install/enable network firewall by default
I'd like to propose enabling some network firewall by default in pmOS. The idea is to default drop connections to any other ports on the device, so that any zero-day or other vulnerabilities in any apps that might listen on ports running on the device can't be exploited.
Some options of how it could be configured for SSH access to the device:
- disable ssh on all interfaces except usb network
  - most secure option, but makes debug difficult.
- disable ssh on usb net and wifi ifaces
  - probably the best compromise, especially if we disable password auth over ssh and only allow key authentication
- disable ssh on the WWAN interface, enable on everything else
  - I can't think of any way a user would be able to ssh into a device over the WWAN interface, so this seems like something we'd want regardless
- enable ssh everywhere
  - still more secure than what we have now (no firewall..)
A UI of some sort to manage the firewall would be nice too, so that SSH or other rules could be easily toggled. I'm not aware of any interface that would work well on mobile.
Just to get the conversation going, I've included some quick notes about the firewall options I know of:
nftables
My favorite, since the config is a lot more readable than iptables. The default config installed with the nftables package in alpine is pretty good. It supports config.d-style configuration files too.
This firewall requires some additional kernel parameters to be enabled. I've already done this for the postmarketos-linux-allwinner and linux-purism-librem5 kernels in pmaports.
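As an added illustration of the default-drop policy and the per-interface SSH options above (this is example code, not the Alpine nftables package's shipped config or anything in pmaports), here is an nftables ruleset that drops all inbound connections except SSH on the USB network and Wi-Fi interfaces. The interface names usb0, wlan0 and wwan0 are assumptions; real names depend on the device and kernel.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not the Alpine/pmOS default config).
# Policy: drop everything inbound, allow SSH only on the USB network
# and Wi-Fi interfaces. Interface names below are assumptions.
flush ruleset

# Interfaces on which SSH is reachable; wwan0 is deliberately absent,
# so SSH over the cellular link stays blocked by the default policy.
define ssh_ifaces = { "usb0", "wlan0" }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed
        iif "lo" accept

        # Replies to connections the device itself opened
        ct state established,related accept
        ct state invalid drop

        # ICMP / ICMPv6 keep ping, PMTU discovery and IPv6 neighbour discovery working
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH only on the listed interfaces; any app listening on another
        # port is unreachable from the network regardless of interface
        iifname $ssh_ifaces tcp dport 22 accept

        # Rate-limited log of dropped packets, useful when a user wonders
        # why some service is not reachable
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The file can be syntax-checked without loading it with `nft -c -f <file>`, and loaded with `nft -f <file>`. Switching between the SSH options from the list amounts to editing the `ssh_ifaces` set: leaving only `"usb0"` gives the USB-only option, adding `"wwan0"` gives "enable ssh everywhere". The "disable password auth" half of the second option is an sshd_config change (`PasswordAuthentication no`), not a firewall rule.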
ufw
A frontend to iptables, makes configuration easier. I don't have a lot of experience using this...
iptables
The config 'language' is painful... it's hard to get it right, and easy to get it wrong. But lots of people seem to still 'like' it.