JR-Fi
February 10, 2025, 6:47am
7
Linux distros as a general rule have a firewall. PureOS (L5’s operating system, which is based on Debian where they used to use iptables, but now) uses nftables. Powerful tool but more for command line use.
What PureOS/Librem 5 doesn’t have by default, is a GUI app (like the popular gufw, the GUI for Uncomplicated FireWall, which is one option - not perfect on L5 screen though, so it goes under “Show all apps”, and even there its name shows “Firewall Configuration”), if you don’t want to use terminal commands. Installing gufw is sudo apt-get install gufw and for more info on using it, I suggest Set Up Firewall with GUFW on Linux Desktop [Beginner Guide] or Gufw - Community Help Wiki
You’ll get good info on setting up a persistent firewall from those links, whichever you choose to use. For understanding nftables and firewalling, this article with process diagrams may help too. Debian wiki does suggest not directly editing nftables (ref) and to use firewalld [as opposed to GUFW, which is not intended as an appropriate example for nft GUI], although it may not work with L5 screen, if that’s what you are using.
As for the defaults, I’m not sure, as I don’t have them left anymore (all kinds of edits over the years). Check to see yours with sudo nft list tables and then sudo nft list table <name of table, like ip nat>.
Also, there are some notes in the old threads, like this: Firewall and Librem 5 and Not recommended to use a firewall? - #16 by Kyle_Rankin and:
You do have a firewall, the Linux kernel networking stack basically doesn’t exist without one. What you don’t have is a fancy frontend to that firewall. There is a non-fancy frontend, called iptables. You can use it to block traffic.
That said, the default state on Linux for the firewall is permissive, that is you have to blacklist anything you want blocked, rather than restrictive with a whitelist. Windows is the opposite. The reason is that Linux doesn’t by default listen with dangerous services on ports, unlike Windows (no remote shutdown, for example). I hear that Windows is less bad than it used to be, but back in the Vista days, the mean time to infection for an un-firewalled Windows PC was about 10 minutes…
If you use lsof, you can get a list of all ports which are accepting connections. On an out of the box Linux machine, you’ll find the list is rather short, and all of the ports require authentication. If you start adding services without authentication, then you’ll need to configure a firewall, either at your network edge (router) or on your local machine. If you take your computer to the local coffee shop, you’ll want to configure your firewall if you have any unauthenticated services. Also, if you don’t control your house router (if it’s not OpenWRT or similar), you can’t trust your local network as much as you’d like to.
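The two steps the post and the quoted reply describe (list what is accepting connections, then move from the permissive Linux default to an allowlist) as an added shell example. This is not code from the post, from PureOS or from Purism; it assumes a captured `lsof -i -P -n` listing, and the listing below is constructed for illustration rather than taken from a real Librem 5. The ruleset it emits is only printed, so it can be reviewed before anyone loads it with `sudo nft -f`, and note that `flush ruleset` replaces every existing table, including ones gufw or firewalld manage.

```shell
#!/bin/sh
# Constructed sample of `sudo lsof -i -P -n` output (not real device output).
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 412 systemd-resolve 13u IPv4 18211 0t0 UDP 127.0.0.53:53
systemd-r 412 systemd-resolve 14u IPv4 18212 0t0 TCP 127.0.0.53:53 (LISTEN)
cupsd 900 root 7u IPv6 22001 0t0 TCP [::1]:631 (LISTEN)
sshd 1203 root 3u IPv4 25100 0t0 TCP *:22 (LISTEN)
python3 2210 purism 3u IPv4 30120 0t0 TCP *:8000 (LISTEN)
avahi-d 701 avahi 12u IPv4 19999 0t0 UDP *:5353'

# exposed_listeners: print "PROTO ADDRESS:PORT COMMAND" for every socket that
# accepts traffic from beyond loopback. Loopback-only services (127.x, [::1])
# are skipped; TCP sockets count only in LISTEN state, UDP sockets always.
exposed_listeners() {
    printf '%s\n' "$SAMPLE_LSOF" | awk '
        NR == 1 { next }                              # header line
        $8 == "TCP" && $0 !~ /\(LISTEN\)/ { next }    # established TCP, not a listener
        {
            addr = $9
            sub(/:[^:]*$/, "", addr)                  # drop ":port" -> bind address
            if (addr ~ /^127\./ || addr == "[::1]") next
            print $8, $9, $1
        }'
}

# nft_ruleset: emit an inbound-allowlist ruleset for `nft -f` (printed, not
# applied). Arguments are TCP ports to allow from the network, e.g. 22.
# Everything not listed is dropped; outbound traffic is left open.
nft_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
EOF
    for port in "$@"; do
        printf '        tcp dport %s accept\n' "$port"
    done
    cat <<'EOF'
        counter drop
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

echo "Sockets reachable from the network:"
exposed_listeners
echo
echo "Proposed ruleset allowing only SSH inbound (review, then sudo nft -f <file>):"
nft_ruleset 22
```

On a real device replace `SAMPLE_LSOF` with the output of `sudo lsof -i -P -n` (or `ss -lntu`), decide which of the reported services genuinely need to be reachable, and pass only those ports to `nft_ruleset`; anything that turns out to be an unauthenticated service is a candidate for stopping rather than allowing.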