Hi all, I’m looking to Aeon more and more to be the OS on my laptop.
But there is one thing that has got me concerned. And that is the absence of a firewall. Especially firewalld that can enable a profile per network connection. This is a must-have for me on my laptop.
I cannot find much info about the status of firewall tools on MicroOS. I just saw 1 post somewhere saying that firewalld is causing problems for containers.
Is that true? Is that the reason there is no firewall enabled?
If so, I think this should be mentioned on the openSUSE MicroOS portal. This is absolutely a showstopper for me.
I’ve been using SuSE/openSUSE since 2001 and it always came with strict firewall settings. Therefore I was kinda taking for granted that firewalld was just there.
This is so un-Opensuse!
I know this is still a work in progress and still a very young OS. So I don’t want to bash too hard. I have very much respect for the developers of these projects.
But I like open source software because it is honest. On project pages you can usually read what does and does not work.
So in the spirit of open source, if there is a problem enabling a firewall on MicroOS this should be mentioned upfront.
This is a whole new concept to me. Thank you for your reply and informative links.
I’m not a network specialist.
But from what I understand with my limited knowledge is that the OS is secure by not running services that open ports. And applications are restricted in accessing the net by rules that are set by the container that they run in.
And therefore firewalld would double the work that is already done by the containers.
OK, thank you.
I still need some time to wrap my brain around this.
Like how do I control those per container network settings?
In Flatseal I only see an option to allow or disallow network access for apps.
I just don’t know what to think of this.
By all means, just use transactional-update (i.e. zypper for read-only installations) to install firewalld. Don’t let a default system configuration stop you.
That’s anecdotal. You’ll find such posts for about any software. I have been using containers alongside firewalld for years without breakages.
While it makes sense for MicroOS non-desktop to not include firewalld, this concept doesn’t transfer cleanly to a desktop system (Aeon) where it should be expected apps will be opening ports freely. It also doesn’t help that that anecdotal issue is from an Aeon main contributor.
AFAIK, any issues with regard to firewalld & containers will be experienced on any distro.
I just realize that I have been mixing MicroOS and MicroOS/Aeon through my comments.
Anyway, if I would install Aeon I would use firewalld. Even though it is said that this could cause problems. But what kind of problems? I just enabled and configured firewalld on Aeon running in a VM and will see what happens.
Oh yeah, I did read that. It could cause network problems for contained apps. What just doesn’t feel right to me is that I’m used to controlling what can connect to the net and what not. Now every app will have its own rules on what is allowed and what not. And I do not have any control over that. All I can do as far as I know with flatpaks is to enable networking or not.
Maybe I’m being paranoid, or I’m just having trouble feeling comfortable with the ‘new world’, I don’t know. It just feels weird.
Linux firewalls typically aren’t egress firewalls - they are ingress firewalls (i.e., they aren’t used to control what connects out from your system - but rather what can connect to your system).
When using containerized software you define - in the Dockerfile or docker-compose file (or other definition file), what ports are open to the container. If the port’s not exposed or forwarded, nothing can connect to it.
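To make the two layers in the reply above concrete, here is an added example (not code from the thread or from the Aeon/MicroOS project) that models how a compose-style port definition and a firewalld zone combine to decide what a host on the LAN can actually reach. The service definition and the zone are constructed plain-data inputs; whether the runtime's own NAT rules bypass the zone on a real host is an assumption the model does not settle.

```python
# Added example: combine container port publishing (ports/expose) with a
# firewalld-style ingress zone to classify each service port's reachability.
# Inputs are constructed dicts, not read from docker-compose or firewalld.
# Assumption: the zone's rules are applied to published ports; the container
# runtime's own iptables/nftables rules can differ on a real system.
LOOPBACK = {"127.0.0.1", "::1"}

def parse_published(spec):
    """Parse a compose 'ports' entry such as '80', '8080:80',
    '127.0.0.1:8080:80' or '[::1]:8080:80', optionally suffixed /tcp or /udp.
    Returns (bind_ip_or_None, host_port, proto)."""
    spec, proto = str(spec), "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    if len(parts) <= 2:                      # "80" or "8080:80": bind on all addresses
        return None, int(parts[0]), proto
    bind_ip = ":".join(parts[:-2]).strip("[]")  # everything before host:container
    return bind_ip, int(parts[-2]), proto

def zone_allows(zone, port, proto):
    """Zone dict: {'name', 'target': 'default'|'ACCEPT', 'ports': {'80/tcp'},
    'services': {'ssh': {'22/tcp'}}}. Mirrors firewalld's ingress semantics."""
    if zone.get("target") == "ACCEPT":
        return True
    key = f"{port}/{proto}"
    return key in zone.get("ports", set()) or any(
        key in ports for ports in zone.get("services", {}).values())

def reachable_from_lan(compose, zone):
    """Return {service: [(port/proto, verdict), ...]} for every service."""
    result = {}
    for name, svc in compose["services"].items():
        verdicts = []
        for spec in svc.get("ports", []):        # published to the host
            bind_ip, port, proto = parse_published(spec)
            label = f"{port}/{proto}"
            if bind_ip in LOOPBACK:
                verdicts.append((label, "local-only: bound to loopback"))
            elif zone_allows(zone, port, proto):
                verdicts.append((label, "REACHABLE"))
            else:
                verdicts.append((label, f"blocked by zone {zone['name']}"))
        for port in svc.get("expose", []):       # container network only
            label = str(port) if "/" in str(port) else f"{port}/tcp"
            verdicts.append((label, "container-network only"))
        result[name] = verdicts
    return result

if __name__ == "__main__":   # constructed sample input
    compose = {"services": {"web": {"ports": ["8080:80", "127.0.0.1:9000:9000"],
                                    "expose": ["5432"]}}}
    zone = {"name": "public", "target": "default", "ports": {"8080/tcp"},
            "services": {"ssh": {"22/tcp"}}}
    for svc, rows in reachable_from_lan(compose, zone).items():
        print(svc, rows)
```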
I installed MicroOS Kalpa not long ago and remember reading a thread similar to this before installation. During install, it showed the firewall choice, and for grins, I selected to enable it.
… no warnings from installer
It’s still flawed. Of course you need a firewall!! I really don’t get this reasoning. Apps can open ports, also in Flatpak… The reason there is no firewall is because ‘they’ think it’s better because in some situations you may have issues with containers. Which is bonkers. If someone encounters issues, then someone has to deal with it then. It’s not a reason to just remove one of the most effective security tools in a layered defense model. Otherwise you could also argue that SELinux should be off by default, “because it doesn’t need it”, or it creates issues for Steam (according to the openSUSE wiki). For me it’s just a red flag to stay away from this distro, it’s not designed by knowledgeable people. Prove me wrong…
The people behind the project also seem to have some issues with criticism. My bug report about the lack of a firewall apparently got removed, my comment on a YouTube video once got removed where I asked about the firewall, a bug report about the lack of even man pages on Aeon got instantly prioritized as low. Not because it is a low issue, it clearly is not, documentation is key. But it was because I made the comparison to another immutable OS called Fedora Silverblue. I wouldn’t be surprised if I get a ban for just saying this on this forum. Really not a professional bunch that maintain this distro.
For many years, I used slackware linux without a firewall. I never ran into a problem. This was because I was careful to not run any services that I did not actually need. I only ran “sshd”, and I configured that to only allow public key authentication. Yes, I got log messages for breakin attempts with “ssh”, but no actual intrusion.
I am not currently using Aeon, but I’m not seeing a problem here.
With current openSUSE (Leap 15.5), I do use the firewall since it is part of a default setup.
Facepalm. Just install and enable that firewall by default. Defense in depth is a real thing. Ask the Ukrainians how nasty something like that can be. It’s not the 90s anymore. Anyway, I only got dragged into this because someone tagged my reply as an answer that “it’s easy to install a firewall so it’s okay if things are designed like this”. It’s not… It really is not…
Life is too short to argue about this and there are alternatives (Silverblue). So if you guys think this is great, enjoy!