What firewall best with Librem 14 on PureOS?

Hi all, I am new to Linux so bear with me.
I’m in the process of setting up my Librem 14, which is running PureOS.
I was thinking of using Gufw (Uncomplicated Firewall) with it, because it looks simple and I need a little of that in my life.
So my question is: if you are running a Librem 14 with PureOS, what firewall do you use and how did you install it?

I have looked at the software center and have not seen any firewalls there to install, unless I missed it.
Thank you for your time.

Hi @nicholas77, most Linux systems, including the Debian-based PureOS, come with iptables or its successor nftables preinstalled as the low-level firewall, and their base configuration has quite good basic settings, so as a normal user you probably don’t have to change much.
On top of those there are a lot of frontends for the user if they need to change something, like ufw for example, on top of which gufw can be used as a GUI. Use whatever GUI you like; the OS already comes with the actual firewall installed, you just decide which GUI you want. The actual firewall is already there.

1 Like

I don’t really think a regular firewall is necessary for your average use case since PureOS doesn’t have any services listening to begin with. That said, if you do want to protect your desktop, a better approach in my opinion is to detect outgoing traffic before you worry about incoming traffic. OpenSnitch is good at that. It is not yet packaged for PureOS but if you follow the installation steps for Debian here you should be able to install it:

A good firewall should be able to have both incoming and outgoing rules. I agree that monitoring traffic is a good way to gather data to use for creating those rules, but isn’t exactly a substitute.

Personally, I use pf because I like pain. I would not recommend that for the majority of people. ufw is popular so, probably a better fit as there will be more guides on this than most other firewall options.

Since Byzantium, firewalld is installed by default, so there is no need for an additional firewall management program.
The default setup uses nftables.
firewalld comes with a set of default rules which pretty much block anything. This can be confusing when you try to install any kind of service without using the package system (dpkg). Most deb packages for services include rules for firewalld, so if installed the service is automagically available, e.g. sshd opens port 22 on all external interfaces to all source addresses.


Hi and thank you all for your replies.
I had been watching a “techlore” YouTube video on Linux hardening, which is where I started to think I should have one on the Librem to be on the safe side.
My Mac came with a firewall which is switched on, and I thought I would have to install one on my new Librem 14.

So reading the above replies I see that I just don’t need one and that there is one on the laptop already!!
Do I need to switch it on?
Is it on already?
Sorry for the very basic questions, I’m not tech savvy so a lot of your answers might go over my head.
Once again thank you all.

Thanks @hfollmann for the info regarding the firewalld installation. That means the GUI for that should be firewall-config, which can be installed with sudo apt install firewall-config, but firewalld should be able to tell you if it’s running with the command sudo firewall-cmd --state, and with sudo firewall-cmd --list-all it should tell you its configuration.

With those commands you should be able to figure out if it’s running or not and how it’s configured.
This can also be done with firewall-config if you want to install it.

But I’d also repeat @Kyle_Rankin’s advice to install OpenSnitch, even though that can be quite confusing for new users since a wrong click can more or less disconnect you from the net, or at least it’s going to look like that. The best advice to keep that from happening is to initially set all OpenSnitch configs to “until next reboot”, so that every setting is gone after a reboot.

And please be aware that most of the hardening guidelines for Linux on the web are for remote-controlled servers, not end-user devices.

1 Like
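
The check described in the last reply, as an added example that is not part of the original thread: a script that reads the text printed by `firewall-cmd --list-all` and lists which services and ports firewalld lets in. The helper names `allowed_inbound` and `service_allowed`, the `--live` argument and the sample output are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list what firewalld lets in,
# based on the text printed by `firewall-cmd --list-all`.

# Constructed sample in the layout `firewall-cmd --list-all` prints.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp0s20f3
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Hypothetical helper: read --list-all text on stdin and print one
# "zone kind value" line per service or port that is allowed in.
allowed_inbound() {
    awk '
        /^[^ ]/ { zone = $1; next }   # unindented line opens a zone block
        $1 == "services:" || $1 == "ports:" {
            kind = substr($1, 1, length($1) - 1)
            for (i = 2; i <= NF; i++) print zone, kind, $i
        }
    '
}

# Hypothetical helper: succeed if service $1 is allowed in the text on stdin.
service_allowed() {
    allowed_inbound |
        awk -v s="$1" '$2 == "services" && $3 == s { hit = 1 } END { exit !hit }'
}

# With --live (an assumption of this example) query the running firewalld;
# otherwise parse the constructed sample so the script works offline.
if [ "${1:-}" = "--live" ]; then
    sudo firewall-cmd --state || true   # prints "running" or "not running"
    sudo firewall-cmd --list-all | allowed_inbound
else
    printf '%s\n' "$SAMPLE_LIST_ALL" | allowed_inbound
fi
```

An empty list from the live run means the active zone allows no inbound services or ports; an `ssh` entry corresponds to the sshd rule mentioned earlier in the thread.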