Kalcifer

@Kalcifer@sh.itjust.works

All of this user’s content is licensed under CC BY 4.0.

Kalcifer,

I agree with the general sentiment, but I don’t believe that it’s right to wish harm upon them.

I'm looking for a task time tracking app (android, and/or desktop Linux)

I’m trying to keep a log of the time that I spend doing specific tasks throughout the day. Currently, the way that I am doing this is by constantly running a stopwatch and filling out a spreadsheet for the day — when a task is completed, I lap the stopwatch and add the task and the time spent on that task in a row in the...

Kalcifer, (edited )

Neat project. The choice to use a web UI is… interesting. Unfortunate that it doesn’t support Wayland for tracking open windows yet. Also, the stopwatch feature is experimental and isn’t fully implemented.

Update (2024-03-27T07:41Z): After doing some more research, it appears to be standard design for this sort of software to use a client-server structure. I’m not sure if this exactly fits my use case. I suppose, ideally, it would be great if I could be able to interact with the activity tracker on all my devices. Unfortunately, however, the ActivityWatch docs state that, currently, it only supports listening on localhost [source].

Kalcifer,

This is a very nice looking app. Unfortunately, it functions as a timer with editable preset tasks. I want to log how much time I spent working on a task, not work on a task for a specific amount of time.

Kalcifer,

I appreciate the inclusion of a CLI program! Personally, I am looking for something with a UI.

Kalcifer,

I’ve been using this for the past day, and it is a great app! It seems to cover exactly what I’m looking for, and it’s a pretty well designed app. Thank you for the recommendation!

Kalcifer,

doas, afaik, was originally made for FreeBSD, so some of its features aren’t compatible with/haven’t been implemented for Linux. That may or may not be an important issue for you to consider.

Kalcifer,

It’s all about reducing the surface area for an attack — if you do become compromised, it’s one less thing to have to worry about. It would be preferable to not have to worry about your data and someone bribing you with some video footage.

Kalcifer,

That’s a rather self-centered statement, imo. Just because you may not be bothered by the idea, does not mean that it does not have merit for others. That line of thinking is in a similar vein to saying “We don’t need freedom of speech because I have nothing to say.”.

Kalcifer,

What are the names of the movies/shows in the top 3 pictures?

Kalcifer,

It depends on how interested/motivated you are in finding out exactly why things aren’t working. If you just want a working system without the hassle, since it’s a fresh install, I’d recommend just reinstalling.

New to Linux? Ubuntu Isn’t Your Only Option (www.howtogeek.com)

Ubuntu’s popularity often makes it the default choice for new Linux users. But there are tons of other Linux operating systems that deserve your attention. As such, I’ve highlighted some Ubuntu alternatives so you can choose based on your needs and requirements—because conformity is boring.

Kalcifer,

Apt is the greatest package manager ever built.

What’s your rationale for making that claim?

Kalcifer,

How do you compare it with Pacman?

How different is Gentoo's new binary package system, compared to Arch Linux?

It was announced late last year that Gentoo is now offering binary versions of their packages. I’ve always had an interest in Gentoo, but the need to compile everything has always turned me away from it. I run Arch because it gives me the sense that I have more control of my system, when compared to other distros like Ubuntu,...

Kalcifer,

There is really no comparison between Gentoo and Arch outside of the “build your own system” approach

This is essentially what I was referring to.

Kalcifer,

I’ve never seen Gentoo ship a version of curl that broke Portage…

Aha, would you mind elaborating? That sounds like quite the issue for Pacman to break its own dependencies.

You basically unpack a tarball, select a kernel, install a bootloader, and go. It’s no different to before except that you can optionally choose to enable the use of binary packages.

Ah okay, I was under the impression that the installation didn’t require installing from source with the new binary system – I thought it was more akin to Arch’s installation where you just select your kernel binary in Pacman, then download, and install.

Gentoo has a great system for managing configuration changes when a package updates a file that you’ve customised.

Would you have any resources/documentation for me to look into this more?

This question doesn’t make much sense to me. What is a “system update”? Isn’t that just updating all of your packages at once?

I misworded my original post – I was referring to things like updating the kernel. I thought that maybe the kernel would be a binary, so it would not have to be recompiled like how I would assume it usually does.

Gentoo enables users to select the stable or testing path, on a per package basis, so you have to opt into packages that haven’t been well tested and even those are typically better tested than arch.

This sounds very appealing to me, but I must admit that these sorts of configurations do seem like they would be mildly daunting to juggle on a production machine.

Kalcifer,

This is just the base system - it’s like any other distribution’s base install except that we don’t have an official ‘installer’; Gentoo distributes tarballs that users unpack following the guidance in the handbook.

[…]

After unpacking the system image you can install a binary kernel, have portage compile one for you, or manage it manually (but still let portage fetch sources)

It may be best for me to simply attempt to install Gentoo in a VM to see for myself, but, out of curiosity, how does the base image differ from something like the .iso that Arch Linux distributes to allow you to install the distro? So, if one were to install a binary kernel, would they still need to initially compile anything? Or could one theoretically do a full Gentoo install without the need of compiling?

Kalcifer,

I’m aware of the cross-post button, but I don’t like how it functions – it doesn’t link all the related posts together, and it unnecessarily turns the body of the post into a quote.

Kalcifer,

A big point of a firewall is to have a device guaranteed to have very little attack surface in between devices that are more unknown quantities.

Are you referring to a NAT?

Then they can add additional features, like recognizing when someone is trying to take advantage of a vulnerability in the webserver on port 80 and blocking it.

It seems that you are using more of a general interpretation of the term “firewall” rather than something more specific like a packet filtering firewall (which is more of the focus of my post). Am I correct in my interpretation?

Kalcifer,

For most people at home their router also does firewalling and NAT, and that is enough.

It is important to note (as was pointed out by others in this thread) that one must also consider threats emanating from within the LAN, as well: Do you have guests that you allow onto your network with potentially un-vetted devices? Do you have other network-capable devices connected to your network that you cannot guarantee their security? Can you guarantee that there are no unintended services with potential security vulnerabilities listening to ports on your device? If so, it is worth considering, at the very least, a packet filtering firewall, e.g. nftables, and if you can’t trust the services running on your device, perhaps also an application layer firewall like OpenSnitch.

Kalcifer,

but I’m not sure how much of a security threat that actually would be. More of a privacy threat, hence running pihole.

It is important to note that being unaware of something’s level of security is not an argument that it is more secure, or not worthy of scrutiny.

Kalcifer,

(friendly wrapper on iptables)

iptables is deprecated, so it’s better to label it as a wrapper for nftables.

Kalcifer,

For a typical home user who isn’t opening ports or taking a development laptop to places with unsecure wifi networks, you don’t really need a firewall. It’s completely superfluous.

A “typical” home user, whom I assume is less knowledgeable about technology, is probably the person who would benefit the most from strict firewalls installed on their device. Such an individual assumedly doesn’t have the prerequisite knowledge, or awareness required to adequately gauge the threats on their network.

Anything you do to your PC that causes you genuine discomfort will more than likely be your own fault rather than an explicit vulnerability.

Would this not be adequate rationale for having contingencies, i.e. firewalls? A risk/threat needn’t only be an external malicious actor. One’s own mistakes could certainly be interpreted as a potential threat, and are, therefore, worthy of mitigation.

And if you’re opening ports on your home network to do self-hosting, you’re already inviting trouble and a firewall is, in that scenario, a bandaid on a sucking chest wound you self-inflicted.

Well, no, not necessarily. It’s important to understand what the purpose of the firewall is. If a device can potentially become an attack vector, it’s important to take precautions against that – you’d want to secure other devices on the network in the off chance that it does become compromised, or secure that very device to limit the potential damage that it could inflict.

Kalcifer,

put a fresh-install of MS-Windows on a machine, & connected it to the internet.

What version of Windows? Connected how? Through a NAT, or was it through a DMZ connection, or neither? Was Windows’ firewall enabled?

It took SEVERAL MINUTES for it to be broken-into, & corrupted, botnetted.

This is highly dependent on the setup, ofc. I can’t really comment without more knowledge of the experiment.

haven’t done it in years: they’ll not pay-for good anti-virus

Idk, nowadays, 3rd party anti-virus software on Windows doesn’t have too much use – Windows Defender is pretty dang good. If anything, a lot of them are borderline scams, or worse.

get AIDS, then, & don’t use anti-AIDS drugs, & see how “healthy” you are, 2 years in.

You don’t catch AIDS. HIV is the virus which causes AIDS to develop over time, if untreated. I’m not sure what you mean by anti-AIDS drugs. You could potentially be referring to anti-retroviral medication, or other related medication used to treat HIV, but, again that’s treating HIV to prevent the development of AIDS. You could also be referring to PrEP, but, once again, that is for protection against contracting the virus, not the collection of symptoms from a chronic HIV infection which is referred to as AIDS.

Tarpit was a wonderful-looking invention

This is interesting, I hadn’t heard of this!

Linux’s netfilter/iptables

Just a side note: iptables is deprecated – it has been succeeded by nftables.

EDIT: “when do I need to wear a seatbelt?”

is essentially the same category of question.

Fair point!

Kalcifer,

No, I was referring to a firewall

A NAT is a type of firewall.

how many ports are open on one versus a random user’s device?

I don’t understand the wording of this question.

NGFWs have extensive capabilities beyond packet filtering.

Interesting. Do you have any recommendations for software, or further reading on the topic?

Kalcifer, (edited )

The problem is when you expose your server to the entire internet. It only takes a few minutes for the bots to find you.

I mean, sure, but the existence of bots doesn’t immediately guarantee that a given service will be compromised; simply take precautions to ensure that the exposed services are secure, that the rest of the network, and the device itself are adequately protected, etc.

Honestly you should use a mesh VPN instead.

In order to solve what problem, specifically?

Kalcifer,

This example feels mildly contrived, as it is probably unlikely that one would have an email server running on a mobile device, but I understand your point.

I have another firewall setting for an untrusted LAN

This sounds interesting. Is it possible to implement this with a packet filtering firewall (e.g. nftables)?

Kalcifer,

Defaults are robust enough

Would you mind defining what “defaults” are?

Kalcifer,

A Firewall might be more advanced than just NAT/poking a hole, it may do intrusion detection (whatever that means) and DDoS protection

I mean, sure, but the original question of why there’s a need for a second firewall still exists.

Maybe you’ve a bunch of IoT devices in your network that are sold by a Chinese company or any IoT device (lol) and you don’t want them to be able to access the internet because they’ll establish connections to shady places and might be used to access your network and other devices inside it.

This doesn’t really answer the question. The device without a firewall would still be on the same network as the “sketchy IoT devices”. The question wasn’t about whether or not you should have outgoing rules on the router preventing some devices from making contact with the outside world, but instead was about what risk there is to a device that doesn’t have a firewall if it doesn’t have any services listening.

Essentially the same answer and in #3

Somewhat, only I would solve it using an application layer firewall rather than a packet filtering firewall (if it’s even possible to practically solve that with a packet filtering firewall without just dropping all outgoing packets, that is).

just don’t get a hardware firewall

What is the purpose of these devices? Is it because enterprise routers don’t contain a firewall within them, so you need a dedicated device that offers that functionality?

Kalcifer,

You most likely don’t need an on-device firewall if you’re in your home network behind a router that has a firewall.

Under what circumstance(s) would one need a device firewall? If I were to guess, I would say that it is when the internet facing device doesn’t contain a firewall within it (e.g. some enterprise-grade router), so a dedicated firewall device must exist behind it.

Kalcifer,

I’ve caught lots of daemons for software that I hadn’t noticed was running and random telemetry activity that way

I did the exact same thing recently when I installed OpenSnitch – it was quite interesting to see all the requests that were being made.

If your policy is “this is meant to be an HTTPS-only machine,” then you might want to enforce that at the firewall level to prevent some careless developer from serving the app on port 80 (HTTP), or exposing the database port while they’re throwing spaghetti at the wall wrestling with some bug. That careless developer could be future-you, of course.

That’s a fair point!

Kalcifer,

True, I could for example switch on and off your smarthome lights or disable the alarm and burgle your home. Or print 500 pages.

How would the firewall on one device prevent other devices from abusing the rest of the network? Perhaps you misunderstood the original intent of my post. I certainly wouldn’t blame you if that is the case, though – when I made my post I was far too vague in my intent – perhaps I simply didn’t think through my question enough, but the more likely answer is that I simply wasn’t knowledgeable enough on the topic to accurately pose the question that I wanted to ask.

Common fallacy, If A then B doesn’t mean If B then A. Truth is, if you have a NAT, it does some of the jobs a firewall does. (Dropping incoming traffic.)

Fair point!

“You need it if you don’t trust the software running on your computer.” => True

For this, though, the only solution to it would be an application layer firewall like OpenSnitch, correct?

Kalcifer,

My point is simply, as a rule of thumb a firewall usually mitigates a lot of attack vectors

The only quibble that I would have with your statement is that I would say that it’s better to word it as it “mitigates a lot of potential attack vectors”, but, other than that, I completely agree with what you said.

Kalcifer,

They also would not realistically be doing anything that would cause open ports on their machine to serve data to some external application.

They may not explicitly do it, no, but I could certainly see the possibility of the software that they use having such a vulnerability, or even a malicious bit of software inadvertently being installed on their device.

In other words: don’t mess around with a firewall if you don’t know what you’re doing. Use your time learning other things first if you’re not a technically sophisticated user. I also don’t exactly know what “mistakes” you’d be mitigating by installing a firewall if you aren’t binding processes to those ports (something a novice user should not be doing anyway).

This sort of skirts around answering the question.

The best way of mitigating mistakes is by not making them in the first place

But mistakes will be made all the same.

Prevention is always better than cure.

This is exactly the point that I am trying to make. Having contingencies in place on the off chance that something doesn’t go as expected could certainly be interpreted as “prevention”.

You should never open ports on your local network. Ever.

What would be the rationale for this statement?

if you need to expose locally hosted services you should be maintaining a cloud VM or similar cloud based service that forwards connections to the desired service on your internal network via a VPN like Tailscale.

I’m not sure that I understand what issue that this would solve. Would the malicious connections not still be forwarded through the VPN to the service? I am quite lacking in knowledge on Tailscale, and how related infrastructure is used in production, so please pardon my ignorance.

Kalcifer,

should prevent all new tcp connection TO ssh ports on other servers when initiated locally (the forward chain is again another story)

But the point that I was trying to make was that that would then also block you from using SSH. If you want to connect to any external service, you need to open a port for it, and if there’s an open port, then there’s an opening for unintended escape.

so … one could run an http/s proxy under a specific user account, block all outgoing connections except those of that proxy (i.e. squid) then every program that wants to connect somewhere using direct ip connections would have to use that proxy.

I don’t fully understand what this is trying to accomplish.

Kalcifer,

Is netfilter not just the API through which you can make firewall rules (e.g. nftables) for the networking stack?

Kalcifer,

I think I was going for the firewall as a means of perimeter security.

Are you referring to the firewall on the router?

it’s fairly uncommon that people go wardriving

Interesting. I hadn’t heard of this.

That may be isolating the cheap Chinese consumer electronic with god knows which bugs and spying tech from the rest of the network.

As in blocking or restricting their communication with the rest of the LAN in the router’s firewall, for example? Or, perhaps, putting them behind their own dedicated firewall (this is probably superfluous to the firewall in the router though).

But you might also be able to use a conventional firewall (or a VPN) to restrict access to that software to trusted users only

For clarity’s sake, would you be able to provide an example of how this could be implemented? It’s not immediately clear to me exactly what you are referring to when combining “user” with network related topics.

Kalcifer,

Have “smart” AI features that will detect threats even when they aren’t known yet;

This is a crazy one – pattern recognition of traffic.

Higher throughput than your router while doing all the other operations above;

Fair point! I hadn’t considered that one.

You can even argue that you can virtualize something like pfSense or OPNsense on some host

This is an intriguing idea. I hadn’t heard of it before.

also virtualizes your router

How would one virtualize a router…? That sounds strange, to say the least.

Kalcifer,

now i have the feeling as if there might be a misunderstanding of what “ports” are and what an “open” port actually is. Or i just don’t get what you want. i am not on your server/workstation thus i cannot even try to connect TO an external service “from” your machine.

This is most likely a result of my original post being too vague – which is, of course, entirely my fault. I was intending it to refer to a firewall running on a specific device. For example, a desktop computer with a firewall, which is behind a NAT router.

so what is your scenario? what do you want to prevent?

What is your example in response to? Or perhaps I don’t understand what it is attempting to clarify. I don’t necessarily have any confusion regarding setting up rules for known and discrete connections like SSH.

accomplish control (allow/block/report) over who or what on my machine can connect to the outside world (using http/s) and to exactly where, but independent of ip addresses but using domains to allow or deny on a per user/application + domain combination while not having to update ip based rules that could quickly outdate anyway.

Are you referring to an application layer firewall like, for example, OpenSnitch?

Kalcifer,

Enable access when you’re at your workplace but inhibit the Windows network share when you’re at the airport wifi.

How would something like this be normally accomplished? I know that Firewalld has the ability to select a zone based on the connection, but, if I understand correctly, I think this is decided by the Firewalld daemon, rather than the packet filtering firewall itself (e.g. nftables). I don’t think an application layer firewall would be able to differentiate networks, so I don’t think something like OpenSnitch would be able to control this, for example.

But an approach like this isn’t perfect by any means. The IoT devices can still mess with each other. Everything is a hassle to set up. And the WiFi is a single point of failure.

What would be a better alternative that you would suggest?

You can also set up a VPN that connects specifically you to your home-network or services. Your Nextcloud server can’t be reached or hacked from the internet, unless you also have the VPN credentials to connect to it in the first place.

The unfortunate thing about this – and I have encountered this personally – is that some networks may block VPN related traffic. You can take measures to attempt to obfuscate the VPN traffic from the network, but it is still a potential headache that could lock you out of using your service.

Kalcifer,

for example detect which network was connected to and re-configure the packet filter.

Firewalld is capable of this – it can switch zones depending on the current connection.

And while I think that is not a good argument at all, I feel protected enough by using the free software I do and roughly knowing how to use a computer. I don’t see a need to install a firewall just to feel better. Maybe that changes once my laptop is cluttered and I lose track of what software opens new ports.

There does still exist the risk of a vulnerability being pushed to whatever software that you use – this vulnerability would be essentially out of your control. This vulnerability could be used as a potential attack vector if all ports are available.

I’m currently learning about Web Application Firewalls. Maybe I’ll put ModSecurity in-front of my Nextcloud.

Interesting! I haven’t heard of this. Side note, out of curiosity, how did you go about installing your Nextcloud instance? Manual install? AIO? Snap?

I’m personally not a friend of that kind of legislation. If somebody uses my tools to commit a crime, I don’t think I should be held responsible for that.

It would be a rather difficult thing to prove – one could certainly just make the argument that you did, in that someone else that was on the guest network did something illegal. I would argue that it is most likely difficult to prove otherwise.

Kalcifer,

But this is a really difficult thing to protect from. If someone gets to push code on my computer that gets executed, I’m entirely out of luck. It could […] send data […].

Not necessarily. An application layer firewall, for example, could certainly get in the way of it trying to send data externally.

On the other hand it could happen not deliberately but just be vulnerable software.

Are you referring to a service leaving a port open that can be connected to from the network?

And then also run Lemmy, Matrix chat and a microblogging platform on it.

I’m definitely curious about the outcome of this – Matrix especially. Perhaps the new/alternative servers function a bit better now, but I’ve heard that, for Synapse at least, Matrix can be very demanding on hardware to run (from what I’ve heard, the issues mostly arise when one joins a larger server).

You’re considered a “disruptor” and can be held responsible, especially to stop that “disruption”.

Interesting. Do you mean “held responsible” to simply stop the disruption, or “held responsible” for the actions of/damage caused by the disruption?

Kalcifer,

If for example my Firefox were to be compromised and started not only talking to Firefox Sync to send the history to my phone, but also send my behavior and all the passwords I type in to a third party… How would the firewall know?

If it’s going to some undesirable domain, or IP, then you can block the request for that application. The exact capabilities of the application layer firewall certainly depend on the exact application layer firewall in question, but this is, at least, possible with OpenSnitch.

It’s just random outgoing encrypted traffic from its perspective.

For the actual content of the traffic, is this not the case with essentially all firewalls? They can’t see the content of the traffic if it is using TLS. You would need to somehow intercept the packet before it is encrypted on the device. I’m not aware of any firewall that has such a capability.

If you just click on ‘Allow’ there is no added benefit.

The exact level of fine-grain control heavily depends on the application layer firewall in question.

A maliciously crafted request or answer to your software can trigger it to fail and do something that it shouldn’t do.

Interesting.

I think now it’s just the first, plus they can ask for a fixed amount of money since by your neglect, you caused their lawyer to put in some effort.

I do, perhaps, somewhat understand this argument, but it still feels quite ridiculous to me.

Linux Ubuntu Dual-booting horror

Any and all help would be so greatly appreciated. I’ve been battling with my laptop to be able to dual-boot Ubuntu Cinnamon and Windows 10 for about four days now. I’ve probably gone down five or six different rabbit-holes of troubleshooting, GRUB command-line fun, reinstalling and updating the BIOS, trying and failing to...

Kalcifer,

It’s always a heartwarming experience seeing someone passionate about a subject enough that they’d be willing to dedicate what was likely at least twenty minutes of their own free time to writing a detailed response to a stranger on the internet.

❤️

(1) VMX (outside TXT) disabled…;

From what I can see, this isn’t that big of a deal. It’s just a warning (technically it is an error, but, essentially it’s a warning), that Virtual Machine Extensions aren’t enabled in the BIOS. Unless these are required for the boot process of your distro (which I seriously doubt), it shouldn’t cause you any problems, unless you explicitly require their functionality for some other program.

(2) ima: error communicating with TPM. I went into the BIOS and figured out how to turn the TPM on, and when I did so… what do you know, I started boot-looping again, just as before.

That’s… strange. Are you certain that it isn’t the converse? Very strange that enabling the TPM would cause issues. It could certainly make sense for it to cause issues if the TPM was in use, and it was disabled.

In case you are unaware, the TPM is essentially a chip on the motherboard (in most cases, anyways – it potentially could be in a different form within the CPU e.g. fTPM)

Apparently I’m going to have to do a bit of troubleshooting to get Linux operable with the TPM

It’s completely possible, and I would certainly not discourage its use – especially if the device is a laptop. It’s, of course, not the be-all and end-all of security, but full disk encryption with a TPM is definitely a good first line of defence. Obviously, it’s better to manually input the encryption password, rather than having it be released by the TPM, but I certainly wouldn’t blame someone for opting for the more user friendly alternative.

Finale works just fine on my system and I don’t intend on changing away from it anytime soon. I’ve been using it for so many years, it’s like second-nature to me. I couldn’t imagine dropping a software I spent hundreds of dollars on now for something else if I still get great mileage out of it.

For sure! If you are comfortable in your work flow, then by all means stay with it. Ethically, though, it of course doesn’t hurt to keep FOSS alternatives to proprietary software in the back of your mind 😊.

It certainly seems more complex than Ubuntu

It sort of depends on exactly what you mean by that, but I certainly wouldn’t argue with the colloquial statement that it’s more “complex” – especially the installation.

but at the same time, boy does it give you a rich experience in learning the intricacies of your system and how everything functions together.

Absolutely! And if you want to go another step further in that understanding, then I would recommend looking into Gentoo.

but then others will actually cause the drive to crash in some spectacular fashion

I think I may know what you are talking about with this. I have experienced issues with external HDD’s going to sleep when they are being read from, or written to, but I attribute that to USB sleep modes. So, if you are referring to an internal SATA drive, then I’m not sure what would be causing that issue.

and I have to sudo umount -l

I would caution against using the -l/--lazy flag. It may present you with unintended consequences. It would be better to find what process is keeping the drive busy before attempting an unmount.

[source]

then remount again with ntfs-3g

Out of curiosity, is there any particular reason why you’re using the userspace NTFS driver, rather than the included kernel driver?
