Firewall and firewalld or Other?

Hi guys,
I have been looking through the forum about firewalls and securing my system.
I came across several posts talking about installing different firewalls, but I came across this interesting post by our friend @dalto (FirewallD on Apollo ISO - #11 by dalto) that had a link to https://discovery.endeavouros.com/applications/firewalld/2022/03/

Reading this page I conclude that it is already done by the wonderful developers and there is no need to bother with trying any other firewall.

As my rule of thumb I always prefer to stick to the defaults, so there is no need to try or attempt anything else.

As far as I understand, it is just installed but not configured or active and I should manually configure it to be effective.

My question is did I get it correct?
Is there any “default” setting perhaps instead of playing with it and mess things up?

I see 2 apps, one saying control your network rules and the other saying Firewall configuration.

Honestly, I never thought about or attended to firewalls before that, and I do not know what is this and what's that?

Which one to start with, what to do and what not to do?

As any home user, I am browsing the web, downloading some stuff (PDFs and books mainly), and I am using Brave browser. Sometimes I use torrents to download some other distros to play with on some old laptops I have.

As firewall is for me a serious business, I do not want to be locked out or have an app that needs the internet like pCloud or similar (VLC sometimes needs internet too) blocked, so I do not want to lock myself out. (Again, I am not that techie, and never bothered with firewalls.)

I won't need anything other than firewalld to have a good firewall? Will it automatically make all ports stealth or do I need to do it manually?

Any hints or guidance will be highly appreciated; as I said, I see it as serious business and I do not want to ignorantly do something that locks me out or disables something I need.

Thank you in advance for your hints and guidance.

Edit: Reading about firewalls and searching, I came across some suggestions somewhere suggesting to use nftables instead. Honestly, as for now I do not know what the difference from firewalld is. I will appreciate hints about it as well.

We ship the firewall enabled and the default config is sane for most desktop users.

You don’t need to modify the firewall config unless something is not working for you.

1 Like

Thanks @dalto
Surprisingly, I found it is not enabled. I swear I did nothing. I just installed and followed the defaults.
I did sudo systemctl enable --now firewalld.service as in the link, and went back to the apps and still couldn’t enable it.

I noticed there are some services and ports next to it somewhere, are these ports open and not stealth?

I will appreciate further guidance, and hopefully answers to my questions in my first post, whether from @dalto or experienced users.
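Since the question above is really "what does my firewalld zone actually let in, and is it stealth?", here is an added example script (not from the thread or from EndeavourOS) that reads the zone listing and reports the answer. It assumes firewalld's firewall-cmd CLI; the SAMPLE text is constructed in the format `firewall-cmd --list-all` prints, so the parsing part runs even on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the thread: audit what the active firewalld zone
# actually exposes. SAMPLE is constructed to mimic `firewall-cmd --list-all`
# output; it is not taken from a real machine.

SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlan0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Count the services and explicit ports the zone accepts unsolicited
# connections on (reads --list-all text on stdin, prints a number).
count_exposed() {
  awk '/^  services:/ { n += NF - 1 } /^  ports:/ { n += NF - 1 } END { print n + 0 }'
}

# Print the zone target. "default" refuses unsolicited connections with an
# ICMP admin-prohibited reply (the peer learns the port is closed); "DROP"
# discards them silently, which is what port scanners report as "stealth".
zone_target() {
  awk '/^  target:/ { print $2 }'
}

# List the open services one per line so each can be reviewed; a service
# the machine never offers (e.g. ssh on a laptop) is a candidate to remove.
open_services() {
  awk '/^  services:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Live audit, only meaningful where firewalld is installed.
audit_live() {
  command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not installed" >&2; return 1; }
  if [ "$(firewall-cmd --state 2>/dev/null)" != "running" ]; then
    echo "firewalld is not running; enable it with: sudo systemctl enable --now firewalld.service"
    return 1
  fi
  zone=$(firewall-cmd --get-default-zone)
  listing=$(firewall-cmd --zone="$zone" --list-all)
  echo "default zone: $zone"
  echo "target: $(printf '%s\n' "$listing" | zone_target)"
  echo "exposed services/ports: $(printf '%s\n' "$listing" | count_exposed)"
  printf '%s\n' "$listing" | open_services | sed 's/^/  open service: /'
}

# Use the live zone when firewalld is present, otherwise the constructed sample.
if command -v firewall-cmd >/dev/null 2>&1; then
  audit_live
else
  echo "target: $(printf '%s\n' "$SAMPLE" | zone_target)"
  echo "exposed services/ports: $(printf '%s\n' "$SAMPLE" | count_exposed)"
  printf '%s\n' "$SAMPLE" | open_services | sed 's/^/  open service: /'
fi
```

If the target line reads `default`, closed ports answer with a reject rather than staying silent. Silent drop, if that is what you want, is a zone setting rather than something to do per port: `sudo firewall-cmd --permanent --zone=public --set-target=DROP` followed by `sudo firewall-cmd --reload`, after first confirming with the listing above that nothing you rely on is only reachable through that zone.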


While this won’t help here, I disabled the firewall on my main computer (desktop) during installation. I rely on the firewall in my router. However, my old Dell Latitude (test computer only) is running firewalld, which comes with EOS.

Thanks @Darius
Just curious, why? And why on the other?

I read by the way that routers have their own firewall, but I don’t know if this is enough. What if on a laptop somewhere else or used hotspot?

I’d be interested to hear your thoughts on this too @Darius.

Speaking generally, because I’m not familiar with your setup obviously, the router firewall and a PC firewall are not redundant: they protect against at least two different threat vectors.

The router firewall, in most setups, protects LAN users from WAN-based attacks. In more advanced setups, the router may also be firewalling aspects of the routed internal networks.

A PC firewall protects the PC from LAN-based attacks. Of course, we can typically trust our families not to hack our PC… typically. But perhaps the greater risk comes from unmanageable devices, or even un-vetted software that family may install on other systems. In a nutshell, anything connected to your LAN, whether it’s a TV, fridge, hot water heater, solar panels, someone’s smart watch, security cameras, washing machine, or your click-bait-prone uncle’s laptop. You name it, any of these devices can in themselves present potential back-doors into your network, providing a would-be hacker a launching point against an unprotected system.

1 Like

You don’t use nftables instead of firewalld. When you are using firewalld, you are using nftables as back-end.

https://wiki.archlinux.org/title/Nftables#Front-ends
https://wiki.archlinux.org/title/Firewalld

1 Like

Is your installation rather old? If yes, that is OK. Former ISOs were shipped without firewalld. Only my installations during the last approx. 3 years have firewalld installed by default.
See also: date 2022.04.06 in https://gitlab.com/endeavouros-filemirror/Important-news/blob/main/README.md

So can we take it to mean that firewalld is based on nftables and not iptables? Does using nftables confer some advantages to firewalld?

Would love to know the reason why firewalld was chosen? There are other alternatives that are there, ufw being one prominent example.

1 Like

Thanks @cactux
So doing nftables alone would be the same as activating and using firewalld, that is, firewalld is a frontend or GUI for nftables?

Same question as @Archie1

@limotux , @Bink : There’s a simple reason for this: The desktop PC is permanently connected to the router (including the firewall). The laptop (being mobile) is (less so in my case, as it’s only a test device) NOT always within range of my router’s Wi-Fi. Thus, the router’s firewall isn’t always effective for the laptop. Hence, I have my own firewall (software) for it. But ultimately, that’s irrelevant, because the laptop never leaves my house anyway.

At least that’s my thoughts on the matter.

I understand now. That is smart and practical.

Somewhere in this forum, the question of whether a software firewall is even useful was discussed. I think it was back when a firewall was introduced in EOS. The main point was that a firewall only really makes sense on a mobile device, since they are often on other people’s Wi-Fi networks and therefore need this protection. Ultimately, it’s about preventing anything harmful from reaching the computer through network traffic. A router firewall (in the NAT router) can intercept this before it reaches the computer. A software firewall, which is located ON THE COMPUTER, is already too late in this regard…
But for when I’m on the go, when I’m on other Wi-Fi networks with my laptop, it’s better than nothing.

But I’m just a user…

firewalld supports both but will prioritize nftables if it is available. nftables is a replacement for the legacy iptables.

  • firewalld is a more modern solution than ufw
  • firewalld is integrated with NetworkManager to support different rules for different zones which has benefits for users who move between networks or have sophisticated networks
  • firewalld includes a GUI management tool as part of the package
  • firewalld abstracts the concept of understanding individual ports to services that are more easily understood. i.e. If you want to enable kde-connect, you don’t have to research what ports and protocols it uses, you just click the box that reads “kde-connect”.
2 Likes
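To make the "services instead of ports" point and the "nftables is the back-end" point concrete, here is an added example (not from the thread, not firewalld's own code) that reads a firewalld service definition and prints the nftables rule lines such a service expands to. The XML is constructed in the format firewalld uses for its service files and mirrors the kdeconnect definition (tcp and udp 1714-1764); the rule text is the form firewalld's nftables back-end uses for allowed ports. Compare against `firewall-cmd --info-service=kdeconnect` and `sudo nft list ruleset` on your own machine.

```shell
#!/bin/sh
# Added example, not from the thread: what a firewalld "service" checkbox
# resolves to in the nftables back-end. KDECONNECT_XML is constructed in the
# format of /usr/lib/firewalld/services/*.xml; verify the real file locally.

KDECONNECT_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>KDE Connect</short>
  <description>Constructed sample: KDE Connect device pairing and file sharing.</description>
  <port protocol="tcp" port="1714-1764"/>
  <port protocol="udp" port="1714-1764"/>
</service>'

# Read a service definition on stdin; print one "proto port" pair per
# <port> element, e.g. "tcp 1714-1764".
service_ports() {
  sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\1 \2/p'
}

# Turn the pairs into the rule lines firewalld installs in the zone's
# filter_IN_<zone>_allow chain: same ports, matched only on new connections.
nft_rules() {
  while read -r proto port; do
    printf '%s dport %s ct state { new, untracked } accept\n' "$proto" "$port"
  done
}

# How many rules a service opens, so a reviewer sees the real exposure behind
# one checkbox.
rule_count() {
  service_ports | wc -l | tr -d ' '
}

echo "rules opened by this service: $(printf '%s\n' "$KDECONNECT_XML" | rule_count)"
printf '%s\n' "$KDECONNECT_XML" | service_ports | nft_rules
```

The script only reads the definition; it changes nothing. That is the relationship the thread is asking about: firewalld is the management layer that turns zones and service names into rules, and nftables is the kernel-side rule engine those rules land in. Using nftables directly means writing and maintaining the expanded rules yourself.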

Firewalld, UFW etc. are also intended to protect the system from the traffic in your local network, if I understood the argument. That is not done by your router’s firewall.

Sorry, of course… I forgot to mention that I’m alone here at home on my local network.

1 Like

The only scenario in which this is true is if you have only a single device on your network. As soon as you add a second device, this concept is completely invalid.

A huge percentage of successful compromises are initiated from inside your network.

Thinking that you don’t need a local firewall because you have a network firewall is a fallacy for the vast majority of people.

1 Like

Do you have a phone, tablet, second computer, connected devices or anything else on your network? If you do, you should be using a local firewall.

EDIT: Also, if you only have a single device on your network, there should be no downsides to enabling the local firewall since there is no other traffic on your network.

2 Likes

I am using UFW mainly because it is quite straightforward to set up a kill switch for my VPN that I configure with NetworkManager/openvpn (no vendor app). Could a kill switch be configured for firewalld easily as well, or is it complicated?

1 Like

It can be done but it is more complicated than ufw.

One thing that ufw is better at is blocking outbound traffic. For most desktop use cases that isn’t an issue but for your specific use case it is.

1 Like