What is PureOS Byzantium's default firewall and rules?

Within the software application I can only download “firewall” & “firewall builder”

What is the default installed firewall manager within the OS? Is there even one? If so, what are the rules by default? Deny all incoming / allow all outgoing?

1 Like

Interestingly enough, I looked through “apt list --installed”… nftables is nowhere to be found. It is NOT the default firewall. I did, however, find iptables within the list.

Is there a difference in kernel and OS versions between PureOS as a linux distro for normal desktop/laptop use (Byzantium) vs what the Librem5 phone uses? I’m specifically talking about Byzantium which is the .iso available for download for PC use.

Unfortunately, according to the list-rules command, iptables by default does not look like it denies any incoming traffic:

```
$ sudo iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
```

What GUI do you guys recommend for iptables? I have to research CLI commands to change these rules, as the --help is a little too vague for me to know how to set it up as a simple firewall.

2 Likes

That is interesting - the possibility didn’t occur to me. I’m running at the moment an L5 with non-standard byzantium and have nftables and iptables controlling the firewall. It may be that original byz is iptables and the updates have been pushed at some point. Checking pureos.net may tell more (it lists packages at Repositories & Suites - PureOS Software). There may be differences, but as I haven’t used other devices with it, I’m not sure.

As for the iptables GUI, I remember using some fork of Firestarter with it (it’s been a while). But as you mentioned GUFW before, if that’s more familiar to you, over all it might be a route to follow.

[These two threads should be merged https://forums.puri.sm/t/ufw-gufw-not-working-correctly]

1 Like

Yeah… it makes me a little worried that there are some not-obvious differences between their flagship Librem PureOS and their normal PC PureOS. I’m wondering how active updates (security and otherwise) get pushed to it if they aren’t even keeping the firewall management the same.

I ended up installing GUFW again without UFW, just using it to manage iptables, and it configured it with a simple toggle.

The only issue now is that GUFW will not hold an ACTIVE toggle for the firewall past a reboot or shutdown. This leads me to believe that even if I went through the more complex iptables setup through the terminal, none of the changes will be held past reboot or shutdown.

I’m wondering if the PC iso of byzantium is even configurable in this state for network security. Is there a way to ping this thread to devs?

It’s almost acting like an immutable distro (any changes to my firewall are reset to original settings after any reboot or shutdown).

2 Likes

So I was unaware if there was a firewall preinstalled with PureOS (Byzantium). Is there? I couldn’t find one, so I installed UFW and GUFW.

They both work when opened and activated (ie enabling ufw via terminal or opening gufw and clicking to activate the firewall).

The problem is that they won’t stay active after a log out or reboot. It’s like UFW won’t save any status updates coded to it through CLI nor through the GUI.

This causes issues when rebooting/powering up as there is no internet access UNTIL ufw is either activated through terminal or gufw.

I uninstalled the apps and all is working well, but I want to put a decent firewall up as a bare minimum and the only firewalls listed in the software store is fwbuilder (firewall builder) or firewall (firewall configuration).

This is why I just installed UFW, since it was an easier setup. But I’m not really sure if the two listed apps in the software store are really worth downloading and using. I read in a past post that iptables might be preinstalled and used as the firewall, but I’m unsure how it is configured out of the box.

1 Like

You’ll get good info on setting up a persistent firewall from those links, whichever you choose to use. For understanding nftables and firewalling, this article with process diagrams may help too. The Debian wiki does suggest not directly editing nftables (ref) and to use firewalld [as opposed to GUFW, which is not intended as an appropriate example for an nft GUI], although it may not work with the L5 screen, if that’s what you are using.

As for the defaults, I’m not sure, as I don’t have them left anymore (all kinds of edits over the years). Check to see yours with sudo nft list tables and then sudo nft list table <name of table, like ip nat>.

Also, there are some notes in the old threads, like this: Firewall and Librem 5 and Not recommended to use a firewall? - #16 by Kyle_Rankin and:

2 Likes
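The two checks discussed in this thread (the `sudo iptables --list-rules` output showing ACCEPT policies on every chain, and the suggestion to inspect the ruleset with `sudo nft list tables`) and the two complaints about rules not surviving a reboot can be tied together in one script. The following is an added example, not code from this thread or from Purism: it parses rule text in the same format the poster quoted (the embedded sample is constructed to match that output), reports whether INPUT falls through to ACCEPT, and emits a minimal deny-incoming/allow-outgoing ruleset in both iptables-restore and native nftables syntax, together with the Debian mechanisms that load such a ruleset at boot. It assumes the Debian `iptables-persistent`/`netfilter-persistent` and `nftables` packages; on Debian 11 (bullseye), which Byzantium is based on, the `iptables` command is the iptables-nft variant, so both paths end up in nf_tables, but you should still pick one and not run both.

```sh
#!/bin/sh
# Added example (not from the thread). Audit the chain policies and build a
# persistent deny-incoming / allow-outgoing ruleset.

# Constructed sample: the `sudo iptables --list-rules` output quoted in the thread.
DEFAULT_BYZ_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Print the default policy of chain $2 found in rule text $1.
# Understands both `iptables -S` lines (-P INPUT ACCEPT) and
# iptables-restore chain headers (:INPUT DROP [0:0]).
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-P" && $2 == c { print $3; exit }
        $1 == (":" c)        { print $2; exit }'
}

# OPEN    = INPUT policy is ACCEPT: every listening service is reachable
# CLOSED  = INPUT policy is DROP or REJECT
# UNKNOWN = no policy line found in the text
audit_input_policy() {
    case "$(chain_policy "$1" INPUT)" in
        ACCEPT)      echo OPEN ;;
        DROP|REJECT) echo CLOSED ;;
        *)           echo UNKNOWN ;;
    esac
}

# iptables-restore file: default-deny inbound, allow loopback, replies to our
# own connections, and ping. Load with `iptables-restore`, then persist with
# `netfilter-persistent save` (package iptables-persistent).
hardened_iptables_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# The same policy in native nftables syntax for /etc/nftables.conf, which
# Debian's nftables.service loads at boot. ICMPv6 must stay open or IPv6
# neighbour discovery breaks.
hardened_nft_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Apply and persist (run as root). Only one of the two should be used.
apply_iptables() {
    hardened_iptables_ruleset | iptables-restore && netfilter-persistent save
}
apply_nft() {
    hardened_nft_ruleset > /etc/nftables.conf &&
    nft -f /etc/nftables.conf &&
    systemctl enable --now nftables
}

# Usage on a live host:
#   sudo sh firewall.sh audit      -> prints OPEN/CLOSED for the running policy
#   sudo sh firewall.sh apply-ipt  -> iptables ruleset, persisted via netfilter-persistent
#   sudo sh firewall.sh apply-nft  -> nftables ruleset, persisted via nftables.service
case "${1:-}" in
    audit)     audit_input_policy "$(iptables -S)" ;;
    apply-ipt) apply_iptables ;;
    apply-nft) apply_nft ;;
esac
```

Running the audit after a reboot is the quick way to confirm persistence actually worked: if it prints OPEN again, the rules were loaded into the running kernel once but nothing reloads them at boot, which is exactly the symptom reported above for ufw/gufw.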

The behavior may be related to rules preventing iptables and ufw conflicting; take a look at: Can UFW work with iptables-persistent? - Unix & Linux Stack Exchange and Possible conflict between ufw and iptables-persistent · Issue #414 · pivpn/pivpn · GitHub

1 Like

Geez, what a major miss from PureOS. Thanks for the firewall JR, definitely useful information. I used the

Blockquote

sudo apt-get install gufw

Blockquote

that you suggested. As I am not great with programming yet I’ll just check to make sure it is turned to deny for incoming and allow for outgoing when I reboot my phone each time. Too bad I can’t use the alarm app to remind me unless I reboot at a specific time every single day.

Glad to have some security in place, not sure how good it is but it is a start. I’ll read your guides and blog posts after work. Thank you

Gotta retrain that blockquote use.

1 Like

Markdown:

```
sudo apt-get install gufw
```
2 Likes

The Markdown for the code should look like this:

```
sudo apt-get install gufw
```

When using blockquotes, change the text:

Blockquote → Content

Alternative Markdown for blockquotes:

[quote]
Blockquote -> Content
[/quote]
1 Like

While every customer should be able to find out what firewall, if any, is installed by default, and, if so, what the default firewall configuration is, there are other considerations.

  • What is the attack surface? What network-facing services are running? Are they all needed? i.e. as a belt-and-braces approach to network security aka defence-in-depth?
  • Have individual services been configured to filter by source IP address i.e. as a belt-and-braces approach to network security?
  • Is the device mainly used behind an internet gateway that is doing IPv4 NAT? or, similarly, behind CGNAT?
  • Is IPv6 even available and, if so, is it enabled?

So, yes, given Purism’s emphasis on “the power of defaults” the default firewall situation should be clarified and improved, but a firewall is not the end of the story and is not set-and-forget.

As such, therefore, it definitely matters what kind of device we are talking about, e.g. Mini v. laptop v. phone.

2 Likes