Kicksecure Firewall

SteveK1978 · February 15, 2024, 7:42pm

What is the Firewall comes with Kicksecure on CLI? ufw was not included anywhere in any metapackage.

Patrick · February 16, 2024, 7:11am

None yet. None has been developed yet.

SteveK1978 · February 16, 2024, 3:56pm

I am OK with current state, I don’t think we need extra Firewall.

Patrick · March 18, 2024, 1:21pm

While Kicksecure comes with no open ports by default, a firewall would be useful to protect the user from unwanted, unexpected ports opened by third-party software.

How this could be structured:

kicksecure-shared-firewall
kicksecure-desktop-firewall [block all ports by default]
kicksecure-server-firewall [open port 22, which is SSH’s default port by default]
- Maybe the server firewall should come last. If ever. Much later. Maybe not at all. Maybe server operators should take care of a firewall themselves.

SteveK1978 · March 25, 2024, 2:10pm

No worries.
I can use firewalld or ufw myself.

Patrick · May 28, 2024, 11:33am

Note on UFW by default in Kicksecure:
Still depends on iptables. This seems outdated. Waiting at least until it has been ported to nftables.

SteveK1978 · June 27, 2024, 2:35pm

Sorry for late reply, isn’t ufw just a front-end of iptables?

Patrick · June 28, 2024, 11:10am

Based on web search, seems newer ufw versions support also nftables.

Patrick · June 29, 2024, 12:37pm

Of course.

iptables is deprecated. iptables → nftables.

Patrick · September 14, 2024, 2:28pm

How could Kicksecure be configured to have a firewall enabled by default for Kicksecure desktop but at the same time do not enable the firewall by default for users installing using distribution morphing method?

Why not enable Kicksecure firewall by default for users installing using distribution morphing method? It’s a too intrusive change. Because if they are distribution morphing a server, they might lock themselves out from SSH and other services such as their webserver might become unreachable.

What’s the solution?

A Kicksecure systemd unit which comes disabled by default using systemd presets. It would be enabled by default for Kicksecure for desktop using calamares but users using distribution morphing would need to run sudo systemctl enable --now kicksecure-firewall (not yet implemented at time of writing).

SteveK1978 · September 17, 2024, 4:03pm

Thank you. I don’t really want this feature to be enabled by default. I mainly use Kicksecure as server or virtualization host.

Patrick · May 11, 2025, 9:03am

Desirable features:

restrict outgoing traffic to a configurable list of Linux users accounts
restrict outgoing traffic to a configurable list of IPs only

SteveK1978 · August 16, 2025, 2:12pm

We can have per-application level firewall control. I am currently using Kicksecure as virtual machines. I don’t think Tor is necessary for Kicksecure. We can have everything Tor into a separate package and allow user to not install it by default.

Patrick · August 16, 2025, 4:53pm

Not planned due to:
Protection from Targeted Malicious Updates

Quiksilver · August 16, 2025, 5:59pm

Add Firewall option to sysmaint pannel

I think the best way would be to add nftables rules sets for different usecases but the default being blocking incoming and forwarding and allow outgoing by default.

Another menu in sysmaint panel for firewalls could be added to select or manage firewall rulesets.

/etc/nftables/kicksecure_default.nft

#!/usr/sbin/nft -f

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}

Another example these rules Blocks all incoming and forwarding traffic and allows HTTP, HTTPS, DNS, and limited SSH traffic. Also allows Tor port to ensure it continues to work correctly for torified apt and time sync via sdwdate.

/etc/nftables/kicksecure_restrictive.nft

#!/usr/sbin/nft -f

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        # Allow loopback interface
        iif "lo" accept

        # Allow established connections
        ct state {established, related} accept
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;

        # Allow established connections
        ct state {established, related} accept
    }

    chain output {
        type filter hook output priority 0;
        policy drop;

        # Allow loopback interface
        oif "lo" accept

        # Allow HTTP (port 80)
        tcp dport 80 accept

        # Allow HTTPS (port 443)
        tcp dport 443 accept

        # Allow DNS (port 53)
        udp dport 53 accept
        tcp dport 53 accept

        # Allow SSH (port 22) but limit it to a specific number of connections per minute
        tcp dport 22 limit rate 5/minute accept

        # Allow Tor (port 9050)
        tcp dport 9050 accept
    }
}

Quiksilver · August 16, 2025, 6:01pm

The only issue from research is I’m not sure how you would go about enabling the custom ruleset by default?