Hello everyone,
I am on KDE with plasma-firewall and firewalld installed.
By default it uses zone "public", which "denies incoming" and "allows outgoing".
So this means that nothing from the outside can access my laptop (e.g. if I SMB share some folders, no one in the network will be able to see them)?
At the same time, I should be able to access everything (e.g. network printers, SMB shared folders on other devices, torrent downloads, ...)?
I can add/allow services e.g. samba and samba-client.
I guess samba refers to the samba server (as if I want to create a shared folder on my device to share with others) and samba-client refers to the app that allows me to access other shared folders in the network?
In this case I won't even need to allow samba-client because all the "outgoing" is allowed anyway?
Basically I only need to allow packages that act like a "server" on my device e.g.:
Torrent client to seed
Media Server (minidlna, mpd,...)
SMB Shared Folder on my device
SSH Server
FTP Server
Printer Re-sharing
Syncthing
OpenVPN Server
...
?
But the client functions should work already, e.g.:
Torrent client to download
Connecting to other media servers
Connecting to smb shared folders
SSH client
FTP Client
Accessing network printers
OpenVPN Client
...
?
Am I understanding this correctly?
Thanks in advance!
Setup 1: Thinkpad T14s G3, 14" FHD - R7 6850U - 32GB RAM - 2TB Solidigm P44 Pro NVME
Setup 2: Thinkpad X1E G1, 15.6" FHD - i7-8850H - 32GB RAM - NVIDIA GTX 1050Ti - 2x 1TB Samsung 970 Pro NVME
Accessories: Filco Majestouch TKL MX-Brown Mini Otaku, Benq XL2420T (144Hz), Lo(w)gitech G400, Puretrak Talent, Sennheiser HD800S + Meier Daccord FF + Meier Classic FF
Huh, really - no one? :S
Huh, really - no one? :S
Don't do that. Tell us more information, tell us what you have read since your last post.
I have a note that you may be running Parabola. Is that true?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Utini wrote: Huh, really - no one? :S
Don't do that. Tell us more information, tell us what you have read since your last post.
I have a note that you may be running Parabola. Is that true?
Okidoki - sorry.
Regarding your note:
Interesting that you have that noted
But no, I am not using Parabola and have never used it before.
I had the Parabola repo added to use their version of firefox, geoclue, webkit, ...
But that was ages ago.
Regarding the firewall:
From what I read in the meantime, my assumption seems to be correct. But I am still unsure.
At home I am behind a configured router.
But in public wifis I might be vulnerable without a firewall.
Basically I only need to allow packages that act like a "server" on my device e.g.:
Torrent client to seed
Media Server (minidlna, mpd,...)
SMB Shared Folder on my device
SSH Server
FTP Server
Printer Re-sharing
Syncthing
OpenVPN Server[...]
At home I am behind a configured router.
But in public WiFis I might be vulnerable without a firewall.
I think I finally understood the root cause of your questions.
The "serving list" of your PC (which - according to your signature - is a notebook) reads like your PC is acting like a small workgroup server at home. If you take this PC on a ride you use it as a mobile client but then it's too exposed in a public Wi-Fi.
I see several possibilities with pros and cons:
1. Have you considered building a physical server or using a NAS? Depending on the transfer speeds this may even be something like a Raspberry Pi.
2. Use a dedicated network device. If your notebook doesn't have a LAN port you may consider a docking station or a USB LAN adapter. Bind your services only to this adapter and/or use a firewall profile.
3. Switch between dedicated firewall profiles ("home" and "public").
Utini wrote:Basically I only need to allow packages that act like a "server" on my device e.g.:
Torrent client to seed
Media Server (minidlna, mpd,...)
SMB Shared Folder on my device
SSH Server
FTP Server
Printer Re-sharing
Syncthing
OpenVPN Server[...]
At home I am behind a configured router.
But in public WiFis I might be vulnerable without a firewall.
I think I finally understood the root cause of your questions.
The "serving list" of your PC (which - according to your signature - is a notebook) reads like your PC is acting like a small workgroup server at home. If you take this PC on a ride you use it as a mobile client but then it's too exposed in a public Wi-Fi.
I see several possibilities with pros and cons:
1. Have you considered building a physical server or using a NAS? Depending on the transfer speeds this may even be something like a Raspberry Pi.
2. Use a dedicated network device. If your notebook doesn't have a LAN port you may consider a docking station or a USB LAN adapter. Bind your services only to this adapter and/or use a firewall profile.
3. Switch between dedicated firewall profiles ("home" and "public").
Hi, well yes basically a small workgroup server with basic services running (samba, printer share, whatever).
So in a random public wifi I could expose all that freely to others.
I have a 500/110 Mbit connection at home and run an OpenVPN server on my router.
I use that OpenVPN usually when at a public network.
So yes, I am already following your solution #1. But that causes a bit more battery drain and slows down the network.
Your solution #3 is what I was thinking about.
Regarding #3:
So basically use a firewall and have two profiles: home and public
Use "home" whenever I am in a safe network (e.g. home or at work).
Use "public" everywhere else.
I guess "home" basically doesn't restrict at all, kinda like not having a firewall at all.
While "public" denies everything from the outside that wants to access my laptop while allowing everything from my laptop to go outside?
Regarding your note:
Interesting that you have that noted
But no, I am not using Parabola and have never used it before.
I had the Parabola repo added to use their version of firefox, geoclue, webkit, ...
But that was ages ago.
Note removed.
Your solution #3 is what I was thinking about.
Those two zones already exist in firewalld's default configuration: "trusted" and "public" - the latter only allowing DHCPv6 and SSH. I can't say anything about plasma-firewall.
Last edited by -thc (2023-03-20 06:31:30)
Alright, sounds exactly like what I want.
I installed firewalld and plasma-firewall.
Plasma-firewall just acts as a GUI for integration into KDE.
According to "firewall-cmd --list-all-zones" several zones are more or less the same:
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dns ssh
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp5s0u1u3u4
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Basically:
home = internal
public = work
.. and then there is external and trusted.
1. Basically I would use public as automatic default zone for every new network that gets connected?
2. For my home network I will use "home". That should allow all connections, port forwarding, ... basically just the same as if no firewall were enabled?
3. Which firewall zone should I use for my OpenVPN connection? Home as well or public?
Of course I could further configure the zones if recommended.
Those are the standard settings:
public:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp5s0u1u3u4
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home:
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Last edited by Utini (2023-03-20 09:59:08)
1. Basically I would use public as automatic default zone for every new network that gets connected?
That's a good idea.
2. For my home network I will use "home". That should allow all connections, port forwarding, ... basically just the same as if no firewall were enabled?
No - this zone only allows the listed services. "trusted" allows everything.
3. Which firewall zone should I use for my OpenVPN connection? Home as well or public?
If you did setup your VPN as a full tunnel (your VPN endpoint is the default gateway and everything will be routed through the tunnel) you can also use "trusted". In case of a split tunnel VPN that would be unwise.
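The zone semantics discussed above (the opening question about "denies incoming / allows outgoing", the `--list-all-zones` dump, and -thc's point that "home" only admits its listed services while "trusted" admits everything) can be checked mechanically. The script below is an added example, not code from the thread or from the firewalld project: it parses the text that `firewall-cmd --list-all-zones` prints and reports, per zone, which of the laptop's own "server" services a peer on that network could open a connection to. The embedded sample is the thread's dump abridged to a few zones. The decision model is an assumption stated in the code: replies to connections the laptop itself opened are always accepted (firewalld's established/related handling), unsolicited traffic is accepted only if the zone target is ACCEPT or the service is listed, a DROP target silently drops, and any other target rejects. Ports, protocols, forward-ports and rich rules are parsed but not evaluated, and the service names in `MY_SERVERS` are assumed to exist in the local firewalld build (check with `firewall-cmd --get-services`).

```python
"""Added example: parse `firewall-cmd --list-all-zones` output and show, per zone,
what a peer on that network could reach on this laptop (simplified zone model)."""
import re
import sys

# Constructed sample: zones copied from the thread's dump, abridged to the ones discussed.
SAMPLE = """\
drop
  target: DROP
  services:
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
nm-shared
  target: ACCEPT
  services: dhcp dns ssh
  protocols: icmp ipv6-icmp
  rich rules:
\trule priority="32767" reject
public (active)
  target: default
  interfaces: enp5s0u1u3u4
  services: dhcpv6-client ssh
trusted
  target: ACCEPT
  services:
"""

ZONE_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?: \((active)\))?$")   # "public (active)"
FIELD_RE = re.compile(r"^([a-z][a-z-]*(?: [a-z-]+)*):\s*(.*)$")  # "rich rules: ..."


def parse_zones(text):
    """Return {zone_name: {"active": bool, "fields": {key: [values]}}}."""
    zones, zone, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field = FIELD_RE.match(line)
        if field and zone is not None:
            last_key = field.group(1)
            zone["fields"][last_key] = field.group(2).split()
        elif (header := ZONE_RE.match(line)):
            name, active = header.groups()
            zone = zones.setdefault(name, {"active": active == "active", "fields": {}})
            last_key = None
        elif zone is not None and last_key is not None:
            # Continuation line, e.g. one rich rule listed under "rich rules:".
            zone["fields"][last_key].append(line)
    return zones


def decide(zone, service, established=False):
    """Verdict for traffic arriving on an interface bound to `zone` (assumed model)."""
    if established:                      # reply to a connection we opened: always fine
        return "ACCEPT"
    target = zone["fields"].get("target", ["default"])[0]
    if target == "ACCEPT" or service in zone["fields"].get("services", []):
        return "ACCEPT"
    return "DROP" if target == "DROP" else "REJECT"


def reachable(zones, zone_name, my_services):
    """Subset of my_services a peer can open a new connection to in zone_name."""
    return {s for s in my_services if decide(zones[zone_name], s) == "ACCEPT"}


def commands_to_allow(zones, zone_name, wanted):
    """firewall-cmd invocations that would expose `wanted` in zone_name; [] if already exposed."""
    missing = sorted(set(wanted) - reachable(zones, zone_name, wanted))
    cmds = [f"firewall-cmd --permanent --zone={zone_name} --add-service={s}" for s in missing]
    return cmds + ["firewall-cmd --reload"] if cmds else []


# The "server" roles from the thread as firewalld service names (assumed to exist
# in this firewalld build; verify with `firewall-cmd --get-services`).
MY_SERVERS = {"samba", "ssh", "syncthing", "openvpn"}

if __name__ == "__main__":
    # Pipe real output in: firewall-cmd --list-all-zones | python3 zones.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    zones = parse_zones(text)
    for name in sorted(zones):
        flag = "*" if zones[name]["active"] else " "
        print(f"{flag} {name:10} exposes: {sorted(reachable(zones, name, MY_SERVERS)) or '-'}")
    print("\n".join(commands_to_allow(zones, "home", MY_SERVERS)))
```

With the sample, "public" and "home" both expose only ssh (samba-client is not samba), "trusted" exposes everything, and the last lines print the `--add-service` commands that would open the remaining services in "home". Running it against live output shows the same picture for the zone the NIC is actually bound to, which is the check to make before carrying a "home" profile onto a public network.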
Thanks! I actually use a split tunnel VPN:
All traffic is going through the VPN except two IPs from my office that can only be connected to via the local connection.
So I guess "public" is the right zone for my OpenVPN profile then.
Alternatively I could add another OpenVPN profile which doesn't have the split tunnel configured and uses zone "trusted".
I could then bind "Work VPN" with "public" to my work network, and all other networks get the "Full VPN" with "trusted".
Follow up question:
Which zone should the "loopback" interface (lo) have?
Shouldn't this be trusted as well? By default it is public.