FirewallD on Apollo ISO

Hi,
Just installed the new Apollo ISO. When I check the iptables version installed, it’s the legacy one (not iptables-nft). When I list the nftables ruleset it works; when I list the iptables ruleset, all is set to default (meaning accept). FirewallD is set to public mode and I’m unable to set it to permanent.

Please help me understand why it is still iptables-legacy, why I can’t set it to permanent, and whether there is a way to disable or uninstall FirewallD.

Thank you

Sorry, I can’t help, but I had a similar problem. I decided to get rid of firewalld and replace it with ufw, because ufw I understand, but I don’t know what went wrong; I was left with pacman not being able to connect anywhere, so I couldn’t undo it either, even after a reboot.

A quick, simple howto on how to successfully replace firewalld with ufw would be appreciated.

2 Likes

I’ll chime in here: I agree with the OP. Why bring something pre-installed here again, which you then have to remove again? If I have to reinstall my EOS on my computer at some point for whatever reason, I also have to think about how I can cleanly remove this (for me useless) firewall. Not a good decision on your part. There are not ONLY users of mobile devices. We with our desktop computers are also still there :wink: .

I believe that firewalld uses nftables natively so iptables shouldn’t be getting used at all in this case. That being said, I do agree that installing iptables-nft by default makes sense.

Can you explain what you mean by this? What is happening that stops you from making permanent changes?

Disable temporarily:

sudo systemctl stop firewalld

Disable permanently:

sudo systemctl disable --now firewalld

Remove:

sudo pacman -R firewalld

4 Likes

Sorry @dalto, your reply overlapped with my post. Thanks for the tutorial!

1 Like

In the current world we live in, for most people having a local firewall enabled is a critical security protection, even if you are using a PC which isn’t mobile. Given the nature of modern attacks, having a firewall at the edge of your network is no longer sufficient protection in most cases.

However, if your personal situation is such that you have designed your network in a way that you believe a local firewall isn’t needed, it is easy to remove.

IMO, the firewall is one thing that should be installed and enabled by default.

6 Likes

All right, let’s leave it at that …
Thank you for your comments.

1 Like

100% agree; have been wanting to respond but just didn’t have the words. Takes 2 seconds to remove if you don’t want it, if not less.

1 Like

You can also untag the firewall right in the installer so it doesn’t get installed at all:
firewalld-remove

7 Likes

OK, now if I am to post-install firewalld on someone who has an existing installation of EOS running, what do I need to do to configure it?

Open the gui from the tray icon and click on the services you want to allow through.

https://discovery.endeavouros.com/applications/firewalld/2022/03/

5 Likes

How do I know what those are though? I’ve literally never used a firewall that I’m aware of. Every time I have tried, I see a bunch of options I’ve never heard of and just don’t touch anything.

1 Like

If you don’t know, then the default configuration should work fine. By default it allows anything to go out and nothing to come in.

If you need to allow something in, it should be something you are doing deliberately. For example, if you want to host a samba server, you would need to allow that through the firewall. Another example would be if you ssh into your machine from other machines. In this case, you would need to let ssh in.

If you are just using your machine as a desktop, the default may be all you need. Other distros ship firewalls enabled by default (Fedora, Ubuntu, etc.) and people often don’t even know there is a firewall running.

4 Likes
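A worked example of the deliberate "let ssh and samba in" case described above, added here rather than taken from the thread. It assumes firewalld’s `firewall-cmd` with the default `public` zone; the `--list-all` output it parses is a constructed sample, not captured from a real machine.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): allow ssh and samba through firewalld's
# public zone so the change is active now AND survives reload/reboot, then verify.
set -euo pipefail

# firewalld keeps two configurations: runtime (enforced now) and permanent
# (loaded on reload/boot). A change made with --permanent alone is not active
# until `firewall-cmd --reload`; a change made without it is lost on reload.
allow_service() {
  local svc="$1" zone="${2:-public}"
  sudo firewall-cmd --zone="$zone" --add-service="$svc"              # runtime
  sudo firewall-cmd --zone="$zone" --add-service="$svc" --permanent  # saved config
}

# Pure helper, usable without firewalld installed: does the "services:" line of
# a `firewall-cmd --zone=<zone> --list-all` dump list the given service?
zone_has_service() {
  local list_all="$1" svc="$2"
  printf '%s\n' "$list_all" | awk -v svc="$svc" '
    /^[[:space:]]*services:/ { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Constructed sample of `--list-all` output after allowing ssh but not samba
# (interface name and contents are made up for this example).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Only touch the real firewall when firewalld exists and "apply" is passed.
if command -v firewall-cmd >/dev/null 2>&1 && [ "${1:-}" = "apply" ]; then
  allow_service ssh
  allow_service samba
  runtime=$(sudo firewall-cmd --zone=public --list-all)
  saved=$(sudo firewall-cmd --zone=public --list-all --permanent)
  zone_has_service "$runtime" ssh && zone_has_service "$saved" ssh \
    && echo "ssh is allowed now and will stay allowed after a reboot"
fi
```

Run it as `./allow.sh apply` on a machine with firewalld; without the argument it only defines the helpers and the sample, so the parsing logic can be checked anywhere.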

So, just install, and the settings are done for you? That seems easy enough; there’s just miles of settings, and since I never touched anything as none of it made sense, I never bothered installing them.

so firewalld → start service → and that’s it?

1 Like

Yes, just install, start and enable service.

1 Like

good read

1 Like

It shows a bunch of stuff about iptables and what not. I’m an idiot, I use my computer at home. I don’t even know what an iptable is.

Install > Start > don’t touch anything. If that’s all I need to know, then that’s all I need to know. I don’t understand 90+% of that.

3 Likes

Mainly, for common usage you do not need to set up anything, and adding stuff, if you for example want to torrent the EndeavourOS release ISO, is way easier to set up in the FirewallD GUI than in GUFW.
It only looks a little intimidating on the first view.

And I will add stuff to our wiki for it when I find something interesting on it.
Like I just added the info on how to remove it :wink:

10 Likes

Keep in mind that:

It won’t block anything coming from the Internet, only if you have a port forward in your router/gateway.
In case you decide to forward something to your PC, you would have to create a port forward in your gateway and then create a policy in FirewallD.

This is especially useful for people that are always connecting to strange networks… You don’t want the guy at the table near you, or in the hotel room next to yours, trying to access your SSH port, etc…

There are things we can control, and others we cannot.
In the case of these public WiFi networks, there is an option to isolate devices so they can’t speak to each other; this is something we can’t control, it’s defined by the network administrator.

In case you don’t trust anyone in that WiFi network, not even the administrator, you could just use a VPN…
Not speaking about VPN providers here; you can connect to your own VPN service hosted in your house and use the Internet from there…

The VPN would make sure that if you connect to a fake SSID, get an IP from a rogue DHCP server, or even suffer an ARP poisoning attack in which someone becomes the gateway (all of these can be categorized as MITM attacks), your data would be protected because everything is encrypted.

What you need to know is that a firewall is not perfect; the user must be aware as well.
There are bad network administrators, and most of all, there are bad people out there.

In my situation:

I have a desktop, so I’m not connecting to strange networks, only my home network.
My router/gateway is a firewall in which I have policies in place, no port forwards whatsoever…
My network is divided into VLANs, and my PC is in a different VLAN than the other devices: the LAN my PC is in, the WiFi and the GUEST VLANs.
All these VLANs have their own rules; LAN can speak to everyone, WiFi and GUEST networks can only go to the Internet and nothing else.

Also, I’m not a big fan of zone based firewalls, so I decided to disable it.

Just an example here of how easy it is to perform a MITM attack:

echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
arping -c 4 -A -I eth1 1.2.3.4

In which eth1 is your interface and 1.2.3.4 is the IP you want to broadcast as now having your MAC address…

Say you are attacking an LDAP server: if it’s using port 389 (without encryption), just fire up a fake LDAP server and start receiving users’ passwords… This is just an example…