All of this user’s content is licensed under CC BY 4.0.

  • 7 Posts
  • 83 Comments
Joined 8 months ago
Cake day: October 20th, 2023

  • If for example my Firefox were to be compromised and started not only talking to Firefox Sync to send the history to my phone, but also send my behavior and all the passwords I type in to a third party… How would the firewall know?

    If it’s going to some undesirable domain, or IP, then you can block the request for that application. The exact capabilities of the application layer firewall certainly depend on the exact application layer firewall in question, but this is, at least, possible with OpenSnitch.

    It’s just random outgoing encrypted traffic from its perspective.

    For the actual content of the traffic, is this not the case with essentially all firewalls? They can’t see the content of the traffic if it is using TLS. You would need to somehow intercept the packet before it is encrypted on the device. I’m not aware of any firewall that has such a capability.

    If you just click on ‘Allow’ there is no added benefit.

    The exact level of fine-grain control heavily depends on the application layer firewall in question.

    A maliciously crafted request or answer to your software can trigger it to fail and do something that it shouldn’t do.

    Interesting.

    I think now it’s just the first, plus they can ask for a fixed amount of money since, by your negligence, you caused their lawyer to put in some effort.

    I do, perhaps, somewhat understand this argument, but it still feels quite ridiculous to me.


  • But this is a really difficult thing to protect from. If someone gets to push code on my computer that gets executed, I’m entirely out of luck. It could […] send data […].

    Not necessarily. An application layer firewall, for example, could certainly get in the way of it trying to send data externally.

    On the other hand it could happen not deliberately but just be vulnerable software.

    Are you referring to a service leaving a port open that can be connected to from the network?

    And then also run Lemmy, Matrix chat and a microblogging platform on it.

    I’m definitely curious about the outcome of this – Matrix especially. Perhaps the new/alternative servers function a bit better now, but I’ve heard that, for synapse at least, Matrix can be very demanding on hardware to run (from what I’ve heard, the issues mostly arise when one joins a larger server).

    You’re considered a “disruptor” and can be held responsible, especially to stop that “disruption”.

    Interesting. Do you mean “held responsible” to simply stop the disruption, or “held responsible” for the actions of/damage caused by the disruption?


  • for example detect which network was connected to and re-configure the packet filter.

    Firewalld is capable of this – it can switch zones depending on the current connection.

    And while I think that is not a good argument at all, I feel protected enough by using the free software I do and roughly knowing how to use a computer. I don’t see a need to install a firewall just to feel better. Maybe that changes once my laptop is cluttered and I lose track of what software opens new ports.

    There does still exist the risk of a vulnerability being pushed to whatever software that you use – this vulnerability would be essentially out of your control. This vulnerability could be used as a potential attack vector if all ports are available.

    I’m currently learning about Web Application Firewalls. Maybe I’ll put ModSecurity in front of my Nextcloud.

    Interesting! I haven’t heard of this. Side note, out of curiosity, how did you go about installing your Nextcloud instance? Manual install? AIO? Snap?

    I’m personally not a friend of that kind of legislation. If somebody uses my tools to commit a crime, I don’t think I should be held responsible for that.

    It would be a rather difficult thing to prove – one could certainly just make the argument that you did, in that someone else that was on the guest network did something illegal. I would argue that it is most likely difficult to prove otherwise.


  • Enable access when you’re at your workplace but inhibit the Windows network share when you’re at the airport wifi.

    How would something like this be normally accomplished? I know that Firewalld has the ability to select a zone based on the connection, but, if I understand correctly, I think this is decided by the Firewalld daemon, rather than the packet filtering firewall itself (e.g. nftables). I don’t think an application layer firewall would be able to differentiate networks, so I don’t think something like OpenSnitch would be able to control this, for example.

    But an approach like this isn’t perfect by any means. The IoT devices can still mess with each other. Everything is a hassle to set up. And the WiFi is a single point of failure.

    What would be a better alternative that you would suggest?

    You can also set up a VPN that connects specifically you to your home-network or services. Your Nextcloud server can’t be reached or hacked from the internet, unless you also have the VPN credentials to connect to it in the first place.

    The unfortunate thing about this – and I have encountered this personally – is that some networks may block VPN related traffic. You can take measures to attempt to obfuscate the VPN traffic from the network, but it is still a potential headache that could lock you out of using your service.


  • This is just the base system - it’s like any other distribution’s base install except that we don’t have an official ‘installer’; Gentoo distributes tarballs that users unpack following the guidance in the handbook.

    […]

    After unpacking the system image you can install a binary kernel, have portage compile one for you, or manage it manually (but still let portage fetch sources)

    It may be best for me to simply attempt to install Gentoo in a VM to see for myself, but, out of curiosity, how does the base image differ from something like the .iso that Arch Linux distributes to allow you to install the distro? So, if one were to install a binary kernel, would they still need to initially compile anything? Or could one theoretically do a full Gentoo install without the need of compiling?


  • Now I have the feeling as if there might be a misunderstanding of what “ports” are and what an “open” port actually is. Or I just don’t get what you want. I am not on your server/workstation, thus I cannot even try to connect TO an external service “from” your machine.

    This is most likely a result of my original post being too vague – which is, of course, entirely my fault. I was intending it to refer to a firewall running on a specific device. For example, a desktop computer with a firewall, which is behind a NAT router.

    So what is your scenario? What do you want to prevent?

    What is your example in response to? Or perhaps I don’t understand what it is attempting to clarify. I don’t necessarily have any confusion regarding setting up rules for known and discrete connections like SSH.

    accomplish control (allow/block/report) over who or what on my machine can connect to the outside world (using http/s) and to exactly where, but independent of IP addresses, using domains to allow or deny on a per user/application + domain combination, while not having to update IP-based rules that could quickly go out of date anyway.

    Are you referring to an application layer firewall like, for example, OpenSnitch?
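The per-application + domain control asked about above is what an application layer firewall rule expresses. The following is an added example, not code from the thread or from the OpenSnitch project: it models one such rule as a small JSON document and a toy evaluator that shows why the rule keys on the process path and the destination hostname rather than on IP addresses. The field names follow my understanding of OpenSnitch’s on-disk rule files (an assumption; check them against the documentation of your installed version), and the process paths, domain and connections are constructed sample values.

```python
"""Toy model of a per-process, per-domain egress rule and its evaluation.

Added example; not code from OpenSnitch or from the thread. The JSON layout
mirrors my understanding of OpenSnitch rule files (assumption: verify the
field names against your installed version's documentation).
"""
import json
import re
from dataclasses import dataclass


@dataclass
class Connection:
    """The facts an application firewall can see for one outgoing connection."""
    process_path: str
    dest_host: str
    dest_port: int


def deny_app_to_domain_rule(name: str, process_path: str, domain: str) -> dict:
    """Build a rule denying one program access to one domain and its subdomains.

    A 'list' operator ANDs its sub-operators, so both the process path and the
    destination hostname must match before the rule fires. Matching on the
    hostname (not the resolved IP) is what keeps the rule valid when the
    domain's addresses change.
    """
    host_regex = r"^(.*\.)?" + re.escape(domain) + "$"
    return {
        "name": name,
        "enabled": True,
        "precedence": True,   # evaluate before ordinary allow rules
        "action": "deny",
        "duration": "always",
        "operator": {
            "type": "list",
            "operand": "list",
            "sensitive": False,
            "data": "",
            "list": [
                {"type": "simple", "operand": "process.path",
                 "sensitive": False, "data": process_path},
                {"type": "regexp", "operand": "dest.host",
                 "sensitive": False, "data": host_regex},
            ],
        },
    }


# Map rule operands onto the Connection fields the evaluator can inspect.
_FIELDS = {"process.path": "process_path", "dest.host": "dest_host",
           "dest.port": "dest_port"}


def _operator_matches(op: dict, conn: Connection) -> bool:
    """Evaluate one operator (recursively for 'list') against a connection."""
    if op["type"] == "list":
        return all(_operator_matches(sub, conn) for sub in op["list"])
    value = str(getattr(conn, _FIELDS[op["operand"]]))
    if op["type"] == "simple":
        return value == op["data"]
    if op["type"] == "regexp":
        return re.search(op["data"], value) is not None
    raise ValueError(f"unsupported operator type {op['type']!r}")


def decide(rules: list, conn: Connection, default: str = "allow") -> str:
    """Return the action of the first enabled matching rule, else the default.

    Simplified for illustration: the real daemon also orders rules by
    precedence and prompts the user when nothing matches.
    """
    for rule in rules:
        if rule["enabled"] and _operator_matches(rule["operator"], conn):
            return rule["action"]
    return default


# Constructed sample rule set: block a (hypothetical) browser binary from one
# tracking domain while leaving every other program and destination alone.
RULES = [deny_app_to_domain_rule("deny-browser-tracker",
                                 "/usr/lib/firefox/firefox", "tracker.example")]

if __name__ == "__main__":
    print(json.dumps(RULES[0], indent=2))
    for conn in (Connection("/usr/lib/firefox/firefox", "cdn.tracker.example", 443),
                 Connection("/usr/lib/firefox/firefox", "sync.example.net", 443),
                 Connection("/usr/bin/curl", "cdn.tracker.example", 443)):
        print(conn.process_path, "->", conn.dest_host, ":", decide(RULES, conn))
```

The evaluator only sees the hostname the program asked for, so the same rule keeps working when the domain’s IP addresses rotate, which is the practical advantage over address-based packet-filter rules the thread is comparing it against.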


  • Have “smart” AI features that will detect threats even when they aren’t known yet;

    This is a crazy one – pattern recognition of traffic.

    Higher throughput than your router while doing all the other operations above;

    Fair point! I hadn’t considered that one.

    You can even argue that you can virtualize something like pfSense or OPNsense on some host

    This is an intriguing idea. I hadn’t heard of it before.

    also virtualizes your router

    How would one virtualize a router…? That sounds strange, to say the least.


  • I think I was going for the firewall as a means of perimeter security.

    Are you referring to the firewall on the router?

    it’s fairly uncommon that people go wardriving

    Interesting. I hadn’t heard of this.

    That may be isolating the cheap Chinese consumer electronics with god knows which bugs and spying tech from the rest of the network.

    As in blocking or restricting their communication with the rest of the LAN in the router’s firewall, for example? Or, perhaps, putting them behind their own dedicated firewall (this is probably superfluous to the firewall in the router though).

    But you might also be able to use a conventional firewall (or a VPN) to restrict access to that software to trusted users only

    For clarity’s sake, would you be able to provide an example of how this could be implemented? It’s not immediately clear to me exactly what you are referring to when combining “user” with network related topics.