How to firewall

GS3
Level 8
Posts: 2384
Joined: Fri Jan 06, 2017 7:51 am

How to firewall

Post by GS3 »

I have been using Linux Mint for some years now and I am very slowly learning the ropes. Very slowly. So far I have not used a firewall and I would like to look into it.

UFW seems too simple and too complicated and not focused the way I analyze things. Maybe there is something else more suited to my wants and needs.

I would like something that discriminates by program or application. Basically every program is blocked from communicating with the outside unless explicitly authorized by my rules.

Basically each program would have four yes/no authorizations:

- LAN Access
- LAN Server
- Internet Access
- Internet Server

Some programs, like Firefox, Thunderbird, and Google Earth, would be authorized to access the Internet but not to accept connections and act as server.

Nemo would be allowed to access and act as server only to the LAN but not the Internet.

A videoconference program or a remote desktop program might need to be granted server rights to the Internet.

What is the simplest way to achieve this? Because from what I see UFW uses port numbers and IP addresses, all of which are meaningless to me. I want to discriminate mainly by program.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Please do not use animated GIFs in avatars because many of us find them distracting and obnoxious. Thank you.
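The four-authorisation model in the opening post can be written down as a small policy engine. The following is an added example, not code from the thread or from any firewall product: each program is a row of four yes/no flags, the decision depends only on the executable path, the direction and whether the peer is on the LAN, and the port number is deliberately ignored. The program paths, peer addresses and connection events are constructed samples.

```python
"""Per-program firewall policy in the style described in the opening post.

Added example; not code from the thread or from any firewall product.
Each program gets four yes/no authorisations (LAN Access, LAN Server,
Internet Access, Internet Server). A connection is decided from the
program's executable path and the direction only; port numbers play no
part. Unlisted programs get all four set to no, so everything is blocked
unless explicitly authorised. All paths, addresses and events below are
constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges treated as "LAN"; every other address counts as "Internet".
LAN_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
]


def is_lan(peer: str) -> bool:
    """True when the peer address falls inside one of the LAN ranges."""
    addr = ip_address(peer)
    return any(addr in net for net in LAN_NETWORKS)


@dataclass(frozen=True)
class ProgramPolicy:
    lan_access: bool = False        # may open connections to LAN hosts
    lan_server: bool = False        # may accept connections from LAN hosts
    internet_access: bool = False   # may open connections to Internet hosts
    internet_server: bool = False   # may accept connections from Internet hosts


# Constructed policy table keyed by executable path, which is how an
# application firewall matches (OpenSnitch calls this operand process.path).
POLICY = {
    "/usr/bin/firefox": ProgramPolicy(lan_access=True, internet_access=True),
    "/usr/bin/thunderbird": ProgramPolicy(internet_access=True),
    "/usr/bin/nemo": ProgramPolicy(lan_access=True, lan_server=True),
    "/usr/bin/example-remote-desktop": ProgramPolicy(
        lan_access=True, lan_server=True,
        internet_access=True, internet_server=True),
}

DEFAULT_POLICY = ProgramPolicy()  # everything denied for unlisted programs


def decide(program: str, direction: str, peer: str, port: int = 0) -> str:
    """Return "allow" or "deny" for one connection attempt.

    `port` is accepted only to make the point that it is never consulted.
    """
    if direction not in ("outgoing", "incoming"):
        raise ValueError("direction must be 'outgoing' or 'incoming'")
    policy = POLICY.get(program, DEFAULT_POLICY)
    lan = is_lan(peer)
    if direction == "outgoing":
        permitted = policy.lan_access if lan else policy.internet_access
    else:
        permitted = policy.lan_server if lan else policy.internet_server
    return "allow" if permitted else "deny"


def evaluate_events(events):
    """Run (program, direction, peer, port) tuples through decide() and
    return a list of (program, direction, peer, decision)."""
    return [(prog, direction, peer, decide(prog, direction, peer, port))
            for prog, direction, peer, port in events]


if __name__ == "__main__":
    # Constructed connection attempts; 203.0.113.0/24 is a documentation range.
    sample = [
        ("/usr/bin/firefox", "outgoing", "203.0.113.10", 443),
        ("/usr/bin/firefox", "incoming", "203.0.113.10", 443),
        ("/usr/bin/nemo", "outgoing", "192.168.1.20", 445),
        ("/usr/bin/nemo", "outgoing", "203.0.113.10", 445),
        ("/usr/bin/example-updater", "outgoing", "203.0.113.44", 8080),
    ]
    for prog, direction, peer, decision in evaluate_events(sample):
        print(f"{decision:5} {direction:8} {prog} <-> {peer}")
```

The point of the table is that the same program gets a different answer on the LAN than on the Internet, and that an updater nobody listed is denied without anyone having to know which port or address it would have used.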
t42
Level 11
Posts: 3745
Joined: Mon Jan 20, 2014 6:48 pm

Re: How to firewall

Post by t42 »

GS3 wrote: Sun Mar 21, 2021 4:30 pm I would like something that discriminates by program or application.
It was discussed (more than once), e.g.
Firewall suggestions and here
-=t42=-
GS3
Level 8
Posts: 2384
Joined: Fri Jan 06, 2017 7:51 am

Re: How to firewall

Post by GS3 »

So, the answer to my question is that what I am looking for does not exist.

In WinXP I have Zonealarm which does exactly what I want and it blocks all those updaters and other programs that like to call home and the only effective way to discriminate is by program. Treating all programs alike is not effective in the least.

I do not understand why there is nothing similar for Linux. I consider this to be a serious point against Linux.

Even a program which I can run in Windows blocked by the firewall there, I cannot run blocked in WINE? Or is there a way to block WINE separately from the rest? Can I cripple WINE so it cannot communicate on the network?
Moonstone Man
Level 16
Posts: 6054
Joined: Mon Aug 27, 2012 10:17 pm

Re: How to firewall

Post by Moonstone Man »

GS3 wrote: Sun Mar 21, 2021 4:30 pm UFW seems too simple and too complicated and not focused the way I analyze things. Maybe there is something else more suited to my wants and needs.
The problem isn't the software, it's your understanding that's wonky. Your requirements are replete with Windows thinking and Windows terminology, and a fundamental lack of understanding of all things Linux, like nemo and other non-server software acting as 'servers'. There are links in the threads that t42 gave you. Those links go to resources about how firewalls work in Linux, and they go to lists of different alternatives.

Since we have no way of knowing 'the way [you] analyze things' because psychological services are out of scope for the forum, it is now up to you to go and read and learn and research and find something that approaches 'the way [you] analyze things', because, really, we can't do that for you.

Yours isn't a technical problem so there are no fixes, and the best that can be done with your 'wants and needs' is to point you in the right direction, and that has been done.
I do not understand why there is nothing similar for Linux. I consider this to be a serious point against Linux.
Yes, well, on the plus side for Linux, it's very convenient that we can all blame it for our misunderstandings and shortcomings.
newlyminted7
Level 5
Posts: 558
Joined: Sat Jan 02, 2021 4:44 pm

Re: How to firewall

Post by newlyminted7 »

Hi GS3,

You might consider taking a look at OpenSnitch:
https://github.com/evilsocket/opensnitch
(It might be in the Software Manager, but I'm not sure)

It runs in the background, requires no configuration to start with, and watches for every outbound request made by any and all applications in real-time. It gives you the ability to block or allow any outbound requests sent by any application as they are made (in a handy little popup), for a set period of time, temporarily or permanently. It also comes with a UI that runs in the panel.

I've found it to be an incredibly handy tool to block all kinds of telemetry, "phoning-home", and otherwise unnecessary requests being sent by all kinds of applications (including Linux OS features), things I had no idea were even being sent. This includes applications many people "trust", like Firefox, which sends out a boatload of telemetry and "update checks" by default each time it is run, for example - there are a fair number of applications sending out requests that you may not be aware of, and OpenSnitch lets you see them. It also allows you to block requests in multiple ways, such as blocking only some requests of a certain application (say you don't want an application checking for an update to a certain server, but you do want it to access content off of another server, etc). For example, if you use any "Electron JS"-based apps, they are built using Chrome, which phones home, even if the app doesn't, but it also usually does, too. This way you can just use the app and block all that.

It's also helped me learn more about how Linux works, too, as well as what certain applications and OS features are actually up to.

But I'd highly advise letting the built-in Mint Firewall block all incoming connections to your system, however, and keep that turned on all the time. Set Incoming to "Deny", and Outgoing to "Allow" in Prefs->Firewall Config. And let OpenSnitch handle your outbound requests. My 2c, anyway.
Last edited by newlyminted7 on Tue Apr 13, 2021 2:54 pm, edited 1 time in total.
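The two kinds of block described in the post above (a program blocked outright, and a program blocked only towards one server) are stored by OpenSnitch as small JSON rule files. The following is an added example, not code from the thread or from the OpenSnitch project, that builds and writes such files. It assumes the rule layout documented in the OpenSnitch wiki for the 1.x daemons (created/updated/name/enabled/precedence/action/duration/operator, with several conditions AND-ed under a "list" operator) and the default rules directory /etc/opensnitchd/rules/; check both against the version you installed. The program paths and host name are constructed.

```python
"""Writing OpenSnitch-style persistent rules from Python.

Added example; not code from the thread or from the OpenSnitch project.
It builds the JSON rule objects that opensnitchd loads from its rules
directory (by default /etc/opensnitchd/rules/, one <name>.json per rule)
for two cases: blocking a program outright, and blocking only that
program's connections to one host while leaving its other connections
alone. OpenSnitch only sees outbound connections, so these rules never
affect incoming traffic; that stays with the UFW-based Mint firewall.

Assumptions: the field layout follows the rule format in the OpenSnitch
wiki for the 1.x daemons; verify against the installed version. All
program paths and host names below are constructed.
"""
import json
import os
from datetime import datetime, timezone


def _slug(text: str) -> str:
    """Turn a path or host name into a file-name-safe rule-name fragment."""
    return "".join(c if c.isalnum() else "-" for c in text).strip("-")


def _operator(operand: str, data: str) -> dict:
    """A single 'simple' match condition, e.g. process.path == /usr/bin/foo."""
    return {"type": "simple", "operand": operand, "sensitive": False,
            "data": data, "list": []}


def build_rule(name: str, action: str, conditions: list,
               duration: str = "always", precedence: bool = False) -> dict:
    """Assemble one rule. One condition gives a 'simple' rule; several are
    AND-ed under a 'list' operator, which is what the UI writes."""
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    if not conditions:
        raise ValueError("a rule needs at least one condition")
    now = datetime.now(timezone.utc).isoformat()
    if len(conditions) == 1:
        operator = conditions[0]
    else:
        operator = {"type": "list", "operand": "list", "sensitive": False,
                    "data": "", "list": list(conditions)}
    return {"created": now, "updated": now, "name": name, "enabled": True,
            "precedence": precedence, "action": action,
            "duration": duration, "operator": operator}


def deny_program(path: str) -> dict:
    """Block every outbound connection from one executable (constructed path)."""
    return build_rule("deny-always-" + _slug(path), "deny",
                      [_operator("process.path", path)])


def deny_program_to_host(path: str, host: str) -> dict:
    """Block one executable's connections to one host only; the program's
    other connections are not touched by this rule."""
    name = "deny-" + _slug(os.path.basename(path)) + "-to-" + _slug(host)
    return build_rule(name, "deny", [_operator("process.path", path),
                                     _operator("dest.host", host)])


def write_rule(rule: dict, rules_dir: str) -> str:
    """Persist a rule as <name>.json inside rules_dir and return its path."""
    os.makedirs(rules_dir, exist_ok=True)
    target = os.path.join(rules_dir, rule["name"] + ".json")
    with open(target, "w", encoding="utf-8") as fh:
        json.dump(rule, fh, indent=2)
    return target


def load_rule(path: str) -> dict:
    """Read a rule file back, e.g. to confirm what was written."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Write into a scratch directory; point rules_dir at /etc/opensnitchd/rules
    # (as root) to have the daemon use the rules (restart it if it does not
    # pick them up on its own).
    out = "./opensnitch-rules-example"
    print(write_rule(deny_program("/usr/bin/example-updater"), out))
    print(write_rule(deny_program_to_host("/usr/bin/example-app",
                                          "updates.example.invalid"), out))
```

For the inbound side the post recommends, the command-line equivalent of setting Incoming to "Deny" and Outgoing to "Allow" in Firewall Configuration is `sudo ufw default deny incoming` followed by `sudo ufw default allow outgoing`, then `sudo ufw enable`; the outbound decisions are then left to OpenSnitch's per-program rules.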
GS3
Level 8
Posts: 2384
Joined: Fri Jan 06, 2017 7:51 am

Re: How to firewall

Post by GS3 »

newlyminted7 wrote: Sun Mar 21, 2021 7:41 pm You might consider taking a look at OpenSnitch:
https://github.com/gustavo-iniguez-goya/opensnitch/wiki
(also available in the Software Manager, along with its UI)
Thanks for the recommendation. I had a quick look but it looks more complicated than I would like or can deal with right now. I will have a closer look when I have more time, energy and predisposition.

I do not see it in my Software Manager or in my favorite, Synaptic and my experience installing things manually is not good. I like to use Synaptic because it has always worked well for me.
newlyminted7 wrote: Sun Mar 21, 2021 7:41 pm It runs in the background, requires no configuration to start with, and watches for every outbound request made by any and all applications in real-time. It gives you the ability to block or allow any outbound requests sent by any application as they are made (in a handy little popup), for a set period of time, temporarily or permanently. It also comes with a UI that runs in the panel.

I've found it to be an incredibly handy tool to block all kinds of telemetry, "phoning-home", and otherwise unnecessary requests being sent by all kinds of applications (including Linux OS features), things I had no idea were even being sent. This includes applications many people "trust", like Firefox, which sends out a boatload of telemetry and "update checks" by default each time it is run, for example - there are a fair number of applications sending out requests that you may not be aware of, and OpenSnitch lets you see them. It also allows you to block requests in multiple ways, such as blocking only some requests of a certain application (say you don't want an application checking for an update to a certain server, but you do want it to access content off of another server, etc). For example, if you use any "Electron JS"-based apps, they are built using Chrome, which phones home, even if the app doesn't, but it also usually does, too. This way you can just use the app and block all that.

It's also helped me learn more about how Linux works, too, as well as what certain applications and OS features are actually up to.
This is much closer to what I want than the UFW that comes included. For a community like Linux that puts so much stress on security I do not understand how what I am looking for does not already exist. As you say, by being informed of every connection attempt you can gain a lot of knowledge and information and control what programs can access the outside world.
newlyminted7 wrote: Sun Mar 21, 2021 7:41 pm But I'd highly advise letting the built-in Mint Firewall block all incoming connections to your system, however, and keep that turned on all the time. Set Incoming to "Deny", and Outgoing to "Allow" in Prefs->Firewall Config. And let OpenSnitch handle your outbound requests. My 2c, anyway.
The way I see it the built-in UFW is very close to worthless and I would need to keep the system wide open. Some programs need access which others don't and giving them all the same rule is going to cause more harm than good. To me that is close to saying "just don't connect to the internet". Well, yes, that will keep your computer safe but it will not let me do what I want to do.

I have been using ZoneAlarm with Windows for about twenty years now and I like the way it works. It is simple and easy to understand and configure. When a program tries to connect with LAN or Internet, I get a popup asking me what to do and check a box if I want that action to be remembered. That's it. It seems pretty simple to use but also to create a program that does it.

I do not understand how there is not something similar for Linux. So much talk about Linux security and there is not a basic firewall which I have been using with Windows for twenty years. Security... my foot!
Attachment: ZA01.png
t42
Level 11
Posts: 3745
Joined: Mon Jan 20, 2014 6:48 pm

Re: How to firewall

Post by t42 »

GS3 wrote: Mon Mar 22, 2021 4:44 am The way I see it the built-in UFW is very close to worthless and I would need to keep the system wide open. Some programs need access which others don't and giving them all the same rule is going to cause more harm than good. To me that is close to saying "just don't connect to the internet". Well, yes, that will keep your computer safe but it will not let me do what I want to do.

I have been using ZoneAlarm with Windows for about twenty years now and I like the way it works. It is simple and easy to understand and configure. When a program tries to connect with LAN or Internet, I get a popup asking me what to do and check a box if I want that action to be remembered. That's it. It seems pretty simple to use but also to create a program that does it.

I do not understand how there is not something similar for Linux. So much talk about Linux security and there is not a basic firewall which I have been using with Windows for twenty years. Security... my foot!
So why don't you go back to handy Windows if that's what you want?

The network architecture of Linux is very different and doesn't need ZoneAlarm. Every Windows application can be vulnerable, infected or unfriendly to the owner by design - so you need certain control measures. But the Linux environment is not hostile by definition. Why suddenly be paranoid towards well-known open source applications? Do you want to apply the same invigilation measures to family members as to some criminals who happen to live nearby?

As to newlyminted7's informative comment, it is interesting to analyze traffic if you are interested in such things. But there is no need to harass Firefox or Chrome, because they need, for your security, to connect in the background to get harmful link info, revoked certificates and a constant stream of malicious add-ons.
GS3
Level 8
Posts: 2384
Joined: Fri Jan 06, 2017 7:51 am

Re: How to firewall

Post by GS3 »

t42 wrote: Mon Mar 22, 2021 7:54 am So why don't you go back to handy Windows if that's what you want?
Sigh. Here we go again with the ever present defensive attitude that Linux is perfect in every sense and if I don't agree I am just not worthy of using Linux and should go back to the gutter.

I do not need to "go back to handy Windows" because I never left and it is what I use for most of my computing, including posting right now. And by now I would have transitioned to Linux to a greater degree if I was not finding so many hurdles and difficulties along the way.

The rest of your post is empty hogwash so I will not even comment. Linux is subject to exactly the same type of exploits as Windows and I have explained why I like to know what programs are trying to communicate with the outside and be the one to decide and approve. The attitude of "the OS knows best and you are not qualified to have an opinion" is pure Microsoft, not the Linux philosophy. It is my computer and I want to be in control. If I just wanted to let the OS take care of everything I'd be using Apple products, not Linux.
cliffcoggin
Level 8
Posts: 2297
Joined: Sat Sep 17, 2016 6:40 pm
Location: England

Re: How to firewall

Post by cliffcoggin »

GS3 wrote: Sun Mar 21, 2021 4:30 pm UFW seems too simple and too complicated and not focused the way I analyze things. Maybe there is something else more suited to my wants and needs.

I would like something that discriminates by program or application. Basically every program is blocked from communicating with the outside unless explicitly authorized by my rules.
Wouldn't Ufw (or Gufw) do that if you blocked all traffic initially, then made rules to except just what you chose? It would not be a practical solution for me, but if you want total control...
Cliff Coggin
t42
Level 11
Posts: 3745
Joined: Mon Jan 20, 2014 6:48 pm

Re: How to firewall

Post by t42 »

GS3 wrote: Mon Mar 22, 2021 8:31 am Linux is subject to exactly the same type of exploits as Windows
"exactly"?
Type of exploits or type of vulnerabilities?
Examples of occurrence in the course of normal day-to-day operations?
GS3
Level 8
Posts: 2384
Joined: Fri Jan 06, 2017 7:51 am

Re: How to firewall

Post by GS3 »

cliffcoggin wrote: Mon Mar 22, 2021 8:46 am Wouldn't Ufw (or Gufw) do that if you blocked all traffic initially, then made rules to except just what you chose? It would not be a practical solution for me, but if you want total control...
I do not know much about UFW but it seems to me just a bit of routing configuration rather than a true firewall. It seems to me I can use it to open and close ports and routes, like I used to do manually but that is more complicated than need be and not totally effective because if you know a program only uses a certain port or a certain destination IP you can block those but many programs, especially malicious programs, will randomly choose ports and several IPs. I remember manually modifying the routing table in Windows in order to block MS IPs. I can also block specific IP destinations at the router as I am using OpenWRT.

In other words, what I would like is a firewall that tells me which program is trying to access the outside, regardless of port or IP. For me it is the program that counts.

Most programs just do not need access at all. A printer driver does not need to call home. A program updater does not need to call home. I see my Zonealarm logs and they are full of blocked attempts.

Another reason to block unnecessary traffic is that I am on an expensive metered connection and do not want to be wasting valuable bandwidth.

There are programs that obviously need access like a browser, Google Earth, an email client but they are a tiny fraction of the total. In Windows I might have a couple hundred programs installed and only about half dozen have any access rights. Most of the rest do not attempt to access the Internet but I have about a dozen or so blocked. Some updaters, some suspicious printer-spooler programs, some just like Media Player, Sketchup... Sketchup spends way too much effort calling home and seriously needs blocking.

In summary, for me the discrimination should ideally be on a per program basis and not on ports or IPs. I do not think that can be done with UFW but I am willing to be corrected and learn.
Hoser Rob
Level 20
Posts: 11796
Joined: Sat Dec 15, 2012 8:57 am

Re: How to firewall

Post by Hoser Rob »

GS3 wrote: Mon Mar 22, 2021 8:31 am
t42 wrote: Mon Mar 22, 2021 7:54 am So why don't you go back to handy Windows if that's what you want?
Sigh. Here we go again with the ever present defensive attitude that Linux is perfect in every sense and if I don't agree I am just not worthy of using Linux and should go back to the gutter. ...
What nonsense. The truth is you are unwilling or unable to learn Linux enough to differentiate the two properly. And if you aren't willing or able to do so then yes, you should use Windows.

Are you aware that Linux doesn't leave unused ports open like Windows does? That actually makes using a firewall MUCH simpler. The vast majority of desktop users are just fine installing gufw (which really should come installed) and using the default rules. That's clearly all you can handle so that's my suggestion.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
Moem
Level 22
Posts: 16233
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: How to firewall

Post by Moem »

Hoser Rob wrote: Mon Mar 22, 2021 9:38 am The vast majority of desktop users are just fine installing gufw (which really should come installed)
It does now.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
GS3
Level 8
Posts: 2384
Joined: Fri Jan 06, 2017 7:51 am

Re: How to firewall

Post by GS3 »

Hoser Rob wrote: Mon Mar 22, 2021 9:38 am The vast majority of desktop users are just fine installing gufw (which really should come installed) and using the default rules.
Great! I am awfully happy for you. But I am not you and I would like something different which is why I asked. If you have nothing that can help me resolve what I am trying to do then I would ask you to take your tangents about how great Linux is to some other thread, maybe in Chat. I don't tell you what you should do and I ask that you grant me the same consideration. Please.

I still believe I am entitled to control what connects to my computer and how and I am in search of a solution. Please stop cluttering this thread with your opinions that I do not need it. My opinion is different.

This is worth repeating. This is what I am after:
newlyminted7 wrote: Sun Mar 21, 2021 7:41 pm I've found it to be an incredibly handy tool to block all kinds of telemetry, "phoning-home", and otherwise unnecessary requests being sent by all kinds of applications (including Linux OS features), things I had no idea were even being sent. This includes applications many people "trust", like Firefox, which sends out a boatload of telemetry and "update checks" by default each time it is run, for example - there are a fair number of applications sending out requests that you may not be aware of, and OpenSnitch lets you see them. It also allows you to block requests in multiple ways, such as blocking only some requests of a certain application (say you don't want an application checking for an update to a certain server, but you do want it to access content off of another server, etc). For example, if you use any "Electron JS"-based apps, they are built using Chrome, which phones home, even if the app doesn't, but it also usually does, too. This way you can just use the app and block all that.

It's also helped me learn more about how Linux works, too, as well as what certain applications and OS features are actually up to.
In general I like to keep an eye on things and know what's going on in the system. I don't just blindly trust that things will work and are working as I expect them to. Not only with the network but with memory, processor load, temperatures etc. Knowing how these things are doing helps me detect problems and helps me identify the source of those problems.

Years ago I bought some WIFI-controlled switch which did not work very well and soon the Internet server it was supposed to connect to disappeared and it would not work at all from the Internet.

After a couple years I thought I'd try it with Linux and I found some intelligent home control program [cursesopenhab] which I installed on LM19 and it worked... except that the program would load itself no matter what and there was no way to kill it. It had many instances running and if I killed one it would sprout several more. And it would be connecting to the Internet continually and wasting precious bandwidth. That is one important reason I decided to install LM20; to get rid of that program.

Just because one program should be able to connect to the Internet does not mean all programs should be able to connect to the Internet. It does not follow. At all.

I suppose I could mention other cases of people who had their webcams hacked or other similar things. Such things are not supposed to happen but I like to have some control and know that if it did happen I would detect it.
newlyminted7
Level 5
Posts: 558
Joined: Sat Jan 02, 2021 4:44 pm

Re: How to firewall

Post by newlyminted7 »

GS3 wrote: Mon Mar 22, 2021 4:44 am
newlyminted7 wrote: Sun Mar 21, 2021 7:41 pm You might consider taking a look at OpenSnitch:
https://github.com/gustavo-iniguez-goya/opensnitch/wiki
(also available in the Software Manager, along with its UI)
Thanks for the recommendation. I had a quick look but it looks more complicated than I would like or can deal with right now. I will have a closer look when I have more time, energy and predisposition.

I do not see it in my Software Manager or in my favorite, Synaptic and my experience installing things manually is not good. I like to use Synaptic because it has always worked well for me.
Hi GS3,

It should be in the Software Manager. Search for "opensnitch", you should see two entries, one for the software and one for the UI. Install them both.

Also, it is very simple, actually (has zero configuration to get started, not complicated at all - don't be put off by the Github page). Click install and you're done. From there it works almost exactly like ZoneAlarm, with very similar popups.
GS3
Level 8
Posts: 2384
Joined: Fri Jan 06, 2017 7:51 am

Re: How to firewall

Post by GS3 »

newlyminted7 wrote: Mon Mar 22, 2021 1:05 pm It should be in the Software Manager. Search for "opensnitch", you should see two entries, one for the software and one for the UI. Install them both.
Nope. Not there. I am running LM20.1 and it does not show up in Software Manager nor in Synaptic. Maybe there is a way to add the repository so it will show up? Because I am looking at the install instructions in github and they are daunting. Every time I have tried something like that complicated it has ended in failure if not disaster. Is there some simple way to get it to show up in Software Manager?
Pippin
Level 4
Posts: 441
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: How to firewall

Post by Pippin »

Deb package is here:
https://github.com/evilsocket/opensnitch/releases

That github repo is the correct one...
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
1000
Level 6
Posts: 1040
Joined: Wed Jul 29, 2020 2:14 am

Re: How to firewall

Post by 1000 »

The answer is almost immediately visible in the web search engine.
Problems
- I have not tested it. (It might not work)
- It uses iptables. Not every newbie likes the terminal.
Last edited by 1000 on Mon Mar 22, 2021 2:04 pm, edited 1 time in total.
GS3
Level 8
Posts: 2384
Joined: Fri Jan 06, 2017 7:51 am

Re: How to firewall

Post by GS3 »

Pippin wrote: Mon Mar 22, 2021 1:37 pm Deb package is here:
https://github.com/evilsocket/opensnitch/releases

That github repo is the correct one...
Thanks. I go to the installation page and it says
DEB - $ sudo dpkg -i opensnitch*.deb python3-opensnitch-ui*.deb; sudo apt -f install

Before I go copy-pasting things I do not understand at all, can anyone confirm I just need to paste that command into a terminal? Is it correct? Is it safe? Is that all or do I need to do more afterwards? Does that actually install the program or does it just include the information so I can install it from Linux Mint?

ETA: I downloaded the .deb and installed with GDebi Package Installer
It shows as installed in Synaptic but nothing is happening.
which opensnitch returns nothing. What else do I need to do?
..
I see it is opensnitchd and I see some lines in htop running but it is still not working and I do not see any GUI.
...
I finally have the GUI working. I think it is generally working now although I will have to learn all about configuring it. One thing I am noticing is that it does not seem to differentiate between incoming and outgoing connections but I am not sure and I will have to keep learning.

This firewall will probably work for me after much work and configuration but there is no way I can install it on all the family computers I am responsible for because it is way too complex for plain users. Too much clutter and confusion. One nice thing about Zonealarm is that it is pre-configured out of the box and asks very simple yes/no questions about connecting. Opensnitch is much more complicated. I will keep working on it.
newlyminted7
Level 5
Posts: 558
Joined: Sat Jan 02, 2021 4:44 pm

Re: How to firewall

Post by newlyminted7 »

GS3 wrote: Mon Mar 22, 2021 2:02 pm One thing I am noticing is that it does not seem to differentiate between incoming and outgoing connections but I am not sure and I will have to keep learning.
Opensnitch only intercepts outbound requests. And, as I mentioned, use your Linux Mint firewall (Prefs->Firewall Config) to block all incoming requests.
GS3 wrote: Mon Mar 22, 2021 2:02 pm One nice thing about Zonealarm is that it is pre-configured out of the box and asks very simple yes/no questions about connecting. Opensnitch is much more complicated. I will keep working on it.
It isn't "much more complicated"...
Instead of "Yes/No", it provides "Allow/Deny", and then you just select for how long to "Allow/Deny" from the dropdown menu.
Give it a chance, and use it for a little while.
You'll figure it out.