Slackware: This Forum is for the discussion of Slackware Linux.
Believe it or not, there are many people who carry their computers with them to various places, and they call these particular portable computers, with affection, "laptops"...
Should I understand that for you it is unimaginable to use Slackware on a laptop you carry with you?
Considering the "feature" of being sent to RTFM for a firewall, well... uh, I tend to agree with you.
The argument I would use for a firewall to be included in Slackware would be this: People in some countries do not have ISPs that provide a modem and a router with a firewall to their customers, nor do they have home internet, or any secure location to install Slackware, so a firewall out of the box would be extremely helpful to these users. I don't know the validity of this statement, but this is the angle I'd go with, along with a proposal for the inclusion of a vetted firewall. I think arno-iptables-firewall would be great. The user has to run the script, do some rudimentary setup, and the source is less than 200 kb in size. Then after figuring all that out, I'd bring out the big puppy dog eyes and argue my case before Slackware's BDFL!
Last edited by RadicalDreamer; 11-15-2021 at 05:06 PM.
At the risk of sounding cranky, may I ask what's a "generic" firewall script?
Been thinking about this too, and I don't think it's possible to find a middle ground here.
At first I figured it was about a generic rule set, which is kinda like proposing a generic rifle: there's no way it'd have sufficient range, or arc, or rate of fire.
The stuff I've seen so far is more about a framework for setting dynamic iptables rules, so to put it mildly, more automation to wrap around iptables and/or nftables.
This'll bring complexity for no reason, and also redundancy. If such a daemon were auto-started on a system already using iptables, it'd flush local rules.
Because of the above, I don't think it'll make writing rules any easier. It'd just change the format of a rule set.
It might make rule set management easier, but there's the cost of increased complexity and possibility of failure where there was none.
But I ended up with all the pit-bulls from the neighborhood running after my sorry arse...
There will probably be resistance to something that is set up, ready to go, and feels intrusive. I think arno-iptables-firewall would have a better chance because it doesn't do anything unless you run the script and finish setting it up, but I'm no network security guru and I am using Slackware as a desktop, so I'm not certain how good this firewall that has been maintained for ~2 decades is. The source is less than 200 kb. It has no dependencies and installing the package doesn't do anything by itself. You have to run the scripts and set it up, so I don't see what the problem would be in having it in Slackware.
Quote:
There will probably be resistance to something that is set up, ready to go, and feels intrusive.
Neither is firewalld intrusive, BTW...
It's a firewall daemon with presets, capable of talking over DBUS. Our NetworkManager and Plasma5 already have support for its integration, and in the end it's just a daemon started with /etc/rc.d/rc.firewalld .
You do not want it? Just blacklist this particular package and uninstall it, then you can iptables this and that, and even that, AS YOU LIKE.
Regarding it being "already set up, ready to go" I confess: I'm guilty!
Last edited by LuckyCyborg; 11-15-2021 at 05:34 PM.
Quote:
Originally Posted by elcore
Been thinking about this too, and I don't think it's possible to find a middle ground here.
Yep, a Generic Firewall would probably be useful for newbs or regular users. Seems like you forgot the days when you were a newb too...
Quote:
Originally Posted by elcore
At first I figured it was about a generic rule set, which is kinda like proposing a generic rifle: there's no way it'd have sufficient range, or arc, or rate of fire.
The stuff I've seen so far is more about a framework for setting dynamic iptables rules, so to put it mildly, more automation to wrap around iptables and/or nftables.
This'll bring complexity for no reason, and also redundancy. If such a daemon were auto-started on a system already using iptables, it'd flush local rules.
Because of the above, I don't think it'll make writing rules any easier. It'd just change the format of a rule set.
It might make rule set management easier, but there's the cost of increased complexity and possibility of failure where there was none.
What "increased complexity" is a 0644 chmoded /etc/rc.d/rc.firewall, as discussed by those guys on this thread?
Eventually, it could be put in a separate package for your pleasure to blacklist it, and come as /etc/rc.d/rc.firewall.new to never override your precious hand-made, tailored firewall.
Everything else is some nice FUD. Well, unless we talk also about a NetworkManager integration - but big bad guys like you do not use it, right?
Last edited by LuckyCyborg; 11-15-2021 at 05:34 PM.
Quote:
Originally Posted by LuckyCyborg
It's a firewall daemon with presets, capable of talking over DBUS. Our NetworkManager and Plasma5 already have support for its integration, and in the end it's just a daemon started with /etc/rc.d/rc.firewalld .
You do not want it? Just blacklist this particular package and uninstall it, then you can iptables this and that, and even that, AS YOU LIKE.
Regarding it being "already set up, ready to go" I confess: I'm guilty!
It has required dependencies that need to be added. Detractors would say go to Slackbuilds and install it for yourself. Why is firewalld better than other firewall offerings?
Quote:
Originally Posted by LuckyCyborg
Yep, a Generic Firewall would probably be useful for newbs or regular users. Seems like you forgot the days when you were a newb too...
That is not true, it's just that the toolkit was much simpler when I started looking into it.
So I'm used to the idea of doing everything by hand, while you on the other hand seem to rely on automation.
How do you fix broken automation if you're not able to fix it by hand, do you rely on the bot author to fix breakage caused by misconfigured bot?
Quote:
Originally Posted by LuckyCyborg
What "increased complexity" is a 0644 chmoded /etc/rc.d/rc.firewall as discussed by those guys on this thread?
It's not, I thought we were talking here about re-inventing firewalld, because that is what you originally requested.
If this was all about requesting a rc script you could've just said so at the start, there's plenty of rc scripts around.
Quote:
Originally Posted by LuckyCyborg
Eventually, it could be put in a separate package for your pleasure to blacklist it
No worries, I don't use slackpkg blacklist to deny a package, but a slackpkg template to accept a package.
And you're right about NetworkManager, there is no such thing here.
I think people are getting bogged down in the weeds with this one.
Rather than setup the firewall rules in rc.firewall, IMO rc.firewall should just run:
iptables-restore /var/lib/iptables/rules
ip6tables-restore /var/lib/iptables/rules6
Leave the admin to populate those rulesets themselves, or if you want to be helpful, perhaps expand the netconfig dialog to present the admin with a choice of some of the more commonly used rulesets when it is run.
As others have pointed out, rulesets are a very personal/site-specific thing. You're not going to find one ruleset that appeases everyone.
Quote:
Originally Posted by GazL
I think people are getting bogged down in the weeds with this one.
Rather than setup the firewall rules in rc.firewall, IMO rc.firewall should just run:
iptables-restore /var/lib/iptables/rules
ip6tables-restore /var/lib/iptables/rules6
Leave the admin to populate those rulesets themselves, or if you want to be helpful, perhaps expand the netconfig dialog to present the admin with a choice of some of the more commonly used rulesets when it is run.
As others have pointed out, rulesets are a very personal/site-specific thing. You're not going to find one ruleset that appeases everyone.
Admin? What admin, GazL?
People today want to watch movies on Youtube, chat on Facebook, and read news. And mainly to watch porn, according to the statistics.
Nope, someone who installs Linux on his computer is not instantly an admin, and many years may pass until he has a vague idea 'bout how to do admin things. And 99.99% of them do not care about those iptables thingies.
This elitist attitude of "admin to do that and this and that", making Slackware usage like attending a University, is in my humble opinion the main cause of this ever-shrinking Slackware community.
People just want to securely watch their favorite porn, not to mess with your "rulesets", buddy!
PS. Some friends of mine say: Slackware is a very nice Linux distribution, where you can even do anything you can do on Ubuntu, and it's only a thousand times harder to learn it.
This is how many people look at Slackware today. I wonder why?
Last edited by LuckyCyborg; 11-16-2021 at 07:58 AM.
As long as you are in a local network, and you are not directly connected to the internet (yes, I know it means the same thing )
Standard users don't need a firewall
GazL forgot to put a smiley in that post, demonstrating another personal twist.
Scripts can do more than setup rulesets. They can also output information when run and contain comments on what a rule does.
Quote:
People just want to securely watch their favorite porn
Good luck with that.
Quote:
PS. Some friends of mine say: Slackware is a very nice Linux distribution, where you can even do anything you can do on Ubuntu, and it's only a thousand times harder to learn it.
Quote:
As long as you are in a local network, and you are not directly connected to the internet (yes, I know it means the same thing )
Standard users don't need a firewall
Security is built in layers.
You may be behind an ISP provided modem/router, but the device may have a flaw. There have been real world examples. Do a web search for 'modem exploit' and 'modem exploit brazil'.
The possibility of wifi password leakage is very real. A friend comes to visit, you handover the wifi password so they can use their phone, then the phone goes missing.
Silly mistakes can happen. You open a port on the modem/router to experiment, then fail to close it. Try that with port 443 and see how long it takes for a bot to sniff it (inside 30 seconds in my experience).
I agree that standard users don't _need_ a firewall, but it does not hurt.
I feel like a ministry of defense meeting with several arms dealers - gentlemen, we seem to be:
1. overly enjoying challenging each other intellectually
2. defending each one's own "added complexity layer" against one quite simple additional complexity layer (intentionally avoiding calling it a "trivial complexity layer")
3. forgetting the basic thing:
Out of the box Slackware is quite resilient and safe even without a running firewall, as long as it is set up per the installer defaults and advice:
short of an ssh service there is no open port, and your browser is a supposedly open source and secure browser updated in a timely manner (heavy sigh towards vivaldi and ungoogled chromium (very very much Kudos to AlienBOB)).
So from the start, a typical Slackware system out of the box isn't quite a disaster waiting to happen really, as far as I can tell.
That aside, a default firewall, accepting only --state ESTABLISHED,RELATED connections, would only bolster the otherwise flawless track record - we're not fighting to save a sinking ship really.
Yes, a default firewall is that simple - no fancy services, no special ifs, caveats or unfathomable exotic circumstances or unforeseeable dangers!
And by all means I really like that NetworkManager wrapper (@GazL), my bad, I meant @allend; pardon my French but I'm off to steal it shamelessly right away!
Gentlemen?
Last edited by SCerovec; 11-16-2021 at 03:13 PM.
Reason: bad user mention
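The two concrete proposals in this thread, GazL's "rc.firewall should just restore admin-maintained rule files" and SCerovec's "a default firewall accepting only ESTABLISHED,RELATED is that simple", fit together in one script. The following is an added example written for this thread, not code from any poster or from Slackware; the rule file paths are the ones GazL named, while the seeding of a default IPv4 ruleset, the --test pre-check and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not the thread's or Slackware's own code): an rc.firewall that
# restores admin-maintained rule files as GazL proposes, seeding the IPv4 file with
# the "ESTABLISHED,RELATED only" default SCerovec describes when none exists yet.
# Paths follow the thread; the seeding step and function names are my own choices.
RULES_DIR="${RULES_DIR:-/var/lib/iptables}"
RULES4="$RULES_DIR/rules"
RULES6="$RULES_DIR/rules6"

# Minimal default policy in iptables-save format: drop unsolicited inbound traffic,
# allow loopback, replies to our own connections (conntrack form of --state) and ICMP.
default_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Create the IPv4 rules file only if the admin has not written one: returns 0 when
# a file was created, 1 when an existing file was left untouched.
seed_rules() {
    [ -s "$RULES4" ] && return 1
    mkdir -p "$RULES_DIR" && default_ruleset > "$RULES4" && chmod 0600 "$RULES4"
}

# Parse a ruleset without committing it (iptables-restore --test), so a typo in the
# file fails loudly instead of silently leaving the box with no rules at all.
check_rules() { [ -s "$1" ] && "$2" --test < "$1"; }

firewall_start() {
    seed_rules || true
    check_rules "$RULES4" iptables-restore  && iptables-restore  < "$RULES4"
    check_rules "$RULES6" ip6tables-restore && ip6tables-restore < "$RULES6"
}

# "stop" reopens the box: flush every rule and accept everything again.
firewall_stop() {
    for ipt in iptables ip6tables; do $ipt -F && $ipt -P INPUT ACCEPT && $ipt -P FORWARD ACCEPT; done
}

case "${1:-}" in
    start)   firewall_start ;;
    stop)    firewall_stop ;;
    restart) firewall_stop; firewall_start ;;
    status)  iptables -S; ip6tables -S ;;
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2 ;;
esac
```

Because the script only ever restores what is in the two files, an admin who wants a different policy edits /var/lib/iptables/rules rather than the script, which is the separation GazL was arguing for.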