10-16-2020, 07:06 PM
Hello,
I was able to install ufw on pmOS after some digging... since pmOS is based on Alpine, I used Alpine's docs to get it installed:
https://wiki.alpinelinux.org/wiki/Uncomp...d_Firewall
For some reason ufw is no longer in testing and checking Alpine's own package lookup, you will now find this in edge.
The correct command to get this on pmOS is as follows:
#Note: you gonna need sudo for this obviously....
#Also... this is a kind of cheat to get ufw installed without adding the repo for edge. It's a one time thing. See the docs for a better explanation.
Since pmOS uses openrc, you can add ufw to the startup via rc-update command but I don't recommend that for one reason.... ufw has broken pmOS net connectivity.
I have tested with adding necessary rules to allow the usual traffic for ssh, dns, etc. ufw fails with the following:
Since ufw is found in edge and not the main repo.... this is expected behavior to me. This obviously hasn't been tested enough to the point where it's guaranteed to work on Alpine. I honestly don't know what's up or how to get it working but I'll keep trying. I'm getting the feeling though that eventually I'll wind up flashing Mobian on my PinePhone as well... not what I was aiming to do but I also think shipping something that's potentially going to be used in public with public networks... is not very wise without a legitimate firewall in place. Granted Linux works the way it does, the assumption that people won't put stupid stuff on their phone is often misguided.... which leads to people opening up their phone to higher risk. I know people might complain that ufw takes improper assumptions as well that maybe mimic what Windows does (or is it Ubuntu?)... but c'mon guys. Basic network security is deny by default and allow by exception. Everyone in the field knows this.... personally, I'd rather have something hardened by default and prevents me from adding in something I'm not 100% sure on what it is I'm adding than letting everything run free willy. Arguably, my whole motivation for even getting a Linux phone in the first place was to guarantee that I could harden it to what was deemed necessary. There's nothing stopping me from just sticking to iptables but I use a flavor of Ubuntu on my older laptop and utilize ufw on there.... I thought I would be able to here as well but here we are.
I was able to install ufw on pmOS after some digging... since pmOS is based on Alpine, I used Alpine's docs to get it installed:
https://wiki.alpinelinux.org/wiki/Uncomp...d_Firewall
For some reason ufw is no longer in testing and checking Alpine's own package lookup, you will now find this in edge.
The correct command to get this on pmOS is as follows:
Code:
apk add ufw --update-cache --repository http://nl.alpinelinux.org/alpine/edge/community --allow-untrusted#Note: you gonna need sudo for this obviously....
#Also... this is a kind of cheat to get ufw installed without adding the repo for edge. It's a one time thing. See the docs for a better explanation.
Since pmOS uses openrc, you can add ufw to the startup via rc-update command but I don't recommend that for one reason.... ufw has broken pmOS net connectivity.
I have tested with adding necessary rules to allow the usual traffic for ssh, dns, etc. ufw fails with the following:
Quote:hostname:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/5.7.0
modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/5.7.0
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/5.7.0
iptables-restore v1.8.4 (legacy): Couldn't load match `limit':No such file or directory
Error occurred at line: 63
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.4 (legacy): Couldn't load match `limit':No such file or directory
Error occurred at line: 29
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Problem loading ipv6 (skipping)
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
Since ufw is found in edge and not the main repo.... this is expected behavior to me. This obviously hasn't been tested enough to the point where it's guaranteed to work on Alpine. I honestly don't know what's up or how to get it working but I'll keep trying. I'm getting the feeling though that eventually I'll wind up flashing Mobian on my PinePhone as well... not what I was aiming to do but I also think shipping something that's potentially going to be used in public with public networks... is not very wise without a legitimate firewall in place. Granted Linux works the way it does, the assumption that people won't put stupid stuff on their phone is often misguided.... which leads to people opening up their phone to higher risk. I know people might complain that ufw takes improper assumptions as well that maybe mimic what Windows does (or is it Ubuntu?)... but c'mon guys. Basic network security is deny by default and allow by exception. Everyone in the field knows this.... personally, I'd rather have something hardened by default and prevents me from adding in something I'm not 100% sure on what it is I'm adding than letting everything run free willy. Arguably, my whole motivation for even getting a Linux phone in the first place was to guarantee that I could harden it to what was deemed necessary. There's nothing stopping me from just sticking to iptables but I use a flavor of Ubuntu on my older laptop and utilize ufw on there.... I thought I would be able to here as well but here we are.