Alternatives to ufw

Archived topics about LMDE 1 and LMDE 2
Fred Barclay
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Alternatives to ufw

Post by Fred Barclay »

G'day mates! I'm having some issues with ufw that I might start another thread on later, but I want to go ahead and get an idea of what my options are. So...
Do you know of good alternatives to ufw?
(No, gufw doesn't count.) :P

I'm open to either graphical or command line options. I would like something with reasonable documentation and that doesn't take too much work to figure out (so iptables are probably out at the moment). It would also be nice if it is a mature program... some-random-chap's firewall project that has less than 4 months of coding behind it is probably too unstable and insecure for me to trust, for example.

But that aside, I'd rather be given too many options, even if they don't meet my restrictions. It's better to have too many options and have to weed out what won't work than to have no suggestions at all. :)

Personal experiences or knowledge would be especially valuable so I can get an idea of which options are reputable and might meet my needs as well as any pitfalls to expect/avoid.

Thanks!
Fred

EDIT: Many of the alternatives I've found online seem to be aimed more at home networks with NASboxes or corporate use... I'm just looking for something for my personal laptop and desktop.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
altair4
Level 20
Posts: 11458
Joined: Tue Feb 03, 2009 10:27 am

Re: Alternatives to ufw

Post by altair4 »

Please note: I do not use LMDE so I don't know if it's available in the repositories or if it works as it does in Ubuntu.

firewalld : viewtopic.php?f=238&t=221159&hilit=firewalld
altair4 wrote: It most certainly does have a gui: firewall-applet
[attachment: Firewalld-firewall-applet.png]
And it ties into the network manager which is what I think Gufw is striving for with its "profiles" but it's not implemented right.
[attachment: firewalld-nm.png]
This is a spooky process I suppose since you need to remove ufw and gufw then install firewalld and firewall-applet. I did this on Ubuntu 15.10 because I could rather than because I wanted or needed it. Will it work on Mint let alone LMDE - I have no idea.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
Fred Barclay
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: Alternatives to ufw

Post by Fred Barclay »

Thanks altair4. Firewalld is working well in LMDE and looks nice--it's going to take me a bit to get used to it though.
I do like how well it integrates with Network Manager.
ostracized

Re: Alternatives to ufw

Post by ostracized »

Disclaimer: I now run 18 mate and never tried LMDE.

I've spent hours looking as well. You would think a basic, application-based firewall (one that blocks network access to specific apps and not just pre-defined ports) readily exists since Windows has had one for a long time.

Douane and lpfw are the only (non-abandonware) ones I've found that appear to be relevant to Debian -- both of which require manual compiling. I've tried Douane in XFCE 17.3 -- it worked terribly, perhaps because gtk3 apps don't exactly "work" in XFCE...the author mentioned it was "GNOME only" but didn't specify if it worked on the forks. Perhaps it might work correctly on 18 mate since I've had other gtk3 apps work successfully that weren't even listed in the 17.3 repo -- like Corebird (a satisfying 3rd-party twitter app.)

I haven't tried lpfw, I instead settled on firejail since that really solved the extremely-granular level of app control I was looking for. In 18 mate (16.04 Ubuntu codebase), it breaks pulseaudio, but there's a fix thankfully.

@altair4 or @Fred Barclay, let me know if FirewallD is a proper application-based firewall. Briefly looking at the documentation, I'm guessing "no"...but wanted to be sure.
Fred Barclay
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: Alternatives to ufw

Post by Fred Barclay »

Yeah, firejail is really great for restricting certain programmes. :)

Firewalld doesn't seem to be an application-based firewall, at least based on my understanding of the term. It's more of a "traditional" firewall (again, this is based on my limited understanding of the terms. Networking is not my strong suit.) There again, I don't really understand the need for an application-based firewall, and threads like viewtopic.php?f=157&t=216978 leave my poor brain behind in the dust... for now.

On the positive side, firewalld is going quite nicely on my machine.
ostracized

Re: Alternatives to ufw

Post by ostracized »

Fred Barclay wrote: Yeah, firejail is really great for restricting certain programmes. :)

Firewalld doesn't seem to be an application-based firewall, at least based on my understanding of the term. It's more of a "traditional" firewall (again, this is based on my limited understanding of the terms. Networking is not my strong suit.) There again, I don't really understand the need for an application-based firewall, and threads like viewtopic.php?f=157&t=216978 leave my poor brain behind in the dust... for now.

On the positive side, firewalld is going quite nicely on my machine.
Many applications don't "need" network access, so what's the point of granting them this luxury rather than treating them as the security risks that they are? Take VLC for example. Here's a cool story that's not implausible:

You download funnyCatVideo.avi thinking it's a harmless video file that "for sure" isn't going to do anything harmful on your Linux box. The extension ".avi" is nothing more than a spoof since the file MIME type is actually a playlist file with a hidden payload designed to exploit an old memory-access vulnerability patched in VLC 2.2.2. VLC doesn't care if the file is named wrong, it will still open it as normal upon double-click and treat the file as a playlist file and then (silently) initiate an outgoing connection to "North Korea bad guy servers" while you sit looking at a blank screen. In 1 second, the Koreans have your external IP and restricted memory access on your box because you're still running 17.3 and haven't updated VLC to the latest version yet. It may not be full-blown virus-level in Windows, but they got quite a bit from your 17.3 install. Plus you didn't bother with a VPN on your home connection, so they'll probably keep probing your IP for a while looking for goodies since they know it's now active.

Here's where firejail fits in -- memory access is heavily restricted and with the net none flag, the app isn't going to be making any of those outbound connections. Similarly on an app-based firewall, you can put a "deny" specifically on VLC and the same situation probably wouldn't occur (or at least prompt you to "really connect to [strange IP] requested from VLC?")
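Added example, not code from any poster in this thread: the two posts above describe switching a laptop from ufw to firewalld (altair4) and restricting single apps with firejail (ostracized). Once firewalld is in place, the check a practitioner wants is "which services and ports does my active zone actually expose?" The script below is a small POSIX sh audit for that. It assumes the layout of `firewall-cmd --list-all` output (a constructed sample is embedded so it runs offline), assumes an allowlist of one service for a personal laptop (dhcpv6-client), and prints the `firewall-cmd` commands that would remove anything beyond the allowlist rather than executing them. The function names (`zone_field`, `unexpected_exposure`, `remediation_commands`) are this example's own.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all` output for a laptop's
# active zone (assumption: real output uses this two-space "field: value" layout).
# On a real machine you would capture it with:  firewall-cmd --list-all
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlan0
  sources:
  services: dhcpv6-client ssh samba
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Services a personal laptop is expected to accept inbound (assumed allowlist).
ALLOWED_SERVICES="dhcpv6-client"

# zone_field LISTING FIELD -> prints the value part of the "  FIELD: value" line.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# unexpected_exposure LISTING -> prints one "service NAME" / "port SPEC" line per
# item outside the allowlist (every open port counts); exit 1 if any were found.
unexpected_exposure() {
    listing=$1
    found=0
    for svc in $(zone_field "$listing" services); do
        case " $ALLOWED_SERVICES " in
            *" $svc "*) ;;                       # on the allowlist, fine
            *) printf 'service %s\n' "$svc"; found=1 ;;
        esac
    done
    for port in $(zone_field "$listing" ports); do
        printf 'port %s\n' "$port"; found=1
    done
    return $found
}

# remediation_commands LISTING ZONE -> prints (does not run) the firewall-cmd
# invocations that would close each unexpected item in ZONE, then a reload.
remediation_commands() {
    listing=$1; zone=$2
    unexpected_exposure "$listing" | while read -r kind name; do
        case $kind in
            service) printf 'firewall-cmd --permanent --zone=%s --remove-service=%s\n' "$zone" "$name" ;;
            port)    printf 'firewall-cmd --permanent --zone=%s --remove-port=%s\n' "$zone" "$name" ;;
        esac
    done
    printf 'firewall-cmd --reload\n'
}

# Stand-alone demo on the constructed sample.
if unexpected_exposure "$SAMPLE_ZONE" >/dev/null; then
    echo "zone matches the allowlist"
else
    echo "zone exposes more than the allowlist; commands that would tighten it:"
    remediation_commands "$SAMPLE_ZONE" public
fi
```

The audit side is deliberately read-only: review the printed commands, then run them with root privileges yourself. This covers the host-wide, port-and-service view that firewalld gives; the per-application restriction ostracized describes is a separate layer, supplied by running the program under firejail with its `--net=none` option so that a compromised player cannot open outbound connections at all, regardless of what the zone allows.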
