Firewalld status?

I’m trying to secure my laptop with Clear Linux OS installed. Clear Linux itself states that they have developed the OS, among other things, in order to have a high security mindset.

As they describe:
“The Clear Linux Project creates an operating system and software stacks that offer highly optimized performance, security, versatility, and manageability.
Security enabled from the Cloud to the Edge, to the End Device. Clear Linux OS has an automated tool that is constantly scanning for CVEs*, which are patched accordingly. (* “Common Vulnerabilities and Exposures”)”

Background to my question:

Ahkok replied in the thread “Firewall packages?”:

Gufw is a frontend to ufw which we decided NOT to include. ufw is too debian / ubuntu centric to integrate nicely and would likely be too much work to include.
Instead, we will have firewalld available within a few days. This still probably needs to be polished up a bit so please help by testing and providing feedback on the firewall bundle once it becomes available. We will look into adding firewall-config at a later point in time when it all works OK.

I raise my connection question in this separate thread.

My wonder:
What is the status of this with Firewalld?

I use the desktop version for private use, and would feel more secure with Firewalld installed.


I have installed Sophos antivirus, which describes its antivirus software like this:
“Features
Effective and secure
The Sophos Antivirus engine effectively detects and cleans viruses, Trojans, and other malware. In addition to sophisticated detection based on advanced heuristics, Sophos Antivirus for Linux uses Live Protection to look up suspicious files in real time via SophosLabs.”
As far as I understand, Linux should for the most part be vulnerable to Trojans and malware, and not to the same extent as viruses.


So Firewalld would certainly complement security.
Together with Clear Linux OS built-in encryption, you have secured as well as you can.

excellent documentation:

https://docs.01.org/clearlinux/latest/guides/network/firewall.html#iptables

I set the restrictive firewall configuration (iptables).

or you can download & configure firewalld:

https://docs.01.org/clearlinux/latest/guides/network/firewall.html#firewalld

user-choice.

antivirus 4 linux : (imho) not (yet) necessary. for many reasons. but they have a clamav-bundle.

4 Likes

Thanks for the links to the documents, very much appreciated. Must read about it. Let’s see if the team has anything to say about the status. Would also be interesting to hear about how CVE works.
ohmyfish: :slight_smile: What do you mean by the comment “for many reasons” about antivirus? Not only “not necessary”?
From what I have seen, many “heavy” names have stated the need for antivirus for Linux as well. Most recently I saw an article in the Linux news app where it was mentioned that Debian was the most insecure operating system, with the most vulnerabilities. Linux overall was on par with Mac OS.

sudo firewall-cmd --state

RUNNING :slight_smile:

1 Like

We are software engineers, and so we work based on data, and together with industry security experts. There are lots of threats, and we try to mitigate all of them by layering defenses on top of each other. In these layers, some are very, very important, and some are almost entirely optional, if not ineffective.

Firewalls are less important if the OS doesn’t expose services to the outside by default. In ClearLinux OS, we enforce this strategy by disabling network services by default - e.g. mariadb listens on a UNIX socket, nginx won’t listen at all, and other services similarly like that are restricted from being accessed over the network. This strategy alone makes firewall software much less urgent - there simply isn’t anything that a firewall could easily block.

This strategy is great for systems that are deployed with a singular task (cloud, server etc). And it is great for typical desktop-only use. In those cases, a firewall is likely ineffective unless properly limiting flows per application - e.g. “untrusted” desktop applications.

That means that in ClearLinux, if you do want to consider a firewall, you should absolutely educate yourself on how firewalls can be used to further protect your system, and use e.g. firewalld and even clamav if your use of the software warrants it.

However, ClearLinux isn’t a “we hold your hands” type of distribution. We will likely not enable firewalls or antivirus software by default. In many cases, firewalls and antivirus are just in the way.

We do consider mitigating e.g. SSH bruteforce attacks, since they’re ubiquitous and just plain annoying, which is why we ship tallow on every system. Beyond that a strategy to avoid exposing services on public network facing ports is far better than aggressively filtering ports and subsequently poking holes in it.

1 Like
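The post above argues that a firewall has little to block when no service listens on a network-facing address in the first place. A practical way to check that claim on your own machine is to audit the listening sockets and flag only those bound to a wildcard address (0.0.0.0, [::] or *). The script below is an added example, not code from the thread or from the Clear Linux project; it parses `ss -Hltnu`-style output, and the sample lines embedded in it are constructed for illustration (the loopback-only mariadb line mirrors the behaviour the post describes).

```shell
#!/bin/sh
# Added example (not from the thread): list listening TCP/UDP sockets that are
# bound to all interfaces, i.e. reachable from the network. Anything bound to
# 127.0.0.1 / [::1] or to a UNIX socket does not show up here, which is exactly
# the "nothing for a firewall to block" situation described in the post.
#
# Live use:   exposed_listeners "$(ss -Hltnu)"
# Offline:    exposed_listeners "$SAMPLE_SS"   (constructed sample below)

# Constructed sample in the column layout of `ss -Hltnu`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN 0 128 127.0.0.1:3306   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 511 *:8080            *:*
udp   UNCONN 0 0   [::1]:53          [::]:*
tcp   LISTEN 0 128 [::]:22           [::]:*'

# Print "proto local-address:port" for every socket bound to a wildcard address.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        {
            local = $5
            # strip the trailing :port to get the bind address
            # (IPv6 addresses keep their brackets, e.g. "[::]")
            addr = local
            sub(/:[0-9*]+$/, "", addr)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                print $1, local
        }'
}

# Number of exposed listeners; 0 means no service is reachable from the network.
exposed_count() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# Run against the live system when invoked with --live, otherwise show the sample.
if [ "${1:-}" = "--live" ]; then
    exposed_listeners "$(ss -Hltnu 2>/dev/null)"
else
    exposed_listeners "$SAMPLE_SS"
fi
```

On the constructed sample this reports the SSH listener on both address families and the wildcard-bound port 8080, while the loopback-only mariadb and DNS sockets are ignored; a non-zero count is the list of services that a host firewall rule (or, per the post, simply not exposing the service) would need to cover.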

My intention was not to diminish your knowledge. The respect for the project has made me not humble about it, so almost. :slight_smile: I really did not understand that Clear Linux OS is so advanced in terms of security. Most thought it was about encryption. But this is apparently something completely different, which sounds really interesting and commendable. Are there any documents describing the structure of the security? Is there anything else that you as a user can, or should, think of in terms of security when using it for regular office work? So without deeper knowledge, or knowledge at all. Must apparently change my mind about general safety thinking. Really an exciting project. Thank you for your wonderful work. A really nice experience of using the OS, which is fast and stable.

Keep in mind that ClearLinux isn’t a general purpose OS. While we ship things like gimp and darktable, our purpose isn’t to make an OS that everyone can use, and be fully safe. Primarily, we target professionals (IT, devops, cloud/container deployments, etc). That has significant implications for:

  • what we consider essential software and use cases
  • what we consider optional use cases
  • what we consider unwanted use cases

We apply the same strategy when it comes to performance - optimal for “essential” use cases, good for “optional” use cases, and we ignore “unwanted” or unsupported use cases.

If you are a general purpose laptop-using steamgame-playing hulu-watching person, ClearLinux isn’t really for you and it may not be secure enough for you. Datacenter security looks a lot different than high school computer security, for instance.

A good example is antivirus: we don’t enable it, we provide it (clamav), but with virtually no integration with the rest of the OS. That has serious implications for your usage: you should absolutely not click on weird attachments in your email if you use ClearLinux. You shouldn’t ever, of course, but a general purpose OS that protects you from online threats should probably protect you. Because ClearLinux isn’t general purpose, we don’t, and so it’s probably not suitable as-is for high-risk dark net browsing :).

… nothing against hulu. “devs” is amazing ;).

Too many streaming options… :slight_smile:

1 Like