 DistroWatch Weekly |
| DistroWatch Weekly, Issue 946, 6 December 2021 |
|
Welcome to this year's 48th issue of DistroWatch Weekly!
The Internet is full of lurking threats. Malicious actors are constantly scanning for vulnerabilities, seeking out unpatched systems, and trying to guess passwords. One of the many tools we can use to protect ourselves from malicious attacks on-line is a firewall. Most Linux firewalls focus on locking down (or opening up) specific ports on our machine, regardless of which software is running. OpenSnitch is a network filtering tool which takes a different approach and we talk about how it works to lock down and monitor specific processes in this week's Feature Story. Do you run a firewall tool like OpenSnitch or UFW on your computer? Let us know about it in this week's Opinion Poll. In our News section we talk about UBports gaining more native, mobile applications. We also talk about the T2 SDE project starting its own bug bounty program while Fedora 33 reaches the end of its supported life. A lot of power can be found in the Linux command line, but getting started with command line tools is not intuitive or easy. This week we share a book which explores the command line and shares examples of how multiple commands can be used together to handle simple tasks and manipulate data. Plus we are pleased to share the releases of the past week and list the torrents we are seeding. We wish you all a superb week and happy reading!
Content:
Listen to the Podcast edition of this week's DistroWatch Weekly in OGG (14MB) and MP3 (11MB) formats.
|
| Feature Story (by Jesse Smith) |
OpenSnitch - an application firewall for Linux
Recently I talked about the LockBox distribution which ships with a hardened network configuration and some network security tools. One utility stood out during my time with the distribution: OpenSnitch.
OpenSnitch is a rare tool in the Linux ecosystem. It is a service with a friendly graphical desktop application which assists the user in blocking network connections based on which daemon or application is making the connection attempt. Most Linux firewall tools focus on blocking access to specific network ports or remote servers. OpenSnitch focuses on which program is trying to access the network or send network traffic to remote machines. The OpenSnitch service can monitor connection attempts, let us know which processes are trying to talk over the network, and to which remote servers. It's an interesting and powerful tool, one which I felt deserved more attention.
Installing
OpenSnitch provides a number of install options. Pre-built Deb and RPM packages are available and supported on most major distributions. The OpenSnitch software is open source (licensed under the GNU General Public License version 3) and the project provides instructions for building the software from its source code.
OpenSnitch -- Installing the OpenSnitch packages
(full image size: 121kB, resolution: 1125x863 pixels)
I decided to run OpenSnitch on Linux Mint. Following the documentation, I downloaded two packages, one for the OpenSnitch background service and one for the graphical interface. Installing these with the command "sudo dpkg -i opensnitch*.deb python3-opensnitch-ui*deb" results in an error, which is expected. We then run "sudo apt -f install" to install the necessary dependencies. In all, the OpenSnitch software and its dependencies require about 200MB of downloaded packages.
Early impressions
Running the above installation commands added OpenSnitch to my application menu. Clicking the application's icon, which looks like a cloud, adds its icon to the system tray. We can right-click on the system tray entry to enable or disable the OpenSnitch service. This is essentially enabling and disabling a firewall, though it does not appear to interfere with any other existing firewalls, such as UFW. Left-clicking the OpenSnitch system tray icon opens the software's desktop application and this is where things get interesting.
While the OpenSnitch service is running, any time a new program tries to talk over the network, a pop-up window appears. This pop-up tells us the name of the process trying to communicate with the outside world. We are then given the chance to allow the program to form its network connection or deny it. The response is timed and we have about 15 seconds after the window appears to make our choice. The default action is to deny the network request, blocking the program from talking with the outside world.
OpenSnitch -- Notification of a new ping connection attempt
(full image size: 290kB, resolution: 1125x863 pixels)
We can choose how long OpenSnitch will remember our choice. By default, OpenSnitch will remember to block or allow the program until we restart the computer. However, it can also be told to remember our choice for a set number of minutes or indefinitely.
The defaults presented in these notification pop-ups can be adjusted in OpenSnitch's settings and I'll get to that later. For now I want to provide an overview of the OpenSnitch application window and how it presents us with information.
The OpenSnitch window
The OpenSnitch application is divided into eight tabs, though we will probably only ever need two of them. The first tab is called Events. Here we see a list of recent connection attempts made by software on our system. The Events tab lists the time, destination, protocol, and process name of each connection request. It also shows whether the request to connect through the network was allowed or denied. The Event tab is basically a dashboard showing what is happening on our system right now.
OpenSnitch -- Monitoring recent network events
(full image size: 291kB, resolution: 1125x863 pixels)
The third tab (yes, I'm skipping the second one for a moment) is called Rules. The Rules tab shows much the same information - the time a connection attempt was made and the name of the process making the attempt. We are also shown whether the action will be allowed or blocked along with an indicator of how long the current rule will last. We can right-click on a rule to change its duration (how long the rule stays in effect). We can also right-click to toggle the rule between allowing and blocking the connection attempt.
The other six tabs (Nodes, Hosts, Applications, Address, Ports, and Users) all show a summary of recent events, sorted by the name of the tab. For instance, the Address tab lists remote machines which our computer has tried to contact recently. We can double-click any entry to see more information (events) associated with one specific address. Likewise, the Applications tab shows a list of programs which have tried to communicate over the network. We can double-click the name of a program to see recent connection attempts made by that one program.
Basically, these six tabs all show a quick summary of recent events, organized by program name, remote address, remote network port, etc. Then selecting one grouped entry in the tab shows all the corresponding events. This makes it quite easy to see what is happening by digging down through layers. For instance, if I want to see all network connection attempts from my user, I can click on the Users tab. Then find my user name in the list, and double-click it to see all recent events associated with my account.
In short, the Events tab tells us what is happening now. The rules tab tells us how OpenSnitch reacts to what is happening. The other tabs sort events into groups to make it easier to track what a specific computer, user, or application is doing.
Proactively making rules
While OpenSnitch defaults to waiting for network connection attempts to happen and then asks us, via a pop-up window, whether to allow or block the network traffic, we can be proactive and make up rules ahead of time. There is a button near the top of the OpenSnitch window which allows us to craft our own rules.
We can use a variety of parameters to craft a rule, all of them nicely presented to us in a window. We can specify the name of an application to block, which protocols (TCP or UDP) we want to filter, how long the rule lasts, specific hosts or domains we want to filter. We can also specify whether the rule we are making should block or allow new connections.
OpenSnitch -- Creating a new rule to block IRC traffic
(full image size: 181kB, resolution: 1125x863 pixels)
The rule creation window is easy to navigate and I like how easy it is to make up new rules to allow or deny connections. I feel it is worth mentioning that new rules designed to block traffic do not appear to stop connections already in progress. For instance, if Firefox is downloading a file and I make a rule to stop Firefox from making connections, the existing connection continues to work. The rule will apply only to new connections being made in the future.
OpenSnitch -- Watching traffic from the HexChat IRC client get blocked
(full image size: 282kB, resolution: 1125x863 pixels)
Settings
Last, but not least, there is a small settings panel built into OpenSnitch to adjust how the application works. This settings panel allows us to adjust the default behaviour when new connections come along - allowing or denying them and for how long. We can also change the location of the OpenSnitch database. By default it is kept in memory, but we can save rules and data in a file for more permanent use. We can also make small adjustments to the user interface and what information is shown.
OpenSnitch -- Adjusting default rule settings
(full image size: 180kB, resolution: 1125x863 pixels)
The defaults appear to be set up to block new connections, but only until the system is restarted. If we are crafting long-term rules we will want to make a permanent file database and probably set new connection attempts to be denied "forever".
Conclusions
For years I've heard people new to Linux talk about how they would like a user friendly, application-focused firewall solution. Linux distributions typically focus on blocking traffic based on network ports and hostnames. The few solutions which have focused on process filtering tend to be either harder to set up or less friendly to use. OpenSnitch is one of the first tools I have encountered which provides both the rules and real-time monitoring that Windows tools (such as Zone Alarm) provide. The fact that OpenSnitch manages to be friendly, pretty easy to navigate, and flexible in how we manage both rules and new connections is fantastic. I'm really happy with how this tool work and how easy it is to set up.
What I particularly like about OpenSnitch is that it is not just useful for making new rules, the way traffic is sorted and cataloged in the various tabs is great. Even if you are not interested in locking down your network, I think it is well worth installing OpenSnitch to find out what processes are talking over your network and who they are talking with. For example, while I was running Linux Mint, some programs sent out signals to Canonical servers which appears to be used for connectivity checks and/or getting a count of how many users are on-line. You might be interested in seeing how many programs are phoning home or pinging remote servers in an effort to count users or check for news updates.
* * * * *
I would like to thank Shells.com for providing me with the test environment for this review. This made it faster for me to set up the test environment and use it while traveling. I've talked about Shells.com services in an earlier article.
|
| Miscellaneous News (by Jesse Smith) |
UBports gains new apps, T2 SDE starts bug bounty program, Fedora 33 reaches its end of life
The UBports team have published an update containing progress their mobile operating system is making. New applications are being added to the UBports app store and a number of bugs have been fixed in the new OTA-20 update. "In new apps, we have Simple Reader by Nicolas Colla. Just as it says, it is wildly simple. You just open an ePub file and there it is, including a very cool sepia rendering. Also from Nicolas is Headline, which is an RSS news reader. In addition to those we have a game, Costumemaster Reloaded. Finally there is a de-compressor for compressed files, called UT zipper but actually with the ability to handle a range of formats, not just Zip. This app is by LionelD. OTA-20 is now making its way out of the servers. The rollout should be complete by around Wednesday. As usual, this is something you can do on your phone. Just go to Settings: Updates having made sure all your apps are up-to-date. There was a nasty bug which prevented some users from granting permissions to new applications and there was another which blocked the use of calendar features which relied on LetsEncrypt." The report goes on to talk about upgrades to the base system and improvements planned for the default web browser.
* * * * *
The T2 SDE project projects a build kit for developing custom distributions using cutting edge packages. The project is inviting people to fix bugs in the project's issue tracker in exchange for small payments. "The T2 SDE project is thrilled to announce ExactCODE GmbH sponsoring features bounties for selected T2 Linux feature requests. We believe open source developers should be fairly paid for their restless and ongoing infrastructure work that most of the Internet, mobile and embedded platforms are based on nowadays. We are thrilled to join setting a good example and T2 being one of the first project that gives back and pays their contributors! As a growing project we start small paying 10, 20, 40, and 100 EUR for selected features requests marked as such in our git web issue tracking." The T2 SDE issue tracker lists the desired features. Additional details are presented in the project's YouTube video on this imitative.
* * * * *
The Fedora project has announced that version 33 of the Fedora distribution has reached the end of its supported life. People running Fedora 33 are encouraged to upgrade. "Fedora 33 will go end of life for updates and support on 30th of November 2021. No further updates, including security updates, will be available for Fedora 33 after the said date. All the updates of Fedora 33 being pushed to stable will be stopped as well. Fedora 34 will continue to receive updates until approximately one
month after the release of Fedora 36."
* * * * *
These and other news stories can be found on our Headlines page.
|
| Book Review (by Jesse Smith) |
Command Line Text Processing with GNU Coreutils
I am always excited to come across new learning resources and accessible education, especially when it's about open source software. I particularly like when an author can come up with examples which are well explained and provide practical information.
I recently came across one such resource which not only explores how to do things on Linux, but specifically explores using command line tools. The book is called Command Line Text Processing with GNU Coreutils by Sundeep Agarwal and I feel it deserves a recommendation. The coreutils package is a collection of low-level command line programs which are available on almost all Linux distributions. Many of these low level tools are used to generate, sort, or otherwise manipulate information.
While the book's title refers to text processing specifically, I feel it's important to bear in mind that in this case "text" refers to any information which can be easily displayed on a screen and read by people. We're talking about text as in characters made up of letters and numbers, not just text as in documents and word processing.
The book sets out to explain how to work with low level Linux command line programs. We generally start off by exploring how one program works, with an example or two. Then we are shown how to combine multiple programs together to create bigger and more complex tools. One of the great features of the Linux command line is its ability to glue (or "pipe") multiple programs together. This allows programs to work together and share functionality rather than have each program do multiple things.
As one example, the seq program can create a list of numbers, in order. The shuf command shuffles information given to it into a random order. The seq command therefore does not need to know how to shuffle numbers or generate numbers in a random order since another command can be paired with it to add any randomness we want.
In my opinion the book does a great job of quickly presenting examples of how commands can be used and then paired up to achieve new or interesting ways of manipulating data. Throughout the text there are little highlights offering tips on extra functionality or limitations of certain commands. For instance, when discussing the shuf command we're warned that shuf will not work with multiple files. However, we can merge multiple files together (using the cat command) and then pass them to shuf. These little gems of wisdom add a dimension to the book and will likely save the reader some time wondering why their scripts are not working as expected.
I quite enjoyed Command Line Text Processing with GNU Coreutils. It's an easy read with clear, and often useful, examples. The book is a light read which mostly focuses on how we can do things without getting bogged down in theory or background on where tools came from. It's a good starting point for anyone who wants to learn how to use common command line programs and get them to work together. I also like that the book is open source (licensed under the Creative Commons family with code snippets provided under the MIT license).
The book can be purchased on-line from Learn By Example and LeanPub. There is also a PDF containing a sample chapter for people who would like to get a feel for the book's style.
|
| Released Last Week |
4MLinux 38.0
The 4MLinux distribution is a minimal operating system with four focuses (on gaming, server utilities, system maintenance, and multimedia). The project's latest release is 4MLinux 38.0 which introduces several package upgrades and a few new features. "As always, the new major release has some new features. The following applications are now available out of the box: Audacity (audio editor), GQmpeg (music player), GRUB2 (boot loader), Minitube (YouTube player), Musique (audio player), wxCam (webcam application), xmp (command-line mod player). Basic support for 32-bit applications is now also included. PHP in the 4MLinux Server comes with the improved image handling via an external GD Graphics Library. And finally, the 4MLinux GamePack is now available as a downloadable extension. It includes a big collection of classic Linux games." Additional details can be found in the project's release announcement.
4MLinux 38.0 -- Running JWM
(full image size: 1.1MB, resolution: 1280x1024 pixels)
NixOS 21.11
NixOS is an independently developed GNU/Linux distribution that aims to improve the state of the art in system configuration management. In NixOS, the entire operating system, including the kernel, applications, system packages and configuration files, are built by the Nix package manager. The project's latest release is NixOS 21.11 which includes the following highlights: "The default Nix version remains at 2.3.16. Nix has not been updated to version 2.4 due to regressions in non-experimental behavior. To upgrade to 2.4, use the nixos-unstable branch or set the nix.package option to either of nixFlakes or nix_2_4 packages. The nixUnstable attribute is a pre-release of Nix 2.5. Read the release notes for more information on upcoming changes. Please help us improve Nix by providing any breakage reports. iptables now uses nf_tables backend. PHP now defaults to PHP 8.0, updated from 7.4. kops now defaults to 1.21.1, which uses containerd as the default runtime. python3 now defaults to Python 3.9, updated from Python 3.8. PostgreSQL now defaults to major version 13." Further information is available through the project's release annoucement and in the release notes.
CentOS 9
The CentOS project has published a new snapshot release, CentOS 9 Stream which acts as a middle ground between Fedora and the next version of Red Hat Enterprise Linux. The project's release announcement says: "Updates posted to Stream are identical to those posted to the unreleased minor version of RHEL. The aim? For CentOS Stream to be as fundamentally stable as RHEL itself. To achieve this stability, each major release of Stream starts from a stable release of Fedora Linux - In CentOS Stream 9, this begins with Fedora 34, which is the same code base from which RHEL 9 is built. As updated packages pass testing and meet standards for stability, they are pushed into CentOS Stream as well as the nightly build of RHEL. What CentOS Stream looks like now is what RHEL will look like in the near future." CentOS is available in x86_64, ARM64, and PowerPC64 flavours. At the time of writing, the release notes are not yet available.
EndeavourOS 21.4
EndeavourOS is a rolling release Linux distribution based on Arch Linux. The project's latest snapshot is version 21.4 which includes several new improvements and fixes. "NVIDIA users have a new sanity check for NVIDIA and kernel updates. The check helps preventing boot problems after update. Apps UpdateInTerminal, eos-update-notifier and welcome include this update check. Welcome has a new button DE: information (DE is the installed desktop name) and opens the browser to the dedicated DE info page. Our eos-apps-info is added by default. The eos-apps-info-helper is now capable of showing information about many more apps, and it supports using a web browser which can be configured by yourself. An addition to paccache-service-manager has been made, which now ships with a checkbox for deleting the cache of uninstalled packages. A new and improved schedule configuration window for eos-update-notifier. The function grub-tools now adds info and warnings when needed about variable GRUB_DISABLE_OS_PROBER in /etc/default/grub. An improvement on AKM that marks the current running kernel with the * symbol." These and other improvements can covered in the project's release announcement.
EndeavourOS 21.4 -- Displaying the welcome window and application menu
(full image size: 2.0MB, resolution: 1920x1080 pixels)
* * * * *
Development, unannounced and minor bug-fix releases
|
| Torrent Corner |
Weekly Torrents
The table below provides a list of torrents DistroWatch is currently seeding. If you do not have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.
Archives of our previously seeded torrents may be found in our Torrent Archive. We also maintain a Torrents RSS feed for people who wish to have open source torrents delivered to them. To share your own open source torrents of Linux and BSD projects, please visit our Upload Torrents page.
Torrent Corner statistics:
- Total torrents seeded: 2,657
- Total data uploaded: 41.1TB
|
| Upcoming Releases and Announcements |
|
Summary of expected upcoming releases
|
| Opinion Poll (by Jesse Smith) |
Do you run a firewall on your computer?
In this week's Feature Story we talked about OpenSnitch, an application which sets up firewall rules based on which application or process is making a network request. This approach is different from most Linux firewall tools which block specific ports rather than processes. Do you run a firewall on your personal computer and, if so, which approach do you prefer - managing network ports or managing processes?
You can see the results of our previous poll on running out of available RAM in last week's edition. All previous poll results can be found in our poll archives.
|
Do you run a firewall on your PC?
| Yes - I use a port blocking firewall: | 592 (39%) |
| Yes - I use a process blocking firewall: | 71 (5%) |
| Yes - I use a combination of both: | 201 (13%) |
| No - I do not run any firewall: | 653 (43%) |
|
|
| Website News |
New distributions added to waiting list
- Little-Psycho Linux. The Little-Psycho Linux distribution is an Ubuntu-based project featuring the KDE Plasma desktop. Little-Psycho has a focus on destructive and stress testing of both software and hardware and also included the overclocking and Stress testing tools, and securely erasing the entire contents of your disks.
* * * * *
DistroWatch database summary
* * * * *
This concludes this week's issue of DistroWatch Weekly. The next instalment will be published on Monday, 13 December 2021. Past articles and reviews can be found through our Article Search page. To contact the authors please send e-mail to:
|
|
| Tip Jar |
If you've enjoyed this week's issue of DistroWatch Weekly, please consider sending us a tip.
(Tips this week: 1, value: US$23.49) |
|
|
|
 bc1qxes3k2wq3uqzr074tkwwjmwfe63z70gwzfu4lx  lnurl1dp68gurn8ghj7ampd3kx2ar0veekzar0wd5xjtnrdakj7tnhv4kxctttdehhwm30d3h82unvwqhhxarpw3jkc7tzw4ex6cfexyfua2nr  86fA3qPTeQtNb2k1vLwEQaAp3XxkvvvXt69gSG5LGunXXikK9koPWZaRQgfFPBPWhMgXjPjccy9LA9xRFchPWQAnPvxh5Le paypal.me/distrowatchweekly • patreon.com/distrowatch |
|
| Extended Lifecycle Support by TuxCare |
|
|
| Reader Comments • Jump to last comment |
1 • no firewall on pc (by pappito on 2021-12-06 03:18:31 GMT from Australia)
handled at router level
should I be using one?
2 • Opensnitch (by anon on 2021-12-06 03:51:53 GMT from Venezuela)
Great tool! I wasn't aware such tools existed for linux.
3 • The Book Review (by Andy Figueroa on 2021-12-06 04:54:38 GMT from United States)
Looking at the sample chapter, which includes the table of contents, the book appears to be superficial. Back in the mid to late 1980s I was seriously in need of "book" to learn *nix text processing. My Unix system administrator suggested I get "Unix Primer Plus" by the Waite Group. This book (I have both the 1st and 2nd editions) laid the foundation by which I somewhat mastered the art of extreme text processing. The 3rd edition (recommended) is frequently available used via Amazon at the more or less $10 US price-point. I would buy it myself but I'm over that hump now.
Everything I learned in "Unix Primer Plus" is applicable to the same skills in Linux. I still frequently use it as a reference. I have a small library of Unix and Linux books, and this is the best of the bunch if you want to learn how to use cat, more, less, grep, awk, cut, paste, sed, search, sort, etc.
Just beware of sites that let you read this on-line with a "free" trial membership. There are numerous bait-and-switch sites for read on-line/download of books.
4 • Firewall (by Sam Crawford on 2021-12-06 05:05:21 GMT from United States)
I run UFW on my 3 debian based computers. I configure it both with GUFW and the command line. I open ports for Transmission, BOINC distributed computing and for VueScan, a scanner program.
Windows 11 uses the default Microsoft Defender firewall and anti-virus. My network uses Untangle, a commercial firewall.
Knock on wood, everything seems to be working OK as I haven't had any issues (that I'm aware of).
5 • Firewall (by harpia on 2021-12-06 05:13:02 GMT from Brazil)
Firewall on an OpenWrt router.
If you have ipv6, be extra careful. Unlike ipv4, it has no NAT. A firewall is the only way to block incoming traffic.
Some consumer-level routers block all incoming ipv6 traffic by default; some do not block anything. Go check yours.
6 • Qubes OS + Suricata (by Ro0t on 2021-12-06 07:01:34 GMT from Germany)
I use Qubes OS plus Suricata in IPS mode. Hardware firewall I do not have.
7 • Firewall (by Kazlu on 2021-12-06 09:15:02 GMT from France)
I am using ufw because it's standard and included on my distribution. I added a couple of custom rules and then forgot about it, which is what I want. The idea behind OpenSnitch is very interesting and I would like to see it more widely adopted in the future, but I do not have time to experiment with it myself considering the firewall job is already handled and I have no problem with it.
8 • Firewall (by DachshundMan on 2021-12-06 09:37:53 GMT from United Kingdom)
Like @7, I also use UFW on all my Linux computers as it is included in the distros. Generally I use the default setting of Incoming:deny, Outgoing:allow.
I also like the idea of OpenSnitch. It would be good to have the feature where the appropriate rules are added when software is installed on the machine. The corporate software I used to install before retiring did this on Windows although I did have to enable to appropriate version of the rule (domain or public/private) afterwards.
9 • OpenSnitch firewall (by Simon Plaistowe on 2021-12-06 11:30:52 GMT from New Zealand)
Well I wasn't using a firewall on my laptop because I wanted a process blocking one and could never find one. Thanks to the mention of OpenSnitch in last week's DW Weekly, I've now been using it for the past week (Linux Mint). Bloody brilliant, just what I've wanted all these years!
10 • Firewall (by Tim on 2021-12-06 12:29:57 GMT from United States)
I run nftables on Arch Linux and Fedora Linux.
11 • Open Snitch (by crayola-eater on 2021-12-06 13:17:12 GMT from United States)
After you mentioned it last week, I kept trying to remember the old Windows firewall I used that had the same MO, and this week you named it - Zone Alarm. That was the cat's meow when it first hit the scene (even had a very capable free version). Not so much after it got sold to whichever big player wanted to cut out the competition.
I liked how it tracked outgoing calls, and gave you the oportunity to say no to the phone home tendancy.
So at last I now have something to bring back what I consider the real way to handle things smartly (or at least after I get off my keister and actually get it installed and settled in).
Thanks Jesse for a great lead.
12 • OpenSnitch (by Jay on 2021-12-06 13:40:52 GMT from Poland)
I've been aware of OpenSnitch for some time, but let my attention lapse. (Life happens.) Thanks for the reminder of a worthy security application, Jesse. I'll be using it to augment my nf/iptables firewall.
13 • Firewall? Don't talk to me about a firewall. (by Bob McConnell on 2021-12-06 13:56:42 GMT from United States)
You missed an option in your poll. I don't use local firewalls on my servers or workstations, as there are too many to keep up. I do have a dual-port PC running OPNsense between my networks and the ISP. I can block known troublemakers there. Yes, networkS! I have both a G-bit Ethernet backbone and a dual band WiFi router running full time. The backbone supports three NAS boxes totaling 11 TB of storage, four workstations, an Apache/Nextcloud server, an entertainment server, a PostgreSQL server and three Raspberry Pi. All but one of those and the Pi are running Slackware64. The WD MyCloud is FreeBSD. The WiFi supports my wife's laptop and BlueRay player, a Wii, a Playstation, all-in-one printer, two phones and five tablets. It gets real busy when the grandchildren visit. Oh, yes; IPv6 is disabled on the firewall. I see no need for the excessive overhead at this time, and I trust NAT much more.
14 • Firewall Not Needed (by Rick on 2021-12-06 14:02:19 GMT from United States)
After using Ubuntu since 2006, I went full-time with Linux in 2011 because of Windows viruses and trojans which often destroyed my OS. Since then I've had absolutely no need for an
anti-virus or firewall on any of my 5 Thinkpads.
15 • firewall (by VE on 2021-12-06 16:42:00 GMT from United States)
A firewall sits between the local network and the internet. I've never understood the point of device level firewalls.
16 • Firewalls (by Robert on 2021-12-06 16:57:27 GMT from United States)
I did set up a port firewall on my Arch desktop, though I can't recall if it was iptables or nftables.
I used an application firewall on windows for a short time, but I found it very annoying being constantly interrupted to grant permission to this or that thing. I might try opensnitch though, because hopefully the Linux ecosystem will be better behaved and therefore less bothersome to deal with the interruptions.
17 • opensnitch (by a on 2021-12-06 19:22:46 GMT from France)
OpenSnitch seems great, I wanted to have such a tool a long time ago.
Nowadays I probably won’t bother as I got used to living without a firewall.
18 • Never used firewalls (by ostro on 2021-12-06 21:18:16 GMT from Poland)
I never used firewalls in any of my Linux boxes for last 17 years. And, since Windows 10, none of the Windows boxes either..
19 • OpenSnitch (by nobody on 2021-12-07 08:30:24 GMT from Finland)
I mentioned opesnitch on the comments for issue 940. Glad to see it get more attention.
Unfortunately it's not available in most repos yet but hopefully that changes when the project matures a bit.
The process locking and decision making being done with eBPF is also a bit unfortunate for those that would like to disable it for security reasons. Maybe this won't be the issue if in the future eBPF payloads can be signed and verified.
20 • Firewalls (by penguinx86 on 2021-12-07 09:44:31 GMT from United States)
I don't use a firewall on my Linux laptop at home. But my desktop computer at work has the built in Microsoft firewalls, our office has a local area network firewall, which goes through a remote corporate firewall. Funny how my 2ghz dual core i3 laptop with Linux on wifi runs SO MUCH FASTER than my 3ghz quad core i5 Windows computer on gigabit ethernet at work.
21 • Opensnitch (by hulondalo on 2021-12-07 11:19:30 GMT from Australia)
great article, thanks.
this is the reason i read distrowatch. like waydroid in the previous issue, saved me a lot of troubles and time. been wanting to try it but since xfce didn't support wayland so i thought it might be time to switch to kde but after reading DW review i think i'll stick to xfce and android x86 on qemu until xfce supports wayland and waydroid matures :) thanks.
apparently this is a brave new world, many ppl don't wanna firewall anymore or r their using adblock or host files?
22 • Firewall (by Matthew Evan on 2021-12-08 01:51:46 GMT from United States)
Definently have a firewall over things like your SSH and samba ports when you're in public, I suppose when you're on a NAT you are generally okay but it's never too safe if you got a router with proprietary firmware and a bad track record.
23 • firewells (by firewally on 2021-12-08 08:25:40 GMT from France)
* Agree with @16 that firewall alarms become annoying. Many warnings are over anonymous small apps running from the Temp folder. This can be legit when installing a larger app - or it can be malware. After a while you get the small Temp app warnings all the time - indicating malware infection. It would be interesting to see if Opensnitch is any better.
* PC's have controls that don't necessarily cut all wireless access - OS settings, key combos, or even removing the wireless module (because the NIC is still on the motherboard). This renders firewalls not very useful against hackers who target wireless hardware. Only BIOS deactivation or kill switches shut off the wireless completely. Hence the rise of Open Source hardware to provide better control over computers.
* Security ppl tell us that the TOR network is anonymous and encrypted, and so is safe. But it has now been found that bad actors have controlled thousands of Tor server nodes over the last few years. This deanonymises ppl on the network to track their surfing - and maybe even find personal details and hack computers. They were able to register the servers without providing contact details.
So there are hackers lacing websites and apps with malware, large groups fighting for control over Internet servers and networks - and you're at home with your dodgy computer, trusty OS, and whiz-bang firewall. Good luck with that.
24 • firewalls (by Tad Strange on 2021-12-08 17:55:27 GMT from Canada)
Not much to comment on this week. On a private LAN I see no point in device level firewalls - they belong at the gateway.
Maybe if you're always sitting on a public wifi in a coffee shop or something, but even those services are usually running some form of client isolation.
25 • Firewalls (by None of the above on 2021-12-09 12:21:35 GMT from Germany)
This was a great article about OpenSnitch. I could not take your survey because none of the answers matched what I do. I use IPTABLES and block IP ranges. I went years without any firewall on my home server and I was always worried, but it was probably unnecessary. If you only run safe software that is properly configured and keep everything updated you greatly reduce your risks.
Do you need to block ports? The port is only open by some software you are running. Do you need to block processes? Same answer. What is interesting about OpenSnitch is that it can help you figure out if your software is misbehaving. This would more likely be outbound traffic instead of inbound.
I do check my logs for bad actors and then ban them. I hope to reduce the chances of them actually succeeding in the future if there is some new exploit by just blocking them completely.
26 • No Opensnitch install files for my Linux Mint MATE 20.2 (by ROC on 2021-12-10 03:53:06 GMT from United States)
375-Lnx:~$ sudo dpkg -i opensnitch*.deb python3-opensnitch-ui*deb
[sudo] password for [me]:
dpkg: error: cannot access archive 'opensnitch*.deb': No such file or directory
[me]@Dell--Lnx:~$ sudo dpkg -i opensnitch*.deb python3-opensnitch-ui*deb
dpkg: error: cannot access archive 'opensnitch*.deb': No such file or directory
Copy/pasted from your article, Jesse, with above results (after running latest updates).
27 • opensnitch installation on opensuse (by Jack on 2021-12-10 09:58:15 GMT from Australia)
I tried to install opensnitch daemon and user interface packages on vanilla leap 15.3 vanilla but the installation process kept failing due to prerequisite packages. I kept going by reading the error messages, figuring out what packages were missing, installing one more package and ended up the list below:
libnetfilter_queue1
python3-inotify
python3-pyinotify
python3-qt5
python3-grpcio
python3-grpcio-gcp
python3-grpc-google-iam-v1
python3-python-slugify
Needless to say,, some of the the packages were also dependent on other packages which zypper installed automatically. When I finally got opensnitch working, there were more than 60 new packages added to the system!
28 • Installing OpenSnitch (by Jesse on 2021-12-10 14:58:43 GMT from Canada)
@26: "Copy/pasted from your article, Jesse, with above results (after running latest updates)."
It looks like you didn't follow the previous step which is to first download the opensnitch.deb packages. You need to do that before you try to install them.
Number of Comments: 28
Display mode: DWW Only • Comments Only • Both DWW and Comments
| | |
| TUXEDO |
TUXEDO Computers - Linux Hardware in a tailor made suite
Choose from a wide range of laptops and PCs in various sizes and shapes at TUXEDOComputers.com. Every machine comes pre-installed and ready-to-run with Linux. Full 24 months of warranty and lifetime support included!
Learn more about our full service package and all benefits from buying at TUXEDO.
|
| Archives |
| • Issue 1119 (2025-04-28): Ubuntu MATE 25.04, what is missing from Linux, CachyOS ships OCCT, Debian enters soft freeze, Fedora discusses removing X11 session from GNOME, Murena plans business services, NetBSD on a Wii |
| • Issue 1118 (2025-04-21): Fedora 42, strange characters in Vim, Nitrux introduces new package tools, Fedora extends reproducibility efforts, PINE64 updates multiple devices running Debian |
| • Issue 1117 (2025-04-14): Shebang 25.0, EndeavourOS 2025.03.19, running applications from other distros on the desktop, Debian gets APT upgrade, Mint introduces OEM options for LMDE, postmarketOS packages GNOME 48 and COSMIC, Redox testing USB support |
| • Issue 1116 (2025-04-07): The Sense HAT, Android and mobile operating systems, FreeBSD improves on laptops, openSUSE publishes many new updates, Fedora appoints new Project Leader, UBports testing VoLTE |
| • Issue 1115 (2025-03-31): GrapheneOS 2025, the rise of portable package formats, MidnightBSD and openSUSE experiment with new package management features, Plank dock reborn, key infrastructure projects lose funding, postmarketOS to focus on reliability |
| • Issue 1114 (2025-03-24): Bazzite 41, checking which processes are writing to disk, Rocky unveils new Hardened branch, GNOME 48 released, generating images for the Raspberry Pi |
| • Issue 1113 (2025-03-17): MocaccinoOS 1.8.1, how to contribute to open source, Murena extends on-line installer, Garuda tests COSMIC edition, Ubuntu to replace coreutils with Rust alternatives, Chimera Linux drops RISC-V builds |
| • Issue 1112 (2025-03-10): Solus 4.7, distros which work with Secure Boot, UBports publishes bug fix, postmarketOS considers a new name, Debian running on Android |
| • Issue 1111 (2025-03-03): Orbitiny 0.01, the effect of Ubuntu Core Desktop, Gentoo offers disk images, elementary OS invites feature ideas, FreeBSD starts PinePhone Pro port, Mint warns of upcoming Firefox issue |
| • Issue 1110 (2025-02-24): iodeOS 6.0, learning to program, Arch retiring old repositories, openSUSE makes progress on reproducible builds, Fedora is getting more serious about open hardware, Tails changes its install instructions to offer better privacy, Murena's de-Googled tablet goes on sale |
| • Issue 1109 (2025-02-17): Rhino Linux 2025.1, MX Linux 23.5 with Xfce 4.20, replacing X.Org tools with Wayland tools, GhostBSD moving its base to FreeBSD -RELEASE, Redox stabilizes its ABI, UBports testing 24.04, Asahi changing its leadership, OBS in dispute with Fedora |
| • Issue 1108 (2025-02-10): Serpent OS 0.24.6, Aurora, sharing swap between distros, Peppermint tries Void base, GTK removinglegacy technologies, Red Hat plans more AI tools for Fedora, TrueNAS merges its editions |
| • Issue 1107 (2025-02-03): siduction 2024.1.0, timing tasks, Lomiri ported to postmarketOS, Alpine joins Open Collective, a new desktop for Linux called Orbitiny |
| • Issue 1106 (2025-01-27): Adelie Linux 1.0 Beta 6, Pop!_OS 24.04 Alpha 5, detecting whether a process is inside a virtual machine, drawing graphics to NetBSD terminal, Nix ported to FreeBSD, GhostBSD hosting desktop conference |
| • Issue 1105 (2025-01-20): CentOS 10 Stream, old Flatpak bundles in software centres, Haiku ports Iceweasel, Oracle shows off debugging tools, rsync vulnerability patched |
| • Issue 1104 (2025-01-13): DAT Linux 2.0, Silly things to do with a minimal computer, Budgie prepares Wayland only releases, SteamOS coming to third-party devices, Murena upgrades its base |
| • Issue 1103 (2025-01-06): elementary OS 8.0, filtering ads with Pi-hole, Debian testing its installer, Pop!_OS faces delays, Ubuntu Studio upgrades not working, Absolute discontinued |
| • Issue 1102 (2024-12-23): Best distros of 2024, changing a process name, Fedora to expand Btrfs support and releases Asahi Remix 41, openSUSE patches out security sandbox and donations from Bottles while ending support for Leap 15.5 |
| • Issue 1101 (2024-12-16): GhostBSD 24.10.1, sending attachments from the command line, openSUSE shows off GPU assignment tool, UBports publishes security update, Murena launches its first tablet, Xfce 4.20 released |
| • Issue 1100 (2024-12-09): Oreon 9.3, differences in speed, IPFire's new appliance, Fedora Asahi Remix gets new video drivers, openSUSE Leap Micro updated, Redox OS running Redox OS |
| • Issue 1099 (2024-12-02): AnduinOS 1.0.1, measuring RAM usage, SUSE continues rebranding efforts, UBports prepares for next major version, Murena offering non-NFC phone |
| • Issue 1098 (2024-11-25): Linux Lite 7.2, backing up specific folders, Murena and Fairphone partner in fair trade deal, Arch installer gets new text interface, Ubuntu security tool patched |
| • Issue 1097 (2024-11-18): Chimera Linux vs Chimera OS, choosing between AlmaLinux and Debian, Fedora elevates KDE spin to an edition, Fedora previews new installer, KDE testing its own distro, Qubes-style isolation coming to FreeBSD |
| • Issue 1096 (2024-11-11): Bazzite 40, Playtron OS Alpha 1, Tucana Linux 3.1, detecting Screen sessions, Redox imports COSMIC software centre, FreeBSD booting on the PinePhone Pro, LXQt supports Wayland window managers |
| • Issue 1095 (2024-11-04): Fedora 41 Kinoite, transferring applications between computers, openSUSE Tumbleweed receives multiple upgrades, Ubuntu testing compiler optimizations, Mint partners with Framework |
| • Issue 1094 (2024-10-28): DebLight OS 1, backing up crontab, AlmaLinux introduces Litten branch, openSUSE unveils refreshed look, Ubuntu turns 20
| | • Issue 1093 (2024-10-21): Kubuntu 24.10, atomic vs immutable distributions, Debian upgrading Perl packages, UBports adding VoLTE support, Android to gain native GNU/Linux application support |
| • Issue 1092 (2024-10-14): FunOS 24.04.1, a home directory inside a file, work starts of openSUSE Leap 16.0, improvements in Haiku, KDE neon upgrades its base |
| • Issue 1091 (2024-10-07): Redox OS 0.9.0, Unified package management vs universal package formats, Redox begins RISC-V port, Mint polishes interface, Qubes certifies new laptop |
| • Issue 1090 (2024-09-30): Rhino Linux 2024.2, commercial distros with alternative desktops, Valve seeks to improve Wayland performance, HardenedBSD parterns with Protectli, Tails merges with Tor Project, Quantum Leap partners with the FreeBSD Foundation |
| • Issue 1089 (2024-09-23): Expirion 6.0, openKylin 2.0, managing configuration files, the future of Linux development, fixing bugs in Haiku, Slackware packages dracut |
| • Issue 1088 (2024-09-16): PorteuX 1.6, migrating from Windows 10 to which Linux distro, making NetBSD immutable, AlmaLinux offers hardware certification, Mint updates old APT tools |
| • Issue 1087 (2024-09-09): COSMIC desktop, running cron jobs at variable times, UBports highlights new apps, HardenedBSD offers work around for FreeBSD change, Debian considers how to cull old packages, systemd ported to musl |
| • Issue 1086 (2024-09-02): Vanilla OS 2, command line tips for simple tasks, FreeBSD receives investment from STF, openSUSE Tumbleweed update can break network connections, Debian refreshes media |
| • Issue 1085 (2024-08-26): Nobara 40, OpenMandriva 24.07 "ROME", distros which include source code, FreeBSD publishes quarterly report, Microsoft updates breaks Linux in dual-boot environments |
| • Issue 1084 (2024-08-19): Liya 2.0, dual boot with encryption, Haiku introduces performance improvements, Gentoo dropping IA-64, Redcore merges major upgrade |
| • Issue 1083 (2024-08-12): TrueNAS 24.04.2 "SCALE", Linux distros for smartphones, Redox OS introduces web server, PipeWire exposes battery drain on Linux, Canonical updates kernel version policy |
| • Issue 1082 (2024-08-05): Linux Mint 22, taking snapshots of UFS on FreeBSD, openSUSE updates Tumbleweed and Aeon, Debian creates Tiny QA Tasks, Manjaro testing immutable images |
| • Issue 1081 (2024-07-29): SysLinuxOS 12.4, OpenBSD gain hardware acceleration, Slackware changes kernel naming, Mint publishes upgrade instructions |
| • Issue 1080 (2024-07-22): Running GNU/Linux on Android with Andronix, protecting network services, Solus dropping AppArmor and Snap, openSUSE Aeon Desktop gaining full disk encryption, SUSE asks openSUSE to change its branding |
| • Issue 1079 (2024-07-15): Ubuntu Core 24, hiding files on Linux, Fedora dropping X11 packages on Workstation, Red Hat phasing out GRUB, new OpenSSH vulnerability, FreeBSD speeds up release cycle, UBports testing new first-run wizard |
| • Issue 1078 (2024-07-08): Changing init software, server machines running desktop environments, OpenSSH vulnerability patched, Peppermint launches new edition, HardenedBSD updates ports |
| • Issue 1077 (2024-07-01): The Unity and Lomiri interfaces, different distros for different tasks, Ubuntu plans to run Wayland on NVIDIA cards, openSUSE updates Leap Micro, Debian releases refreshed media, UBports gaining contact synchronisation, FreeDOS celebrates its 30th anniversary |
| • Issue 1076 (2024-06-24): openSUSE 15.6, what makes Linux unique, SUSE Liberty Linux to support CentOS Linux 7, SLE receives 19 years of support, openSUSE testing Leap Micro edition |
| • Issue 1075 (2024-06-17): Redox OS, X11 and Wayland on the BSDs, AlmaLinux releases Pi build, Canonical announces RISC-V laptop with Ubuntu, key changes in systemd |
| • Issue 1074 (2024-06-10): Endless OS 6.0.0, distros with init diversity, Mint to filter unverified Flatpaks, Debian adds systemd-boot options, Redox adopts COSMIC desktop, OpenSSH gains new security features |
| • Issue 1073 (2024-06-03): LXQt 2.0.0, an overview of Linux desktop environments, Canonical partners with Milk-V, openSUSE introduces new features in Aeon Desktop, Fedora mirrors see rise in traffic, Wayland adds OpenBSD support |
| • Issue 1072 (2024-05-27): Manjaro 24.0, comparing init software, OpenBSD ports Plasma 6, Arch community debates mirror requirements, ThinOS to upgrade its FreeBSD core |
| • Issue 1071 (2024-05-20): Archcraft 2024.04.06, common command line mistakes, ReactOS imports WINE improvements, Haiku makes adjusting themes easier, NetBSD takes a stand against code generated by chatbots |
| • Issue 1070 (2024-05-13): Damn Small Linux 2024, hiding kernel messages during boot, Red Hat offers AI edition, new web browser for UBports, Fedora Asahi Remix 40 released, Qubes extends support for version 4.1 |
| • Issue 1069 (2024-05-06): Ubuntu 24.04, installing packages in alternative locations, systemd creates sudo alternative, Mint encourages XApps collaboration, FreeBSD publishes quarterly update |
| • Issue 1068 (2024-04-29): Fedora 40, transforming one distro into another, Debian elects new Project Leader, Red Hat extends support cycle, Emmabuntus adds accessibility features, Canonical's new security features |
| • Full list of all issues |
| Star Labs |
Star Labs - Laptops built for Linux.
View our range including the highly anticipated StarFighter. Available with coreboot open-source firmware and a choice of Ubuntu, elementary, Manjaro and more. Visit Star Labs for information, to buy and get support.
|
| Random Distribution | 
Exherbo
Exherbo is a source-based Linux distribution inspired by the flexibility found in Gentoo Linux (among others). Designed primarily for developers and advanced users who are expected to take an active role in the development of the distribution, Exherbo offers a decentralised development model, original code, and a fast and flexible package manager called Paludis.
Status: Active
|
| TUXEDO |
TUXEDO Computers - Linux Hardware in a tailor made suite
Choose from a wide range of laptops and PCs in various sizes and shapes at TUXEDOComputers.com. Every machine comes pre-installed and ready-to-run with Linux. Full 24 months of warranty and lifetime support included!
Learn more about our full service package and all benefits from buying at TUXEDO.
|
| Star Labs |
Star Labs - Laptops built for Linux.
View our range including the highly anticipated StarFighter. Available with coreboot open-source firmware and a choice of Ubuntu, elementary, Manjaro and more. Visit Star Labs for information, to buy and get support.
|
|
• 
• 
• 
• 
• 
• 
• 
