Linux - Reddit – Telegram
733 subscribers
4.13K photos
207 videos
39.6K links
Stay up-to-date with everything Linux!
Content directly fetched from the subreddit just for you.

Powered by : @r_channels
The Abstract Applications

Hi everybody! I'm one of the Abstract Developers. We are making two Linux applications in Qt: a very simple office suite intended to feel familiar to O365 users (O20, [https://flathub.org/apps/details/io.gitlab.o20.word](https://flathub.org/apps/details/io.gitlab.o20.word)); and a suite of abstract, strategy, and arcade games (Abstract Games, [https://snapcraft.io/abstractgames](https://snapcraft.io/abstractgames)). They were specially developed for the KDE desktop, but should work on any Linux system. If you're interested, please install them and tell us what you think. ;)

Full description here: [https://www.reddit.com/r/kde/comments/g1bq1j/the_abstract_apps/](https://www.reddit.com/r/kde/comments/g1bq1j/the_abstract_apps/).

I'm sorry if this sounded too much like an ad. This is not supposed to convince you to use our apps, just to introduce myself and gather feedback about them.

https://redd.it/g1c0oe
@r_linux
What is your Alacritty.yml file like?

I was wondering how many people use Alacritty and how they have it configured. So, if anyone wants to paste their Alacritty.yml file I’d be interested to see what it looks like. Also, I’m very lazy and don’t want to have to change it.

https://redd.it/g1j1pw
@r_linux
Weekly Questions and Hardware Thread - April 15, 2020

Welcome to r/linux! If you're new to Linux or trying to get started this thread is for you. Get help here or as always, check out r/linuxquestions or r/linux4noobs

This megathread is for all your question needs. As we don't allow questions on r/linux outside of this megathread, please consider using r/linuxquestions or r/linux4noobs for the best solution to your problem.

Ask your hardware requests here too or try r/linuxhardware!

https://redd.it/g1kpsw
@r_linux
Aspects to consider when acquiring computer systems

Computer systems involve a large number of aspects and characteristics that must be evaluated before purchase. Some of these are: type of equipment, its function, the life cycle of the selected operating system, stability, compatibility and costs.

[https://www.elconspirador.com/2020/04/15/aspectos-a-tener-en-cuenta-para-adquirir-sistemas-de-computo/](https://www.elconspirador.com/2020/04/15/aspectos-a-tener-en-cuenta-para-adquirir-sistemas-de-computo/)

https://redd.it/g1l842
@r_linux
Linux host firewalls and Docker containers (IPv4 and IPv6)

I recently tried to set up a cloud server with some basic Nginx reverse proxy in Docker. Before that I thought that Docker and Linux firewalls would just work together flawlessly but I was wrong and some research was required to find a maintainable and elegant solution that doesn't break on firewall and container restarts.

# Issue

I used firewalld in the past because it just worked for me. While setting up the server I allowed traffic for my custom SSH port and nothing else. That worked. Then I set up my Nginx reverse proxy. After that I could also access ports 80 and 443 because I mapped those ports in my docker-compose.yaml. But wait a minute, I didn't enable those ports in my firewall, so why does that work? What if I want to apply more filters to those connections? I want a centralized and easy to understand view of my open ports. When I looked into `firewall-cmd --list-all-zones`, `iptables -L` and `iptables-save` it was all rather complicated and unmanageable.

# First part of the solution for IPv4

I found this GitHub issue and was a bit relieved to see that others noticed that issue (https://github.com/firewalld/firewalld/issues/461). And I also found several posts about similar issues with ufw. There was a link to a possible solution which inspired me to implement it the way I did: https://unrouted.io/2017/08/15/docker-firewall/

What seems to cause the issue is that Docker does quite a lot with plain old iptables rules which doesn't go that well with other firewall management solutions.

So the solution is going back to working manually with just iptables, as the linked post suggests. Short summary of the article (but I recommend you read it): Everything going to Docker doesn't go through the INPUT chain but only the FORWARD chain. Docker will heavily change the FORWARD chain, so we won't touch that, to not break Docker on firewall reloads. But Docker offers a chain DOCKER-USER which is inserted first into the FORWARD chain and where nothing is automatically inserted, so we can work with that. But we want only one firewall chain to manage INPUT and DOCKER-USER. So we create a chain FILTERS that is the target for DOCKER-USER and INPUT. That way we can put all our firewall rules there.

We create a configuration and later a custom systemd service to apply it. First the configuration for iptables. Put this in e.g. `/etc/iptables/iptables.conf`.

```
*filter
# all our chains with their default actions
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]

# first flush all chains that we will touch to have a clean setup
-F INPUT
-F DOCKER-USER
-F FILTERS

# accept local loopback traffic and if you want it also ping otherwise remove
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# the important part, go to chain FILTERS
-A INPUT -j FILTERS

# when something comes into the external interface to the FORWARD chain
# (which will first put it into the DOCKER-USER chain), also use chain FILTERS
-A DOCKER-USER -i YOUR_EXTERNAL_INTERFACE_NAME_ETH0 -j FILTERS

# our firewall rules go here, I allowed ping
# first accept all packets for ESTABLISHED and RELATED connection states
-A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# now all our firewall rules that will apply to our host listening to ports
# as well as Docker hosts listening, just some examples
-A FILTERS -m conntrack --ctstate NEW -s 1.2.3.4/32 -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FILTERS -j DROP

COMMIT
```

# Second part of the solution for IPv6

If you now disable and stop your firewall service like firewalld and apply this configuration, you have an issue that isn't mentioned in the article: If your host has a public IPv6 address, it is now completely unprotected. All chains are on ACCEPT by default. You can access all docker hosts because the traffic first goes through the ip6tables and then through the FORWARD chain of the iptables, but then it will already look like it came from the internal dynamic Docker bridge interface and we don't filter for it because we only filtered for the external interface. This took me a while to figure out because the first step will obviously not appear in your IPv4 iptables LOG if you use it.

Docker doesn't change anything in your IPv6 firewall configuration and all incoming traffic only needs to go through the INPUT chain. So we need a separate configuration for IPv6, e.g. `/etc/iptables/ip6tables.conf`. I'll apply the same configuration here as above.

```
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-F INPUT
-F FORWARD
-F OUTPUT

-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the SSH source must be an IPv6 address in this file; ip6tables-restore
# rejects an IPv4 address like 1.2.3.4/32. 2001:db8::/32 is the documentation
# range, replace it with your own admin address.
-A INPUT -m conntrack --ctstate NEW -s 2001:db8::1/128 -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT

COMMIT
```

Now we also have protected IPv6. Yes these are 2 configuration files and you could certainly automate the shared part of those two. But it's a really simple policy and you only need to take care of certain parts so that's OK for me.

# Putting it all together

Now we just need the systemd service (or a similar script for whatever init system you're on). E.g. `/etc/systemd/system/iptables.service`:

```ini
[Unit]
Description=Restore iptables firewall rules
# network-pre.target is a passive target: pull it in with Wants= so the
# Before= ordering actually applies
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# paths match the configuration files created above
ExecStartPre=/sbin/ip6tables-restore -n /etc/iptables/ip6tables.conf
ExecStart=/sbin/iptables-restore -n /etc/iptables/iptables.conf

[Install]
WantedBy=multi-user.target
```

Disable your current firewall service now, e.g.

```
sudo systemctl stop firewalld
sudo systemctl disable firewalld
```


Now we load, start and enable our service:

```
sudo systemctl daemon-reload
sudo systemctl start iptables
sudo systemctl enable iptables
```

For every firewall change you want to perform, change the iptables.conf and ip6tables.conf and restart your iptables service:

```
sudo systemctl restart iptables
```

Nothing will break for any reloads or restarts. Docker service restarts, iptables service restarts, container runs etc., it will stay the way you configured it.


I hope this helps you in setting this up as much as the article helped me. And now I'll try to find out how the f%#* libvirt firewall rules are put together...

https://redd.it/g1oi2a
@r_linux
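The post above notes that the shared part of `iptables.conf` and `ip6tables.conf` could be automated. The script below is an added example (not the poster's code) that does exactly that: one allow list renders both files, the IPv4 file with the FILTERS chain shared by INPUT and DOCKER-USER, the IPv6 file with INPUT only, and a source address is emitted only into the file of its own address family, which avoids the mistake of handing an IPv4 source to ip6tables-restore. It also includes a small structural lint for the invariants the post relies on (DROP policy, FILTERS terminated by DROP, both INPUT and DOCKER-USER jumping to FILTERS). The names `Allow`, `render_ipv4`, `render_ipv6` and `lint` are my own, and the sample addresses are constructed (2001:db8::/32 is the IPv6 documentation range).

```python
"""Added example: render iptables.conf and ip6tables.conf from one allow list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Allow:
    """One inbound allow rule; `source` is an optional CIDR, v4 or v6."""
    port: int
    proto: str = "tcp"
    source: Optional[str] = None


def _allow_line(chain: str, a: Allow, family: int) -> Optional[str]:
    """Render one rule for the given address family, or None when the
    source belongs to the other family (each *-restore tool rejects the
    other family's addresses)."""
    src = ""
    if a.source is not None:
        net = ipaddress.ip_network(a.source, strict=False)
        if net.version != family:
            return None
        src = f" -s {net.with_prefixlen}"
    return (f"-A {chain} -m conntrack --ctstate NEW{src}"
            f" -p {a.proto} -m {a.proto} --dport {a.port} -j ACCEPT")


def render_ipv4(allows: List[Allow], ext_iface: str) -> str:
    """iptables.conf: INPUT and DOCKER-USER both funnel into FILTERS."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        ":FILTERS - [0:0]", ":DOCKER-USER - [0:0]",
        "-F INPUT", "-F DOCKER-USER", "-F FILTERS",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -p icmp --icmp-type any -j ACCEPT",
        "-A INPUT -j FILTERS",
        # only traffic entering on the external interface is filtered here;
        # container-to-container forwarding is left to Docker's own rules
        f"-A DOCKER-USER -i {ext_iface} -j FILTERS",
        "-A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    lines += [r for a in allows if (r := _allow_line("FILTERS", a, 4))]
    lines += ["-A FILTERS -j DROP", "COMMIT"]
    return "\n".join(lines) + "\n"


def render_ipv6(allows: List[Allow]) -> str:
    """ip6tables.conf: Docker leaves IPv6 alone, so INPUT is enough."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-F INPUT", "-F FORWARD", "-F OUTPUT",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -p ipv6-icmp -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    lines += [r for a in allows if (r := _allow_line("INPUT", a, 6))]
    lines += ["COMMIT"]
    return "\n".join(lines) + "\n"


def lint(conf: str) -> List[str]:
    """Structural checks on a rendered file; returns a list of problems."""
    problems = []
    lines = [l for l in conf.splitlines() if l and not l.startswith("#")]
    if lines[0] != "*filter" or lines[-1] != "COMMIT":
        problems.append("file must start with *filter and end with COMMIT")
    if not any(l.startswith(":INPUT DROP") for l in lines):
        problems.append("INPUT policy is not DROP")
    if ":FILTERS - [0:0]" in lines:  # the IPv4 layout from the post
        filters = [l for l in lines if l.startswith("-A FILTERS")]
        if not filters or filters[-1] != "-A FILTERS -j DROP":
            problems.append("FILTERS chain does not end in DROP")
        if "-A INPUT -j FILTERS" not in lines:
            problems.append("INPUT never jumps to FILTERS")
        if not any(l.startswith("-A DOCKER-USER") and l.endswith("-j FILTERS")
                   for l in lines):
            problems.append("DOCKER-USER never jumps to FILTERS")
    return problems


# constructed sample allow list: one admin host per address family plus HTTPS
ALLOWS = [
    Allow(22, source="1.2.3.4/32"),        # IPv4-only admin host
    Allow(22, source="2001:db8::1/128"),   # IPv6 admin host, documentation range
    Allow(443),
]

if __name__ == "__main__":
    print(render_ipv4(ALLOWS, "eth0"))
    print(render_ipv6(ALLOWS))
```

Write the two outputs to the paths the service unit loads, then run `iptables-restore --test` and `ip6tables-restore --test` on them before restarting the service; `--test` parses and builds the ruleset without committing it, so a typo is caught without ever dropping the rules you currently have.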
Battery life on the pinephone is starting to look good! I got 10h+ with 35% left this morning! Crust × repowerd is awesome! Even notifications work!
https://redd.it/g1plmh
@r_linux
Slow download speeds

Moved from Windows 10 to Manjaro and noticed that my download speeds decreased massively. On Windows I got around 2.1MB/s and on Manjaro I'm getting around 0.2MB/s.

If anyone knows of any fixes for this I would be very grateful

https://redd.it/g1qoi6
@r_linux
deepin v20 beta released, you can try it now.


>deepin is a Linux distribution devoted to providing beautiful, easy to use, safe and reliable system for global users.
>
>deepin 20 Beta comes with a unified design style and redesigns the desktop environment and applications, bringing a brand new interactive experience. Besides that, the underlying repository and kernel are upgraded to Debian 10 and Kernel 5.3 respectively. The continuously optimized system offers a richer application ecosystem and better system stability. What is more, there are some new applications for users.

[DEEPIN 20 BETA—— NEW AND AWESOME](https://www.deepin.org/en/2020/04/15/deepin-20-beta/)

https://redd.it/g1tmul
@r_linux
Students under quarantine are limited or need to change operating system in order to follow lessons or take exams?

Also would you like to share your story?

Here is mine: I live in Italy and I presented my master degree final dissertation almost one month ago at home on Zoom, before all the privacy-related problems emerged.
I had no issue with the platform and all the things required: webcam, microphone and screen sharing worked and were recognized correctly under openSUSE Tumbleweed.

Thanks and stay home!

https://redd.it/g1qd0z
@r_linux
[OC] Linux kernel commits as of 5.7-rc1 by author's email domain name, for domains with >= 5000 commits.
https://redd.it/g1xt7s
@r_linux
Webtatic PHP repo

Anyone use the webtatic repository for PHP? There haven't been any updates in January and no 7.3 or 7.4 branches have been added; does anyone know if this repo is being abandoned?

All evidence leads to yes, but I wanted to see if anyone had heard or knew anything.

https://redd.it/g1zqr3
@r_linux
This popped up when I tried installing crouton via the terminal.
https://redd.it/g212ij
@r_linux
Why don't some websites work on Linux?

I'm not talking about failing to load because of something weird with network configuration, I'm talking about not letting you use the site because of Linux, or constantly telling you to "upgrade to a supported OS"

For example, Xfinity's Stream wouldn't work if you used Linux. It works now, but why didn't it used to work?

Same thing with this site: [https://www.pearsonmylabandmastering.com/](https://www.pearsonmylabandmastering.com/) we use it for math in high school, and when you go there on Linux, a popup comes up that says Linux isn't supported. Why does the OS matter? I can understand popups about outdated browsers, but the OS being the problem doesn't make sense to me.
I feel like just changing your user agent would fix this (I have yet to test it).

https://redd.it/g21i7c
@r_linux
“Quick, take the guy on the left, I’ve got the...the, damned blue screen again.”
https://redd.it/g21k86
@r_linux