Firewall on Linux/secureblue

Hi everyone,
The next step on my privacy journey is to move away from Apple/macOS. I have dabbled a little with Fedora on a spare laptop and now replaced it with secureblue. One source of frustration under Fedora was getting opensnitch working, which I wanted to use to block all connections not going through the VPN (to add a layer to the killswitch) and to prevent telemetry wherever possible. Little Snitch does that really well on macOS, but that proved more difficult with opensnitch.
My question is how useful/recommended is a firewall (opensnitch or other) on Linux, esp. Fedora, esp. Silverblue, esp. secureblue. Any input is welcome!


It is very important. I think it is related to "eBPF compatibility with custom and hardened kernels (xanmod, liquorix, etc)", Issue #774 in evilsocket/opensnitch on GitHub (I know secureblue doesn’t use a custom kernel). Have you checked if secureblue disables any of those or related? You can open an issue on secureblue with the error.

Thanks, I haven’t actually tried installing it yet. I was just wondering whether it was worth the hassle (and/or whether there are better alternatives).

You shouldn’t necessarily need opensnitch to accomplish that. Linux has a built-in firewall, nftables/iptables. Most people don’t configure this directly, but use intermediary software for this purpose. For Debian/Ubuntu and derivatives that usually means using UFW, and for Fedora/RHEL family distros that often means firewalld.

It’s possible that firewalld is preinstalled on secureblue already (if so you don’t need to install any additional software, just write a few firewalld rules). If not, it’s possible to create the rules with nftables/iptables directly, but the syntax is a bit unintuitive.
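As an added example (not part of the post above, and not secureblue's or firewalld's own configuration), this is one way to write the "block everything not going through the VPN" rule with nftables directly. The table name `vpn_killswitch` and the sample values `wg0`, `203.0.113.10` and `51820` are assumptions; substitute your own tunnel interface and VPN server.

```shell
#!/bin/sh
# Added example: print an nftables ruleset whose output chain drops everything
# except loopback, the VPN tunnel, the VPN handshake itself, and DHCPv4.
# It lives in its own table; a drop here is final even if another table
# (for example firewalld's) accepts the same packet.

gen_killswitch() {
    vpn_if=$1 endpoint=$2 port=$3 proto=${4:-udp}

    # Validate inputs so nothing can break out of the generated rule text.
    case $vpn_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    # Digits and dots only: the endpoint must be an IP address, because DNS
    # is blocked until the tunnel is up. nft does the full address parse.
    case $endpoint in
        ''|*[!0-9.]*) echo "endpoint must be an IPv4 address" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port" >&2; return 1; }
    case $proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac

    # Declare-then-delete makes reloading idempotent (no duplicated rules).
    cat <<EOF
table inet vpn_killswitch
delete table inet vpn_killswitch
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$vpn_if" accept
        ip daddr $endpoint $proto dport $port accept
        udp sport 68 udp dport 67 accept
    }
}
EOF
}

# Stand-alone use: sh killswitch.sh wg0 203.0.113.10 51820 [udp|tcp]
if [ "$#" -gt 0 ]; then gen_killswitch "$@"; fi
```

Pipe the output to `nft -c -f -` as root to check it without loading, then drop `-c` to apply it. Because the table is `inet` with a default drop, IPv6 traffic outside the tunnel is blocked as well.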

I use firewall-config to manage firewalld on Silverblue. It’s available from the Fedora flatpak repo. See "Documentation - Utilities - firewall-config" on the firewalld site.

Pretty sure secureblue won’t have that repo active - but it is the only flatpak on there that’s not on Flathub, and I’m sure you could just activate it if you were so inclined.

Thanks to all. For the more technical part, I will ask directly on the secureblue Discord server (although that is a really terrible alternative to a forum). At least, the consensus seems to be that something like this is needed.