Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always (and even being extremely specialized, I would still enable a firewall. :-P)
Operating systems nowadays are extremely complex with a lot of moving parts. There are security relevant bugs in your network stack and in all applications that you are running. There might be open ports on your computer you did not even think about, and unless you are monitoring your local open ports 24/7, you don’t know what is open.
First of all, you can never trust other devices on a network. There is no way to know if they are compromised. You can also never trust the software running on your own computer - just look at CVEs; even without malicious intentions your software is not secure and never will be.
As soon as you are part of a network, your computer is exposed, doesn’t matter if desktop/laptop, and especially for attacking Linux there are a lot of drive-by attacks happening 24/7.
Your needs for firewalls mostly depend on your threat model, but just disabling accepting incoming requests is trivial and increases your security by a great margin. Further, setting a rate limit for failed connection attempts for open ports like SSH, if you use these services, is another big improvement for security. (… and of course disabling password authentication, YADA YADA)
That said, obviously security has to be seen in context, the only snake oil that I know of are virus scanners, but that’s another story.
People who claim you don’t need a firewall make at least one of the following wrong assumptions:
Your software is secure - demonstrably wrong, as proven by CVEs
You know exactly what is running/reachable on your computer - this might be correct for very small specialized embedded systems, even for them one still must always assume security relevant bugs in software/hardware/drivers
Security is a game, and no usable system can be absolutely secure. With firewalls, you can (hopefully) increase the price for successful attacks, and that is important.
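An added example of the two measures the comment recommends (drop unsolicited inbound traffic, rate-limit new SSH connections), written here in nftables syntax; it is not from the comment or from any distribution's default ruleset. It assumes SSH listens on TCP port 22, that nothing else on the host is meant to be reachable, and that the per-source meter only needs to cover IPv4 sources. A packet filter cannot tell whether a login failed, so the limit applies to new connection attempts per source address; limits on failed logins themselves belong in sshd (MaxAuthTries) or a log-driven tool such as fail2ban.

```nft
#!/usr/sbin/nft -f
# Added example: minimal host firewall. Assumptions: SSH on TCP/22, no other
# service is meant to be reachable from the network, meter is IPv4-only.
flush ruleset

table inet host_fw {
    # Dynamic per-source meter; an entry is forgotten a minute after its last hit.
    set ssh_meter {
        type ipv4_addr
        size 65535
        flags dynamic
        timeout 1m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept                       # local processes talking to themselves
        ct state established,related accept  # replies to connections this host opened
        ct state invalid drop

        ip protocol icmp accept               # ping, path-MTU discovery, ICMP errors
        meta l4proto ipv6-icmp accept         # IPv6 needs this for neighbour discovery

        # More than 4 new SSH connections per minute from one source: drop them.
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 4/minute } drop
        tcp dport 22 ct state new accept

        # Anything else: log a sample for detection, then fall through to the drop policy.
        limit rate 5/minute log prefix "host_fw input drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # this host is not a router
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without touching the live ruleset with `nft -c -f host_fw.nft`, load it with `nft -f host_fw.nft`, and confirm with `nft list ruleset`. If you apply it over SSH, keep the existing session open until a second login succeeds, since a typo in the SSH rule locks you out otherwise.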
You may also want to check up on regulations and laws of your country.
In Belgium, for instance, I am responsible for any and all attacks originating from my PC. If you were hacked and said hackers used your computer to stage an attack, the burden of proof is upon you. So instead of hiring very expensive people to trace the real source of an attack originating from your own PC, enabling a firewall just makes sense, besides making it harder on hackers…
That’s a strange law. That’s like saying one should be held responsible for a thief stealing their car and then running over someone with it (well, perhaps an argument could be made for that, but I would disagree with it).
Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always
In what capacity, though? I see potential issues with both server firewalls, and client firewalls. Unless one wants their devices to be offline, there will always be at least one open port (for example, inbound on a server, and outbound on a client) which can be used as an attack vector.
After my BIOS splash, it shows “welcome to grub” and then switches to the Debian start menu for 3 seconds or so, then shows some terminal stuff and then starts the KDE splash and then login.
Yeah, the reason for this is that sometimes Debian doesn’t enable Plymouth splash screens by default, so you just see the text stuff. It actually annoys me a bit.
Not on my computer at the moment, so I can’t remember the exact packages you might need, but if I recall, they should be plymouth-themes and kde-config-plymouth (so that you can choose the splash screen theme in your system settings). You can also find other themes online, but I forgot the name of that website where all the stuff is. Pling? I think it’s that.
Anyway, once you have the themes installed, you need to sudo edit /etc/default/grub and append “quiet splash” (with the quotes) to GRUB_CMDLINE_LINUX_DEFAULT= (“quiet” might already be there).
You can also change the value of GRUB_TIMEOUT= in that file to whatever your preference might be for the duration of grub’s boot menu, but there might be other things you need to adjust in order to hide it completely and still be able to access it if necessary.
After that, run sudo update-grub so that it’s using the new config and choose whichever theme you want in the system settings.
Alternatively, grub-customizer is a GUI app that you can install to do all of the above (which will also update grub when you save your changes). Just don’t touch anything that’s not relevant. Stick to just the duration of the grub boot menu and add the splash parameter. Ignore boot priority, etc.
It should feel less “slow” to start up once all that’s sorted.
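The grub edits described above, as an added shell example (not the commenter's own commands): it adds the boot parameters and sets the menu timeout idempotently, so running it twice does not leave you with `quiet quiet splash`. It assumes the file uses the usual `KEY=value` / `KEY="value"` layout of /etc/default/grub and GNU sed. Try it on a copy first via the `GRUB_FILE` variable (an assumption of this script, not a grub setting), then on the real file as root, followed by `sudo update-grub`.

```shell
#!/bin/sh
# Added example: idempotent edits to a grub defaults file.
# GRUB_FILE is this script's own variable; it defaults to /etc/default/grub.
set -e

# Print the current value of KEY in FILE, with surrounding double quotes removed.
grub_get() {
    key="$1"; file="$2"
    val=$(sed -n "s/^$key=//p" "$file" | tail -n 1)
    val=${val#\"}; val=${val%\"}
    printf '%s' "$val"
}

# Set KEY to VALUE in FILE (written quoted): replace the line if it exists,
# append it otherwise. The file is sourced by shell, so quoting numbers is fine.
grub_set() {
    key="$1"; value="$2"; file="$3"
    if grep -q "^$key=" "$file"; then
        sed -i "s|^$key=.*|$key=\"$value\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Append each given word to GRUB_CMDLINE_LINUX_DEFAULT unless it is already there.
grub_add_cmdline() {
    file="$1"; shift
    line=$(grub_get GRUB_CMDLINE_LINUX_DEFAULT "$file")
    for word in "$@"; do
        case " $line " in
            *" $word "*) ;;                       # already present, keep as is
            *) line="${line:+$line }$word" ;;
        esac
    done
    grub_set GRUB_CMDLINE_LINUX_DEFAULT "$line" "$file"
    printf '%s\n' "$line"
}

GRUB_FILE="${GRUB_FILE:-/etc/default/grub}"
if [ "${1:-}" = "apply" ]; then
    grub_add_cmdline "$GRUB_FILE" quiet splash
    grub_set GRUB_TIMEOUT 1 "$GRUB_FILE"      # seconds the boot menu stays visible
fi
```

Usage: `cp /etc/default/grub /tmp/grub.copy && GRUB_FILE=/tmp/grub.copy sh grubedit.sh apply`, inspect the copy with `diff`, then `sudo sh grubedit.sh apply && sudo update-grub`.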
Yeah, the reason for this is that sometimes Debian doesn’t enable Plymouth splash screens by default, so you just see the text stuff. It actually annoys me a bit.
I always go through and turn off all the stuff that’s covering up the diagnostic information that I want to see, myself.
I think the point is the number of times someone is having such an issue, and those people show up to proclaim they’ve never had such problems as if it’s helpful. So, at least you can recognize it’s not.
The zones are there so you can set your ports/services as needed for home, work, public wifi etc. The idea is you leave your ports alone and just swap the adapter to the zone you are working in. Network Manager has a quick toggle on wifi to do this from connection settings. So at home your laptop has ssh, smb open etc.; when you connect to Starbucks wifi you set wifi to public. The other part of zones is each has a fallback default you can specify. So if a port or service traffic doesn’t match your home zone you can have it fail over to default; in my case default is public. If that doesn’t match either it can fail over to “drop” or “block” etc. They have a hierarchy.
If you are just dealing with the CLI it can be intimidating. You can try OpenSUSE in a VM and use the YaST Firewall GUI tool to play around with adapter, default, zones, services and ports and get familiar with the idea behind it.
I believe you may have misinterpreted my post. I wasn’t asking why zones exist, I was asking specifically why one cannot delete the default zones in Firewalld.
I see. I guess my point was they exist for a reason, as the default target of one zone hands over to the next zone (target) and then its target, in order to handle traffic not in your zone rules. Maybe you know that already. If you have a static machine at work maybe you don’t need the home zone, but it is not causing “bloat”. You would also still need drop, block and so on. My thought is if you think firewalld is bloat, just use iptables directly.
I see. I guess my point was they exist for a reason, as the default target of one zone hands over to the next zone (target) and then its target, in order to handle traffic not in your zone rules.
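A firewalld zone file of the kind the comment describes, as an added example (not from the comment or from firewalld's shipped zones): a `home` zone that keeps SSH and Samba reachable, but only from the LAN, with new SSH connections rate-limited and logged. The subnet 192.168.1.0/24 is a constructed placeholder. A file under /etc/firewalld/zones/ overrides the built-in zone of the same name from /usr/lib/firewalld/zones/. `target="default"` means traffic this zone does not explicitly accept gets firewalld's default handling for the zone, which is reject.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: /etc/firewalld/zones/home.xml (overrides the built-in home zone).
     Assumption: the trusted LAN is 192.168.1.0/24 (constructed address). -->
<zone target="default">
  <short>Home</short>
  <description>Trusted LAN: SSH and Samba reachable, but only from the local subnet.</description>

  <!-- A plain service entry is open to every source in the zone, so only
       discovery, which has to answer everyone, is listed this way. -->
  <service name="mdns"/>

  <!-- Rich rules scope the interesting services to the LAN. Anything else
       hits the zone target, which for "default" means reject. -->
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="ssh"/>
    <log prefix="home-ssh" level="info">
      <limit value="5/m"/>
    </log>
    <accept>
      <limit value="3/m"/>
    </accept>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="samba"/>
    <accept/>
  </rule>
</zone>
```

After saving the file, run `sudo firewall-cmd --reload` and check it with `firewall-cmd --zone=home --list-all`. Binding a connection to a zone is done in NetworkManager, e.g. `nmcli connection modify "Home Wifi" connection.zone home` and `nmcli connection modify "Cafe" connection.zone public`; `firewall-cmd --get-active-zones` shows which interface currently sits in which zone.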
Yes, I am aware of that. Just allow the user to specify the zones though. Why force the default ones?
but it is not causing “bloat”.
It is if it’s saving alternative configuration that will never be used.
It makes sense for them to include the reject and drop types for obvious reasons; the others seem like they asked “what will be the most common use cases for networks?” so they threw them in as work, home, public and trusted, external, dns, etc. so that somebody starting out doesn’t have to create zones from scratch. I doubt having one extra zone takes up very much in the way of KB of space compared to how much junk I have in my downloads folder that I should triage. What would be nice though would be a rename function, because we may have different Work rules depending on which workplace you are at that day with a system.
All LTS releases get 5 years of updates. Ubuntu Pro (which is free for non-commercial users FYI) extends the LTS support window to 10 years, which is 5 years more than any other Linux distribution I know of.
Sorry, I meant “Additional security updates”. It’s not very useful for normal users and Canonical is targeting enterprises with it, but looking at it every day without a non-hacky way to disable it just wore on me.
And constant non-optional pop-ups nagging you to upgrade to Ubuntu Pro during those five years. I’d actually be kinda okay with it if it were only after, and if just as a reminder that, hey, the LTS period is over, you need to switch to the next LTS release now.
This is on Ubuntu 22.04.3 LTS, so well within the 5 year window. I’m complaining because I kept getting frantic calls from people using that who didn’t know what was going on.
Depends a lot on what kind of user. I specified “non-technical” with a reason. I have, in the past, recommended Ubuntu to a small number of friends and family members. These are people who aren’t particularly comfortable using computers in the best of times. They very much don’t need the newest, best and most shiny versions of everything. They need to do billing, taxes, correspondence, email and various other tasks related to their small business, they need that to work reliably, and if at all possible, to work exactly the same way as it did the last five years. And if there is any pop-up they don’t immediately understand (for example because it’s in English instead of their native language, yes that still happens in Ubuntu quite a bit), they will call me on the phone.
I don’t know if you’ve ever had to support non-technical end-users, but for some of them, even something as seemingly trivial as a menubar that has moved from the top to the side can be an issue that needs explaining and training. For that kind of user, I really do want to postpone all updates beyond pure bug and security fixes for as long as reasonably possible. Five years sounds reasonable. Six months does not.
Ubuntu is not Arch Linux. The 6 month release doesn’t give you the “the newest, best and most shiny versions of everything” in the first place.
If they don’t like change so much as to not being able to handle some minor UI updates, then they’re better off using a Chromebook lol.
You’d just be making it harder for them to move from the outdated software in the long run, because literally everything changes between moving LTS from the 5y EOL period instead of gradually over each major normal 6 month release.
They do, including those that are in Debian, but they also have an additional source of faster security updates developed in house, which they hold back from the free path in favor of the pro package.
Personally, I feel a bit torn about this. On the one hand, this should be, officially at least, purely an additional service on top of what’s available in the baseline distro, and isn’t taking anything away from that.
On the other hand, I strongly disagree with holding back security fixes from anyone, ever, for any reason. Also, the claim that it will never take away anything from the free base distro is at least a little bit suspect. I would not be surprised if the existence of the pro path were to gradually erode the quality and timeliness of the base security upgrade path over time. Also, Ubuntu is now very annoying about nagging you to upgrade to pro, and the way to disable that is fairly involved and very much non-official. The whole thing goes against what I expect from a F/OSS operating system. I don’t quite understand why this topic hasn’t been a much bigger issue in Linux circles yet. It certainly doesn’t sit right with me…
Not that I’m a fan of Ubuntu here (I generally don’t run it when I can run anything else), but I do want to say I think you’ve missed the point of the Pro tier.
Ubuntu releases two stable versions a year which are supported for 2 years or so. This is like a slow rolling distribution, and makes the newest software available. It receives regular security updates from upstream, from Canonical, and from backports, again for up to about 2 years. Most users install this version.
Ubuntu LTS editions are similar to the above, but receive all the same security updates for 5 years instead of 2. These distributions are generally targeted for Enterprise users who value stability over having the newest software, and for whom upgrading comes with significant time, expense and risk. The 5 year window is customary among other distros, and is largely supported by and throughout the Dev community.
Ubuntu LTS Pro editions extend the LTS support editions for an additional 5 years, meaning a Pro distro enjoys 10 years of security updates from upstream, backports, and from Canonical where needed. Canonical might even open source their fixes back into upstream for other maintainers and distros to use, depending on the situation. However, since Canonical is providing the work, they charge subscription fees to cover their costs for it from their target audience: Enterprises who can’t or REALLY don’t want to upgrade.
Why an Enterprise might not want to upgrade has to do with risk and compliance. Corporate IT security is a different world, where every bit of software may need to be reviewed, assessed, tested and signed-off upon. Major software upgrades would need to be recertified to mitigate risk and ensure compliance, which takes significant time and expense to complete in good faith. Not having to do it every 2 or 5 years is money in the bank, especially when the environment doesn’t introduce new requirements very often.
Canonical is meeting a market demand with their Pro tier by allowing these customers to spend a fraction of their recertification costs on a software subscription. It’s overall good for the ecosystem because you have what amounts to corporate sponsors pumping money into keeping older packages maintained for longer. This lets them keep using the same software distro all the rest of us can use for free.
I’m not shy about calling bullshit on ANY distro that operates in bad faith, and they all get into some BS from time to time. Nevertheless, Canonical are acting in good faith on this, and are merely collecting money for their time and skill to provide maintenance on FOSS packages that might otherwise go unmaintained.
tl;dr: Pro tier is for Enterprise customers who need extra-long term support and are willing to pay for it. Canonical is meeting a market demand so they can remain competitive for use in those environments, which is good for everyone. It’s benign. Keep the pitchforks sharp and the torches dry for another day.
Pro tier is for Enterprise customers who need extra-long term support and are willing to pay for it. Canonical is meeting a market demand so they can remain competitive for use in those environments, which is good for everyone. It’s benign
Then please show me the button (and I mean button, not command-line exclusive settings or config file entries in /etc, and certainly not unofficial trickery like third party repositories that replace Ubuntu advantage packages with an empty decoy) that says “Thank you, I don’t need Ubuntu Pro, please stop nagging me about it”.
Oh, I never said they weren’t absolute prats about invading user space with advertising their bullshit. The Lens fiasco, Snaps, the popup warnings in apt breaking scripts, and the lack of UI toggles to easily disable those nag messages are all reasons I run other distros. There’s a big Mint colored button to turn on the Ubuntu experience without the nagging.
You have other choices that do not shove that bullshit in your face. Canonical is gonna canonical. Nobody said you have to play their game.
My point was they are not withholding anything community-based from anyone. They are entitled to charge for their original work, even if they are pushy about it. They even abide by the license and distribute the changes when complete, but they’re not gonna just do it for giggles.
The additional Ubuntu Pro security updates are also open source, which means open source maintainers are free to adopt them for the regular security updates (and some do).
If Canonical didn’t charge for those additional security updates they wouldn’t be able to pay for developing them, which would result in only core packages getting patched again. Also it’s possible to make an account and get them for free on a few devices, so it’s really not so bad. This way of doing things is better than what RedHat is doing with RHEL.
If Canonical restricted maintainers from applying Canonical’s patches, I’d change my opinion. For me I don’t need security updates that badly, so I’m fine with Debian, NixOS (or Ubuntu non-Pro).
Good question. Docker can be used for orchestration which I’m pretty sure is a lot more than flatpak is designed for. So if this interests you (I’m fine with docker) feel free to try it out and update me.
Lately I’ve been using chatGPT to create a bunch of small custom python programs to do stuff like this (if I can’t easily find an existing program to do what I want).
For example I would tell it something like:
Create a python program that does the following:
-asks the user for a directory to process
-sorts the files in that folder according to file type, placing them into appropriately named sub-folders, eg all image files into a folder named "images", all music files into "music" and so on.
-creates any new sub folders before moving the files
-moves the files verbosely
-gives the user a notification upon finishing
You can customize it to do exactly what you want, and it takes only seconds for it to give you the code.
I can’t even begin to tell you how much time it’s saved me over the last few weeks, automating simple stuff that would normally take ages.
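A program of the kind that prompt asks for, written here as an added example rather than the commenter's generated code. The category table, the decision to process only the top level of the chosen directory, the skipping of symbolic links (so the script never follows a link out of that directory) and the no-overwrite rule are this example's own choices, and the finishing "notification" is a printed summary. `demo()` builds a constructed scratch directory so the behaviour can be checked without touching real files.

```python
#!/usr/bin/env python3
"""Sort the files in one directory into sub-folders by file type.

Added example, not the comment author's generated program: the category
table, the skip-symlinks rule and the no-overwrite rule are this example's
own choices.
"""
import shutil
import sys
import tempfile
from pathlib import Path

# Sub-folder name -> extensions that belong in it (compared lower-case).
CATEGORIES = {
    "images": {".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".svg"},
    "music": {".mp3", ".flac", ".ogg", ".wav", ".m4a"},
    "videos": {".mp4", ".mkv", ".avi", ".mov", ".webm"},
    "documents": {".pdf", ".doc", ".docx", ".odt", ".txt", ".md"},
    "archives": {".zip", ".tar", ".gz", ".7z", ".rar"},
}
EXT_TO_FOLDER = {ext: folder for folder, exts in CATEGORIES.items() for ext in exts}


def categorize(filename):
    """Return the sub-folder for a file name, or None if its type is not in the table."""
    return EXT_TO_FOLDER.get(Path(filename).suffix.lower())


def unique_target(folder, name):
    """Destination path inside `folder` that does not clobber an existing file."""
    stem, suffix = Path(name).stem, Path(name).suffix
    candidate = folder / name
    n = 1
    while candidate.exists() or candidate.is_symlink():
        candidate = folder / f"{stem} ({n}){suffix}"
        n += 1
    return candidate


def sort_directory(directory, dry_run=False, verbose=True):
    """Move the regular files in `directory` into type sub-folders.

    Only the top level is touched: sub-folders are left alone and symlinks are
    skipped, so the script never follows a link out of the chosen directory.
    Returns the list of (source, destination) pairs moved (or planned, in dry run).
    """
    root = Path(directory).resolve(strict=True)
    if not root.is_dir():
        raise NotADirectoryError(root)
    moves = []
    for entry in sorted(root.iterdir()):
        if entry.is_symlink() or not entry.is_file():
            continue
        folder = categorize(entry.name)
        if folder is None:
            continue
        dest_dir = root / folder
        if not dry_run:
            dest_dir.mkdir(exist_ok=True)   # create the sub-folder before moving
        dest = unique_target(dest_dir, entry.name)
        if verbose:
            tag = "[dry-run] " if dry_run else ""
            print(f"{tag}{entry.name} -> {dest.relative_to(root)}")
        if not dry_run:
            shutil.move(str(entry), str(dest))
        moves.append((entry, dest))
    return moves


def demo():
    """Constructed sample: build a scratch directory, sort it, report the result."""
    scratch = Path(tempfile.mkdtemp(prefix="sorter-demo-"))
    for name in ("a.jpg", "b.MP3", "notes.txt", "README", "c.png"):
        (scratch / name).write_text("sample")
    (scratch / "images").mkdir()
    (scratch / "images" / "a.jpg").write_text("already here")   # name collision case
    moved = len(sort_directory(scratch, verbose=False))
    layout = sorted(str(p.relative_to(scratch)) for p in scratch.rglob("*") if p.is_file())
    shutil.rmtree(scratch)
    return moved, layout


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    target = args[0] if args else input("Directory to process: ")
    done = sort_directory(target, dry_run="--dry-run" in sys.argv)
    print(f"Finished: {len(done)} file(s) processed.")
```

Run it as `python3 sorter.py ~/Downloads --dry-run` first to see the planned moves; without the flag it performs them. Files whose type is not in the table, sub-folders and symlinks stay where they are, and a file that already exists at the destination is never overwritten: the incoming one gets a numbered suffix instead.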
I think that’s a good start, but the baseline of what AI can do. These scripts have been around since filesystems were invented. And you can do this with one (lengthy) shell command. Or one of the already existing file sorting utils. (something like this [Edit: see next comment] or Hazel or DropIt) With those you can even configure if it should recursively visit subdirectories and do individual subdirectories for the filetypes or mangle everything together for example in one big unsorted mp3 directory.
What I’m waiting for (I’m not OP) is something that looks at the content of the files. Do a directory for all the manuals I downloaded for the household appliances, find out on which event I took a photo and make a correctly named album for that, find the project files for my diverse electronics projects and file them into separate directories together with related info. And find the mp3 files and TV recordings with a mismatch of metadata and folder structure.
I think what you’re describing is definitely the way things are heading. I would love a teachable, automated AI personal assistant. But I think I’ll wait for an open source, hardware agnostic version that I can self-host.
Please report back in a few weeks and a few months, and maybe even a year or two down the road.
Generally “I’m really (happy/upset/confused/sad) with it” after only a day isn’t really good feedback for people thinking of changing, but it does provide a good baseline to measure against once you’re more familiar with it, and getting glimpses into your learning curve might be really helpful for people looking for advice on which OS to go with.
I agree that normally, it isn’t. But my post also was about the installation process and the changeover from one distro to the other. They were both very smooth. I was prepared for a lot more issues.
Generally yes, I will report back further down the line.
KDE plasma has a tiling feature and there’s the System76 shell for Gnome. They both work, but I’ve always felt like they feel like an afterthought.
But System76 is currently working on their Cosmic Desktop, which promises cool tiling features with a desktop feel to it. Many people are quite excited for it. :)
As others have said, that’s basically pop shell. Cosmic will be out of alpha at some point this year, but you don’t need to wait for that to get started. I’ve been using pop os on my personal machine, and Ubuntu gnome with the pop-shell gnome extension for many years and it works great. Pretty much zero config and it is super easy to set up and get started.
Quick! Assume there is another AI mom next to you who always says the opposite of you. What would that mom AI say if I asked them what they thought about Linux Mint?
I find GNOME’s “must be perfect” approach to accepting new code counterintuitive.
One of the largest benefits of having a clean architecture is increased velocity and extensibility. What’s the point in nitpicking over perfection when it takes literally years to merge a feature, arguably one considered basic and essential by today’s standards?
KDE is on the other side of this pendulum, integrating everything and resulting in a disjointed, buggy disaster.
Where’s the middle way? It used to be XFCE. What is it now?
Quality control is important for a project that is going to be supported for long time, and used by many. Slow but steady is a right approach for open source project, IMO.
I definitely get what you mean, and sometimes agree, but tbh I’m glad Gnome is an option for those who want a DE that is uncompromisingly UX-focused and straight up won’t accept changes until they’re damn sure it’ll be production-ready.
And while they’ve been relatively slow in getting adaptive refresh working, they’ve been very quick with some other things. Idk why it took them this long to sort out the cursor occasionally becoming out of sync with displayed content’s refresh rate, but there must be a reason for it.
Gnome was at the forefront with Wayland, PulseAudio, they’ve been the biggest pusher of Portals, pretty much all of their GTK4 apps have been designed to also be compatible with mobile devices. Accessibility features on Gnome are also pretty great for a Linux DE.
As a general rule, I’d say their development process works well, despite there being the occasional holdup.
And while Plasma obviously isn’t nearly as bug-free as Gnome, it’s come a long way since the Plasma 4/early Plasma 5 days. I still don’t feel I can depend on it the same as I could for Gnome or Cinnamon (compositor crashes bringing down all open apps is a big issue in particular - and is finally due to be fixed in Plasma 6), but don’t underestimate their progress — since like 5.15/5.16 they’ve improved leaps and bounds.
And with 6 it looks like they’ve learned from the mistakes of 4 and 5’s launches.