...There's only one firewall application because there only needs to be one
. It handles thing at the lowest level it can, even requiring superuser or root access.
You're talking about iptables, right? Then that's a fail on your part - I was talking about OpenSnitch
, which once it is complete and working, looks to be the best application-level firewall available for Linux.
And that wouldn't even provide the level of security and control that Windows users have enjoyed since 1998 when WRQ released its AtGuard firewall
Process control means being able to set rules to allow or prevent processes from carrying out certain actions like:
* terminating other processes;
* modifying other processes;
* setting hooks to intercept keyboard, mouse or IPC traffic;
* making major changes to system setup (e.g. modifying what runs on startup, loading library order, etc).
Your first link is for a process viewer - very pretty but no more functional than Windows' Task Manager and far behind the likes of Process Hacker
, Process Explorer or TaskInfo on Windows. The second link has no security relevance whatsoever. This suggests that you are completely missing the point I am trying to make.
...allow me to also state that there are further ways to harden Linux if you insist on being a paranoid whackoo, IN ADDITION
to the already heavily scrutinized security built into the kernel itself, there are things like SELinux.
I have already posted
about the impracticality of SELinux for most users, and the fact that so few distros implement it (and those that do, only for a few applications) rather supports my point.
Secondly, distros do not consist of a kernel alone - you have a windowing system (mostly XOrg, with Wayland being a new contender), dozens of window managers and hundreds of applications. To have a secure environment, you either need to ensure that all these are completely secure (and most distros can't even get everything working together properly
, let alone figure out the security implications) or
have OS-level security software to mitigate against application-level vulnerabilities.
For Windows XP, you have a wide range of firewalls
, process protection software (App/RegDefend, System Safety Monitor, Process Guard), specialised anti-keylogger/anti-snooping software (SnoopFree, SpyShelter, Zemana AntiLogger) and plenty of others.
The security ecosystem for Linux is almost a desert in comparison - for application-level firewalls you have a few (mostly unfinished) projects like OpenSnitch, TuxGuardian and Douane. For process control you have GrSecurity, AppAmor and SELinux
, none of which offer interactive setup meaning that you have to configure (and debug) policies in advance, a process that could take days per application rather than the minutes an interactive program would typically require. FireJail has a similar problem in that the effort required to build a whitelisting
profile makes it as impractical as SELinux.
And please don't bash on again about how Linux isn't exploited - Android
is a pretty big counter-example, and there have been several high-profile (or low profile and long-lasting) exploits which would have been trivially detectable by proper (and properly configured) security software on Windows:
* Spammers using Unix/Linux boxes as DNS/HTTP relays for 10 years+ (GOG's forum can't handle Internet Archive links, so cut-and-paste will be needed here): https://web.archive.org/web/20150226085527/http://spamtrackers.eu/wiki/index.php/My_Canadian_Pharmacy#The_tirqd_Unix_infection Engadget (Feb 2016): Hackers compromised Linux Mint's install files (updated) DrHack.Net (June 2017): Indian Government/Military Linux Systems Hacked LinuxUprising.com (May 2018): Malware Found In the Ubuntu Snap Store
-- plus related Slashdot discussion Sophos.com (June 2018): Linux distro hacked on GitHub, 'all code considered compromised' Blackberry.com (April 2020): BlackBerry Report Examines Compromise of Linux Servers by APTs
So whatever version of Linux you run, security is still very much a concern - it is not (and has never been) "hack proof" and far from being a "paranoid whackoo" (as you choose to describe it) those seeking to harden their systems are showing prudence and caution compared to your post's complacency and ignorance (edit: a particularly relevant article to anyone who shares similar views is Sophos.com (Feb 2011): FLAMING RETORT: Cooling the friction when Linux meets anti-virus
And finally, open source code only provides a genuine security benefit if it is (a) fully audited and (b) actually used in building end systems. Aside from Gentoo, I'm not aware of any distro that builds from source, so in most cases Linux users are exposed to compromises introduced by their distro maintainers (either via source code modification or use of a compromised compiler