App-based firewall (opensnitch) in Aeon

Hi everyone,
Very new to Aeon and atomic distros in general and am still trying to find my way around it. I read a thread indicating that there was no (and no need for a) firewall in Aeon. What about app-based firewalls, such as opensnitch? I have been using these since forever to check what my apps connect to.
Does this also make sense in Aeon? (and, if not, why not?) If so, should this, like a VPN, be installed via transactional-update?
Thanks!
Paul

Obviously it makes sense, you want to track network connections, you want a piece of software that does that. It is still your machine.

Yes, everything that can’t be a container is installed with transactional-update.

I would also say the idea that no host based firewall is needed is wrong, but that’s what the developer has decided.

Thanks @mhurron!

If you care, happy to get your thoughts on the firewall situation.


Just a quick search gave me this one: No firewall in Aeon/MicroOS


No one actually cares what my opinions are, so you’re really just asking me to rant, but the “no firewall is necessary on Aeon” position boils down to two very wrong assertions:

  1. firewalld breaks containers networking
  2. you aren’t running services on aeon

The first assertion is just wrong, it doesn’t. You can dig deeper where the aeon developer says basically ‘just wait till you make a firewalld change and it breaks things’ which is true for everything that is configurable, so that is a nonsensical argument unless you are advocating for removing the ability for the system owner to do any changes.

The second is also incorrect. LOTS of applications also listen because any port above 1024 can be opened by any user, they don’t have to be an official ‘service.’ Without a firewall with a perfectly reasonable default ruleset, those apps are happy to listen and respond on the network without telling you.

Aeon is a desktop, the reasonable expectation is that it’s not listening to anything it shouldn’t be. Experience says if you don’t enforce reasonable expectations, they will be violated. To the best of my knowledge the only expected network service aeon might be running is avahi, and the only way to enforce that is to have a firewall only allowing zeroconf traffic.

@mhurron the expectation is your external-facing device is firewalled, I have no firewalls running on local machines. Yes avahi service/socket is running on my Aeon setup. I have ssh running which nmap -vv -PE -p- hostname shows.

That is the idea for Aeon, let the system do what it does so you can concentrate on using the system for your tasks…

That expectation falls apart the moment you travel with a laptop. Again, any expectation will be violated without enforcement.

@mhurron Don’t know, I use a small device with ethernet/wifi (and a built in firewall) if needed, eg hotel.

My on the road laptop runs Leap 15.6, Aeon runs on a MiniPC here.

Likewise I never connect to unknown/public networks. I have access to an LTE router on the road (as in mobile) if needed, the stuff I normally connect the laptop to is air-gapped as well, so no internet :wink:

Thanks everyone for the input, always useful.

I am also using Aeon on a laptop and do not have an external device with a firewall on it. Which means a firewall might indeed come in handy.

@Paulito Hi, so devices you connect to forward ports to your device? Remember no services are running on the read-only host system. If you’re running distrobox and using a service, sure a firewall there then.

If concerned, browse to grc.com and run shields up to see if any ports are active/open…
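The two check-it-yourself points in this thread (apps quietly listening on ports above 1024, and “see if any ports are active/open”) can be verified locally instead of from an external scanner. The script below is an added example, not code from the thread or from the Aeon project: it filters iproute2 `ss -H -tulnp` output down to sockets bound to something other than loopback, so it shows what other hosts on the same network could reach. It assumes the `ss` column layout (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer, Process) and the `users:(("name",pid=...))` process annotation; the sample lines are constructed, not captured from a real Aeon box.

```shell
#!/bin/sh
# Added example (not from the thread): report sockets reachable from the network.
# Assumes the output format of iproute2 `ss -H -tulnp` (no header line).

# Reads `ss -H -tulnp` lines on stdin and prints, per network-reachable socket:
#   <proto> <port> <local-address> <process-or-?> <privileged|unprivileged>
# Sockets bound only to 127.0.0.0/8, ::1 or the lo interface are skipped,
# because no other host can connect to those.
exposed_listeners() {
    awk '
    {
        # Field 5 is "addr:port"; the port follows the last colon (IPv6 has many).
        n = split($5, a, ":")
        port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /%lo$/) next
        # Process name is only visible for your own sockets (or as root).
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        # Ports above 1024 need no privilege: any user program can open them.
        kind = (port + 0 > 1024) ? "unprivileged" : "privileged"
        print $1, port, addr, proc, kind
    }'
}

# Constructed sample of `ss -H -tulnp` output for demonstration only.
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*    users:(("avahi-daemon",pid=812,fd=12))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=950,fd=7))
tcp   LISTEN 0      50           0.0.0.0:1716       0.0.0.0:*    users:(("kdeconnectd",pid=2210,fd=15))
tcp   LISTEN 0      511             [::]:8080          [::]:*    users:(("node",pid=3301,fd=19))
tcp   LISTEN 0      128            [::1]:5432          [::]:*
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*'

# Demo on the constructed sample. On a live machine run instead:
#   ss -H -tulnp | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Anything this prints with an address like 0.0.0.0 or [::] is reachable by every device on whatever network the laptop is currently on; the loopback-only cupsd and the ::1 database in the sample are not. Run it as root to see process names for sockets owned by other users.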
