

I hope this helps. Cheers.

2 Likes

It is highly recommended to use firewalld instead of ufw.

Firewalld is simpler to use and setup than ufw and it is created for systemd based systems.

The TLDR: setting up incoming traffic block and outgoing traffic information.

sudo pacman -Syu firewalld opensnitch
sudo systemctl enable --now firewalld opensnitchd
3 Likes

And here I thought I was the only one with that opinion…

I can create my own malware in AUR; it will encrypt or delete your important files when run without root permission while offline. That’s easy. A firewall has no effect against this malware. :man_shrugging:

If you want to install unknown random proprietary programs, then you should test them in VM first or never use them. Do not forget to make backups.

4 Likes

I get your point. The firewall is not “what I consider” to be a proactive protection anyway. My main use of a firewall in Window$ is “mainly” for privacy: to be aware of any internet connection going out and to stop it if and when I deem it “unnecessary”.

In some rare instances, a firewall can prevent a malware or a virus from being downloaded onto your system when and if the file you executed tries to connect “outside” in order to download some sh… onto your computer.

Sometimes it is not even a file you click on to execute; it may be some website that you previously visited that may have downloaded something onto your system and is requesting outbound access to the actual malware or virus. Again, if and when a scenario like this happens in Window$, a firewall helps to stop things. Needless to say, a firewall, as you know, is never meant to be virus protection.

Yep! I absolutely get that it is not the stuff you learn overnight! :wink:

Maybe I did put it the wrong way! I could have articulated it a bit better. It’s not that I don’t trust Linux. I do trust Linux. That’s why I switched to Manjaro Linux. 98% of the time, I don’t even bother using Window$. I think my “hard-line” approach comes from my Window$ experience.

I like the way Aragorn put it. Since things in Linux are opensource, the source code is there for anyone to see and analyze.

Open Source is great: anyone who is able is free to improve the code as best they can; anyone who is able, is also free to find ways to exploit the same code, as best as they can. It’s a trade-off, but it keeps people off the streets. :wink:

@BIZDIK

I noticed you haven’t yet addressed OpenSnitch which was previously mentioned; this more than addresses one of your stated needs:

1 Like

If that is the case, here is the following question. Let’s assume that you created a virus or a malware in AUR; can you stay anonymous to protect yourself? In the Package Manager, under details, it lists the details for the AUR package. If your detail info doesn’t check out, you won’t last long. From that point on, you won’t have much of a chance. Will you?

Believe me, I learned my lesson and didn’t need the help of any malware or virus with that!? Sometimes updates are worse than the virus!!?! I installed a bunch of “conflicting” stuff in my system, not knowing what I was doing. When the package manager informed me that there was a 3GB update, I did the update and afterwards I couldn’t boot back up to the Manjaro KDE Plasma desktop. I was locked out. I had to revert back to an old Timeshift image because I didn’t create backup images regularly. Lesson learned, though!!?! I won’t make that mistake again! And I won’t bloat my system with AUR packages. I will keep AUR to a minimum. Since the flatpak packages are self-contained and independent, I’d rather choose flatpaks over AUR. I only have 1 flatpak in my system, the LibreWolf browser, anyway.

@linux-aarhus

Perhaps this thread would be best moved to the Members area, as the OP seems more interested in a chit-chat than solving an actual problem.

Linux certainly isn’t free - people get paid, everything costs money. Whilst there are a few warriors that do a ton of work for nothing (true for Windows and many other things in life), let’s ask Phlim how long he’d continue with Manjaro if the income stream ceased to exist.

The term ‘free’ used in the Windows world generally means ‘likely to be infected with malware, or designed to get money from advertising’.

Look at the downfall of ‘CCleaner’ which was one of the top rated apps when I used Windows in the past.

One of the biggest problems I suffered and also became aware of was the fact that mostly it’s closed source. Loading websites, you’d get flashing warnings to download and scan for malware, and always the paranoia can easily be fixed by getting out your credit card and paying them some money.

Also, you must be aware that MOST people who get Windows don’t exactly ‘pay for it’. They pay for hardware, and get special deals and mostly don’t buy a Windows licence.

I’m pretty convinced that Microsoft fostered a balance of piracy in order to maintain dominance.

@Ben

That’s not entirely accurate.

The cost of the OS is actually factored into the selling price of the (OEM) hardware. The OEM pays Microsoft for a bulk amount of Windows licenses; those costs are then recouped within the selling price of the hardware.

Computer stores buy these computers and stack them nicely upon shelves, with mood lighting, and whatever other sales enhancements they can muster, Mister.

Now the retail store resells that computer, and Mom and Pop consumers pony-up, blissfully unaware that they also paid a license fee for that Windows that came pre-installed on the computer for free.

If you buy a new computer from the local Computer dude, you stand a better chance of seeing the cost of the OS included on an invoice; certainly more so than you ever will when buying off-the-shelf.

So, whether you need it, want it, or not, you pay for it. “That’s not fair”, I hear you cry – and, it’s not; but just you try to get your money back for that (very secretive) monetary value…

Here’s some interesting historical research: using your favourite browser, search for Windows Refund Day. :wink:

1 Like

“There’s no such thing as a free lunch.”

Makes me doubly glad I only buy separate components…

3 Likes

For sure, I only ever bought one - an HP Pavilion, what a piece of junk that turned out to be - 2 years later a new ATX case and PSU, and eventually replaced all the bits and bobs to throw in the case.

There were a lot of threads around from angry folks who want to buy a PC with Linux, and get the ‘Windows Tax’ refunded as @soundofthunder pointed out.

What I was referring to is that very few people ‘buy windows’ because it’s more of a tax built in, anyone who buys a PC donates, even if they don’t want or use Windows - that even includes computers sold with Linux installed.

You do assemble them, at some point, right? :slight_smile:

Yeah, I know.

It makes me sad. And angry. Sangry?

Anyway… at least in Europe, it’s easier and cheaper to get your hands on any non-Windows hardware, like System76, Librem, Tuxedo laptops/computers and so on…

Actually, no.
I take the case to the shop (as I did when the PSU exploded last year) and point out the boxes I want, they then take them to a table and assemble it.

First the PSU, still no good - then add a Mobo and CPU - bingo!!!

30 minutes, pay the bill, go home.

I think just crazy is more accurate… :crazy_face:

WORD!

I remember one guy wanting me to build him a computer. I checked the best quality components of the day, printed a temporary invoice, and he went away to think about it. A few days later, he came back with a list of components that he thought or was advised were better.

His list was filled with components that were cheaper (in more ways than one). So, I sent him to whatever high turnover, low quality computer store was in vogue at the time.

He whined “but I want a Custom PC, they’re better!”

1 Like