
#1 2018-12-24 10:52:38

Utini
Member
Registered: 2015-09-28
Posts: 452

Does UFW make any sense without per-app settings?

Hello everyone,

I am currently setting up ufw/gufw and while doing so I realized that I do not have many ports for in/out opened.
However, I do have those opened system-wide, which basically means my firewall is useless, as any package/malware will be able to simply communicate via port 80/443/...?

To my understanding a firewall should block unwanted traffic in/out.
With system-wide settings I could either cripple my whole system until it's no longer usable, or allow every package free access to the internet.
Or is there something I am missing? hmm

Thanks in advance!

@edit:
A simple example would be to block network access for geoclue, webkit2gtk, ....

Last edited by Utini (2018-12-24 10:56:19)


Setup 1: Thinkpad T14s G3, 14" FHD - R7 6850U - 32GB RAM - 2TB Solidigm P44 Pro NVME
Setup 2: Thinkpad X1E G1, 15.6" FHD - i7-8850H - 32GB RAM - NVIDIA GTX 1050Ti - 2x 1TB Samsung 970 Pro NVME
Accessories: Filco Majestouch TKL MX-Brown Mini Otaku, Benq XL2420T (144Hz), Lo(w)gitech G400, Puretrak Talent, Sennheiser HD800S + Meier Daccord FF + Meier Classic FF


#2 2018-12-24 11:57:53

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: Does UFW make any sense without per-app settings?

To my understanding a firewall should block unwanted traffic in/out

Determining what is unwanted is much easier for incoming traffic than for outgoing traffic.
In my opinion a firewall's main job is preventing unwanted traffic from coming in.
Some OSes are designed in ways that make that a very tough job, for those OSes distinguishing between good / bad outgoing traffic based on applications may make sense.
For an OS like linux where blocking incoming is rather easy, I prefer the approach used in Simple stateful firewall over per-app rules.


I never used ufw, but some things that caught my attention :

- no mention of nftables support (the successor of iptables)
- it has built in rules for special cases, but there doesn't appear to be a simple way to see ALL rules that are in effect.
- ufw is a frontend for iptables.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#3 2018-12-24 16:36:57

Utini
Member
Registered: 2015-09-28
Posts: 452

Re: Does UFW make any sense without per-app settings?

Lone_Wolf wrote:

To my understanding a firewall should block unwanted traffic in/out

Determining what is unwanted is much easier for incoming traffic than for outgoing traffic.
In my opinion a firewall's main job is preventing unwanted traffic from coming in.
Some OSes are designed in ways that make that a very tough job, for those OSes distinguishing between good / bad outgoing traffic based on applications may make sense.
For an OS like linux where blocking incoming is rather easy, I prefer the approach used in Simple stateful firewall over per-app rules.


I never used ufw, but some things that caught my attention :

- no mention of nftables support (the successor of iptables)
- it has built in rules for special cases, but there doesn't appear to be a simple way to see ALL rules that are in effect.
- ufw is a frontend for iptables.

I am less worried about something entering my system than leaving it.
I am behind a router. Also, I don't run any services that would allow others to access my system, and even if so, they are password secured or disabled (and only temporarily enabled when needed).
On the other hand everything on my system can send everything they want to wherever they want.

ufw has a simple way of showing all rules (ufw status, or by using the GUI frontend GUFW).

Is nftables any better/superior?



#4 2018-12-25 12:36:24

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: Does UFW make any sense without per-app settings?

archlinux wiki page on ufw wrote:

Finally, query the rules being applied via the status command:

# ufw status

Status: active
To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
Deluge                     ALLOW       Anywhere
SSH                        LIMIT       Anywhere

The status report shows the rules added by the user. For most cases this will be what is needed, but it is good to be aware that builtin-rules do exist. These include filters to allow UPNP, AVAHI and DHCP replies. In order to see all rules setup

# ufw show raw

may be used, as well as further reports listed in the manpage. Since these reports also summarize traffic, they may be somewhat difficult to read. Another way to check for accepted traffic:

# iptables -S | grep ACCEPT

Using a GUI to get a report for a commandline oriented utility is not what I call simple.
Also ufw status doesn't show all rules, ufw show raw should.
Again not what I call simple.
Keep in mind though that's my subjective opinion.


--------------------------------------------------------

The framework we usually call iptables actually consists of several parts: iptables, ip6tables, arptables and ebtables.
Nftables aims to replace all of them with one framework.
https://wiki.archlinux.org/index.php/Nftables



#5 2018-12-25 14:11:08

Maniaxx
Member
Registered: 2014-05-14
Posts: 732

Re: Does UFW make any sense without per-app settings?

Per-app blocking is somewhat possible on Linux though. There are afaik no frontends/GUIs though, and thus no "interactive" popups on SYN connections as with Windows apps. Linux is way behind on that.

You can create a user group, block it with iptables and start your app within that group (sudo -g myblockedgroup myapp). Better than nothing.


sys2064


#6 2018-12-25 14:54:49

nbd
Member
Registered: 2014-08-04
Posts: 389

Re: Does UFW make any sense without per-app settings?

Maniaxx wrote:

You can create a user group, block it with iptables and start your app within that group (sudo -g myblockedgroup myapp). Better than nothing.

The other way round is more effective IMHO: totally block your normal user from the web, allow web access to a user account dedicated to working with the web, and start web-related programs from that dedicated user.


bing different

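The two schemes from posts #5 and #6 (block a dedicated group and launch programs into it with sudo -g; or block the everyday user and run internet programs as a separate account) both come down to one iptables "owner" match on the OUTPUT chain. The script below is an added example, not code posted in the thread; the group name "noinet" and user name "alice" are hypothetical, and the functions only print the rules unless the root-only apply function is called.

```shell
#!/bin/sh
# Added example, not code from the thread. It implements the two egress
# schemes discussed in posts #5 and #6 with the iptables "owner" match:
#   gid mode: reject traffic from sockets whose primary group is GROUP, then
#             start the program with "sudo -g GROUP" (post #5);
#   uid mode: reject all traffic from the everyday account and start internet
#             programs as a separate, unrestricted account (post #6).
# "noinet" (group) and "alice" (user) are hypothetical names.
set -eu

# Print the rules for one principal instead of applying them, so they can be
# reviewed first. KIND is "gid" or "uid", WHO the group or user name, ALLOW_LO
# ("yes"/"no") whether the principal may still reach 127.0.0.1 / ::1.
egress_rules() {
    kind=$1; who=$2; allow_lo=${3:-yes}
    case $kind in
        gid) match="-m owner --gid-owner $who" ;;
        uid) match="-m owner --uid-owner $who" ;;
        *)   echo "egress_rules: kind must be gid or uid" >&2; return 2 ;;
    esac
    # Both IPv4 and IPv6, or the v6 path stays wide open. "-I OUTPUT" puts the
    # rule at the top of OUTPUT, ahead of ufw's own chains, so no "ufw allow out"
    # rule can override it. REJECT rather than DROP makes the program fail at
    # once instead of hanging until a timeout.
    for ipt in iptables ip6tables; do
        printf '%s -I OUTPUT %s -j REJECT\n' "$ipt" "$match"
        if [ "$allow_lo" = yes ]; then
            # inserted second at position 1, so it is evaluated before the REJECT
            printf '%s -I OUTPUT -o lo %s -j ACCEPT\n' "$ipt" "$match"
        fi
    done
}

# Apply the rules (root only). The principal must already exist: for gid mode
# run "groupadd --system noinet" first; for uid mode name the everyday account.
# The rules live only until reboot (ufw's own reload/disable also flushes them).
apply_egress_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_egress_rules: run as root" >&2; return 1; }
    case $1 in
        gid) getent group "$2" >/dev/null || { echo "no such group: $2" >&2; return 1; } ;;
        uid) id -u "$2" >/dev/null 2>&1   || { echo "no such user: $2" >&2; return 1; } ;;
        *)   echo "apply_egress_rules: kind must be gid or uid" >&2; return 2 ;;
    esac
    egress_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"   # every line is a complete iptables command built above
    done
}

# Post #5's launcher: run CMD with "noinet" as its primary group. The owner
# match looks at the socket's primary gid only; being a supplementary member
# of the group does nothing unless the rule also uses --suppl-groups
# (available in newer iptables).
run_offline() { sudo -g noinet -- "$@"; }

# Check that the block really holds for GROUP: a fetch as the unrestricted
# caller must succeed (so the network is known to be up), the same fetch with
# GROUP as primary group must fail.
verify_blocked() {
    url=https://archlinux.org
    curl -sS --max-time 5 -o /dev/null "$url" || { echo "no baseline network" >&2; return 2; }
    if sudo -g "$1" -- curl -sS --max-time 5 -o /dev/null "$url" 2>/dev/null; then
        echo "NOT blocked: group $1 reached $url" >&2; return 1
    fi
    echo "blocked: egress rejected for group $1"
}
```

Usage: `egress_rules gid noinet` to review, `sudo sh -c '. ./egress.sh; apply_egress_rules gid noinet'` to apply, then `verify_blocked noinet` and `run_offline firefox`. For the uid scheme, `apply_egress_rules uid alice` and start internet programs with `sudo -u webuser ...`; system services are untouched because they run under their own accounts, and for a unit like geoclue.service the account reported by `systemctl show -p User geoclue.service` can be targeted the same way. To keep the match across `ufw reload`, put it into ufw's own rule files instead: a line such as `-A ufw-before-output -m owner --gid-owner noinet -j REJECT` in the `*filter` section of /etc/ufw/before.rules (and /etc/ufw/before6.rules), which ufw loads before the user rules. On nftables the equivalent match is `meta skgid noinet` or `meta skuid alice` in an output-hook chain.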

#7 2018-12-29 18:10:36

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,694

Re: Does UFW make any sense without per-app settings?

If applications are your concern maybe you want to take a look at firejail.
The short explanation is that you can run your applications in a sandbox.
Take a look at Firejail
It is in the repos and the wiki has very good information as well.

Hope this helps.

R.


#8 2018-12-29 22:01:32

Utini
Member
Registered: 2015-09-28
Posts: 452

Re: Does UFW make any sense without per-app settings?

Yep, but firejail won't help me to e.g. block network access for geoclue.



#9 2018-12-29 22:13:23

nbd
Member
Registered: 2014-08-04
Posts: 389

Re: Does UFW make any sense without per-app settings?

The way I described in #6 I used myself and it's pretty efficient: it totally blocks all unauthorized phoning home from programs run by a normal user. I kept in a menu a list of shortcuts for internet-allowed programs, which were started from the internet-dedicated user. But now I'm intending to set up a full-blown local network firewall on a separate machine. (There are also Android and Windows 10 clients in the network that want to silently perform any world-wide broadcasting they want.)



#10 2018-12-30 00:50:18

sammiev
Member
Registered: 2018-12-22
Posts: 84

Re: Does UFW make any sense without per-app settings?

As I have traveled for years and use my laptop daily in hotels and so on, I use a firewall.
I deny incoming and outgoing.
Then use tun0 outgoing once connected to the VPN.
Worked for me over the years.

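Post #10's laptop policy (deny in and out, then allow out only on the VPN interface) has one rule it leaves implicit: the VPN client's own session to the server goes over the physical link, so once outgoing traffic is denied it needs an explicit exception or the tunnel can never be established. The script below is an added example, not the poster's configuration; the server address 203.0.113.10, port 1194/udp and the interface name tun0 are placeholders (203.0.113.0/24 is a documentation range).

```shell
#!/bin/sh
# Added example, not from the thread: post #10's "deny in and out, allow out
# only via the VPN" policy as ufw commands. SERVER, PORT and PROTO describe
# the VPN client's own session; 203.0.113.10, 1194/udp and tun0 are
# placeholder values.
set -eu

# Print the commands instead of running them so the policy can be reviewed.
# The fourth command is the exception for the VPN handshake itself. Nothing
# else is allowed out on the physical link, which also stops DNS queries from
# leaking to the ISP resolver while the tunnel is down.
vpn_only_rules() {
    server=$1; port=$2; proto=$3; tun=${4:-tun0}
    case $proto in
        udp|tcp) ;;
        *) echo "vpn_only_rules: proto must be udp or tcp" >&2; return 2 ;;
    esac
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow out on $tun from any to any
ufw allow out to $server port $port proto $proto
ufw --force enable
EOF
}

# Apply the policy (root only). Afterwards "ufw status verbose" must report
# "Default: deny (incoming), deny (outgoing)", and a fetch with the tunnel
# down must fail while the VPN client can still reach $server.
apply_vpn_only() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_vpn_only: run as root" >&2; return 1; }
    vpn_only_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"   # each line is one complete ufw command from above
    done
}
```

Usage: `vpn_only_rules 203.0.113.10 1194 udp` to review, `sudo sh -c '. ./vpnfw.sh; apply_vpn_only 203.0.113.10 1194 udp'` to apply. If the VPN provider uses several server addresses, each needs its own fourth line; with `ufw default deny outgoing` anything not listed, including LAN printers and local DHCP-renewal traffic on some clients, is rejected until explicitly allowed.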

#11 2019-01-02 02:21:19

RainmakerRaw
Member
Registered: 2015-03-30
Posts: 11

Re: Does UFW make any sense without per-app settings?

Maniaxx wrote:

Per-app blocking is somewhat possible on Linux though. There are afaik no frontends/GUIs though, and thus no "interactive" popups on SYN connections as with Windows apps. Linux is way behind on that.

You can create a user group, block it with iptables and start your app within that group (sudo -g myblockedgroup myapp). Better than nothing.

I haven't used it personally, but there's OpenSnitch? It's in the AUR.


#12 2019-01-02 20:37:47

Maniaxx
Member
Registered: 2014-05-14
Posts: 732

Re: Does UFW make any sense without per-app settings?

Good find, thanks. Will definitely test it.

