DistroWatch Weekly |
DistroWatch Weekly, Issue 946, 6 December 2021 |
Welcome to this year's 48th issue of DistroWatch Weekly!
The Internet is full of lurking threats. Malicious actors are constantly scanning for vulnerabilities, seeking out unpatched systems, and trying to guess passwords. One of the many tools we can use to protect ourselves from malicious attacks on-line is a firewall. Most Linux firewalls focus on locking down (or opening up) specific ports on our machine, regardless of which software is running. OpenSnitch is a network filtering tool which takes a different approach and we talk about how it works to lock down and monitor specific processes in this week's Feature Story. Do you run a firewall tool like OpenSnitch or UFW on your computer? Let us know about it in this week's Opinion Poll. In our News section we talk about UBports gaining more native, mobile applications. We also talk about the T2 SDE project starting its own bug bounty program while Fedora 33 reaches the end of its supported life. A lot of power can be found in the Linux command line, but getting started with command line tools is not intuitive or easy. This week we share a book which explores the command line and shares examples of how multiple commands can be used together to handle simple tasks and manipulate data. Plus we are pleased to share the releases of the past week and list the torrents we are seeding. We wish you all a superb week and happy reading!
Listen to the Podcast edition of this week's DistroWatch Weekly in OGG (14MB) and MP3 (11MB) formats.
|
Feature Story (by Jesse Smith) |
OpenSnitch - an application firewall for Linux
Recently I talked about the LockBox distribution which ships with a hardened network configuration and some network security tools. One utility stood out during my time with the distribution: OpenSnitch.
OpenSnitch is a rare tool in the Linux ecosystem. It is a service with a friendly graphical desktop application which assists the user in blocking network connections based on which daemon or application is making the connection attempt. Most Linux firewall tools focus on blocking access to specific network ports or remote servers. OpenSnitch focuses on which program is trying to access the network or send network traffic to remote machines. The OpenSnitch service can monitor connection attempts, let us know which processes are trying to talk over the network, and to which remote servers. It's an interesting and powerful tool, one which I felt deserved more attention.
Installing
OpenSnitch provides a number of install options. Pre-built Deb and RPM packages are available and supported on most major distributions. The OpenSnitch software is open source (licensed under the GNU General Public License version 3) and the project provides instructions for building the software from its source code.

OpenSnitch -- Installing the OpenSnitch packages
I decided to run OpenSnitch on Linux Mint. Following the documentation, I downloaded two packages, one for the OpenSnitch background service and one for the graphical interface. Installing these with the command "sudo dpkg -i opensnitch*.deb python3-opensnitch-ui*deb" results in an error, which is expected. We then run "sudo apt -f install" to install the necessary dependencies. In all, the OpenSnitch software and its dependencies require about 200MB of downloaded packages.
Early impressions
Running the above installation commands added OpenSnitch to my application menu. Clicking the application's icon, which looks like a cloud, adds its icon to the system tray. We can right-click on the system tray entry to enable or disable the OpenSnitch service. This is essentially enabling and disabling a firewall, though it does not appear to interfere with any other existing firewalls, such as UFW. Left-clicking the OpenSnitch system tray icon opens the software's desktop application and this is where things get interesting.
While the OpenSnitch service is running, any time a new program tries to talk over the network, a pop-up window appears. This pop-up tells us the name of the process trying to communicate with the outside world. We are then given the chance to allow the program to form its network connection or deny it. The response is timed and we have about 15 seconds after the window appears to make our choice. The default action is to deny the network request, blocking the program from talking with the outside world.

OpenSnitch -- Notification of a new ping connection attempt
We can choose how long OpenSnitch will remember our choice. By default, OpenSnitch will remember to block or allow the program until we restart the computer. However, it can also be told to remember our choice for a set number of minutes or indefinitely.
The defaults presented in these notification pop-ups can be adjusted in OpenSnitch's settings and I'll get to that later. For now I want to provide an overview of the OpenSnitch application window and how it presents us with information.
The OpenSnitch window
The OpenSnitch application is divided into eight tabs, though we will probably only ever need two of them. The first tab is called Events. Here we see a list of recent connection attempts made by software on our system. The Events tab lists the time, destination, protocol, and process name of each connection request. It also shows whether the request to connect through the network was allowed or denied. The Events tab is basically a dashboard showing what is happening on our system right now.

OpenSnitch -- Monitoring recent network events
The third tab (yes, I'm skipping the second one for a moment) is called Rules. The Rules tab shows much the same information - the time a connection attempt was made and the name of the process making the attempt. We are also shown whether the action will be allowed or blocked along with an indicator of how long the current rule will last. We can right-click on a rule to change its duration (how long the rule stays in effect). We can also right-click to toggle the rule between allowing and blocking the connection attempt.
The other six tabs (Nodes, Hosts, Applications, Address, Ports, and Users) all show a summary of recent events, sorted by the name of the tab. For instance, the Address tab lists remote machines which our computer has tried to contact recently. We can double-click any entry to see more information (events) associated with one specific address. Likewise, the Applications tab shows a list of programs which have tried to communicate over the network. We can double-click the name of a program to see recent connection attempts made by that one program.
Basically, these six tabs all show a quick summary of recent events, organized by program name, remote address, remote network port, etc. Then selecting one grouped entry in the tab shows all the corresponding events. This makes it quite easy to see what is happening by digging down through layers. For instance, if I want to see all network connection attempts from my user, I can click on the Users tab. Then find my user name in the list, and double-click it to see all recent events associated with my account.
In short, the Events tab tells us what is happening now. The Rules tab tells us how OpenSnitch reacts to what is happening. The other tabs sort events into groups to make it easier to track what a specific computer, user, or application is doing.
Proactively making rules
While OpenSnitch defaults to waiting for network connection attempts to happen and then asks us, via a pop-up window, whether to allow or block the network traffic, we can be proactive and make up rules ahead of time. There is a button near the top of the OpenSnitch window which allows us to craft our own rules.
We can use a variety of parameters to craft a rule, all of them nicely presented to us in a window. We can specify the name of an application to block, which protocols (TCP or UDP) we want to filter, how long the rule lasts, and specific hosts or domains we want to filter. We can also specify whether the rule we are making should block or allow new connections.

OpenSnitch -- Creating a new rule to block IRC traffic
The rule creation window is easy to navigate and I like how easy it is to make up new rules to allow or deny connections. I feel it is worth mentioning that new rules designed to block traffic do not appear to stop connections already in progress. For instance, if Firefox is downloading a file and I make a rule to stop Firefox from making connections, the existing connection continues to work. The rule will apply only to new connections being made in the future.

OpenSnitch -- Watching traffic from the HexChat IRC client get blocked
Settings
Last, but not least, there is a small settings panel built into OpenSnitch to adjust how the application works. This settings panel allows us to adjust the default behaviour when new connections come along - allowing or denying them and for how long. We can also change the location of the OpenSnitch database. By default it is kept in memory, but we can save rules and data in a file for more permanent use. We can also make small adjustments to the user interface and what information is shown.

OpenSnitch -- Adjusting default rule settings
The defaults appear to be set up to block new connections, but only until the system is restarted. If we are crafting long-term rules we will want to make a permanent file database and probably set new connection attempts to be denied "forever".
Conclusions
For years I've heard people new to Linux talk about how they would like a user friendly, application-focused firewall solution. Linux distributions typically focus on blocking traffic based on network ports and hostnames. The few solutions which have focused on process filtering tend to be either harder to set up or less friendly to use. OpenSnitch is one of the first tools I have encountered which provides both the rules and real-time monitoring that Windows tools (such as Zone Alarm) provide. The fact that OpenSnitch manages to be friendly, pretty easy to navigate, and flexible in how we manage both rules and new connections is fantastic. I'm really happy with how this tool works and how easy it is to set up.
What I particularly like about OpenSnitch is that it is not just useful for making new rules; the way traffic is sorted and cataloged in the various tabs is great. Even if you are not interested in locking down your network, I think it is well worth installing OpenSnitch to find out what processes are talking over your network and who they are talking with. For example, while I was running Linux Mint, some programs sent out signals to Canonical servers which appear to be used for connectivity checks and/or getting a count of how many users are on-line. You might be interested in seeing how many programs are phoning home or pinging remote servers in an effort to count users or check for news updates.
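Seeing which processes are talking over the network, and to whom, depends on attributing each socket to the program that owns it. As an added example (not OpenSnitch's code and not part of the original article), the Python below parses the Linux /proc/net/tcp table and groups established IPv4 connections by owning executable, much like the Applications view described above. The sample table, addresses, inodes and process paths are constructed, and the live /proc scan only sees other users' processes when run as root.

```python
import ipaddress
import os
import re
import sys
from collections import defaultdict

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Remote addresses are documentation ranges; inodes and ports are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C350 0A0200C0:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 20002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C351 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:C352 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20004 1 0000000000000000 20 4 30 10 -1
"""

# Constructed inode -> (pid, executable) map standing in for a live /proc scan.
SAMPLE_SOCKET_OWNERS = {
    20001: (812, "/usr/sbin/cupsd"),
    20002: (4410, "/usr/bin/hexchat"),
    20003: (4522, "/usr/lib/firefox/firefox"),
    20004: (4522, "/usr/lib/firefox/firefox"),
}

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def _decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port).

    The address is printed in host byte order, so on little-endian machines
    (x86, most ARM) the bytes appear reversed; the port is plain hex.
    """
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(addr_hex), "little"))
    return str(addr), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the IPv4 TCP table; /proc/net/tcp6 uses a different address layout."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        conns.append({
            "local": _decode_endpoint(fields[1]),
            "remote": _decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return conns


def socket_owners_from_proc(proc="/proc"):
    """Map socket inode -> (pid, executable) by reading /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        for fd in fds:
            try:
                match = SOCKET_LINK.fullmatch(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if match:
                owners[int(match.group(1))] = (int(pid), exe)
    return owners


def connections_by_process(conns, owners):
    """Group remote endpoints of established connections by owning executable."""
    grouped = defaultdict(set)
    for conn in conns:
        if conn["state"] != "ESTABLISHED":
            continue  # listening sockets are not outbound conversations
        _pid, exe = owners.get(conn["inode"], (None, "(unknown process)"))
        grouped[exe].add("%s:%d" % conn["remote"])
    return {exe: sorted(dests) for exe, dests in grouped.items()}


if __name__ == "__main__":
    if "--live" in sys.argv:  # read this machine's table instead of the sample
        with open("/proc/net/tcp") as handle:
            table, owners = handle.read(), socket_owners_from_proc()
    else:
        table, owners = SAMPLE_PROC_NET_TCP, SAMPLE_SOCKET_OWNERS
    for exe, dests in sorted(connections_by_process(parse_proc_net_tcp(table), owners).items()):
        print(exe, "->", ", ".join(dests))
```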
* * * * *
I would like to thank Shells.com for providing me with the test environment for this review. This made it faster for me to set up the test environment and use it while traveling. I've talked about Shells.com services in an earlier article.
|
Miscellaneous News (by Jesse Smith) |
UBports gains new apps, T2 SDE starts bug bounty program, Fedora 33 reaches its end of life
The UBports team have published an update containing progress their mobile operating system is making. New applications are being added to the UBports app store and a number of bugs have been fixed in the new OTA-20 update. "In new apps, we have Simple Reader by Nicolas Colla. Just as it says, it is wildly simple. You just open an ePub file and there it is, including a very cool sepia rendering. Also from Nicolas is Headline, which is an RSS news reader. In addition to those we have a game, Costumemaster Reloaded. Finally there is a de-compressor for compressed files, called UT zipper but actually with the ability to handle a range of formats, not just Zip. This app is by LionelD. OTA-20 is now making its way out of the servers. The rollout should be complete by around Wednesday. As usual, this is something you can do on your phone. Just go to Settings: Updates having made sure all your apps are up-to-date. There was a nasty bug which prevented some users from granting permissions to new applications and there was another which blocked the use of calendar features which relied on LetsEncrypt." The report goes on to talk about upgrades to the base system and improvements planned for the default web browser.
* * * * *
The T2 SDE project provides a build kit for developing custom distributions using cutting edge packages. The project is inviting people to fix bugs in the project's issue tracker in exchange for small payments. "The T2 SDE project is thrilled to announce ExactCODE GmbH sponsoring features bounties for selected T2 Linux feature requests. We believe open source developers should be fairly paid for their restless and ongoing infrastructure work that most of the Internet, mobile and embedded platforms are based on nowadays. We are thrilled to join setting a good example and T2 being one of the first project that gives back and pays their contributors! As a growing project we start small paying 10, 20, 40, and 100 EUR for selected features requests marked as such in our git web issue tracking." The T2 SDE issue tracker lists the desired features. Additional details are presented in the project's YouTube video on this initiative.
* * * * *
The Fedora project has announced that version 33 of the Fedora distribution has reached the end of its supported life. People running Fedora 33 are encouraged to upgrade. "Fedora 33 will go end of life for updates and support on 30th of November 2021. No further updates, including security updates, will be available for Fedora 33 after the said date. All the updates of Fedora 33 being pushed to stable will be stopped as well. Fedora 34 will continue to receive updates until approximately one month after the release of Fedora 36."
* * * * *
These and other news stories can be found on our Headlines page.
|
Book Review (by Jesse Smith) |
Command Line Text Processing with GNU Coreutils
I am always excited to come across new learning resources and accessible education, especially when it's about open source software. I particularly like when an author can come up with examples which are well explained and provide practical information.
I recently came across one such resource which not only explores how to do things on Linux, but specifically explores using command line tools. The book is called Command Line Text Processing with GNU Coreutils by Sundeep Agarwal and I feel it deserves a recommendation. The coreutils package is a collection of low-level command line programs which are available on almost all Linux distributions. Many of these low level tools are used to generate, sort, or otherwise manipulate information.
While the book's title refers to text processing specifically, I feel it's important to bear in mind that in this case "text" refers to any information which can be easily displayed on a screen and read by people. We're talking about text as in characters made up of letters and numbers, not just text as in documents and word processing.
The book sets out to explain how to work with low level Linux command line programs. We generally start off by exploring how one program works, with an example or two. Then we are shown how to combine multiple programs together to create bigger and more complex tools. One of the great features of the Linux command line is its ability to glue (or "pipe") multiple programs together. This allows programs to work together and share functionality rather than have each program do multiple things.
As one example, the seq program can create a list of numbers, in order. The shuf command shuffles information given to it into a random order. The seq command therefore does not need to know how to shuffle numbers or generate numbers in a random order since another command can be paired with it to add any randomness we want.
In my opinion the book does a great job of quickly presenting examples of how commands can be used and then paired up to achieve new or interesting ways of manipulating data. Throughout the text there are little highlights offering tips on extra functionality or limitations of certain commands. For instance, when discussing the shuf command we're warned that shuf will not work with multiple files. However, we can merge multiple files together (using the cat command) and then pass them to shuf. These little gems of wisdom add a dimension to the book and will likely save the reader some time wondering why their scripts are not working as expected.
I quite enjoyed Command Line Text Processing with GNU Coreutils. It's an easy read with clear, and often useful, examples. The book is a light read which mostly focuses on how we can do things without getting bogged down in theory or background on where tools came from. It's a good starting point for anyone who wants to learn how to use common command line programs and get them to work together. I also like that the book is open source (licensed under the Creative Commons family with code snippets provided under the MIT license).
The book can be purchased on-line from Learn By Example and LeanPub. There is also a PDF containing a sample chapter for people who would like to get a feel for the book's style.
|
Released Last Week |
4MLinux 38.0
The 4MLinux distribution is a minimal operating system with four focuses (on gaming, server utilities, system maintenance, and multimedia). The project's latest release is 4MLinux 38.0 which introduces several package upgrades and a few new features. "As always, the new major release has some new features. The following applications are now available out of the box: Audacity (audio editor), GQmpeg (music player), GRUB2 (boot loader), Minitube (YouTube player), Musique (audio player), wxCam (webcam application), xmp (command-line mod player). Basic support for 32-bit applications is now also included. PHP in the 4MLinux Server comes with the improved image handling via an external GD Graphics Library. And finally, the 4MLinux GamePack is now available as a downloadable extension. It includes a big collection of classic Linux games." Additional details can be found in the project's release announcement.

4MLinux 38.0 -- Running JWM
NixOS 21.11
NixOS is an independently developed GNU/Linux distribution that aims to improve the state of the art in system configuration management. In NixOS, the entire operating system, including the kernel, applications, system packages and configuration files, is built by the Nix package manager. The project's latest release is NixOS 21.11 which includes the following highlights: "The default Nix version remains at 2.3.16. Nix has not been updated to version 2.4 due to regressions in non-experimental behavior. To upgrade to 2.4, use the nixos-unstable branch or set the nix.package option to either of nixFlakes or nix_2_4 packages. The nixUnstable attribute is a pre-release of Nix 2.5. Read the release notes for more information on upcoming changes. Please help us improve Nix by providing any breakage reports. iptables now uses nf_tables backend. PHP now defaults to PHP 8.0, updated from 7.4. kops now defaults to 1.21.1, which uses containerd as the default runtime. python3 now defaults to Python 3.9, updated from Python 3.8. PostgreSQL now defaults to major version 13." Further information is available through the project's release announcement and in the release notes.
CentOS 9
The CentOS project has published a new snapshot release, CentOS 9 Stream which acts as a middle ground between Fedora and the next version of Red Hat Enterprise Linux. The project's release announcement says: "Updates posted to Stream are identical to those posted to the unreleased minor version of RHEL. The aim? For CentOS Stream to be as fundamentally stable as RHEL itself. To achieve this stability, each major release of Stream starts from a stable release of Fedora Linux - In CentOS Stream 9, this begins with Fedora 34, which is the same code base from which RHEL 9 is built. As updated packages pass testing and meet standards for stability, they are pushed into CentOS Stream as well as the nightly build of RHEL. What CentOS Stream looks like now is what RHEL will look like in the near future." CentOS is available in x86_64, ARM64, and PowerPC64 flavours. At the time of writing, the release notes are not yet available.
EndeavourOS 21.4
EndeavourOS is a rolling release Linux distribution based on Arch Linux. The project's latest snapshot is version 21.4 which includes several new improvements and fixes. "NVIDIA users have a new sanity check for NVIDIA and kernel updates. The check helps preventing boot problems after update. Apps UpdateInTerminal, eos-update-notifier and welcome include this update check. Welcome has a new button DE: information (DE is the installed desktop name) and opens the browser to the dedicated DE info page. Our eos-apps-info is added by default. The eos-apps-info-helper is now capable of showing information about many more apps, and it supports using a web browser which can be configured by yourself. An addition to paccache-service-manager has been made, which now ships with a checkbox for deleting the cache of uninstalled packages. A new and improved schedule configuration window for eos-update-notifier. The function grub-tools now adds info and warnings when needed about variable GRUB_DISABLE_OS_PROBER in /etc/default/grub. An improvement on AKM that marks the current running kernel with the * symbol." These and other improvements are covered in the project's release announcement.

EndeavourOS 21.4 -- Displaying the welcome window and application menu
* * * * *
Development, unannounced and minor bug-fix releases
|
Torrent Corner |
Weekly Torrents
The table below provides a list of torrents DistroWatch is currently seeding. If you do not have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.
Archives of our previously seeded torrents may be found in our Torrent Archive. We also maintain a Torrents RSS feed for people who wish to have open source torrents delivered to them. To share your own open source torrents of Linux and BSD projects, please visit our Upload Torrents page.
Torrent Corner statistics:
- Total torrents seeded: 2,657
- Total data uploaded: 41.1TB
|
Upcoming Releases and Announcements |
Summary of expected upcoming releases
|
Opinion Poll (by Jesse Smith) |
Do you run a firewall on your computer?
In this week's Feature Story we talked about OpenSnitch, an application which sets up firewall rules based on which application or process is making a network request. This approach is different from most Linux firewall tools which block specific ports rather than processes. Do you run a firewall on your personal computer and, if so, which approach do you prefer - managing network ports or managing processes?
You can see the results of our previous poll on running out of available RAM in last week's edition. All previous poll results can be found in our poll archives.
Do you run a firewall on your PC?
- Yes - I use a port blocking firewall: 592 (39%)
- Yes - I use a process blocking firewall: 71 (5%)
- Yes - I use a combination of both: 201 (13%)
- No - I do not run any firewall: 653 (43%)
|
Website News |
New distributions added to waiting list
- Little-Psycho Linux. The Little-Psycho Linux distribution is an Ubuntu-based project featuring the KDE Plasma desktop. Little-Psycho has a focus on destructive and stress testing of both software and hardware, and also includes overclocking and stress testing tools and tools for securely erasing the entire contents of your disks.
* * * * *
DistroWatch database summary
* * * * *
This concludes this week's issue of DistroWatch Weekly. The next instalment will be published on Monday, 13 December 2021. Past articles and reviews can be found through our Article Search page. To contact the authors please send e-mail to:
|
|
Tip Jar |
If you've enjoyed this week's issue of DistroWatch Weekly, please consider sending us a tip. (Tips this week: 1, value: US$23.49) |
Reader Comments
1 • no firewall on pc (by pappito on 2021-12-06 03:18:31 GMT from Australia)
handled at router level
should I be using one?
2 • Opensnitch (by anon on 2021-12-06 03:51:53 GMT from Venezuela)
Great tool! I wasn't aware such tools existed for linux.
3 • The Book Review (by Andy Figueroa on 2021-12-06 04:54:38 GMT from United States)
Looking at the sample chapter, which includes the table of contents, the book appears to be superficial. Back in the mid to late 1980s I was seriously in need of "book" to learn *nix text processing. My Unix system administrator suggested I get "Unix Primer Plus" by the Waite Group. This book (I have both the 1st and 2nd editions) laid the foundation by which I somewhat mastered the art of extreme text processing. The 3rd edition (recommended) is frequently available used via Amazon at the more or less $10 US price-point. I would buy it myself but I'm over that hump now.
Everything I learned in "Unix Primer Plus" is applicable to the same skills in Linux. I still frequently use it as a reference. I have a small library of Unix and Linux books, and this is the best of the bunch if you want to learn how to use cat, more, less, grep, awk, cut, paste, sed, search, sort, etc.
Just beware of sites that let you read this on-line with a "free" trial membership. There are numerous bait-and-switch sites for read on-line/download of books.
4 • Firewall (by Sam Crawford on 2021-12-06 05:05:21 GMT from United States)
I run UFW on my 3 debian based computers. I configure it both with GUFW and the command line. I open ports for Transmission, BOINC distributed computing and for VueScan, a scanner program.
Windows 11 uses the default Microsoft Defender firewall and anti-virus. My network uses Untangle, a commercial firewall.
Knock on wood, everything seems to be working OK as I haven't had any issues (that I'm aware of).
5 • Firewall (by harpia on 2021-12-06 05:13:02 GMT from Brazil)
Firewall on an OpenWrt router.
If you have ipv6, be extra careful. Unlike ipv4, it has no NAT. A firewall is the only way to block incoming traffic.
Some consumer-level routers block all incoming ipv6 traffic by default; some do not block anything. Go check yours.
6 • Qubes OS + Suricata (by Ro0t on 2021-12-06 07:01:34 GMT from Germany)
I use Qubes OS plus Suricata in IPS mode. Hardware firewall I do not have.
7 • Firewall (by Kazlu on 2021-12-06 09:15:02 GMT from France)
I am using ufw because it's standard and included on my distribution. I added a couple of custom rules and then forgot about it, which is what I want. The idea behind OpenSnitch is very interesting and I would like to see it more widely adopted in the future, but I do not have time to experiment with it myself considering the firewall job is already handled and I have no problem with it.
8 • Firewall (by DachshundMan on 2021-12-06 09:37:53 GMT from United Kingdom)
Like @7, I also use UFW on all my Linux computers as it is included in the distros. Generally I use the default setting of Incoming:deny, Outgoing:allow.
I also like the idea of OpenSnitch. It would be good to have the feature where the appropriate rules are added when software is installed on the machine. The corporate software I used to install before retiring did this on Windows although I did have to enable the appropriate version of the rule (domain or public/private) afterwards.
9 • OpenSnitch firewall (by Simon Plaistowe on 2021-12-06 11:30:52 GMT from New Zealand)
Well I wasn't using a firewall on my laptop because I wanted a process blocking one and could never find one. Thanks to the mention of OpenSnitch in last week's DW Weekly, I've now been using it for the past week (Linux Mint). Bloody brilliant, just what I've wanted all these years!
10 • Firewall (by Tim on 2021-12-06 12:29:57 GMT from United States)
I run nftables on Arch Linux and Fedora Linux.
11 • Open Snitch (by crayola-eater on 2021-12-06 13:17:12 GMT from United States)
After you mentioned it last week, I kept trying to remember the old Windows firewall I used that had the same MO, and this week you named it - Zone Alarm. That was the cat's meow when it first hit the scene (even had a very capable free version). Not so much after it got sold to whichever big player wanted to cut out the competition.
I liked how it tracked outgoing calls, and gave you the opportunity to say no to the phone home tendency.
So at last I now have something to bring back what I consider the real way to handle things smartly (or at least after I get off my keister and actually get it installed and settled in).
Thanks Jesse for a great lead.
12 • OpenSnitch (by Jay on 2021-12-06 13:40:52 GMT from Poland)
I've been aware of OpenSnitch for some time, but let my attention lapse. (Life happens.) Thanks for the reminder of a worthy security application, Jesse. I'll be using it to augment my nf/iptables firewall.
13 • Firewall? Don't talk to me about a firewall. (by Bob McConnell on 2021-12-06 13:56:42 GMT from United States)
You missed an option in your poll. I don't use local firewalls on my servers or workstations, as there are too many to keep up. I do have a dual-port PC running OPNsense between my networks and the ISP. I can block known troublemakers there. Yes, networkS! I have both a G-bit Ethernet backbone and a dual band WiFi router running full time. The backbone supports three NAS boxes totaling 11 TB of storage, four workstations, an Apache/Nextcloud server, an entertainment server, a PostgreSQL server and three Raspberry Pi. All but one of those and the Pi are running Slackware64. The WD MyCloud is FreeBSD. The WiFi supports my wife's laptop and BlueRay player, a Wii, a Playstation, all-in-one printer, two phones and five tablets. It gets real busy when the grandchildren visit. Oh, yes; IPv6 is disabled on the firewall. I see no need for the excessive overhead at this time, and I trust NAT much more.
14 • Firewall Not Needed (by Rick on 2021-12-06 14:02:19 GMT from United States)
After using Ubuntu since 2006, I went full-time with Linux in 2011 because of Windows viruses and trojans which often destroyed my OS. Since then I've had absolutely no need for an anti-virus or firewall on any of my 5 Thinkpads.
15 • firewall (by VE on 2021-12-06 16:42:00 GMT from United States)
A firewall sits between the local network and the internet. I've never understood the point of device level firewalls.
16 • Firewalls (by Robert on 2021-12-06 16:57:27 GMT from United States)
I did set up a port firewall on my Arch desktop, though I can't recall if it was iptables or nftables.
I used an application firewall on windows for a short time, but I found it very annoying being constantly interrupted to grant permission to this or that thing. I might try opensnitch though, because hopefully the Linux ecosystem will be better behaved and therefore less bothersome to deal with the interruptions.
17 • opensnitch (by a on 2021-12-06 19:22:46 GMT from France)
OpenSnitch seems great, I wanted to have such a tool a long time ago. Nowadays I probably won’t bother as I got used to living without a firewall.
18 • Never used firewalls (by ostro on 2021-12-06 21:18:16 GMT from Poland)
I never used firewalls in any of my Linux boxes for the last 17 years. And, since Windows 10, none of the Windows boxes either.
19 • OpenSnitch (by nobody on 2021-12-07 08:30:24 GMT from Finland)
I mentioned opensnitch in the comments for issue 940. Glad to see it get more attention.
Unfortunately it's not available in most repos yet but hopefully that changes when the project matures a bit.
The process locking and decision making being done with eBPF is also a bit unfortunate for those that would like to disable it for security reasons. Maybe this won't be the issue if in the future eBPF payloads can be signed and verified.
20 • Firewalls (by penguinx86 on 2021-12-07 09:44:31 GMT from United States)
I don't use a firewall on my Linux laptop at home. But my desktop computer at work has the built in Microsoft firewalls, our office has a local area network firewall, which goes through a remote corporate firewall. Funny how my 2ghz dual core i3 laptop with Linux on wifi runs SO MUCH FASTER than my 3ghz quad core i5 Windows computer on gigabit ethernet at work.
21 • Opensnitch (by hulondalo on 2021-12-07 11:19:30 GMT from Australia)
great article, thanks.
this is the reason i read distrowatch. like waydroid in the previous issue, saved me a lot of troubles and time. been wanting to try it but since xfce didn't support wayland so i thought it might be time to switch to kde but after reading DW review i think i'll stick to xfce and android x86 on qemu until xfce supports wayland and waydroid matures :) thanks.
apparently this is a brave new world, many ppl don't wanna firewall anymore or r they using adblock or host files?
22 • Firewall (by Matthew Evan on 2021-12-08 01:51:46 GMT from United States)
Definitely have a firewall over things like your SSH and samba ports when you're in public, I suppose when you're on a NAT you are generally okay but it's never too safe if you got a router with proprietary firmware and a bad track record.
23 • firewells (by firewally on 2021-12-08 08:25:40 GMT from France)
* Agree with @16 that firewall alarms become annoying. Many warnings are over anonymous small apps running from the Temp folder. This can be legit when installing a larger app - or it can be malware. After a while you get the small Temp app warnings all the time - indicating malware infection. It would be interesting to see if Opensnitch is any better.
* PC's have controls that don't necessarily cut all wireless access - OS settings, key combos, or even removing the wireless module (because the NIC is still on the motherboard). This renders firewalls not very useful against hackers who target wireless hardware. Only BIOS deactivation or kill switches shut off the wireless completely. Hence the rise of Open Source hardware to provide better control over computers.
* Security ppl tell us that the TOR network is anonymous and encrypted, and so is safe. But it has now been found that bad actors have controlled thousands of Tor server nodes over the last few years. This deanonymises ppl on the network to track their surfing - and maybe even find personal details and hack computers. They were able to register the servers without providing contact details.
So there are hackers lacing websites and apps with malware, large groups fighting for control over Internet servers and networks - and you're at home with your dodgy computer, trusty OS, and whiz-bang firewall. Good luck with that.
24 • firewalls (by Tad Strange on 2021-12-08 17:55:27 GMT from Canada)
Not much to comment on this week. On a private LAN I see no point in device level firewalls - they belong at the gateway.
Maybe if you're always sitting on a public wifi in a coffee shop or something, but even those services are usually running some form of client isolation.
25 • Firewalls (by None of the above on 2021-12-09 12:21:35 GMT from Germany)
This was a great article about OpenSnitch. I could not take your survey because none of the answers matched what I do. I use IPTABLES and block IP ranges. I went years without any firewall on my home server and I was always worried, but it was probably unnecessary. If you only run safe software that is properly configured and keep everything updated you greatly reduce your risks.
Do you need to block ports? The port is only open by some software you are running. Do you need to block processes? Same answer. What is interesting about OpenSnitch is that it can help you figure out if your software is misbehaving. This would more likely be outbound traffic instead of inbound.
I do check my logs for bad actors and then ban them. I hope to reduce the chances of them actually succeeding in the future if there is some new exploit by just blocking them completely.
26 • No Opensnitch install files for my Linux Mint MATE 20.2 (by ROC on 2021-12-10 03:53:06 GMT from United States)
375-Lnx:~$ sudo dpkg -i opensnitch*.deb python3-opensnitch-ui*deb
[sudo] password for [me]:
dpkg: error: cannot access archive 'opensnitch*.deb': No such file or directory
[me]@Dell--Lnx:~$ sudo dpkg -i opensnitch*.deb python3-opensnitch-ui*deb
dpkg: error: cannot access archive 'opensnitch*.deb': No such file or directory
Copy/pasted from your article, Jesse, with above results (after running latest updates).
27 • opensnitch installation on opensuse (by Jack on 2021-12-10 09:58:15 GMT from Australia)
I tried to install opensnitch daemon and user interface packages on vanilla Leap 15.3 but the installation process kept failing due to prerequisite packages. I kept going by reading the error messages, figuring out what packages were missing, installing one more package and ended up with the list below:
libnetfilter_queue1 python3-inotify python3-pyinotify python3-qt5 python3-grpcio python3-grpcio-gcp python3-grpc-google-iam-v1 python3-python-slugify
Needless to say, some of the packages were also dependent on other packages which zypper installed automatically. When I finally got opensnitch working, there were more than 60 new packages added to the system!
28 • Installing OpenSnitch (by Jesse on 2021-12-10 14:58:43 GMT from Canada)
@26: "Copy/pasted from your article, Jesse, with above results (after running latest updates)."
It looks like you didn't follow the previous step which is to first download the opensnitch.deb packages. You need to do that before you try to install them.
Number of Comments: 28