LinuxQuestions.org, Slackware forum. This forum is for the discussion of Slackware Linux.
As long as you are in a local network, and you are not directly connected to the internet (yes, I know it means the same thing)
Standard users don't need a firewall
However, since we have a feature in the Plasma settings that requires firewalld or ufw
I don't see any reason not to add one of them
Last edited by marav; 11-17-2021 at 04:12 PM.
Reason: typo
Quote:
Originally Posted by marav
However, since we have a feature in the Plasma settings that requires firewalld or ufw
I don't see any reason not to add one of the two
Additionally, firewalld has full integration not only with Plasma5 (and Gnome3, for what it matters) but also with NetworkManager, and it also has a cool and powerful graphical configuration tool; and of course the command line tools are available too.
That's right, firewalld lets you assign a security zone to each Ethernet interface and each WiFi connection in NetworkManager. And each security zone is editable; you can define hundreds of security zones and interconnect them as you like.
So, for example, you can set up the "public" security zone for a public WiFi hotspot in a park or coffee shop, while assigning the "home" security zone to your connection to the personal WiFi router at your own home and the "work" security zone to your office WiFi.
Try to do this with scripts and iptables, buddies!
I believe it's ironic that Slackware -current is already ready for firewalld: just install it (along with its two small dependencies) and you get a super nice and powerful firewall made by RedHat for RHEL, and you people continue to slur around iptables and scripts...
Anyway, I believe that any firewall is better than none. So sincerely I wish you guys all good luck with this thread and your Generic Firewall!
PS. In the attached screenshot, you can see the firewalld's systray applet on Plasma5, to understand what I mean by "firewalling for the regular users, not for Gurus!" ...
Last edited by LuckyCyborg; 11-16-2021 at 03:22 PM.
Quote:
Originally Posted by LuckyCyborg
PS. In the attached screenshot, you can see the firewalld's systray applet on Plasma5, to understand what I mean by "firewalling for the regular users, not for Gurus!" ...
It reminds me of the firewall I used with Windows 2000-7. It brings back memories of TinyWall (I bet that is its inspiration)! Yes Windows users would probably feel more comfortable with firewalld.
I believe if enough people beg for it, describing how they can't live without it (think PAM users) that it might be added to 15.1 or 15.2. It is like PAM, it does all these things but then it creates more vectors of attack. Only 1 CVE according to this website so it appears to be pretty secure.
"firewalld.py in firewalld before 0.4.3.3 allows local users to bypass authentication and modify firewall configurations via the (1) addPassthrough, (2) removePassthrough, (3) addEntry, (4) removeEntry, or (5) setEntries D-Bus API method.
Publish Date : 2017-04-19 Last Update Date : 2017-04-25" https://www.cvedetails.com/cve/CVE-2016-5410/
Until then how about something else with no dependencies like arno-iptables-firewall so that 15's release won't be delayed?
Quote:
Originally Posted by RadicalDreamer
It reminds me of the firewall I used with Windows 2000-7.
Just because it has desktop integration?
Quote:
Originally Posted by RadicalDreamer
It brings back memories of TinyWall (I bet that is its inspiration)!
Did you try to install firewalld to see what it offers? It has nothing to do with the TinyWall interface.
Quote:
Originally Posted by RadicalDreamer
Yes Windows users would probably feel more comfortable with firewalld.
Only the Windows users? You are kidding.
After installing it and using it for several days, I started to believe that firewalld is the best firewall available for Linux and that it brings unprecedented convenience in handling a firewall.
Quote:
Originally Posted by RadicalDreamer
I believe if enough people beg for it, describing how they can't live without it (think PAM users) that it might be added to 15.1 or 15.2. It is like PAM, it does all these things but then it creates more vectors of attack. Only 1 CVE according to this website so it appears to be pretty secure.
firewalld is not like PAM, spreading its tentacles over hundreds of packages.
It's just a rather small piece of software written in Python3 and it can be installed and uninstalled at will. In fact, you just have to "chmod -x" its rc.firewalld and it will be shut down, then continue with iptables as you wish.
Code:
root@darkstar:/root/firewalld# ls -lh *.t?z
-rw-r--r-- 1 root root 19K Nov 16 20:35 decorator-5.0.7-x86_64-2ponce.tgz
-rw-r--r-- 1 root root 1.6M Nov 16 20:44 firewalld-1.0.1-x86_64-1_SBo.tgz
-rw-r--r-- 1 root root 59K Nov 16 20:35 python-slip-0.6.5-x86_64-1ponce.tgz
Quote:
Originally Posted by RadicalDreamer
"firewalld.py in firewalld before 0.4.3.3 allows local users to bypass authentication and modify firewall configurations via the (1) addPassthrough, (2) removePassthrough, (3) addEntry, (4) removeEntry, or (5) setEntries D-Bus API method.
Publish Date : 2017-04-19 Last Update Date : 2017-04-25" https://www.cvedetails.com/cve/CVE-2016-5410/
Well, this CVE from 2017 is for firewalld releases before 0.4.3.3, and if we are lucky we will get the latest version 1.0.1 on Slackware, so I guess we will probably not be affected by it.
Quote:
Originally Posted by RadicalDreamer
Until then how about something else with no dependencies like arno-iptables-firewall so that 15's release won't be delayed?
No offense, but firewalld is light years away from this arno-iptables-firewall
I attached a screenshot of its Firewall Configuration tool and the System Settings' Network page from Plasma5, where the new option to choose a Firewall Zone is visible, which, like LC said, is configurable for every Internet connection.
Only this feature is enough to make it vastly superior to any other available firewall solution, but there's much more.
And you have plenty of options to configure your very personal and ultra customized firewall. True, with checkboxes and input lines instead of myriads of ACCEPT/DROP/REJECT lines in a script, the way the elders RTFMed over the last 50 years.
However, I think there is also a nice and green place for them with the firewall-cmd console tool.
The best thing is that nothing looks hardcoded; the firewall uses XML files for configuration, e.g. for zones, etc.
So, Mr. Volkerding would be able to customize the default behavior of the shipped firewalld as he likes, if there will be one.
For example, the "home" zone looks like the following:
Code:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <forward/>
</zone>
Last edited by ZhaoLin1457; 11-16-2021 at 05:24 PM.
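As an added example (not firewalld's own code and not from any poster in this thread), here is a small Python auditor that reads zone files in the XML format quoted above and reports what each zone opens, flagging the things a practitioner would want to catch before assigning a zone to a coffee-shop hotspot. firewalld keeps its shipped defaults under /usr/lib/firewalld/zones/ and admin overrides under /etc/firewalld/zones/; the two sample zones embedded below, the set of zone names treated as "untrusted", and the lists of risky services and ports are all constructed for this example and are not firewalld policy.

```python
"""Audit firewalld zone XML files for risky exposure.

Added example for this thread; it is not firewalld's own code. It parses the
zone file format quoted above (shipped defaults live in /usr/lib/firewalld/zones/,
admin overrides in /etc/firewalld/zones/) and reports what each zone opens. The
sample zones, the set of zone names treated as untrusted, and the lists of risky
services and ports are all constructed for this example.
"""
import glob
import os
import sys
import xml.etree.ElementTree as ET

# Constructed samples: the "home" zone from the post, and a "public" zone that
# someone has loosened by ticking boxes in the GUI.
SAMPLE_ZONES = {
    "home": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <description>For use in home areas.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <forward/>
</zone>
""",
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="samba"/>
  <port port="3389" protocol="tcp"/>
</zone>
""",
}

# Hypothetical policy for this example, not anything firewalld itself defines.
UNTRUSTED_ZONES = {"public", "drop", "block"}
RISKY_SERVICES = {"ssh", "samba", "samba-client", "mdns"}
RISKY_PORTS = {("3389", "tcp"), ("445", "tcp"), ("139", "tcp")}


def parse_zone(xml_text):
    """Return a dict of what a zone file opens; raises ValueError if not a zone."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    return {
        "target": root.get("target", "default"),
        "services": sorted(s.get("name") for s in root.findall("service")),
        "ports": sorted((p.get("port"), p.get("protocol")) for p in root.findall("port")),
        "forward": root.find("forward") is not None,
        "masquerade": root.find("masquerade") is not None,
    }


def audit_zone(name, zone):
    """Return a list of findings (strings) for one parsed zone."""
    findings = []
    if name in UNTRUSTED_ZONES:
        for svc in zone["services"]:
            if svc in RISKY_SERVICES:
                findings.append(f"{name}: service '{svc}' open on an untrusted zone")
        for port, proto in zone["ports"]:
            if (port, proto) in RISKY_PORTS:
                findings.append(f"{name}: port {port}/{proto} open on an untrusted zone")
    if zone["forward"]:
        # firewalld 1.0: <forward/> enables forwarding between interfaces of the same zone.
        findings.append(f"{name}: intra-zone forwarding enabled (<forward/>)")
    if zone["masquerade"]:
        findings.append(f"{name}: masquerade (NAT) enabled")
    return findings


def audit_all(zones):
    """Map zone name -> findings for a dict of {name: xml_text}."""
    return {name: audit_zone(name, parse_zone(xml)) for name, xml in zones.items()}


def load_zone_dir(path):
    """Read every *.xml in a firewalld zones directory into {name: xml_text}."""
    zones = {}
    for path_xml in sorted(glob.glob(os.path.join(path, "*.xml"))):
        with open(path_xml, encoding="utf-8") as fh:
            zones[os.path.basename(path_xml)[:-4]] = fh.read()
    return zones


if __name__ == "__main__":
    # Usage: python3 zone_audit.py [/etc/firewalld/zones]  (samples if no path given)
    zones = load_zone_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ZONES
    for name, findings in audit_all(zones).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Point it at /etc/firewalld/zones to audit the overrides that the GUI writes; a "public" zone into which someone has clicked ssh and samba is exactly the case the per-connection zone assignment is meant to prevent. Note that `<forward/>` in firewalld 1.0 means forwarding between interfaces that sit in the same zone, which matters on a laptop that ends up with two active connections in "home". The auditor ignores rich rules and the zone's `target` attribute beyond reporting it, so treat a clean result as a starting point, not a verdict.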
I stated some months ago that I'd like to see Arno's Iptables Firewall included in Slackware. It's an excellent frontend, and in my opinion it fits the Slackware philosophy nicely. It doesn't have to be activated by default.
As for firewalld, yet another Red Hat contribution? Please spare me.
No, I haven't tried it. Firewall zones sound interesting but I don't have a need for them at the moment. Can you configure and operate it without the GUI? Some may not want to use Wayland or X. Is it activated by default? You guys are doing good at explaining stuff.
Quote:
Originally Posted by Gerard Lally
I stated some months ago that I'd like to see Arno's Iptables Firewall included in Slackware. It's an excellent frontend, and in my opinion it fits the Slackware philosophy nicely. It doesn't have to be activated by default.
Excuse my ignorance, but I understand that until now, the Slackware philosophy for firewalls is: go and RTFM until you get your MBA.
Is something more there?
Anyway, Arno's Iptables Firewall has no ability to integrate with NetworkManager and have presets per connection, which in my eyes makes it lose 1 trillion points.
Quote:
Originally Posted by Gerard Lally
As for firewalld, yet another Red Hat contribution? Please spare me.
Well, at least it does not hard-depend on systemd, though I think there are supplementary features available only when it's used.
And it also has a command line tool, firewall-cmd, which I think is quite in line with, well... Slackware's console philosophy.
Quote:
Excuse my ignorance, but I understand that until now, the Slackware philosophy for firewalls is: go and RTFM until you get your MBA.
Is something more there?
Anyway, Arno's Iptables Firewall has no ability to integrate with NetworkManager and have presets per connection, which in my eyes makes it lose 1 trillion points.
Apologies for the suggestion. I don't use Network Manager, so I've no idea how far short Arno's firewall falls on that score.
I'm sorry for your loss. You missed something really cool.
Quote:
Originally Posted by RadicalDreamer
Firewall zones sound interesting but I don't have a need for them at the moment.
Think of them as sets of presets from which you can choose the one you like most.
Quote:
Originally Posted by RadicalDreamer
Can you configure and operate it without the GUI? Some may not want to use Wayland or X.
Yes, like I said, it has a command line tool named firewall-cmd which works without a GUI. I have not tried to use it yet, but there is plenty of documentation on the Internet.
Also, its configuration files are human readable, in the form of XML files, which can, if needed, be edited by hand.
Quote:
Originally Posted by RadicalDreamer
Is it activated by default?
firewalld is basically a daemon written in Python3 and controlled by an init script named "/etc/rc.d/rc.firewalld", which comes as non-executable, at least with the build made from SBo.
So, nope. It's not activated by default.
Quote:
Originally Posted by RadicalDreamer
You guys are doing good at explaining stuff.
Thank you.
Last edited by ZhaoLin1457; 11-16-2021 at 06:09 PM.
Quote:
Originally Posted by Gerard Lally
Apologies for the suggestion. I don't use Network Manager, so I've no idea how far short Arno's firewall falls on that score.
I apologize too, but as someone who "wears" his laptop from home to job (school, I am a teacher) and to various other places like parks, events, etc., I started to love NetworkManager and I consider it quite useful for connecting to various WiFi hotspots.
And while using Linux on it, I always had lingering regrets about Windows' ability to configure its firewall per Internet connection. Thanks to the discussion on this forum, I've found this feature too.
Honestly, I think that not all things invented by Microsoft or RedHat are bad; they also had many good ideas. Dynamic Firewall is one of them, and an exceptionally useful one.
Last edited by ZhaoLin1457; 11-16-2021 at 05:58 PM.
Quote:
Originally Posted by ZhaoLin1457
Honestly, I think that not all things invented by Microsoft or RedHat are bad; they also had many good ideas.
Certainly some of the software firewalls that were written FOR Microsoft Windows were great. Look 'n' Stop was a little gem ; then the developer just vanished.
As far as Red Hat are concerned, they talk the talk, but they were only ever interested in the RH profit margin. Anything they contributed to Open Source they contributed with one eye on their margin. They also left software in a half-finished state, while they tried to decide exactly what they were and who they were catering to.
Quote:
Originally Posted by ZhaoLin1457
I apologize too, but as someone who "wears" his laptop from home to job (school, I am a teacher) and to various other places like parks, events, etc., I started to love NetworkManager and I consider it quite useful for connecting to various WiFi hotspots.
Do you alter your firewall much depending on location and purpose? How so?
arno-iptables-firewall is made of bash scripts and doesn't require a GUI to be easy to use. firewall-cmd looks cumbersome at a glance.
I don't see why both couldn't be added. arno-iptables-firewall's source is less than 200 kb and it has no dependencies. I don't think there is a competition between the two firewall solutions.
Interesting that some posters who seem to be at levels comfortably above the average user are complaining about the perceived complexity of iptables. While it can cause some fun when adding bells and whistles, it's not so difficult to grasp. That said, if someone prefers to use firewalld, ufw, or arno-iptables-firewall, there's nothing wrong with that and I'd support such an addition to Slackware. After all, by my count if I want to browse the web I have the choice of no less than six web browsers, for email there are seven options, countless text editors, and so forth, so adding another firewall option really doesn't seem worth objecting to. It doesn't in any way impinge on the freedom to use iptables or nftables, and if it makes it easier for someone to avoid their machine being sucked into a botnet, it's better for the rest of us.
Including a basic initial iptables ruleset also seems to be more than reasonable, again we have the freedom to change it at will. The installer could even detect when it's being run from an SSH connection and open inbound connections to port 22, to deal with concerns raised by those who install on remote machines.
From the perspective of security starting before we get to the firewall, the era of running sshd by default should be behind us, and I suggest that the installer should default to not enabling it. It's easy to enable when we know we need it, and not enabling it by default might just result in a few fewer instances of sshd listening to anyone who wants to connect.
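An added example illustrating the two suggestions above (a basic default ruleset, and an installer that notices it is being driven over SSH and keeps port 22 reachable); it is not Slackware's installer and not any firewall script that ships with a distribution. The function names, the use of sshd's SSH_CONNECTION variable as the detection signal, and the choice to admit port 22 only from the installing client's address rather than from anywhere are this example's own assumptions.

```python
"""Baseline iptables ruleset that opens SSH only to the installing client.

Added example for this thread; it is not Slackware's installer nor any firewall
script that ships with a distribution. It writes iptables-restore(8) text for
the filter table: default-deny inbound, loopback and established traffic
allowed, and port 22 admitted only from the address the current SSH session
came from (OpenSSH's sshd exports that in SSH_CONNECTION), not from anywhere.
"""
import ipaddress
import os
import sys


def ssh_client_ip(ssh_connection):
    """Return the client address from sshd's SSH_CONNECTION value, or None.

    SSH_CONNECTION is "client_ip client_port server_ip server_port". Anything
    malformed (or absent, i.e. a local console install) yields None so that
    no SSH rule is emitted at all.
    """
    if not ssh_connection:
        return None
    parts = ssh_connection.split()
    if len(parts) != 4:
        return None
    try:
        return str(ipaddress.ip_address(parts[0]))
    except ValueError:
        return None


def baseline_rules(ssh_client=None, family="iptables"):
    """Return the filter-table rules as a list of iptables-restore lines.

    family selects the ICMP rule: "iptables" for IPv4, "ip6tables" for IPv6
    (ICMPv6 must stay open or neighbour discovery breaks).
    """
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    if family == "ip6tables":
        rules.append("-A INPUT -p ipv6-icmp -j ACCEPT")
    else:
        rules.append("-A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
    if ssh_client is not None:
        # Only the host driving this install may open new connections to 22.
        rules.append(
            f"-A INPUT -p tcp -s {ssh_client} --dport 22 "
            "-m conntrack --ctstate NEW -j ACCEPT"
        )
    rules.append("COMMIT")
    return rules


def rules_for_environment(env=None):
    """Pick the address family and build the ruleset from the environment."""
    env = os.environ if env is None else env
    client = ssh_client_ip(env.get("SSH_CONNECTION"))
    family = "ip6tables" if client is not None and ":" in client else "iptables"
    return family, baseline_rules(client, family)


if __name__ == "__main__":
    # Usage: python3 baseline_fw.py | iptables-restore   (or ip6tables-restore)
    family, rules = rules_for_environment()
    sys.stderr.write(f"# load with {family}-restore\n")
    print("\n".join(rules))
```

Two caveats a practitioner should keep in mind. First, pinning port 22 to the installing client's address is the safe default for the install itself, but if that client sits behind NAT or gets a new address later, the box becomes unreachable over SSH until someone with console access widens the rule; that is a deliberate trade against leaving 22 open to the world. Second, this complements rather than replaces the point about sshd: a DROP policy protects a listening sshd, but not starting sshd by default is the cheaper fix and works even when no firewall is loaded.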