G'day mates! I'm having some issues with ufw that I might start another thread on later, but I want to go ahead and get an idea of what my options are. So...
Do you know of good alternatives to ufw?
(No, gufw doesn't count.)
I'm open to either graphical or command line options. I would like something with reasonable documentation and that doesn't take too much work to figure out (so iptables are probably out at the moment). It would also be nice if it is a mature program... some-random-chap's firewall project that has less than 4 months of coding behind it is probably too unstable and insecure for me to trust, for example.
But that aside, I'd rather be given too many options, even if they don't meet my restrictions. It's better to have too many options and have to weed out what won't work than to have no suggestions at all.
Personal experiences or knowledge would be especially valuable so I can get an idea of which options are reputable and might meet my needs as well as any pitfalls to expect/avoid.
Thanks!
Fred
EDIT: Many of the alternatives I've found online seem to be aimed more at home networks with NAS boxes or corporate use... I'm just looking for something for my personal laptop and desktop.
Alternatives to ufw
Forum rules
LMDE 2 has reached end of support as of 1-1-2019
- Fred Barclay
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Alternatives to ufw
Please note: I do not use LMDE so I don't know if it's available in the repositories or if it works as it does in Ubuntu.
firewalld : viewtopic.php?f=238&t=221159&hilit=firewalld
altair4 wrote: It most certainly does have a GUI: firewall-applet. And it ties into the network manager, which is what I think Gufw is striving for with its "profiles", but it's not implemented right. This is a spooky process I suppose, since you need to remove ufw and gufw and then install firewalld and firewall-applet. I did this on Ubuntu 15.10 because I could rather than because I wanted or needed it. Will it work on Mint, let alone LMDE? I have no idea.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
- Fred Barclay
Re: Alternatives to ufw
Thanks altair4. Firewalld is working well in LMDE and looks nice--it's going to take me a bit to get used to it though.
I do like how well it integrates with Network Manager.
Re: Alternatives to ufw
Disclaimer: I now run 18 mate and never tried LMDE.
I've spent hours looking as well. You would think a basic, application-based firewall (one that blocks network access to specific apps and not just pre-defined ports) readily exists, since Windows has had one for a long time.
Douane and lpfw are the only (non-abandonware) ones I've found that appear to be relevant to Debian -- both of which require manual compiling. I've tried Douane in XFCE 17.3 -- it worked terribly, perhaps because gtk3 apps don't exactly "work" in XFCE... the author mentioned it was "GNOME only" but didn't specify if it worked on the forks. Perhaps it might work correctly on 18 MATE since I've had other gtk3 apps work successfully that weren't even listed in the 17.3 repo -- like Corebird (a satisfying 3rd-party Twitter app).
I haven't tried lpfw, I instead settled on firejail since that really solved the extremely-granular level of app control I was looking for. In 18 mate (16.04 Ubuntu codebase), it breaks pulseaudio, but there's a fix thankfully.
@altair4 or @Fred Barclay, let me know if FirewallD is a proper application-based firewall. Briefly looking at the documentation, I'm guessing "no"...but wanted to be sure.
- Fred Barclay
Re: Alternatives to ufw
Yeah, firejail is really great for restricting certain programmes.
Firewalld doesn't seem to be an application-based firewall, at least based on my understanding of the term. It's more of a "traditional" firewall (again, this is based on my limited understanding of the terms. Networking is not my strong suit.) There again, I don't really understand the need for an application-based firewall, and threads like viewtopic.php?f=157&t=216978 leave my poor brain behind in the dust... for now.
On the positive side, firewalld is going quite nicely on my machine.
Re: Alternatives to ufw
Fred Barclay wrote: Yeah, firejail is really great for restricting certain programmes.
Firewalld doesn't seem to be an application-based firewall, at least based on my understanding of the term. It's more of a "traditional" firewall (again, this is based on my limited understanding of the terms. Networking is not my strong suit.) There again, I don't really understand the need for an application-based firewall, and threads like viewtopic.php?f=157&t=216978 leave my poor brain behind in the dust... for now.
On the positive side, firewalld is going quite nicely on my machine.
Many applications don't "need" network access, so what's the point of granting them this luxury rather than treating them as the security risks that they are? Take VLC for example. Here's a cool story that's not implausible:
You download funnyCatVideo.avi thinking it's a harmless video file that "for sure" isn't going to do anything harmful on your Linux box. The extension ".avi" is nothing more than a spoof, since the file MIME type is actually a playlist file with a hidden payload designed to exploit an old memory-access vulnerability patched in VLC 2.2.2. VLC doesn't care if the file is named wrong; it will still open it as normal upon double-click, treat the file as a playlist file and then (silently) initiate an outgoing connection to "North Korea bad guy servers" while you sit looking at a blank screen. In 1 second, the Koreans have your external IP and restricted memory access on your box because you're still running 17.3 and haven't updated VLC to the latest version yet. It may not be full-blown virus-level in Windows, but they got quite a bit from your 17.3 install. Plus you didn't bother with a VPN on your home connection, so they'll probably keep probing your IP for a while looking for goodies since they know it's now active.
Here's where firejail fits in -- memory access is heavily restricted, and with the "net none" flag the app isn't going to be making any of those outbound connections. Similarly, on an app-based firewall you can put a "deny" specifically on VLC and the same situation probably wouldn't occur (or at least it would prompt you with "really connect to [strange IP] requested from VLC?").