LinuxQuestions.org
Old 11-16-2021, 11:17 AM   #31
marav
LQ Sage
 
Registered: Sep 2018
Location: Gironde
Distribution: Slackware
Posts: 5,399

Rep: Reputation: 4135

Quote:
Originally Posted by marav View Post
My

As long as you are in a local network, and you are not directly connected to the internet (yes, I know it means the same thing)
Standard users don't need a firewall
However, since we have a feature in the Plasma settings that requires firewalld or ufw
I don't see any reason not to add one of them

Last edited by marav; 11-17-2021 at 04:12 PM. Reason: typo
 
4 members found this post helpful.
Old 11-16-2021, 01:00 PM   #32
LuckyCyborg
Senior Member
 
Registered: Mar 2010
Posts: 3,547

Rep: Reputation: 3397
Quote:
Originally Posted by marav View Post
However, since we have a feature in the Plasma settings that requires firewalld or ufw
I don't see any reason not to add one of the two
Additionally, firewalld has full integration not only with Plasma5 (and Gnome3, for what it matters) but also with NetworkManager, and it also has a cool and powerful graphical configuration tool - and of course, the command line tools are also available.

That's right, firewalld permits assigning a security zone to each Ethernet interface and each WiFi connection in NetworkManager. And each security zone is editable and you can define hundreds of security zones, and interconnect them as you like.

So, for example you can setup the "public" security zone for a public WiFi hotspot from a park or coffee shop, while assigning the "home" security zone for your connection to personal WiFi router from your own home and the "work" security zone for your office WiFi.

Try to do this on scripts and iptables, buddies!

I believe it's ironic that Slackware -current is already ready for firewalld - just install it (along with its two small dependencies) and you get a super nice and powerful firewall made by RedHat for RHEL, and you people continue to slur around iptables and scripts...

Anyway, I believe that any firewall is better than none. So sincerely I wish you guys all good luck with this thread and your Generic Firewall!

PS. In the attached screenshot, you can see the firewalld's systray applet on Plasma5, to understand what I mean by "firewalling for the regular users, not for Gurus!" ...
Attached Thumbnails: Screenshot_20211116_211120.jpg

Last edited by LuckyCyborg; 11-16-2021 at 03:22 PM.
 
3 members found this post helpful.
Old 11-16-2021, 03:40 PM   #33
RadicalDreamer
Senior Member
 
Registered: Jul 2016
Location: USA
Distribution: Slackware64-Current
Posts: 1,816

Rep: Reputation: 982
Quote:
Originally Posted by LuckyCyborg View Post
PS. In the attached screenshot, you can see the firewalld's systray applet on Plasma5, to understand what I mean by "firewalling for the regular users, not for Gurus!" ...
It reminds me of the firewall I used with Windows 2000-7. It brings back memories of TinyWall (I bet that is its inspiration)! Yes Windows users would probably feel more comfortable with firewalld.

I believe if enough people beg for it, describing how they can't live without it (think PAM users) that it might be added to 15.1 or 15.2. It is like PAM, it does all these things but then it creates more vectors of attack. Only 1 CVE according to this website so it appears to be pretty secure.
"firewalld.py in firewalld before 0.4.3.3 allows local users to bypass authentication and modify firewall configurations via the (1) addPassthrough, (2) removePassthrough, (3) addEntry, (4) removeEntry, or (5) setEntries D-Bus API method.
Publish Date : 2017-04-19 Last Update Date : 2017-04-25"
https://www.cvedetails.com/cve/CVE-2016-5410/

Until then how about something else with no dependencies like arno-iptables-firewall so that 15's release won't be delayed?
 
1 members found this post helpful.
Old 11-16-2021, 05:03 PM   #34
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,032

Rep: Reputation: 1238
Quote:
Originally Posted by RadicalDreamer View Post
It reminds me of the firewall I used with Windows 2000-7.
Just because it has desktop integration?

Quote:
Originally Posted by RadicalDreamer View Post
It brings back memories of TinyWall (I bet that is its inspiration)!
Did you try installing firewalld to see what it offers? It has nothing to do with the TinyWall interface.

Quote:
Originally Posted by RadicalDreamer View Post
Yes Windows users would probably feel more comfortable with firewalld.
Only the Windows users? You are kidding.

After installing it and using it several days, I started to believe that the firewalld is the best firewall available for Linux OS and it brings up an unprecedented convenience on handling a firewall.

Quote:
Originally Posted by RadicalDreamer View Post
I believe if enough people beg for it, describing how they can't live without it (think PAM users) that it might be added to 15.1 or 15.2. It is like PAM, it does all these things but then it creates more vectors of attack. Only 1 CVE according to this website so it appears to be pretty secure.
The firewalld is not like PAM, to spread its tentacles on hundreds of packages.

It's just a rather small piece of software written in Python3 and it can be installed and uninstalled at will. In fact, you just have to "chmod -x" its rc.firewalld and it will be put down, and then you can continue with iptables as you wish.

Code:
root@darkstar:/root/firewalld# ls -lh *.t?z
-rw-r--r-- 1 root root  19K Nov 16 20:35 decorator-5.0.7-x86_64-2ponce.tgz
-rw-r--r-- 1 root root 1.6M Nov 16 20:44 firewalld-1.0.1-x86_64-1_SBo.tgz
-rw-r--r-- 1 root root  59K Nov 16 20:35 python-slip-0.6.5-x86_64-1ponce.tgz
Quote:
Originally Posted by RadicalDreamer View Post
"firewalld.py in firewalld before 0.4.3.3 allows local users to bypass authentication and modify firewall configurations via the (1) addPassthrough, (2) removePassthrough, (3) addEntry, (4) removeEntry, or (5) setEntries D-Bus API method.
Publish Date : 2017-04-19 Last Update Date : 2017-04-25"
https://www.cvedetails.com/cve/CVE-2016-5410/
Well, this CVE from 2017 is for firewalld releases before 0.4.3.3 and if we are lucky, we will get the latest version 1.0.1 on Slackware, so I guess we will probably not be affected by it.

Quote:
Originally Posted by RadicalDreamer View Post
Until then how about something else with no dependencies like arno-iptables-firewall so that 15's release won't be delayed?
No offense, but firewalld is light years away from this arno-iptables-firewall.

I attached a screenshot with its Firewall Configuration tool and the System Settings' Network page from Plasma5, where the new option to choose a Firewall Zone is visible, which, like LC said, is configurable for every Internet connection.

Only this feature is enough to make it vastly superior to any other available firewall solution, but there's much more.

And you have plenty of options to configure your very personal and ultra customized firewall. True, with checkboxes and input lines instead of myriads of ACCEPT/DROP/REJECT lines in a script, as the elder ones RTFMed in the last 50 years.

However, I think there is also a nice and green place for them, with the firewall-cmd tool for the console.

The best thing is that nothing looks to be hardcoded; the firewall uses some XML files for configuration, e.g. zones, etc.

So, Mr. Volkerding would be able to customize as he likes the default behavior of the shipped firewalld, if there will be one.

For example, the "home" zone looks like the following code:
Code:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <forward/>
</zone>
Attached Thumbnails: Screenshot_20211117_003338.jpg

Last edited by ZhaoLin1457; 11-16-2021 at 05:24 PM.
 
2 members found this post helpful.
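Added example (not part of the original posts and not firewalld's own code): because zones are plain XML, as the "home" zone in post #34 shows, a short Python script can report what a zone accepts, flag services outside an allow-list, and show what opens up when a connection moves from one zone to another. The `PUBLIC_ZONE_XML` sample, the allow-list and the function names are assumptions made up for this illustration.

```python
import xml.etree.ElementTree as ET

# The "home" zone quoted in post #34 (description shortened).
HOME_ZONE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <description>For use in home areas.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <forward/>
</zone>
"""

# Constructed sample: a stricter zone for untrusted hotspots (hypothetical content).
PUBLIC_ZONE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""


def audit_zone(xml_data, allowed_services=()):
    """Summarise what a zone accepts and list services outside the allow-list."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    if root.tag != "zone":
        raise ValueError("root element is <%s>, expected <zone>" % root.tag)
    services = [s.get("name") for s in root.findall("service")]
    ports = [(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    return {
        "name": (root.findtext("short") or "").strip(),
        "target": root.get("target", "default"),  # absent attribute = default target
        "services": services,
        "ports": ports,
        "forward": root.find("forward") is not None,
        "masquerade": root.find("masquerade") is not None,
        "unexpected": sorted(set(services) - set(allowed_services)),
    }


def newly_exposed(old_xml, new_xml):
    """Services and ports open in the new zone that the old zone kept closed."""
    def opened(zone):
        return set(zone["services"]) | {"%s/%s" % p for p in zone["ports"]}
    return sorted(opened(audit_zone(new_xml)) - opened(audit_zone(old_xml)))


if __name__ == "__main__":
    # Hypothetical policy: on a laptop only DHCPv6 replies should be let in.
    report = audit_zone(HOME_ZONE_XML, allowed_services={"dhcpv6-client"})
    print("zone %(name)s, target %(target)s, forward=%(forward)s" % report)
    print("services outside the allow-list:", ", ".join(report["unexpected"]))
    print("opened by switching public -> home:",
          ", ".join(newly_exposed(PUBLIC_ZONE_XML, HOME_ZONE_XML)))
```
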
Old 11-16-2021, 05:25 PM   #35
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Leinster, IE
Distribution: Slackware, NetBSD
Posts: 2,190

Rep: Reputation: 1766
I stated some months ago that I'd like to see Arno's Iptables Firewall included in Slackware. It's an excellent frontend, and in my opinion it fits the Slackware philosophy nicely. It doesn't have to be activated by default.

As for firewalld, yet another Red Hat contribution? Please spare me.
 
2 members found this post helpful.
Old 11-16-2021, 05:31 PM   #36
RadicalDreamer
Senior Member
 
Registered: Jul 2016
Location: USA
Distribution: Slackware64-Current
Posts: 1,816

Rep: Reputation: 982
No, I haven't tried it. Firewall zones sound interesting but I don't have a need for them at the moment. Can you configure and operate it without the GUI? Some may not want to use Wayland or X. Is it activated by default? You guys are doing good at explaining stuff.
 
Old 11-16-2021, 05:37 PM   #37
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,032

Rep: Reputation: 1238
Quote:
Originally Posted by Gerard Lally View Post
I stated some months ago that I'd like to see Arno's Iptables Firewall included in Slackware. It's an excellent frontend, and in my opinion it fits the Slackware philosophy nicely. It doesn't have to be activated by default.
Excuse my ignorance, but I understand that until now, the Slackware philosophy for firewalls is: go and RTFM until you get your MBA.

Is there something more?

Anyway, Arno's Iptables Firewall has no ability to integrate with NetworkManager and to have presets per connection, which in my eyes made it lose 1 trillion points.

Quote:
Originally Posted by Gerard Lally View Post
As for firewalld, yet another Red Hat contribution? Please spare me.
Well, at least it does not hard-depend on systemd, even though I think that there are supplementary features available only when it's used.

And it also has a command line tool; firewall-cmd, I think, is quite traditional with, well... Slackware's console philosophy.
 
Old 11-16-2021, 05:42 PM   #38
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Leinster, IE
Distribution: Slackware, NetBSD
Posts: 2,190

Rep: Reputation: 1766
Quote:
Originally Posted by ZhaoLin1457 View Post
Excuse my ignorance, but I understand that until now, the Slackware philosophy for firewalls is: go and RTFM until you get your MBA.

Is there something more?

Anyway, Arno's Iptables Firewall has no ability to integrate with NetworkManager and to have presets per connection, which in my eyes made it lose 1 trillion points.
Apologies for the suggestion. I don't use Network Manager, so I've no idea how far short Arno's firewall falls on that score.
 
Old 11-16-2021, 05:48 PM   #39
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,032

Rep: Reputation: 1238
Quote:
Originally Posted by RadicalDreamer View Post
No, I haven't tried it.
I'm sorry for your loss. You missed something really cool.

Quote:
Originally Posted by RadicalDreamer View Post
Firewall zones sound interesting but I don't have a need for them at the moment.
Think about them as being sets of presets from which you can choose the one you like most.

Quote:
Originally Posted by RadicalDreamer View Post
Can you configure and operate it without the GUI? Some may not want to use Wayland or X.
Yes, like I said, it has a command line tool named firewall-cmd which works without a GUI. I have not tried to use it yet, but there is plenty of documentation on the Internet.

Also, its configuration files are human readable, in the form of XML files, which can be eventually edited by hand.

Quote:
Originally Posted by RadicalDreamer View Post
Is it activated by default?
firewalld is basically a daemon written in Python3 and controlled by an init script named "/etc/rc.d/rc.firewalld", which comes as non-executable, at least with the build made from SBo.

So, nope. It's not activated by default.

Quote:
Originally Posted by RadicalDreamer View Post
You guys are doing good at explaining stuff.
Thank you.

Last edited by ZhaoLin1457; 11-16-2021 at 06:09 PM.
 
2 members found this post helpful.
Old 11-16-2021, 05:57 PM   #40
ZhaoLin1457
Senior Member
 
Registered: Jan 2018
Posts: 1,032

Rep: Reputation: 1238
Quote:
Originally Posted by Gerard Lally View Post
Apologies for the suggestion. I don't use Network Manager, so I've no idea how far short Arno's firewall falls on that score.
I apologize too, but as someone who "wears" his laptop from home to job (school, I am teacher) and on various other places like parks, events, etc., I started to love the Network Manager and I consider it quite useful to connect to various WiFi hotspots.

And while using Linux on it, I always had lingering regrets for the Windows ability to configure its firewall per Internet connection. Thanks to the discussion on this forum, I've also found this feature.

Honestly, I think that not all things invented by Microsoft or RedHat are bad, they also had many good ideas. Dynamic Firewall is one of them, and even one exceptionally useful.

Last edited by ZhaoLin1457; 11-16-2021 at 05:58 PM.
 
3 members found this post helpful.
Old 11-16-2021, 06:15 PM   #41
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Leinster, IE
Distribution: Slackware, NetBSD
Posts: 2,190

Rep: Reputation: 1766
Quote:
Originally Posted by ZhaoLin1457 View Post
Honestly, I think that not all things invented by Microsoft or RedHat are bad, they also had many good ideas.
Certainly some of the software firewalls that were written FOR Microsoft Windows were great. Look 'n' Stop was a little gem; then the developer just vanished.

As far as Red Hat are concerned, they talk the talk, but they were only ever interested in the RH profit margin. Anything they contributed to Open Source they contributed with one eye on their margin. They also left software in a half-finished state, while they tried to decide exactly what they were and who they were catering to.
 
2 members found this post helpful.
Old 11-16-2021, 08:00 PM   #42
RadicalDreamer
Senior Member
 
Registered: Jul 2016
Location: USA
Distribution: Slackware64-Current
Posts: 1,816

Rep: Reputation: 982
Quote:
Originally Posted by ZhaoLin1457 View Post
I apologize too, but as someone who "wears" his laptop from home to job (school, I am teacher) and on various other places like parks, events, etc., I started to love the Network Manager and I consider it quite useful to connect to various WiFi hotspots.
Do you alter your firewall much depending on location and purpose? How so?

arno-iptables-firewall is made of bash scripts and doesn't require a GUI to be easy to use. firewall-cmd looks cumbersome at a glance.

I don't see why both couldn't be added. arno-iptables-firewall's source is less than 200 kb and it has no dependencies. I don't think there is a competition between the two firewall solutions.
 
Old 11-16-2021, 08:04 PM   #43
oily
Member
 
Registered: Jun 2021
Location: UK
Distribution: Slackware64 14.2, 15.0 & -current, CentOS 7, NetBSD 9.2
Posts: 41

Rep: Reputation: 44
Interesting that some posters who seem to be at levels comfortably above the average user are complaining about the perceived complexity of iptables. While it can cause some fun when adding bells and whistles, it's not so difficult to grasp. That said, if someone prefers to use firewalld, ufw, or arno-iptables-firewall, there's nothing wrong with that and I'd support such an addition to Slackware. After all, by my count if I want to browse the web I have the choice of no less than six web browsers, for email there are seven options, countless text editors, and so forth, so adding another firewall option really doesn't seem worth objecting to. It doesn't in any way impinge on the freedom to use iptables or nftables, and if it makes it easier for someone to avoid their machine being sucked into a botnet, it's better for the rest of us.

Including a basic initial iptables ruleset also seems to be more than reasonable, again we have the freedom to change it at will. The installer could even detect when it's being run from an SSH connection and open inbound connections to port 22, to deal with concerns raised by those who install on remote machines.

From the perspective of security starting before we get to the firewall, the era of running sshd by default should be behind us, and I suggest that the installer should default to not enabling it. It's easy to enable when we know we need it, and not enabling it by default might just result in a few fewer instances of sshd listening to anyone who wants to connect.

Last edited by oily; 11-16-2021 at 08:06 PM.
 
4 members found this post helpful.
Old 11-17-2021, 01:59 AM   #44
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,377

Rep: Reputation: 2757
@SCerovec
Quote:
@allend , pardon my french but i'm off to steal it shamelessly right away!
LOL - Beat you to it over nine years ago.
 
1 members found this post helpful.
Old 11-17-2021, 03:42 AM   #45
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,911

Rep: Reputation: 5032
Quote:
Originally Posted by ZhaoLin1457 View Post
Well, at least it does not hard-depend on systemd...
Give them time, and it will.
 
  

