What is the firewall that comes with Kicksecure on CLI? ufw was not included anywhere in any metapackage.
None yet. None has been developed yet.
related:
I am OK with current state, I don’t think we need extra Firewall.
While Kicksecure comes with no open ports by default, a firewall would be useful to protect the user from unwanted, unexpected ports opened by third-party software.
How this could be structured:
- kicksecure-shared-firewall
- kicksecure-desktop-firewall [block all ports by default]
- kicksecure-server-firewall [open port 22, which is SSH’s default port by default]
- Maybe the server firewall should come last. If ever. Much later. Maybe not at all. Maybe server operators should take care of a firewall themselves.
No worries.
I can use firewalld or ufw myself.
Note on UFW by default in Kicksecure:
Still depends on iptables. This seems outdated. Waiting at least until it has been ported to nftables.
Sorry for the late reply, isn’t ufw just a front-end of iptables?
Based on web search, seems newer ufw versions support also nftables.
Of course.
iptables is deprecated. iptables → nftables.
How could Kicksecure be configured to have a firewall enabled by default for Kicksecure desktop but at the same time not enable the firewall by default for users installing using the distribution morphing method?
Why not enable the Kicksecure firewall by default for users installing using the distribution morphing method? It’s too intrusive a change. Because if they are distribution morphing a server, they might lock themselves out of SSH, and other services such as their webserver might become unreachable.
What’s the solution?
A Kicksecure systemd unit which comes disabled by default using systemd presets. It would be enabled by default for Kicksecure for desktop using calamares but users using distribution morphing would need to run sudo systemctl enable --now kicksecure-firewall (not yet implemented at time of writing).
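A sketch of how the preset-disabled unit described above could be laid out, as an added example that is not part of the original thread and not Kicksecure's own code. Only the unit name kicksecure-firewall comes from the thread; the file paths, the nftables table name and the ruleset are assumptions.

```shell
#!/bin/sh
# Added example: every file name and path below is hypothetical.
# Stages three files into a package build root; the live system is not touched.
stage_firewall_files() {
    root=$1
    mkdir -p "$root/usr/lib/systemd/system-preset" \
             "$root/usr/lib/systemd/system" "$root/etc/kicksecure-firewall"

    # Preset policy: the unit ships disabled, so distribution morphing
    # changes nothing until the admin enables the unit explicitly.
    cat > "$root/usr/lib/systemd/system-preset/50-kicksecure-firewall.preset" <<'EOF'
disable kicksecure-firewall.service
EOF

    cat > "$root/usr/lib/systemd/system/kicksecure-firewall.service" <<'EOF'
[Unit]
Description=Default-deny inbound firewall (hypothetical example unit)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -f /etc/kicksecure-firewall/desktop.nft
ExecStop=/usr/sbin/nft delete table inet kicksecure_firewall

[Install]
WantedBy=multi-user.target
EOF

    # Own table instead of "flush ruleset", so rules from other tools survive.
    # Desktop profile: no listening port is opened, outbound traffic is untouched.
    cat > "$root/etc/kicksecure-firewall/desktop.nft" <<'EOF'
table inet kicksecure_firewall
delete table inet kicksecure_firewall
table inet kicksecure_firewall {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
}
EOF
}

# Stand-alone use: STAGE_DIR=./pkgroot sh this-script.sh
if [ -n "${STAGE_DIR:-}" ]; then stage_firewall_files "$STAGE_DIR"; fi
```

On a morphed server the unit stays inactive, so SSH and web services keep working; the ruleset takes effect only once the unit is enabled.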
Thank you. I don’t really want this feature to be enabled by default. I mainly use Kicksecure as server or virtualization host.