I don’t fully understand how you are going about your installation. Are you attempting to install Windows 10, and Ubuntu onto different partitions on one drive, or each on a separate drive? Are you wanting to use grub to boot the OS of choice, or to choose the boot device from the BIOS boot device menu? In what order did you initially install the OS’s (Windows 10 first, then Ubuntu, or vice-versa)?
The fact that it’s a “single board” computer, specifically, is mildly irrelevant, imo; just follow standard backup practices. The only way the type of computer really comes into question is whether or not it has adequate resources to run whatever backup solution that you choose. For my usecase, Borg works great, but choose whatever solution fits your requirements. The “simplest”, and lightest solution is probably rsync, but that may leave a lot to be desired.
Well dang, I have Nextcloud installed as a snap (which has been perfectly stable for me when running on Ubuntu Server), but I was thinking of switching over to a docker installation; this thread doesn’t exactly fill me with enthusiasm for that idea…
If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?
This is a fair point that I hadn’t considered for the mobile use-case.
Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?
Fair point!
note that you likely do have applications listening on ports you didn’t know about. Take a look at sudo ss -utpnl.
Interesting! In my case I have a number of sockets from spotify, and steam listening on port 0.0.0.0. I would assume, that these are only available to connections from the LAN?
It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.
OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.
It could also be malicious software that simply makes a request to a remote server – perhaps even siphoning your local data.
If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, would you?
That’s a strange law. That’s like saying one should be held responsible for a thief stealing their car and then running over someone with it (well, perhaps an argument could be made for that, but I would disagree with it).
Seriously, unless you are extremely specialized and know exactly what you are doing, IMHO the answer is: Always
In what capacity, though? I see potential issues with both server firewals, and client firewalls. Unless one wants their devices to be offline, there will always be at least one open port (for example, inbound on a server, and outbound on a client) which can be used as an attack vector.
Tell the computer explicitly which ports it can and cannot open.
Isn’t this all rather moot if there is even one open port, though? Say, for example, that you want to mitigate outgoing connections from potential malware that gets installed onto your device. You set a policy to drop all outgoing packets in your firewall; however, you want to still use your device for browsing the web, so you then allow outgoing connections to DNS (UDP, and TCP port 53), HTTP (TCP port 80), and HTTPS (TCP port 443). What if the malware on your device simply pipes its connections through one of those open ports? Is there anything stopping it from siphoning data from your PC to a remote server over HTTP?
I see. I guess my point was they exist for a reason, as the default target of one zone handsover to the next zone (target) and then its target, in order to handle traffic not in your zone rules.
Yes, I am aware of that. Just allow the user to specify the zones though. Why force the default ones?
but it is not causing “bloat”.
It is if it’s saving alternative configuration that will never be used.
Sure, that is why we have defaults, but why force them? Why not create the defaults, and then allow the user to remove them if they wish?
You’re free to patch it out if you’re so inclined.
This is somewhat of a non-answer. Technically, yes, it is possible for a user to patch OSS as they see fit, but that does not excuse poor design desicions, nor is it necessarily fair to expect the user to do that.