Steam Deck

L.Brown May 3, 2022 @ 1:59pm
How to install a firewall like ufw on the Steam Deck?
Like on my PC desktop I would like to install a firewall on the Steam Deck, for example to remove internet access from games that do not need it.

In the Steam Deck desktop settings it says that no firewall is installed and you have to install ufw first, for example. Unfortunately this is not found in the package manager.

Can someone tell me how to install this (or any other "good") firewall, along with a GUI like Gufw? I have already set a password for the Steam Deck. However, I have read that my own program installations via the terminal are probably stored by default only in a read-only directory and therefore may only work temporarily?

Thank you very, very much for any help!
Last edited by L.Brown; May 3, 2022 @ 2:01pm
Showing 16-30 of 34 comments
retrogunner May 4, 2022 @ 3:20pm
Originally posted by The Nintendo guy:
from what I've read on some other forum here, Steam is installed natively, not as a flatpak.
Also even if steam was a flatpak, all games would also use steam settings
Like if I deny internet access to Steam, all my games would also lose access. Otherwise this would probably be a pretty major exploit, if an app could bypass the sandboxing just like that.

From how I read what you wrote, there may be some miscommunication or misunderstanding of how Firewalls work. It might be worthwhile to search YouTube for a simplistic explanation of how Firewalls work.

The native Steam client of SteamOS 3.x would *not* be impacted in any way if I tell the firewall to DROP unrequested incoming packets. NOTE: I did not say DROP outbound packets & requested connections. In fact, no network *client* would be impacted for an outbound request.

When establishing a TCP/IP connection from the Deck to Valve:
+ Steam (on Deck) -> Valve's listening port
-- I want to talk to you, I'm going to listen on my higher port number (say 56432), open your connection back to me there
+ Valve -> Steam Deck, Valve knocks on Steam Deck's listening port (say 56432)
-- Hey, it's Valve, can I talk to you? [Deck's OS] Yup. Let's keep using this number.

With an Incoming DROP configured, the above is allowed as the Steam Deck *initiated* the session. What won't work is this:

+ Hacker -> Steam Deck port 22 for SSH port attack
-- Steam Deck, I'm not going to respond to that 'cause I didn't call you first. You don't even get to talk to the hand, mic drop.

But say you want to host a game - like Terraria or Don't Starve Alone, this is where the game is going to want to LISTEN on its configured port. Requests to it will be unsolicited and we don't want to DROP them.

So to make things available to connect to listening game servers, SSHd, etc., we need to either:
a) leave the firewall wide open (or off) so we can play party games (and be vulnerable to network attack/exploits)
b) have a simple, sensible Firewall management toolset similar to GUFW (ufw underneath) so from the GUI, it's as easy as a UI Toggle.

Having a Game Mode UI for managing the built-in Linux kernel iptables (firewall) should be a priority.
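
An added sketch of the stateful filtering described in the post above (not part of the original post and not code from any poster): outbound packets are allowed and remembered, and inbound packets are accepted only if they reverse a remembered flow or target a port opened on purpose. It simplifies real connection tracking (no TCP states or timeouts); the addresses are documentation-range placeholders and port 7777 for a hosted game is an assumption, while 56432 and 22 come from the post.

```python
# Added example: minimal stateful packet filter (default: drop unsolicited inbound).
from dataclasses import dataclass

DECK = "192.0.2.10"  # constructed address standing in for the Steam Deck


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self, local_ip, allowed_listen_ports=()):
        self.local_ip = local_ip
        self.allowed = set(allowed_listen_ports)  # (proto, port) opened on purpose
        self.flows = set()                        # flows the Deck itself initiated

    def check(self, p):
        if p.src == self.local_ip:                # outbound: allow and remember it
            self.flows.add((p.proto, p.sport, p.dst, p.dport))
            return "ACCEPT (outbound, tracked)"
        if (p.proto, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT (reply to tracked flow)"   # same flow, direction reversed
        if (p.proto, p.dport) in self.allowed:
            return "ACCEPT (allowed listening port)"
        return "DROP (unsolicited inbound)"


def demo():
    fw = StatefulFilter(DECK, allowed_listen_ports={("tcp", 7777)})
    packets = [  # constructed traffic
        Packet("tcp", DECK, 56432, "198.51.100.5", 443),   # Deck -> remote service
        Packet("tcp", "198.51.100.5", 443, DECK, 56432),   # that service's reply
        Packet("tcp", "203.0.113.9", 40000, DECK, 22),     # unsolicited SSH attempt
        Packet("tcp", "203.0.113.9", 443, DECK, 56432),    # other host, same Deck port
        Packet("tcp", "203.0.113.77", 51000, DECK, 7777),  # player joining hosted game
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth packet is dropped even though it targets the Deck's open client port, because the whole flow (peer address and both ports) has to match, not just the port number.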
Marlock May 4, 2022 @ 4:54pm
i totally agree Valve should include a firewall to SteamOS 3, PiHole is just an idea for a temporary workaround, because hell only knows how long it's gonna take for them to add one... maybe tomorrow, maybe next year with so much on their plate right now

Yes, it's possible to install native packages, but you'll need to follow several steps to make the OS writeable, and all system changes will probably be lost after the next major upgrade, plus it's a bit risky for noobs... if you're ok with that, go for it, but don't do it blindly... and expect issues... SteamOS 3 is not fully stabilized, even with the system in read-only mode things happen to it
Last edited by Marlock; May 4, 2022 @ 4:56pm
Der tüddelige Fußgänger May 5, 2022 @ 10:11am
Originally posted by retrogunner:
Originally posted by The Nintendo guy:
from what I've read on some other forum here, Steam is installed natively, not as a flatpak.
Also even if steam was a flatpak, all games would also use steam settings
Like if I deny internet access to Steam, all my games would also lose access. Otherwise this would probably be a pretty major exploit, if an app could bypass the sandboxing just like that.

From how I read what you wrote, there may be some miscommunication or misunderstanding of how Firewalls work. It might be worthwhile to search YouTube for a simplistic explanation of how Firewalls work.

The native Steam client of SteamOS 3.x would *not* be impacted in any way if I tell the firewall to DROP unrequested incoming packets. NOTE: I did not say DROP outbound packets & requested connections. In fact, no network *client* would be impacted for an outbound request.

When establishing a TCP/IP connection from the Deck to Valve:
+ Steam (on Deck) -> Valve's listening port
-- I want to talk to you, I'm going to listen on my higher port number (say 56432), open your connection back to me there
+ Valve -> Steam Deck, Valve knocks on Steam Deck's listening port (say 56432)
-- Hey, it's Valve, can I talk to you? [Deck's OS] Yup. Let's keep using this number.

With an Incoming DROP configured, the above is allowed as the Steam Deck *initiated* the session. What won't work is this:

+ Hacker -> Steam Deck port 22 for SSH port attack
-- Steam Deck, I'm not going to respond to that 'cause I didn't call you first. You don't even get to talk to the hand, mic drop.

But say you want to host a game - like Terraria or Don't Starve Alone, this is where the game is going to want to LISTEN on its configured port. Requests to it will be unsolicited and we don't want to DROP them.

So to make things available to connect to listening game servers, SSHd, etc., we need to either:
a) leave the firewall wide open (or off) so we can play party games (and be vulnerable to network attack/exploits)
b) have a simple, sensible Firewall management toolset similar to GUFW (ufw underneath) so from the GUI, it's as easy as a UI Toggle.

Having a Game Mode UI for managing the built-in Linux kernel iptables (firewall) should be a priority.
I know what a firewall is and somewhat how it works
(use ufw myself with some simple premade setting)
It's just that using native packages in immutable file systems can be a hassle, I think Valve itself says that it's not recommended and that they could be removed after an update.
It's just that at least denying network access is at least something.
retrogunner May 5, 2022 @ 1:30pm
Nintendo Guy - cool. see, it was me just mis-reading what you wrote. (I hope the simplified explanation helps others.)

I do concur about not enabling r/w due to OS updates. I've a growing list of "TODOs" so once I get my Deck, I can both contribute back with some community improvements & have the Deck as portable game/toolbox.
Last edited by retrogunner; May 5, 2022 @ 1:31pm
Orbb May 7, 2022 @ 8:44am
On my Windows gaming machine everything is blocked by default and only applications that I want to be able to connect are whitelisted.

On my Linux machine I never managed to do the same thing with the firewall. Everything looked like it had some problem down the line when I looked for more information about it, so I gave up. Granted, I'm a huge Linux noob so there is probably a way.
Last edited by Orbb; May 7, 2022 @ 8:44am
L.Brown December 6, 2022 @ 10:06am
So, there isn't any newsworthy update on this matter, or?
LeviathanWon December 6, 2022 @ 10:47am
There is nothing there to see, interact with or change, it's immutable. The games themselves, whatever militant activities, whatever unwanted surveillance, are contained... the most they could do is maybe change your settings in that particular game.

Repeating it, many many times....

If you wanted to use ufw, you would not be able to write rules.

Troll post, load a full fledged writeable os, with root access, configure the way you want if you want it that way.
Last edited by LeviathanWon; December 6, 2022 @ 10:57am
PrivateXTC December 6, 2022 @ 1:27pm
Originally posted by L.Brown:
The thing I don't like is that the games don't ask if they are allowed to do that and just do it, and I don't know which data are

They do tell you, they just know no one will read the agreements they ask you to read when you install. Like EA's walls of text before you even play the game.
7iNDA January 17, 2023 @ 12:17am
Originally posted by retrogunner:
Originally posted by The Nintendo guy:
from what I've read on some other forum here, Steam is installed natively, not as a flatpak.
Also even if steam was a flatpak, all games would also use steam settings
Like if I deny internet access to Steam, all my games would also lose access. Otherwise this would probably be a pretty major exploit, if an app could bypass the sandboxing just like that.

From how I read what you wrote, there may be some miscommunication or misunderstanding of how Firewalls work. It might be worthwhile to search YouTube for a simplistic explanation of how Firewalls work.

The native Steam client of SteamOS 3.x would *not* be impacted in any way if I tell the firewall to DROP unrequested incoming packets. NOTE: I did not say DROP outbound packets & requested connections. In fact, no network *client* would be impacted for an outbound request.

When establishing a TCP/IP connection from the Deck to Valve:
+ Steam (on Deck) -> Valve's listening port
-- I want to talk to you, I'm going to listen on my higher port number (say 56432), open your connection back to me there
+ Valve -> Steam Deck, Valve knocks on Steam Deck's listening port (say 56432)
-- Hey, it's Valve, can I talk to you? [Deck's OS] Yup. Let's keep using this number.

With an Incoming DROP configured, the above is allowed as the Steam Deck *initiated* the session. What won't work is this:

+ Hacker -> Steam Deck port 22 for SSH port attack
-- Steam Deck, I'm not going to respond to that 'cause I didn't call you first. You don't even get to talk to the hand, mic drop.

But say you want to host a game - like Terraria or Don't Starve Alone, this is where the game is going to want to LISTEN on its configured port. Requests to it will be unsolicited and we don't want to DROP them.

So to make things available to connect to listening game servers, SSHd, etc., we need to either:
a) leave the firewall wide open (or off) so we can play party games (and be vulnerable to network attack/exploits)
b) have a simple, sensible Firewall management toolset similar to GUFW (ufw underneath) so from the GUI, it's as easy as a UI Toggle.

Having a Game Mode UI for managing the built-in Linux kernel iptables (firewall) should be a priority.

I do agree with that. Anyway, you can still do it manually if you need to.

1. Go to desktop mode with mouse and keyboard, you're gonna need that.
2. Run "Konsole" to access the terminal.
3. Set up a password for your root access to your Steam Deck (by default there is no password), use command -- passwd "your password".
4. Run command -- sudo steamos-readonly disable, to disable read-only mode.
5. Run command -- sudo pacman -S ufw
6. Run command -- sudo steamos-readonly enable, to turn read-only mode back on.

Go to Settings and Firewall; you should see your firewall option enabled.
PopinFRESH January 17, 2023 @ 12:48am
Originally posted by 7iNDA:
Originally posted by retrogunner:

From how I read what you wrote, there may be some miscommunication or misunderstanding of how Firewalls work. It might be worthwhile to search YouTube for a simplistic explanation of how Firewalls work.

The native Steam client of SteamOS 3.x would *not* be impacted in any way if I tell the firewall to DROP unrequested incoming packets. NOTE: I did not say DROP outbound packets & requested connections. In fact, no network *client* would be impacted for an outbound request.

When establishing a TCP/IP connection from the Deck to Valve:
+ Steam (on Deck) -> Valve's listening port
-- I want to talk to you, I'm going to listen on my higher port number (say 56432), open your connection back to me there
+ Valve -> Steam Deck, Valve knocks on Steam Deck's listening port (say 56432)
-- Hey, it's Valve, can I talk to you? [Deck's OS] Yup. Let's keep using this number.

With an Incoming DROP configured, the above is allowed as the Steam Deck *initiated* the session. What won't work is this:

+ Hacker -> Steam Deck port 22 for SSH port attack
-- Steam Deck, I'm not going to respond to that 'cause I didn't call you first. You don't even get to talk to the hand, mic drop.

But say you want to host a game - like Terraria or Don't Starve Alone, this is where the game is going to want to LISTEN on its configured port. Requests to it will be unsolicited and we don't want to DROP them.

So to make things available to connect to listening game servers, SSHd, etc., we need to either:
a) leave the firewall wide open (or off) so we can play party games (and be vulnerable to network attack/exploits)
b) have a simple, sensible Firewall management toolset similar to GUFW (ufw underneath) so from the GUI, it's as easy as a UI Toggle.

Having a Game Mode UI for managing the built-in Linux kernel iptables (firewall) should be a priority.

I do agree with that. Anyway, you can still do it manually if you need to.

1. Go to desktop mode with mouse and keyboard, you're gonna need that.
2. Run "Konsole" to access the terminal.
3. Set up a password for your root access to your Steam Deck (by default there is no password), use command -- passwd "your password".
4. Run command -- sudo steamos-readonly disable, to disable read-only mode.
5. Run command -- sudo pacman -S ufw
6. Run command -- sudo steamos-readonly enable, to turn read-only mode back on.

Go to Settings and Firewall; you should see your firewall option enabled.

An important note for this, or any other modification done by temporarily disabling the immutable filesystem to make modifications to it, is any time you do an update these changes will be lost and you will need to redo the installation and configuration.
L.Brown January 17, 2023 @ 1:47pm
Originally posted by PopinFRESH:
An important note for this, or any other modification done by temporarily disabling the immutable filesystem to make modifications to it, is any time you do an update these changes will be lost and you will need to redo the installation and configuration.

And that is a real bummer...=(
(Or do the changes (via rules for example) remain through the firewall, only the firewall option itself is disabled again?)
Last edited by L.Brown; January 17, 2023 @ 1:49pm
Mahjik January 17, 2023 @ 2:24pm
Originally posted by L.Brown:
Originally posted by PopinFRESH:
An important note for this, or any other modification done by temporarily disabling the immutable filesystem to make modifications to it, is any time you do an update these changes will be lost and you will need to redo the installation and configuration.

And that is a real bummer...=(
(Or do the changes (via rules for example) remain through the firewall, only the firewall option itself is disabled again?)

In theory, it should just be the firewall being enabled. Although, only one way to find out.
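
To answer that after an update rather than guess, this added example (not from any poster in the thread) checks the text printed by `sudo ufw status verbose` for an active firewall with a deny-by-default incoming policy and lists the inbound ports left open. The embedded sample output is constructed, and port 7777 and the script name `ufw_audit.py` are placeholders.

```python
# Added example: audit the text printed by `sudo ufw status verbose`.
import re
import sys

# Constructed sample of `ufw status verbose` output (port 7777 is a placeholder).
SAMPLE = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
7777/tcp                   ALLOW IN    Anywhere
7777/tcp (v6)              ALLOW IN    Anywhere (v6)
"""


def audit(status_text):
    """Return a list of findings; an empty list means the baseline holds."""
    findings = []
    if not re.search(r"^Status:\s*active\s*$", status_text, re.M):
        findings.append("firewall is not active")
    m = re.search(r"^Default:\s*(\w+) \(incoming\)", status_text, re.M)
    if not m or m.group(1) not in ("deny", "reject"):
        findings.append("default incoming policy is not deny/reject")
    return findings


def open_inbound(status_text):
    """List the 'To' column of every ALLOW IN rule (ports reachable unsolicited)."""
    rules = re.findall(r"^(\S.*?) {2,}ALLOW IN\b", status_text, re.M)
    return sorted({r.replace(" (v6)", "") for r in rules})


if __name__ == "__main__":
    # Hypothetical usage: sudo ufw status verbose | python3 ufw_audit.py -
    # With no argument the constructed SAMPLE above is audited instead.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    problems = audit(text)
    print("open inbound:", open_inbound(text))
    print("OK" if not problems else "PROBLEMS: " + "; ".join(problems))
```

If the `ufw` package itself was removed, the pipe delivers empty input and both findings are reported.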
Schorsch Wadschinken January 29, 2024 @ 2:45pm
Installing firewalls should be possible using Nix packages now, right? Ufw doesn't seem to be available. I installed OpenSnitch but it doesn't seem to do anything
L.Brown January 30, 2024 @ 10:01am
Originally posted by element109:
In the OS settings app there is a firewall already built in, I assume it works if you have enabled checked.

But it is sadly very basic. For example, I would expect it to show me which program has gone online or, if one goes online, to ask me if it is OK. Unfortunately, neither of these is the case =(.

@ LeviathanWon: Don't know what you are trying to say?

Date Posted: May 3, 2022 @ 1:59pm
Replies: 34