Firewall and Librem 5

Whenever I bring up a new Linux box, the first thing that I do is install ufw, close all ports and then selectively open the ports that I want open.

I checked the Librem 5 FAQ and didn’t see any entries pertaining to a firewall, so I was wondering how I should think about the relationship between the Librem 5 and a firewall.
Thanks!

4 Likes

It’s just a GNU/Linux computer, you’ll be able to set up firewalls in the exact same way as you do on your desktops.

5 Likes

Thanks.

Are there any special ports that would need to be left open to make it work as a phone?

Nope, the communication with the modem happens over USB via QMI and AT protocols. You can consider its network interface as a regular Internet connection (at least until MMS support is implemented, depending on what you want to filter out that may require allowing some stuff - but it’s not there yet anyway).

2 Likes

Many thanks!

Other than “sudo ufw enable” does any rule need to be set, enabled, or disabled? (I normally use gufw, the graphical interface for ufw, and that probably doesn’t work on the L5, right?)

Yes, and to confirm that no ports are open: sudo ufw status.

1 Like

It needs to be run as root, which doesn’t play well with Wayland, but it appears to work via X11:

purism@dogwood:~$ DISPLAY=:0 xhost +
access control disabled, clients can connect from any host
purism@dogwood:~$ DISPLAY=:0 GDK_BACKEND=x11 sudo gufw

6 Likes

Never used this before. Do I just type “DISPLAY=:0 xhost +”
and hit return, then type “DISPLAY=:0 GDK_BACKEND=x11 sudo gufw”?

I also found the answer to my question, thanks!

1 Like

I get “xhost: command not found”. What am I doing wrong?

You need to install x11-xserver-utils.

1 Like

Nice! I obviously need to spend more time in the terminal. Thanks!
(Note for other readers: Don’t forget to install gufw first.)

I read that ufw is based on iptables, but iptables has a successor: nftables. Now I wonder if ufw is still a significant simplification compared with nftables and if ufw is still based on iptables or has switched to nftables. AFAIK nftables has an iptables-compatible CLI for ease of migration.

It looks like firewalld would be the replacement, but the question for @dos is whether nftables and firewalld are already part of the distribution.

firewalld is better integrated with GNOME-advanced-network-configuration

sudo apt install network-manager-gnome
sudo apt install firewall-config

then from terminal

nm-connection-editor

This is on the desktop/x86-64-arch; not sure if it applies exactly to the L5. Good topic though …

5 Likes

https://software.pureos.net/package/bin/amber/firewalld

AFAIK nftables should work.

2 Likes

Thank you!

And if you are setting up firewall rules, you need to think about the two different network interfaces (the WiFi and the cellular modem) and whether there is anything that you want to be allowed in one and not the other.

You raise an interesting point, especially with respect to the WiFi. One could conceivably want to have a firewall setting for the home (or safe network) and other WiFi networks.

1 Like
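
Added example (not written by any poster in this thread): a small shell check that combines the "sudo ufw status" confirmation step with the per-interface point raised above. It parses ufw's verbose status text and reports which inbound rules are tied to which interface. The interface name wlan0, the 192.168.1.0/24 home subnet and the sample output are constructed assumptions, and flagging rules that are not bound to an interface is this example's own policy choice.

```shell
#!/bin/sh
# Audit `ufw status verbose` text from stdin. Returns 0 only if ufw is active,
# the incoming default is deny/reject, and every ALLOW IN rule names an
# interface (that last requirement is this example's policy, not ufw's).
audit_ufw() {
    awk '
        /^Status:/  { active = ($2 == "active") }
        /^Default:/ { deny_in = ($2 == "deny" || $2 == "reject") }
        / ALLOW IN / {
            # Interface-scoped rules read "<port> on <iface>" in the To column.
            iface = "ANY"
            for (i = 1; i < NF; i++) if ($i == "on") iface = $(i + 1)
            print "allow-in " $1 " iface=" iface
            if (iface == "ANY") unscoped++
        }
        END {
            if (!active)  print "FAIL firewall is not active"
            if (!deny_in) print "FAIL default incoming policy is not deny"
            if (unscoped) print "FAIL " unscoped " rule(s) open on every interface"
            exit ((active && deny_in && !unscoped) ? 0 : 1)
        }'
}

# Constructed sample of `sudo ufw status verbose` output (not from a real
# device): SSH allowed only on the WiFi interface, only from the home subnet.
sample_status() {
cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp on wlan0            ALLOW IN    192.168.1.0/24
EOF
}

# On a device: sudo ufw status verbose | audit_ufw
sample_status | audit_ufw
```

The check reads ufw's rule table only; it does not list which services are actually listening.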