No firewall in Aeon/MicroOS

I like very much how Upperkees tells Brown that his main objection about this is: “Silverblue does”. Ok.

Brown talks about a “Chromebook experience” (or iOS or Android). These systems don’t use a firewall; every app has its own rules. Well, in Aeon/Kalpa you can easily set a similar set of rules for each app.

In fact, Aeon/Kalpa doesn’t have in mind that you can set up a lot of different services on your network: it is a very desktop/app-centric system, like ChromeOS, iOS or Android. If you need something else, maybe you need another version of openSUSE (happily you have Leap or Tumbleweed for that).

Maybe there are a number of issues that fail in this system when using certain third-party apps, but right now Aeon doesn’t need a firewall.

@Operius Sure you can control, for example, flatpaks: install flatseal and configure as required to give them some more freedom if required. Turn off network access and it will go nowhere…

Yeah I know. But I cannot specify to open a certain port or close it. It is all access or nothing.
I just don’t fully understand yet how networking rules are set per container and how I can change/control that. With firewalld those settings are in a centralized place. Now I have to check/configure stuff per app. Flatpaks and stuff installed in distrobox. It just looks like a big mess if you ask me.

Wow, in the first comment Richard Brown said:

The presence of a firewall would lead to users workloads not working out of the box - eg. Minecraft flatpak being unable to host games without needing to unblock the port.

So Aeon is going full ease of use at the expense of security!?

@Operius I’m not sure of your point here, if the Minecraft server is the only service that is running on the system, it’s the container that it’s running in that needs to be looked at, not the host operating system?

If no services are running on MicroOS (well maybe ssh, but that can be turned off), what can someone do that requires a firewall?

I suspect most folks connect via a router of some kind to the internet and would be covered by that firewall and even then it would require some sort of port forwarding on the router to reach your specific ip address…


I looked into this.

What Silverblue does is it installs a firewall, and then opens every port above 1024:

[root@fedora ~]# firewall-cmd --list-ports
1025-65535/tcp 1025-65535/udp

So, the default configuration is install the firewall and then open all ports. Which is functionally the same as not installing a firewall. (Yes, it blocks privileged ports - ports that you have to jump through hoops to get something to listen on anyways unless you run the listening app as root.)


No.

A firewall blocking a port that nothing is listening on is pointless/useless. Because nothing is listening there.

Running something in a container (and flatpak uses container technology), you have to define the listener as part of the flatpak. Just like with Docker or Podman, you have to expose the port.

What is the point of needing to configure the port in the container definition AND in the firewall? Both serve the same purpose - allowing or denying traffic. If you want to block traffic getting to a containerized app, don’t expose the port.

This topic has been beaten to death; anyone wanting to discuss further should take it up with Richard - nobody here in these forums is involved in the design of MicroOS or Aeon (as far as I know), so unless Richard comes in here and tells y’all exactly what he’s already said in the Reddit thread, there’s nothing to be gained from further discussion. Topic closed.

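The earlier complaint was that per-app network rules are scattered across flatpaks instead of sitting in one place like firewalld, and the reply above says the container definition is where exposure is decided. As an added example (not from the thread or the openSUSE project), this shell helper reads the keyfile-style permission text that `flatpak info --show-permissions APP` prints and reports whether the app shares the host network, so the per-app rules can be audited centrally; the sample permission text is constructed, and `org.example.Game` is a made-up app id.

```shell
#!/bin/sh
# Read Flatpak permission text ([Context] section, keyfile format) on stdin
# and print "network" if the app shares the host network namespace,
# "no-network" otherwise. A "!network" entry (as written by
# `flatpak override --unshare=network`) revokes a grant.
flatpak_network_state() {
    awk -F= '
        /^\[/ { section = $0 }                    # track current section
        section == "[Context]" && $1 == "shared" {
            n = split($2, parts, ";")             # values are ;-separated
            for (i = 1; i <= n; i++) {
                if (parts[i] == "network")  { found = 1 }
                if (parts[i] == "!network") { denied = 1 }
            }
        }
        END {
            if (found && !denied) print "network"
            else                  print "no-network"
        }
    '
}

# Constructed sample resembling `flatpak info --show-permissions` output
# for a hypothetical game that opens a listener (app id is made up).
SAMPLE_PERMISSIONS='[Application]
name=org.example.Game

[Context]
shared=network;ipc;
sockets=wayland;pulseaudio;'

# Prints "network" for the sample above.
printf '%s\n' "$SAMPLE_PERMISSIONS" | flatpak_network_state
```

On a real system the same function can be run over every installed app with `flatpak list --app --columns=application | while read -r app; do printf '%s: ' "$app"; flatpak info --show-permissions "$app" | flatpak_network_state; done`, which gives the single overview the thread says firewalld would otherwise provide.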