Which Firewall package is in the repository, exactly?

Neo_78
Posts: 407
Joined: Wed Dec 29, 2021 10:45 pm
Has thanked: 232 times
Been thanked: 11 times

Which Firewall package is in the repository, exactly?

Post by Neo_78 »

FatDog uses eztables as the default firewall.

However, I just found the following additional firewall package in the repository:

https://distro.ibiblio.org/fatdog/packa ... arch-1.txz

I tried to google the package name but it would not bring up anything relevant.

Do you know which Firewall software this is exactly?

Thanks for your feedback! :thumbup:

jamesbond
Posts: 718
Joined: Tue Aug 11, 2020 3:02 pm
Location: The Pale Blue Dot
Has thanked: 124 times
Been thanked: 402 times

Re: Which Firewall Package is this exactly?

Post by jamesbond »

[Attached image: xscreenshot-20240713T135146.png]

Neo_78

Re: Which Firewall Package is this exactly?

Post by Neo_78 »

Interesting... The project's website seems to be down:

https://triptico.com/software/aovfirewall.html

Has the project been abandoned?

Has anyone used aovfirewall in FatDog and could explain how it differs from eztables?

jamesbond

Re: Which Firewall package is in the repository, exactly?

Post by jamesbond »

The author, Angel Ortega (of the "Minimum Profit" / "mp" editor which has been in Puppy since its earliest versions), has retired. He has passed over the maintenance of his software (under the "triptico" branding) to a group of people who are called "ttcdt" (triptico/ttc development team). ttcdt, however, only adopts some of the software; the rest are either not maintained or were just dropped.

aovfirewall is one of those that doesn't make it.

It is still provided here as an alternative to eztables, which unfortunately is also EOL.

At the end of the day, the one that actually does the firewalling is "iptables". eztables, aovfirewall, and many others are just frontends to iptables, supposedly to make it easier to use.

I'm happy to hear suggestions about other iptables frontends as potential replacements for eztables or aovfirewall, as long as they are not too heavy and do not depend on heavy stuff (like python).

Neo_78

Re: Which Firewall package is in the repository, exactly?

Post by Neo_78 »

Thanks for your explanation @jamesbond !

I currently use eztables and got used to its configuration standard, but as you mentioned, it is not maintained any longer and not very well documented, which can get tricky if you need to set firewall rules that are more complex.

ufw is pretty common in Ubuntu but uses Python. So that does not meet our requirement:

https://launchpad.net/ufw

A couple of other options that pretend to "make iptables easy" (not sure about the maintenance status of each project):

- Shorewall is written in Perl:
https://shorewall.org/

- FireStarter (looks abandoned):
https://sourceforge.net/projects/firestarter/

- ipteditor uses Ruby:
https://github.com/Intika-Linux-Firewal ... Editor-Gui

- Easywall is written in Python:
https://github.com/jpylypiw/easywall

- FirewallBuilder:
https://fwbuilder.sourceforge.net/

A simple GUI in FatDog in the style of FireStarter would be nice that also displays firewall events.

jamesbond

Re: Which Firewall package is in the repository, exactly?

Post by jamesbond »

Thank you for your suggestions @Neo_78.

Unfortunately it doesn't solve the problem.

Neo_78 wrote: Sun Jul 14, 2024 8:51 pm

ufw is pretty common in Ubuntu but uses Python. So that does not meet our requirement:
https://launchpad.net/ufw

I don't mind packaging this one, but this won't ever make it to base. You will have to install it from gslapt (later after I have made it available).

A couple of other options that pretend to "make iptables easy" (not sure about the maintenance status of each project):

- Shorewall is written in Perl:
https://shorewall.org/

This is really not easy at all, even the website says so. It's just a unified way to configure miscellaneous firewalls for all flavours of Unix including Linux, BSD, etc.

- FireStarter (looks abandoned):
https://sourceforge.net/projects/firestarter/

Dead project.

Dead project, and Ruby is not in the base (so same problem as with ufw).

- Easywall is written in Python:
https://github.com/jpylypiw/easywall

Uses python, so same class as ufw.

Dead project.

A simple GUI in FatDog in the style of FireStarter would be nice that also displays firewall events.

I agree! :thumbup: Anyone want to start writing one?

dimkr
Posts: 2436
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1205 times

Re: Which Firewall package is in the repository, exactly?

Post by dimkr »

I'm currently working on simplifying the Puppy firewall at https://github.com/vanilla-dpup/woof-CE ... irewall_ng. I dropped all firewall rules that are 100% useless on an endpoint (to a server or a router) and sysfs hardening, then flipped the logic (incoming packets are dropped unless x or y, instead of accepting everything except x, y, z, [...]) to reduce the number of iptables rules. This simplified script doesn't use any deprecated tables and I want to port the remaining code to nftables, to make it more future-proof and maybe even simpler.

Neo_78

Re: Which Firewall package is in the repository, exactly?

Post by Neo_78 »

If Python is not an option, what would be the preferred programming language to write an iptables GUI for Fatdog? @jamesbond

jamesbond

Re: Which Firewall package is in the repository, exactly?

Post by jamesbond »

Neo_78 wrote: Sun Jul 21, 2024 1:29 pm

If Python is not an option, what would be the preferred programming language to write an iptables GUI for Fatdog? @jamesbond

Please don't get me wrong. We don't exclude python programs. It's just that because we don't include python in the base, whatever is written in python will not make it into the base. You can still have python programs (and we have plenty of them!) in the repository.

But if you need a firewall control program that is included in the base, then it has to be written in other languages. You can use compiled languages (C, Go) or scripting languages as long as the script interpreter is included in the base.

The one that @dimkr is updating, is written in shell script, and uses "yad" for its GUI. I'll be looking out for that one.

dimkr wrote: Sun Jul 21, 2024 10:09 am

I'm currently working on simplifying the Puppy firewall at https://github.com/vanilla-dpup/woof-CE ... irewall_ng. I dropped all firewall rules that are 100% useless on an endpoint (to a server or a router) and sysfs hardening, then flipped the logic (incoming packets are dropped unless x or y, instead of accepting everything except x, y, z, [...]) to reduce the number of iptables rules. This simplified script doesn't use any deprecated tables and I want to port the remaining code to nftables, to make it more future-proof and maybe even simpler.

Interesting. I'll take a look at that. Thanks for letting me know!

Neo_78

Re: Which Firewall package is in the repository, exactly?

Post by Neo_78 »

A bash script with yad for the GUI sounds like a cool option for Fatdog:

https://github.com/v1cont/yad

Yad seems to be written in C. Would be interesting to see if it could replicate the FireStarter GUI:

https://sourceforge.net/projects/firestarter/

Interesting Yad guide can be found here:

https://yad-guide.ingk.se/

How does yad differ from Zenity?

https://github.com/GNOME/zenity

jamesbond

Re: Which Firewall package is in the repository, exactly?

Post by jamesbond »

"yad" is already included in Fatdog64 base. A few of the Fatdog tools use yad, for example, Fatdog64 control panel ;)

EDIT: I downloaded @dimkr's firewall_ng, put it in /usr/sbin, then chmod +x /usr/sbin/firewall_ng, and launched it. It seems to work very well!

@dimkr, with your permission, I would like to include this by default in Fatdog.

dimkr

Re: Which Firewall package is in the repository, exactly?

Post by dimkr »

jamesbond wrote: Sun Jul 21, 2024 4:13 pm

@dimkr, with your permission, I would like to include this by default in Fatdog.

Sure! But you'll need to give it some testing and verify that I haven't made mistakes. I'm daily driving a Puppy with it and so far everything is fine. I'm using it without logging and without any exceptions, and that's what I expect most users to do.

The GUI is a yad port of the original gtkdialog UI, but I removed the "generic" vs. "specific interface" distinction, which can be confusing and useless for many users (why would anyone want to turn off the firewall when using WiFi or a wired network?), and I removed any assumptions about the LAN subnet or gateway (which can change when you move between networks, hence the exception doesn't work).

(And you'll probably need to drop the line that updates the waybar firewall widget :))

(EDIT: today I dropped the "Samba client" checkbox inherited from Puppy - it makes no sense in a firewall that blocks only incoming connections, and I ported from iptables to nftables)

Neo_78

Re: Which Firewall package is in the repository, exactly?

Post by Neo_78 »

Is this firewall script based on the following Slackware generator?

http://www.slackware.com/~alien/efg/

Is it possible to show and log firewall events and activities?

dimkr

Re: Which Firewall package is in the repository, exactly?

Post by dimkr »

https://github.com/puppylinux-woof-CE/w ... irewall_ng

Probably, this firewall is really really old. We don't have history before https://github.com/puppylinux-woof-CE/w ... 54d3ca84ee but it hasn't changed much in recent Puppy releases beyond a few changes by me, like the addition of (partial) IPv6 support and fixes for really old bugs.

My fork at https://github.com/vanilla-dpup/woof-CE ... irewall_ng still carries the original comments that mention this firewall's ancestry but there's very little code that hasn't changed, especially after the yad port of the UI and the nftables port of the rules.

jamesbond

Re: Which Firewall package is in the repository, exactly?

Post by jamesbond »

dimkr wrote: Sun Jul 21, 2024 4:55 pm
jamesbond wrote: Sun Jul 21, 2024 4:13 pm

@dimkr, with your permission, I would like to include this by default in Fatdog.

Sure! But you'll need to give it some testing and verify that I haven't made mistakes. I'm daily driving a Puppy with it and so far everything is fine. I'm using it without logging and without any exceptions, and that's what I expect most users to do.

Thank you! I will definitely do that and run it first myself, before dropping it in.

The GUI is a yad port of the original gtkdialog UI, but I removed the "generic" vs. "specific interface" distinction, which can be confusing and useless for many users (why would anyone want to turn off the firewall when using WiFi or a wired network?),

Perhaps: "wired" = home, and "wifi" = McDonalds :) But I agree, it's no longer relevant. All we need is "on" or "off" and that's it.

and I removed any assumptions about the LAN subnet or gateway (which can change when you move between networks, hence the exception doesn't work).

Nice.

(And you'll probably need to drop the line that updates the waybar firewall widget :))

Yes, I noticed that.

(EDIT: today I dropped the "Samba client" checkbox inherited from Puppy - it makes no sense in a firewall that blocks only incoming connections, and I ported from iptables to nftables)

Ah, I was about to say, I'd be happy to send patches to you, but I'd probably stay on iptables a bit longer (though 902 ships with nftables too, many tools still work with iptables, so ... ), so now you've switched to nftables, my patches probably aren't going to be helpful for you.

dimkr

Re: Which Firewall package is in the repository, exactly?

Post by dimkr »

jamesbond wrote: Tue Jul 23, 2024 2:32 pm

Ah, I was about to say, I'd be happy to send patches to you, but I'd probably stay on iptables a bit longer (though 902 ships with nftables too, many tools still work with iptables, so ... ), so now you've switched to nftables, my patches probably aren't going to be helpful for you.

Modern iptables is just a wrapper around the same underlying technology as nftables but with different rule syntax (backward compatible with classic iptables), so maybe you're already using nftables but only under the hood.

If you want to replace iptables with the smaller nftables package, the conversion should be easy. Most iptables commands can be changed to use iptables-translate, and it writes nft equivalents. If you don't use tables like nat, it should map 1:1 to the nft syntax.
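
The flipped logic described earlier in the thread (incoming packets are dropped unless x or y) and the close mapping between iptables and nft syntax, shown as an added example that is not part of the thread and not code from firewall_ng. The function names, table and chain names, and the port list are assumptions, and the nft rules are hand-written equivalents rather than iptables-translate output.

```shell
#!/bin/sh
# Added example: a default-drop inbound policy for an endpoint, generated in
# iptables and nftables syntax from one list of allowed TCP ports.
# Chain/table names and the ports used below are illustrative assumptions.

# Accept only a plain integer 1..65535, so nothing else reaches the ruleset.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Classic syntax, IPv4 only. The DROP policy is set last so that a live
# session is never cut off before its ACCEPT rule exists.
gen_iptables() (
    set -f    # no filename expansion while splitting the port list
    for p in $1; do valid_port "$p" || exit 1; done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $1; do echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"; done
    echo "iptables -P INPUT DROP"
)

# Hand-written nftables equivalent (not iptables-translate output).
# Loaded with `nft -f`, the whole file is applied atomically.
gen_nft() (
    set -f
    for p in $1; do valid_port "$p" || exit 1; done
    echo "table ip filter {"
    echo "  chain input {"
    echo "    type filter hook input priority 0; policy drop;"
    echo "    iif \"lo\" accept"
    echo "    ct state established,related accept"
    for p in $1; do echo "    tcp dport $p accept"; done
    echo "  }"
    echo "}"
)

# Demo: an endpoint that accepts inbound SSH only (constructed input).
gen_iptables "22"
gen_nft "22"
```

Both outputs filter IPv4 only; IPv6 needs its own rules (ip6tables, or an nftables ip6/inet table) that keep ICMPv6 neighbour discovery allowed. Calling either function with an empty list gives the no-exceptions configuration.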

jamesbond

Re: Which Firewall package is in the repository, exactly?

Post by jamesbond »

Thank you @dimkr for the info. I'll consider it. I do use nat in some of the scripts.
