Who said anything about it being standard? I said I know this CAN happen, and I said it was quite some time ago. We can only hope this insanity isn’t still in practice anywhere, but I learned long ago that expecting a corporation to NOT do foolish things will give me the same disappointing results as expecting money to come out of my ass. If there’s a manager involved, then something on the tech side is going to get fucked up in the name of saving a buck. Therefore I cannot just assume OP gets a normal NAT address, nor can I assume they have any other firewall type device between them and the internet. With limited data, the best I can do is try and provide some general information, hopefully encourage them to ask more questions or provide more specific information, and just hope they don’t have a ridiculously stupid ISP that makes things needlessly complicated.

Most of my experience is with iptables, but yeah, I think until you start adding rules nothing is implicitly denied? Once you enable a couple of initial rules then you should have good blocking from the outside while allowing internal traffic to connect freely. It doesn’t get in your way until you start using it, but then it doesn’t take much to get it going.

You’re right, it doesn’t make any sense. And it didn’t make any sense at the time either. After setting up the router with a laptop, I moved the connection to the firewall but it refused to connect. When I finally got ahold of tech support they said the connection locks into the first machine that logs in and they had to release it so I could connect the new machine. And just like that the firewall was given a routable IP address and connected to the internet. Stupidest thing I ever heard of, but that’s how they were set up. Now this was around 15+ years ago and I would certainly hope nobody is doing that crap today, but apparently that was their brilliant method of limiting how many devices could get online at once.

What are you talking about? You’re assuming that every residential router is going to have some kind of firewall enabled by default (they don’t). Sure, if OP has a router that provides a basic firewall type service then it will likely block all incoming unauthorized traffic. However OP is specifically talking about a linux-based firewall and hasn’t specified if they have a router-based firewall service in place as well so we can only provide info on the firewall they specified. And if you look at UFW, the default configuration is to allow outgoing traffic and block all but a very few defined incoming ports.

You’re also making the assumption that OP is using NAT, when that is not always the case for all ISPs. Some are really annoying with their setup in that they give a routable IP to the first computer that connects and don’t allow any other connections (I had that setup once with Comcast). In this case, you wouldn’t even need to define port-forwarding to get directly to OP’s computer – and any services they might be running. This particular scenario is especially dangerous for home computers and I really hope no legitimate ISP is still following a practice like this, however I don’t take anything for granted.

Regardless of what other equipment OP has, UFW is going to provide FAR better defaults and configurability when compared to a residential router that is simply set up to create the fewest support calls to their ISP.

Possibly? The way I read it, it sounded like OP wasn’t really even sure what a firewall does.

Sure it CAN be configured, but the typical policy of firewalls is to start from a position of blocking everything. From what I’ve seen, on Linux the standard starting point is blocking all incoming and allowing all outgoing. On Windows the default seems to be blocking everything in both directions. Sure you could start with a policy of allowing everything and block only selected ports, but what good is that when you can’t predict what ports an attacker might come from?

You’ve got it backwards. A firewall blocks everything, then you open up the ports you want to use. A standard config would allow everything going out, and block everything coming in (unless you initiated that connection, then it is allowed).

So the question you should be asking, is what services do you think you’re going to be running on your desktop that you plan to allow anyone on the internet to get to?

From my own experience it was more about being a solution in search of a problem. I see some comments about how the old init system was so horribly broken, and yet the reality was it worked perfectly fine for all but some very niche situations. The only advantage I have ever seen with systemd is that it’s very good at multitasking the startup/shutdown processes, but that certainly wasn’t the case when it first arrived. For example I had a raspberry pi that booted in 15 seconds, and when I loaded a new image with systemd it took close to two minutes to boot. And there were quite a lot of problems like that, which is why people were so aggravated when distro admins asked the community for their thoughts on switching to systemd and then changed the distros anyway. This also touches on the perception that the “community” accepted it and moved on – no, systemd was pushed on the community despite numerous problems and critical feedback.

But we’re here now, systemd has improved, and we can only hope that some day all the broken bits get fixed. Personally I’m still annoyed that it took me almost a week to get static IPs set up on all the NICs for a new firewall because despite the whole “predictable names” thing they still kept moving around depending on if I did a soft or hard reset. Configuring the cards under udev took less than a minute and worked consistently but someone decided it was time to break that I guess.

What’s your fear of editing config files? They’re just text files, and manual edits certainly allow a degree of customization that you’ll never find in a GUI interface. My own config is set up with domain name folders under /home/ to contain the many domains I run, that’s something I’ve never seen handled by a GUI and yet it makes so much more sense for keeping files organized.

sudo apt install apache2

Did you really need a GUI for that? The web folders are under /var/www/ and you can browse to it from another computer by typing the IP into the address bar. As long as you’re not using Chrome you might even be able to type the computer name into the address bar.

OK yeah, I wasn’t sure if it had a way to collect debs from other sources. I’ve been using it for years to locally cache the standard Debian repos so I don’t need to re-download packages every time I update my various servers and VMs, but I haven’t really tried using it for anything beyond that.

Sorry to ask, but isn’t this basically the same thing as apt-cacher-ng?

My primary domain is something that people have blacklisted because four letters happen to partially match a word that could be spammy (how ridiculous is that?), however the mail servers (the ones they keep blocking) are attached to my computer business name which I registered in 2006, so there’s really no reason why they should block it for that reason.

Unfortunately that’s not true. I’ve been running mail servers under my domain since around 2000, almost as long as Microsoft has been running Hotmail, and I was certainly following good standards like SPF and DKIM well before they considered such a thing… and yet Microsoft is the bane of my mail server’s existence. Despite no compromises resulting in spam blasts, MS still regularly shuts me out with no reason given and no hits showing on their monitors. If I can find their email address to ask what the problem is, I get a generic “your domain has been cleared” sort of reply but never any reason why they blocked me in the first place.

I think I missed something in your description, but what are you running on your local server? I think most people set up postfix to relay the emails over to gmail or whoever, and there are options in postfix for backwards compatibility with Outlook or even Microsoft Mail so your wife could use whatever client she wants. If you don’t have a local mail server set up then this is probably what you want to do. This method allow a local or remote connection from any client so you could run K9 on your phone instead of a VPN.

For opening such a setup to the internet (and allowing access from anywhere), make sure you have strong passwords on your accounts, require SASL authentication, and set up fail2ban to block repeated attempts to hack your mailboxes. Don’t run anything else on the same server (or use virtual machines or strong containers) to reduce the chance of your mail server getting compromised other ways, and you should be good to go.

If you already have a router tying these two networks together then you should NOT also have two NICs in one machine tied to both networks. Pick one or the other, you can’t have both. If you think you need both then you haven’t correctly considered your network topology.

This sounds familiar. Can you verify if you’ve enabled net.ipv4.ip_forward=1 in /etc/sysctl.conf? If you have to make a change, then issue sysctl --system to reload the updates.

Sure. You install your DE first, and then start installing software like browsers, email, etc. The net install disk is just a barebones system to get you up and running and then you install whatever you need from there. If you’re building a desktop them you might want a DE. If you’re building a server then you might want web or email services. The basic installation can be expended to include everything you want for that particular machine.

The advantage of using a pre-configured full setup is that you don’t need to know the name of all the packages you want to install, and typically you can still remove the ones you don’t like. Even with the DE you will probably find that the package also installs a number of common tools like task bar widgets or file managers. So in making a truly custom system you will have to hit google quite a bit to find the things you want to install, but then you learn what all those various packages actually do. Even the GUI login screen has multiple choices to select from which give you different ways of managing the logins. That’s one of the things most people really enjoy about linux – almost every type of software has multiple choices (like Firefox vs Chrome) so it’s easy to build up a desktop that suits your particular needs.

1. Have you looked at Mate Desktop? It’s based off of an earlier version of Gnome but I find it much more familiar to the way things used to be managed on Windows.

2. That’s going to come down to the specific hardware. A lot of vendors build their devices to only work under Windows but there are a lot of smart Linux techs who have been able to reverse-engineer working drives. Your best bet is to find a hardware compatibility list and see how much support your particular laptop has.

3. If you look at Debian, you can get the “net-install” image. This doesn’t even install a desktop environment, it simply boots you to a command line and you can install whatever you want to use. Many other distributions probably have a similar installed available, it’s just a matter of deciphering what the names mean.

4. If you install something as root, or if it’s installed by the system during the initial installation, then yes you’ll need root, but more likely you will use “sudo” which gives your user account the temporary access needed (if it was set up with that access). Again, going back to something like Debian’s net-install, everything except the core OS would be installed by you anyway.

5. “Rooting” sounds like a term you brought from an Android phone. In desktop terms, think of the root user as being like the admin on Windows. You only use it when needed, like when you’re performing a system update, otherwise you do everything under your regular user account.

6. When you install a DE like Gnome, it also adds a login to your graphical interface. If you install a second DE, then on the login screen you are presented a choice as to which one you want to use this time. If you want to switch, you just log out and select another one from the login screen. You can have as many as you want, just remember that this loads a ton of extra stuff on your system. It’s ok to play with, but then I would suggest uninstalling the ones you don’t like.

7. Wayland is the core of the DE. The previous system was Xorg, but both are still in common use. Docker is a container system, so like if you wanted to install a web server then Docker would contain all of the modules for that software independently of anything else you have installed. This means that a system update is less likely to break something (although that’s already pretty unlikely), but it does require more storage space.

The closest thing I have is Ghostery, which is just an inspector. I don’t use any extensions to modify the code of a page, so yeah I’m not sure either. I also use Firefox, just checked this at work and I’m seeing the same results. And the dev tools here agree with your findings – both normal and <em> text are using the same font. The only thing I can think of is that the font itself (on my Linux computers) have a different “A” for the two styles. Ah well, not something I care enough to dig in to further, I just thought it was odd to see that discrepancy.