You’re not a journalist

from reading, don’t believe you (oxjox) happen to even know who CriticalResist8 is let alone who he works for or anything else and that what you want to spread as truth about him (her?) really only is your weak personal shortthought quick-response-cause-i-can-insult-someone opinion. But of course i do not “know” if that is true about you even though i happen to believe that now. how could i know?

i didn’t think CR8 was a journalist either, but i wouldn’t state that i knew he wasn’t until i actually know that as a fact. Do you know that as a fact? Did you check his identity, papers or such?

There are appropriate places for your work. This is not the place.

please, oxjox, do not spread untrue informations or unproven guesses as truth about other people here, lemmy is not a place for such or any type of insults. thank you for not doing such again !!

… that phrase “formed on stolen land” … to who reminds me that again?

maybe try to find a linux user group near where you live. if there is one, usually you get help there, but its usually kinda different sort of help, you don’t get “the solution” to get your personal whishes come true ready prepared in bite-sized piezes for easy consumption but just the help by advices or suggestions that those there can give you or directly would try out.

open source is about sharing knowledge and todays mainstream OS distributions are way more complicated than long ago so the learning curve to adjust things in ways the distribution didn’t prepare (which is often a lot) might be high but always worth a try at least for the learning.

for a lightweight desktop environment that is somehow similar to the old windows98, i’ld say give XFCE a try. i think on debian/ubuntu trying out could be as easy as installing the xfce (or xfce4?) package (or maybe an xfce4-desktop-environment paclage) i don’t remember the exact package name but there is one meta package that depends on all needed stuff, i did it like 4 years ago… when installed you could try it by logging in and (your distro should have a login manager that allows this, or you’ld have to change that too) choosing xfce as desktop environment at login time, thus if you don’t like it, logout again and login with the other again.

i am using xfce because it is clean, lightweight, it does its job, does not invent new unneeded features every few month (like it felt when i used kde long ago) and is adjustable enough for me. i removed the lower task bar and put the open windows components into the bar above adjustedbthat a bit, thats basically what i changed and i think it is quite similar to what win98 was (but thats not the reason for me to have it that way)

also, it is possible to change the window manager (that handles how windows are placed), the desktop manager (like task bar, application menu, maybe widges, logout buttons) and of course also one could change x.org to wayland and back without changing the other components. the login window could come from gnome project but after login one could use a complete different projects toolset.

“can” does not mean that every distro makes that an easy task. also mixing things will likely end in a fuller disk for lots of “needed” components that are maybe mostly unused. (i think i once used gnome but installed kde only for their printing dialog *lol)

when using the big distributions it is likely that no 3rd party downloads are needed to try other window managers or desktop environments, maybe search for such keywords in aptitude , apt search, or such. but new fancy stuff also often first comes from unknown 3rd party websites (or git*.com which is the same security risk as 3rd party websites) before it gets into main repositories after years (or maybe even never)

Closest thing I found was TwisterOS. […] and the fan in my case stops working. Aye-yi-yi!

maybe “TwisterOS” tries to invent air movement by software? it might be a random unrelated incident and the fan is simply broken, it might also be that it enabled some fan control and the fan would start if you only heat up the system enough which might not happen with a lightweight distro and the maybe not cpu consuming programs you use (?). “stress” is a program that could artificially create such cpu consumption for testing (but with a broken fan it might be not a good idea to actively and unnecesarily heat up the cpu, but also cpus usually have failsafe shutdown mechanisms so they dont overheat but that might be like a sudden power down so maybe expect unsaved work to just vanish) another test could be to just give the fan another power source and see what happens, and put abother fan that works in place to see if that changes something

You can use

also there is:

./configure && make && make install

just to mention ;-)

the OS was not the comparison, but the hardware it runs on (just as @Freefall said) but also you seem to be wrong with your other assumption:

And both those devices are tied to a specific OS.

Which seems not to be the case as install instructions for another OS can be found here (i didn’t try it though) for the mentioned device:

https://wiki.lineageos.org/devices/pdx215/

lineage os still is an “android”, but another vendor with clearly different approach than the original firmware and what hinders you from writing bsd drivers and compiling a bsd kernel for it instead? So i count the Xperia 1 III as NOT bound to any OS or OS vendor.

But despite the way longer possible support/security, freedom of choice and endless other possibilities that often come along with free OS choice, this pure and great advantages weren’t even mentioned there, thus it wasnt an OS comparison as it also wasn’t a bound-to-an-OS vs. absentness of vendor-lock-in-limitation-jungle comparison.

First contact was on the here-named eta-carinae system, we did a holiday tour there long ago and heared about earth from a scientist that rescued a human instead of just studying and thus could not leave him there with his memories about him. the human was talking about star trek, its similarities and real differences all the time. he already spoke fluently in standard Sjesh/sound w/o any interfaces so we listened directly to his true mind. he even had a very worn out tng tshirt in his personal memory items box. i mean he really had used his memory items before! that made us curious and the rest is history. However he is now back here, as we managed to arrange his behavioral training to hide his experiences well, he passed all the tests and got his transport back, but with his biologic cells clock reset to his 20th to compensate the decades he lost out there a little bit. it is possible he could become an ambassador for earth one day, but it looks unlikely that he would want that given the circumstances here, a task he always compares with the mytholigical boulder of Sisyphus (that really never existed physically) whenever he is asked about his opportunity.

just kidding, first contact with TNG was in school, other kids talked about the first episode. i could not watch it at home and also had other problems to fix at that time so i missed a lot of the start of it :-/

however i am trying to train myself for writing in general as i have ideas for a longer story (but not within the trek universe) and as the above text came to my mind i just wrote it and hope you don’t find it too misplaced here or badly written… however any feedback is welcome.

so here are some reasons for having a firewall on a computer, i did not read in the thread (could have missed them) i have already written this but then lost the text again before it was saved :( so here a compact version:

• having a second layer of defence, to prevent some of the direct impact of i.e. supply chain attacks like “upgrading” to an malicously manipulated version.
• control things tightly and report strange behaviour as an early warning sign ‘if’ something happens, no matter if attacks or bugs.
• learn how to tighten security and know better what to do in case you need it some day.
• sleep more comfortable when knowing what you have done or prevented
• compliance to some laws or customers buzzword matching whishes
• the fun to do because you can
• getting in touch with real life side quests, that you would never be aware of if you did not actively practiced by hardening your system.

one side quest example i stumbled upon: imagine an attacker has ccompromised the vendor of a software you use on your machine. this software connects to some port eventually, but pings the target first before doing so (whatever! you say). from time to time the ping does not go to the correct 11.22.33.44 of the service (weather app maybe) but to 0.11.22.33 looks like a bug you say, never mind.

could be something different. pinging an IP that does not exist ensures that the connection tracking of your router keeps the entry until it expires, opening a time window that is much easier to hit even if clocks are a bit out of sync.

also as the attacker knows the IP that gets pinged (but its an outbound connection to an unreachable IP you say what could go wrong?)

lets assume the attacker knows the external IP of your router by other means (i.e. you’ve send an email to the attacker and your freemail provider hands over your external router address to him inside of an email received header, or the manipulated software updates an dyndns address, or the attacker just guesses your router has an address of your providers dial up range, no matter what.)

so the attacker knows when and from where (or what range) you will ping an unreachable IP address in exact what timeframe (the software running from cron, or in user space and pings at exact timeframes to the “buggy” IP address) Then within that timeframe the attacker sends you an icmp unreachable packet to your routers external address, and puts the known buggy IP in the payload as the address that is unreachable. the router machtes the payload of the package, recognizes it is related to the known connection tracking entry and forwards the icmp unreachable to your workstation which in turn gives your application the information that the IP address of the attacker informs you that the buggy IP 0.11.22.33 cannot be reached by him. as the source IP of that packet is the IP of the attacker, that software can then open a TCP connection to that IP on port 443 and follow the instructions the attacker sends to it. Sure the attacker needs that backdoor already to exist and run on your workstation, and to know or guess your external IP address, but the actual behaviour of the software looks like normal, a bit buggy maybe, but there are exactly no informations within the software where the command and control server would be, only that it would respond to the icmp unreachable packet it would eventually receive. all connections are outgoing, but the attacker “connects” to his backdoor on your workstation through your NAT “Firewall” as if it did not exist while hiding the backdoor behind an occasional ping to an address that does not respond, either because the IP does not exist, or because it cannot respond due to DDos attack on the 100% sane IP that actually belongs to the service the App legitimately connects to or to a maintenance window, the provider of the manipulated software officially announces. the attacker just needs the IP to not respond or slooowly to increase the timeframe of connecting to his backdoor on your workstation before your router deletes the connectiin tracking entry of that unlucky ping.

if you don’t understand how that example works, that is absolutely normal and i might be bad in explaining too. thinking out of the box around corners that only sometimes are corners to think around and only under very specific circumstances that could happen by chance, or could be directly or indirectly under control of the attacker while only revealing the attackers location in the exact moment of connection is not an easy task and can really destroy the feeling of achievable security (aka believe to have some “control”) but this is not a common attack vector, only maybe an advanced one.

sometimes side quests can be more “informative” than the main course ;-) so i would put that (“learn more”, not the example above) as the main good reason to install a firewall and other security measures on your pc even if you’ld think you’re okay without it.

This is most likely a result of my original post being too vague – which is, of course, entirely my fault.

Never mind, and i got distracted and carried away a bit from your question by the course the messages had taken

What is your example in response to?

i thought it could possibly help clarifying something, sort of it did i guess.

Are you referring to an application layer firewall like, for example, OpenSnitch?

no, i do not conside a proxy like squid to be an “application level firewall” (but i fon’t know opensnitch however), i would just limit outbound connections to some fqdn’s per authenticated client and ensure the connection only goes to where the fqdns actually point to. like an atracker could create a weather applet that “needs” https access to f.oreca.st, but implements a backdoor that silently connects to a static ip using https. with such a proxy, f.oreca.st would be available to the applet, but the other ip not as it is not included in the acl, neither as fqdn nor as an ip. if you like to say this is an application layer firewall ok, but i dont think so, its just a proxy with acls to me that only checks for allowed destination and if the response has some http headers (like 200 ok) but not really more. yet it can make it harder for some attackers to gain the control they are after ;-)

my first guess is that they desperately search someone to take care for their websites progress bar

[======*____________]

Wich is part of the “Tender” template they use: https://w3layouts.com/tender-a-multipurpose-flat-bootstrap-responsive-web-template/ “Tender is a free HTML5 Multipurpose Template, with […]”

and maybe they only have a dumb trainee or one of those super intelligent AIs to search for the specialists they urgently need (or both in combination)

that should explain it ;-)

who knows *gg

follow me for more =D

But the point that I was trying to make was that that would then also block you from using SSH. If you want to connect to any external service, you need to open a port for it, and if there’s an open port, then there’s a opening for unintended escape.

now i have the feeling as if there might be a misunderstanding of what “ports” are and what an “open” port actually is. Or i just dont get what you want. i am not on your server/workstation thus i cannot even try to connect TO an external service “from” your machine. i can do so from MY machine to other machines as i like and if those allow me, but you cannot do anything against that unless that other machine happens to be actually yours (or you own a router that happens to be on my path to where i connect to)

lets try something. your machine A has ssh service running my machine B has ssh and another machine C has ssh.

users on the machines are a b c , the machine letters but in small. what should be possible and what not? like: “a can connect to B using ssh” “a can not connect to C using ssh (forbidden by A)” “a can not connect to C using ssh (forbidden by C)” […]

so what is your scenario? what do you want to prevent?

I don’t fully understand what this is trying to accomplish.

accomplish control (allow/block/report) over who or what on my machine can connect to the outside world (using http/s) and to exactly where, but independant of ip addresses but using domains to allow or deny on a per user/application + domain combonation while not having to update ip based rules that could quickly outdate anyway.

and i hope that has nothing to do with my chaotic style of writing =D

you do not need to know the source ports for filtering outgoing connections.

(i usually use “shorewall” as a nice and handy wrapper around iptables and a “reject everything else policy” when i configured everything as i wanted. so i only occasionally use iptables directly, if my examples dont work, i simply might be wrong with the exact syntax)

something like:

iptables -I OUTPUT -p tcp --dport 22 -j REJECT

should prevent all new tcp connection TO ssh ports on other servers when initiated locally (the forward chain is again another story)

so … one could run an http/s proxy under a specific user account, block all outgoing connections except those of that proxy (i.e. squid) then every program that wants to connect somewhere using direct ip connections would have to use that proxy.

better try this first on a VM on your workstation, not your server in a datacenter:

iptables -I OUTPUT -j REJECT iptables -I OUTPUT -p tcp -m owner --owner squiduser -j ACCEPT

“-I” inserts at the beginning, so that the second -I actually becomes the first rule in that chain allowing tcp for the linux user named “squiduser” while the very next would be the reject everything rule.

here i also assume “squiduser” exists, and hope i recall the syntax for owner match correctly.

then create user accounts within squid for all applications (that support using proxies) with precise acl’s to where (the fqdn’s) these squid-users are allowed to connect to.

there are possibilities to intercept regular tcp/http connections and “force” them to go through the http proxy, but if it comes to https and not-already-known domains the programs would connect to, things become way more complicated (search for “ssl interception”) like the client program/system needs to trust “your own” CA first.

so the concept is to disallow everything by iptables, then allow more finegrained by http proxy where the proxy users would have to authenticate first. this way your weather desktop applet may connect to w.foreca.st if configured, but not e.vili.sh as that would not be included in its users acl.

this setup, would not prevent everything applications could do to connect to the outside world: a local configured email server could probably be abused or even DNS would still be available to evil applications to “transmit” data to their home servers, but thats a different story and abuse of your resolver or forwarder, not the tcp stack then. there exists a library to tunnel tcp streams through dns requests and their answers, a bit creepy, but possible and already prepaired. and only using a http-only proxy does not prevent tcp streams like ssh, i think a simple tcp-through-http-proxy-tunnel software was called “corckscrew” or similar and would go straight through a http proxy but would need the other ond of the tunnel software to be up and running.

much could be abused by malicious software if they get executed on your computer, but in general preventing simple outgoing connections is possible and more or less easy depending on what you want to achieve

not sure what you are talking about, as far as i know(!), the states have communism well integrated. free university, free housing, free medical treatment, free retirement, you just have to enter the military community, they will even protect you for free with all they have from international sues for war crimes you commited. all of above is “as far as i know” only. so to speak, AFAIK “communism” by itself is not the “enemy” of the GOV of the states and has never been, maybe it is just something they do not want >you< to profit from ;-)

you can copy your system live, but that would involve other tools than dd too.

with dd when copying the whole device (instead of just partitions) everything gets cloned. This includes uuids, labes, lvm devices with the names of their lv and vg names and raid devices in case you have any. all of these (c|w)ould collide unless the original disk was taken out or either the new or old disks labrls uuids etc are previously to the boot changed to prevent collusions or accidently mounting/booting the original partitions. also if (!) you use device names i.e. in fstab, crypttab, scripts or such, like with the uuids things could break. also you might have to take action for your bios to actually boot from the stick. most people disable usb boot on notebooks for security reasons.

using dd, cloning the full disk to the full stick, then removing the original disk + set bios boot setting might work out of the box, i’ld try that first as it takes only the effort to boot from another os to do the dd-copy offline (preventing filesystem damage while copying).

a live copy could be done by cloning only the partition layout and bootloader, then setting up new filesystems (with new uuids) and new lvm group/volumes etc if any, copying original disk using rsync then (maybe “bind” mounting to separate partitions if needed), then adjusting boot config to match new uuids/labels. This could be done while running the system to be copied, but of course even running rsync twice might lack some updates of currently open files by sth like desktop programs or logfiles.

Without knowing the exact setup, only limited answers can be given, but you have to make sure the boot process will work, so at least the boot loader (grub?) and its files will be needed, which -at least in the past and for old lilo/grub- could not reside at some position on the disk after some “high value” like some number GBs. if that limitation is still there, your new exact partition layout on the usb stick might be relevant for success, but try/error should give you the hints you need.

you might use “language models” for getting hints, but they are language models, not friends, their “solution” might break your system and delete your data, and they are trained to say they are sorry afterwards, but the are’nt sorry, its just a sequenze of probabilities and words to them not more.

So always only work on data that has been backed up and prooven to be suitable for you to recover everything you need from scratch, no matter if friends, language models or lemmy users assist you ;-)

UPDATE: just learned that batocera is “designed” to be just copied to usb stick and run from there, so it will most likely already include everything you need. best is to follow their instructions how to create the usb stick to boot from. if you already have it running from partition, you most likely can copy your current data using rsync. but beware, if you have two copies with the same uuids (partition +usb) that might not work as expected.

As i see it, the term “firewall” was originally the neat name for an overall security concept for your systems privacy/integrity/security. Thus physical security is (or can be) as well part of a firewall concept as maybe training of users. The keys of your server rooms door could be part of that concept too.

In general you only “need” to secure something that actually is there, you won’t build a safe into the wall and hide it with an old painting without something to put in it or - could be part of the concept - an alarmsensor that triggers when that old painting is moved, thus creating sort of a honeypot.

if and what types of security you want is up to you (so don’t blame others if you made bad decisions).

but as a general rule out of practice i would say it is wise to always have two layers of defence. and always try to prepare for one “error” at a time and try to solve it quickly then.

example: if you want an rsync server on an internet facing machine to only be accessible for some subnets, i would suggest you add iptables rules as tight as possible and also configure the service to reject access from all other than the wanted addresses. also consider monitoring both, maybe using two different approaches: monitor the config to be as defined as well as setup an access-check from one of the unwanted, excluded addresses that fires an alarm when access becomes possible.

this would not only prevent those unwanted access from happening but also prevent accidental opening or breaking of config from happen unnoticed.

here the same, if you want monitoring is also up to you and your concept of security, as is with redundancy.

In general i would suggest to setup an ip filtering “firewall” if you have ip forwarding activated for some reason. a rather tight filtering would maybe only allow what you really need, while DROPping all other requests, but sometimes icmp comes in handy, so maybe you want ping or MTU discovery to actually work. always depends on what you have and how strong you want to protect it from what with what effort. a generic ip filter to only allow outgoing connections on a single workstation may be a good idea as second layer of “defence” in case your router has hidden vendor backdoors that either the vendor sold or someone else simply discovered. Disallowing all that might-be-usable-for-some-users-default-on-protocols like avahi & co in some distros would probably help a bit then.

so there is no generic fault-proof rule of thumb…

to number 5.: what sort of “not trusting” the software? might, has or “will” have: a. security flaws in code b. insecurity by design c. backdoors by gov, vendor or distributor d. spy functionality e. annoying ads as soon as it has internet connection f. all of the above (now guess the likely vendors for this one)

for c d and e one might also want to filter some outgoing connection…

one could also use an ip filtering firewall to keep logs small by disallowing those who obviously have intentions you dislike (fail2ban i.e.)

so maybe create a concept first and ask how to achieve the desired precautions then. or just start with your idea of the firewall and dig into some of the appearing rabbit holes afterwards ;-)

regards