
Kalcifer

@Kalcifer@sh.itjust.works

All of this user’s content is licensed under CC BY 4.0.


Kalcifer OP, to Linux in When do I actually need a firewall?

That's a strange law. That's like saying one should be held responsible for a thief stealing their car and then running over someone with it (well, perhaps an argument could be made for that, but I would disagree with it).

Kalcifer OP, (edited) to Linux in When do I actually need a firewall?

Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always

In what capacity, though? I see potential issues with both server firewalls, and client firewalls. Unless one wants their devices to be offline, there will always be at least one open port (for example, inbound on a server, and outbound on a client) which can be used as an attack vector.

Kalcifer OP, to Linux in When do I actually need a firewall?

A big part of securing a net comes from preventing things like someone establishing an outbound connection on some random port and siphoning off everything to a home base.

What's to stop said malware from siphoning data over a known port? If one were to block all outbound connections, then they essentially have an offline device. If they were to want to browse the web, for example, they would need to allow outbound connections to at least HTTPS, HTTP, and DNS. What's to stop the malware from simply establishing a connection to a remote server over HTTPS?

Kalcifer OP, to Linux in When do I actually need a firewall?

You always need a firewall, no other answer’s.

Okay, but why? That's kind of the point of why I made this post, as is stated in the post's body.

Kalcifer OP, to Linux in When do I actually need a firewall?

Tell the computer explicitly which ports it can and cannot open.

Isn't this all rather moot if there is even one open port, though? Say, for example, that you want to mitigate outgoing connections from potential malware that gets installed onto your device. You set a policy to drop all outgoing packets in your firewall; however, you want to still use your device for browsing the web, so you then allow outgoing connections to DNS (UDP, and TCP port 53), HTTP (TCP port 80), and HTTPS (TCP port 443). What if the malware on your device simply pipes its connections through one of those open ports? Is there anything stopping it from siphoning data from your PC to a remote server over HTTP?
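
The policy sketched in this comment (drop all outbound, then allow DNS, HTTP and HTTPS) can be tried against a handful of constructed flows to see exactly which malware traffic it stops and which it lets through. The script below is an added example and is not part of the original thread; it evaluates the port-only allowlist from the comment beside a destination-pinned variant, and renders the port-only policy as an nftables ruleset for reference. All addresses come from the RFC 5737 documentation ranges, the allowed destination networks are assumptions for the example, and the five flows are constructed for illustration.

```python
"""Egress policy comparison: port-only allowlist vs destination-pinned allowlist.

Added example, not from the original thread. All addresses are from the
RFC 5737 documentation ranges and the flows are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    label: str      # human-readable description of the constructed flow


# Policy A: the port-based egress rules described in the comment.
PORT_ALLOW = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}


def port_policy(flow: Flow) -> bool:
    """Allow if the (proto, dport) pair is on the allowlist; drop everything else."""
    return (flow.proto, flow.dst_port) in PORT_ALLOW


# Policy B (assumption: a host that only needs to reach a few known services):
# same ports, but each port is pinned to the destinations it is expected to reach.
DEST_ALLOW = {
    ("udp", 53): [ipaddress.ip_network("192.0.2.53/32")],     # the configured resolver only
    ("tcp", 53): [ipaddress.ip_network("192.0.2.53/32")],
    ("tcp", 443): [ipaddress.ip_network("198.51.100.0/24")],  # the services this host uses
    ("tcp", 80): [ipaddress.ip_network("198.51.100.0/24")],
}


def pinned_policy(flow: Flow) -> bool:
    """Allow only if both the port and the destination match an expected pairing."""
    nets = DEST_ALLOW.get((flow.proto, flow.dst_port), [])
    ip = ipaddress.ip_address(flow.dst_ip)
    return any(ip in net for net in nets)


def nft_port_policy() -> str:
    """Render Policy A as an nftables ruleset (text only; nothing is loaded here)."""
    return "\n".join([
        "table inet egress {",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        "        ct state established,related accept",
        "        udp dport 53 accept",
        "        tcp dport { 53, 80, 443 } accept",
        "    }",
        "}",
    ])


# Constructed traffic: legitimate flows plus what malware on the host might try.
FLOWS = [
    Flow("tcp", "198.51.100.10", 443, "browser to a normal site"),
    Flow("udp", "192.0.2.53", 53, "stub resolver to the configured DNS server"),
    Flow("tcp", "203.0.113.7", 4444, "malware beacon on an arbitrary high port"),
    Flow("tcp", "203.0.113.7", 443, "malware exfiltration over HTTPS to its own server"),
    Flow("udp", "203.0.113.9", 53, "DNS tunnel to an attacker-controlled resolver"),
]


def evaluate(policy, flows=FLOWS) -> dict:
    """Map each flow label to True (allowed) or False (dropped) under a policy."""
    return {f.label: policy(f) for f in flows}


if __name__ == "__main__":
    for name, policy in (("port-only", port_policy), ("destination-pinned", pinned_policy)):
        print(f"== {name} ==")
        for label, allowed in evaluate(policy).items():
            print(f"{'ALLOW' if allowed else 'DROP ':5} {label}")
    print(nft_port_policy())
```

Under the port-only policy the beacon on port 4444 is dropped, but the HTTPS exfiltration and the DNS tunnel both pass, which is the objection raised in the comment. Pinning destinations blocks both, but that only works on a host whose legitimate destinations can be enumerated (a server or appliance); a client that browses arbitrary sites cannot be given such a list, which is why the usual pattern there is to force web traffic through an inspecting forward proxy and to allow DNS only to the local resolver. Neither approach inspects what goes inside an allowed TLS session to a permitted destination.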

Kalcifer OP, (edited) to Linux in Is it possible to delete the default zones in Firewalld, and if not, why?

I see. I guess my point was they exist for a reason, as the default target of one zone hands over to the next zone (target) and then its target, in order to handle traffic not in your zone rules.

Yes, I am aware of that. Just allow the user to specify the zones though. Why force the default ones?

but it is not causing “bloat”.

It is if it's saving alternative configuration that will never be used.

just use iptables directly.

This is essentially what I ended up doing.

Kalcifer OP, to Linux in Is it possible to delete the default zones in Firewalld, and if not, why?

Because it aligns with most people’s use case.

Sure, that is why we have defaults, but why force them? Why not create the defaults, and then allow the user to remove them if they wish?

You’re free to patch it out if you’re so inclined.

This is somewhat of a non-answer. Technically, yes, it is possible for a user to patch OSS as they see fit, but that does not excuse poor design decisions, nor is it necessarily fair to expect the user to do that.

Kalcifer OP, to Linux in Is it possible to delete the default zones in Firewalld, and if not, why?

Do they impact your firewall efficiency?

No -- it just seems unnecessary to force the user to have the default ones -- just allow the user to create the zones that they want/need.

Kalcifer OP, to Linux in Is it possible to delete the default zones in Firewalld, and if not, why?

Because the people that wrote it decided to make it that way.

Sure, but it still feels like a strange design decision.

If you don’t like it, just remove firewalld and manage your iptables/nftables directly

This is essentially what I ended up doing.

Kalcifer OP, to Linux in Is it possible to delete the default zones in Firewalld, and if not, why?

I believe you may have misinterpreted my post. I wasn't asking why zones exist, I was asking specifically why one cannot delete the default zones in Firewalld.

Kalcifer OP, to homelab in [WORKAROUND] Nextcloud portforward stops working when it is moved to a bridged network

I really appreciate all the help that you provided in this thread! To simplify the setup, I bought a different primary router, flashed OpenWRT to it, then set up a WDS bridge between it and the other router. So far, I've had no issues, and the setup has been greatly simplified. I'm, of course, still curious as to why the previous setup wasn't working, but at least everything is working now.

Kalcifer OP, to homelab in Does Avahi work over a bridged network?

To make sure that I understand correctly, are you describing something similar to what was described in this thread?

Kalcifer OP, to homelab in Does Avahi work over a bridged network?

Interesting, where does the 3rd hop come from? Wouldn't the routing table just point from one router to the other -- so 2 hops?

Kalcifer, to Linux in Linux Ubuntu Dual-booting horror

when I installed Ubuntu, it was installed on a partition (sda2) rather than a primary drive (sda)

The exact meaning of the language in use is somewhat context dependent. It is technically possible to use a block device (e.g. /dev/sda) [source] as a filesystem, but it is generally discouraged -- afaik, this is generally because of compatibility reasons. As to the meaning of a statement that looks something like "Install Ubuntu to /dev/sda", this could be interpreted as essentially just rewriting the existing partition table that exists on that drive with a new one, where, for example, partition 1 (e.g. /dev/sda1) is for the boot partition, and partition 2 (e.g. /dev/sda2) is where Ubuntu lives. In that example, technically Ubuntu only resides in /dev/sda2, but, for the whole installation process, the user can interpret it as essentially installing it all to /dev/sda.

I’ve read that when GRUB is installed, if it gets installed to /dev/sda2 rather than /dev/sda it can cause issues with dual booting as the BIOS will read in a sequential order, and it may miss a partition if it’s “far enough down the list”

It's worth understanding the boot process of a system (this is more tailored to an average Linux system, but can be generally applied, if one is careful):

  1. The machine powers on
  2. The BIOS chip on the motherboard comes to life, it gets copied into RAM, and the CPU starts executing it.
  3. It finds the first device in the BIOS boot list
  4. It looks at the first sector (512 bytes) of that drive (this generally only applies if the drive uses MBR, and can be a little bit different with GPT, but the general process is pretty much the same, afaik), which contains the location of the bootloader on that drive, and copies it to RAM at address 0x7C00
  5. The bootloader (e.g. Grub) springs to life and it takes over the boot process from the BIOS
  6. In the case of your average Linux installation, Grub will then initialize something called the "initramfs" which is sort of like an extremely small Linux OS that gets loaded into RAM
  7. Initramfs essentially bootstraps the actual Linux distro into booting -- this is required as booting the desired Linux distro may depend on things that run on Linux which can't exist before Linux is loaded (e.g. LVMs, LUKS encryption, etc.).
  8. Now that the OS is loaded into RAM, it boots, and the process is complete.

So, back to your statement, the actual program of Grub could reside in /dev/sda2, but the "bootloader bootstrapping" program, which resides in the first 512 bytes of the disk, could be thought of as being installed to /dev/sda.

[source], [source], [source], [source]

As another example, you may be in for some trouble if grubx.efi is installed on /dev/sda8 or something.

The only real "hard" limit on the location of Grub is that, in the case of MBR, it necessarily must be located within the first 2.2 TB of the disk.

[source], [source], [source], [source]

I guess I must have gotten my preconceptions wrong, or perhaps I misread something. From my impression, certain things can be installed on the primary drive such as boot loaders, but I could be wrong.

As I outlined above, this is sort of a technicality in language that depends on context.

Finale 2012c is the main software I needed.

I'm not sure if this is exactly equivalent to that software, but perhaps you would be interested in MuseScore -- it's open source.

I’ve heard it can be pretty challenging to get into Arch, is this true?

This has been somewhat exaggerated through memes by the community, and strange elitism. It's a bit tough to separate oneself from their curse of knowledge, but if one possesses the motivation to learn, it's really not that complicated. Depending on one's existing knowledge, it may initially appear daunting, but the community is quite good, from my experience, and the Arch Wiki is extremely useful. Installation is essentially a matter of just following the installation guide step-by-step.

I don’t know if I’ll ever be a “script kiddie” as it were.

Imo, arch has nothing to do with that. If one wants to be a part of that then prob lurking around the Kali Linux communities would be a start. Do note that I am not speaking about Kali Linux from experience, just hearsay, so take that with a grain of salt. But, yeah, Arch is more for people that want more fine-grained control over their system without wanting to get into the full-time job that is something like Gentoo 😜.

I don’t know how much I like the idea of having to hand-craft my OS from bare metal.

Imo, that's not really what arch is -- even Gentoo isn't like that. The closest to that would probably be something like Linux From Scratch. Arch just gives you more freedom to choose the base software that your system is using -- stuff like your DE, your networking utils, display server, audio server, etc.

I would like to emphasize that this kind of choice exists with virtually all Linux distros -- as in you can essentially make any distro "look" like any other (there may be some intricacies that I am unaware of that may get in the way of changing some things without having to alter others); Arch Linux simply gives you most of the choice right up front.
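
The boot walkthrough in the comment above (the 512-byte first sector, the bootstrap code the BIOS jumps to, the /dev/sdaN numbering, and the 2.2 TB MBR limit) can be made concrete by pulling an MBR apart byte by byte. The script below is an added example and is not from the original thread or from GRUB: it parses a boot sector into its 446 bytes of boot code (where GRUB's first stage, boot.img, lives on an MBR disk), the four 16-byte partition entries, and the 0x55AA signature, and computes the largest disk a 32-bit LBA table can describe. The sector it parses is constructed: the boot code is a placeholder jump-and-NOPs, not real bootloader code, and the two partitions are invented sizes.

```python
"""Parse a 512-byte MBR boot sector and show the limits the boot walkthrough mentions.

Added example, not from the original thread. The sector below is constructed:
the 446 'boot code' bytes are a placeholder, not real GRUB boot.img, and the two
partitions are invented sizes.
"""
import struct

SECTOR_SIZE = 512
BOOTCODE_SIZE = 446           # bytes 0..445: the first-stage bootstrap the BIOS jumps to
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = 0xAA55       # bytes 55 AA at offset 510, read little-endian
LBA_BITS = 32                 # MBR stores LBA start and length as 32-bit fields


def mbr_max_addressable_bytes(sector_size: int = SECTOR_SIZE) -> int:
    """Largest disk an MBR partition table can fully describe for a given sector size."""
    return (1 << LBA_BITS) * sector_size   # 2^32 * 512 = 2,199,023,255,552 bytes (~2.2 TB)


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends in the 0x55AA marker the BIOS checks before jumping to it."""
    if len(sector) != SECTOR_SIZE:
        return False
    (sig,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    return sig == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a boot sector into boot code and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if not has_boot_signature(sector):
        raise ValueError("missing 0x55AA boot signature; BIOS would not boot this sector")
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + index * struct.calcsize(PART_ENTRY_FMT)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, offset)
        if ptype == 0:
            continue   # empty slot
        partitions.append({
            "index": index + 1,              # matches the N in /dev/sdaN
            "bootable": bool(status & 0x80),  # 'active' flag a classic chainloader looks for
            "type": ptype,                   # 0x83 = Linux, 0x07 = NTFS/exFAT, ...
            "lba_start": lba_start,
            "sectors": sectors,
            "end_byte": (lba_start + sectors) * SECTOR_SIZE,
        })
    return {"bootcode": sector[:BOOTCODE_SIZE], "partitions": partitions}


def bootable_partition(parsed: dict):
    """Return the entry flagged active, or None if no partition carries the flag."""
    return next((p for p in parsed["partitions"] if p["bootable"]), None)


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields get the conventional 0xFE 0xFF 0xFF filler meaning 'use the LBA fields'.
    return struct.pack(PART_ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                       lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed sector: placeholder boot code, a 512 MiB active Linux /boot, a second Linux partition."""
    bootcode = b"\xeb\xfe" + b"\x90" * (BOOTCODE_SIZE - 2)   # 'jmp $' then NOPs; a stand-in, not GRUB
    table = (_entry(0x80, 0x83, 2048, 1_048_576)             # /dev/sda1: active, starts at 1 MiB
             + _entry(0x00, 0x83, 1_050_624, 100_000_000)    # /dev/sda2: where the distro would live
             + b"\x00" * 32)                                 # two unused slots
    return bootcode + table + b"\x55\xaa"


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    for p in mbr["partitions"]:
        print(f"/dev/sda{p['index']}: type 0x{p['type']:02x} start LBA {p['lba_start']} "
              f"sectors {p['sectors']} bootable={p['bootable']}")
    print(f"MBR can describe at most {mbr_max_addressable_bytes() / 1e12:.3f} TB with 512-byte sectors")
```

The 2.2 TB figure in the comment falls straight out of the field widths: a 32-bit sector count times 512-byte sectors. On a real disk the same parser can be pointed at the output of `dd if=/dev/sda bs=512 count=1` (read-only, as root) to see which entry is marked active and where each /dev/sdaN begins.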

Kalcifer, to Linux in Linux Ubuntu Dual-booting horror

Thank you for the breakdown.

You are very welcome! 😊

I’m now dedicated Ubuntu

A very fair decision! Dual booting can be a huge pain, and, for the average user, it really isn't all that necessary anymore -- Linux has come a very long way!

My problem turned out to be something with the BIOS. I don’t know if a switch got flipped somewhere along the way or what, but when I reset the BIOS to factory default settings in the boot menu I no longer had issues with boot looping and a CPU I could fry an egg on.

Interesting. I'm curious what the setting was. But, I'm glad that it worked out for you in the end!

I do believe that GRUB was initially installed on sda2 and not sda

I refer back to my previous comment -- sda2 refers to a partition on the drive named sda. You could have a drive sda, sdb, sdc, etc. If one was given some partition sdc3 that means it is partition 3 on drive sdc. Everything gets installed into a partition on a drive.

Windows was just taking precedence over grubx64.efi upon startup

This can certainly happen -- especially if Windows is installed after Linux. I would refer you to this answer to fix it.

less a few graphical funnies with some larger proprietary software I use.

Yeah, I'm not too surprised about that (depending on the specific graphical issues that you are referring to, mind you) -- especially if you are using Wine. If you don't mind me asking, what software are you wanting/needing to use?

Funny enough, I tried to do a clean install of Debian with KDE on my system and I went back to having boot issues, mainly where it would just open to GRUB CL and I couldn’t get it to initialize Debian, when I was certain it was a good install.

Hm, this is strange. I would err on the side of a layer 8 error, but there could certainly be some other fuckery afoot.

So I’m just going to stick to Ubuntu for a good while and learn it.

There's no problem with that! Ubuntu was the first distro that I used, as well, when I first got into Linux. Granted, I didn't stick with Ubuntu for long, cause I got mildly annoyed with how it worked.

Once I feel very confident in filesystem maintenance, command line navigation, snap/flatpak/.deb/whatever, all the major things, I’ll start shopping around for another distro again.

Sounds like a solid plan! When you do decide to move on from Ubuntu, I'd recommend Arch Linux 😜
