Questions about Firewalls and computer monitoring

[Marie SWE]

Hi all.

I'm a newbie on Debian as for two weeks back... I have little more than two year user experience of Linux as a operating system and maximum 4-6 month of tweaking around in linux Mint18 and LMDE3 to make them work under this two+ years... So I'm trying to get the same control/function over my linux Debian workstations as I have/had on my windows workstations.
I have around 30years experience of windowsOS and I have notice that my microsofts/windows knowledge is my enemy and makes things much harder in Linux, do to windows thinking/solutions/troubleshooting and the worst part, I am used to GUI's since mid/late 90s and I like them.
So I have two newbie questions

First question.. Firewalls.
I tried to find a good firewall in the beginning with Mint18.. and failed.. so I stopped looking and focused on other things.. now it is a priority again and i have tried to find info online and failed again.. So my question is, Does it exist a good and advanced firewall to linux desktop?? free or paid.
*Requirement is. it should be able to handle mac-address rules not only IP. ( I recently learned that iptables can handle mac-adress rules )
*It should preferably be able to have a default rule to block inbound and outbound traffic. and when a new program wants network access, the firewall should ask if the program should be denied or allowed.
And last.. I would like if it had some kind of graphical user interface for management and easy overviewing.

Second question.. Monitoring.
I also would like to know what my computer is doing.. so I wonder if there is some program like windows"resource monitor" that monitor program/processes cpu activity, memory usage, diskactivity what program/process read/write to what file at the time and networkactivity what program/process connects to what target IP-adress at the time.

Is this two questions possible in Linux desktop?

I thank you all, for all answers in advance.
//Marie

[Bulkley]

I used to manually set up IPtables which has been replace with Nftables. Worth looking up. I've tried others including gufw. I have not tried shorewall but that may be the one that interests you in your network. For myself I abandoned all of these and set my Internet router/modem onboard firewall to maximum security.

[Marie SWE]

I used to manually set up IPtables which has been replace with Nftables. Worth looking up. I've tried others including gufw. I have not tried shorewall but that may be the one that interests you in your network. For myself I abandoned all of these and set my Internet router/modem onboard firewall to maximum security.

Gufw is absolutely better than nothing .... but it is a joke.. windows firewall is more advanced then gufw.
I have not read anything about Nftables. so can it use mac-address filtering like iptables?
Shorewall, I will read about it some more tomorrow after I have slept.. very messy documentation on their site
Thanks for your tip.

As first defense from internet I have a pfSense machine... and my old cisco firewall as backup/fallback.. I switched from my cisco do to old firmware.. but a okay backup to prevent longer downtime if something brakes on my pfsense.

[Bulkley]

For a resource monitor many users rely on Conky.

Back to the firewall issue, it really depends upon what you want. Agreed, gufw is not impressive. From what I can tell you want more and better. For most computers the big threat comes through the Internet. If multiple people will be using your computers and connecting their USB thumb drives then you need protection on each terminal.

I've never used it myself but look up Freedombox.

FreedomBox is designed to be your own inexpensive server at home. It runs free software and offers an increasing number of services ranging from a calendar or jabber server to a wiki or VPN. A web interface allows you to easily install and configure your apps.

Freedombox is available in Debian's repositoriy.

[Marie SWE]

For a resource monitor many users rely on Conky.

Back to the firewall issue, it really depends upon what you want. Agreed, gufw is not impressive. From what I can tell you want more and better. For most computers the big threat comes through the Internet. If multiple people will be using your computers and connecting their USB thumb drives then you need protection on each terminal.

I've never used it myself but look up Freedombox.

FreedomBox is designed to be your own inexpensive server at home. It runs free software and offers an increasing number of services ranging from a calendar or jabber server to a wiki or VPN. A web interface allows you to easily install and configure your apps.

Freedombox is available in Debian's repositoriy.

Thanks for your tip.
I will checkout Conky.
you are right. I'm used to advanced solutions in windows environment, so yes I am looking for more and better then average home user.
Yes, the biggest threat is from the outside.... but..... it's always a but in the game... each rule has an exception.
a firewall/router/gatway has historically been hacked/penetrated... and this may happen different systems in the future as well. Maybe not through a built-in "NSA backdoor" but an other zerodays vulnerability. Then it is effective to have software firewalls on all computers inside the network.
Then there are viruses, malware, spyware that can create backdoors, send information from keyloggers. Then it is good to have a firewall on the infected/targeted computer which by default blocks new programs from going online and phoning home the information.
But it maybe never happen, so I can benefit from all the extra security layers. But IF it were to happen, I wouldn't stand with my pants down and thinking "crap what is happening, what do I do now" panic mode
This is where computer monitoring comes in as well. If you can see what kind of disk activity you have and which programs use which files, which programs trying to go online and so on, then you may be lucky enough to identify things before the damage is too big.

a little story of experience.. I encountered the wanacry virus on one of my computers it was still zerodays then, it was a windows XP machine who did get infected. Thanks to the firewall in that XPcomputer, the virus couldn't spread in my network to my other windows computers and the resource monitor indicated high disk activity on my files, so I pulled the power cord before too many files had been encrypted... around 400 files had time to be encrypted before I pulled the power but only 20 files were important and there were only 6 files that were new that I didn't have backup on
Therefore, monitoring of the computer is effective and firewalls on each computer to stop outgoing traffic.

Freedombox looks like a server solution, but I will read some more about it if I'm wrong about that.

[Hallvor]

*It should preferably be able to have a default rule to block inbound and outbound traffic. and when a new program wants network access, the firewall should ask if the program should be denied or allowed.
And last.. I would like if it had some kind of graphical user interface for management and easy overviewing.

It seems like the Windows firewall would be just perfect for you. Seriously, I doubt what you ask for can be done in any other way than the CLI.

Second question.. Monitoring.
I also would like to know what my computer is doing.. so I wonder if there is some program like windows"resource monitor" that monitor program/processes cpu activity, memory usage, diskactivity what program/process read/write to what file at the time and networkactivity what program/process connects to what target IP-adress at the time.

There are tons of monitors. Just do a google search.

This command will show all connected IPs and what's connecting to them. You may have to install netstat first. Adding the command to Conky should be feasible.

Code: Select all

# netstat -natp

Is this two questions possible in Linux desktop?

We have all been Windows users, but trying to make GNU/Linux behave like Windows will end in as much bitterness and frustration as the other way around. Don't be scared of the CLI; it is a fantastic tool that will give you a kind of control you never had in Windows. Is there a steep learning curve? Absolutely. Also, accepting that you are no longer a power user can also be frustrating. I get that.

The Windows environment is incredibly hostile, with just about any malware on the planet targeting it. My Windows computer was also taken down by malware (a worm) many years ago. Asking for an armoured vehicle in a war zone makes perfect sense, but it makes less sense in a peaceful GNU/Linux suburb.

I run a firewall myself, and all external connections are blocked, but haven't bothered blocking outgoing connections. It is good enough.

[steve_v]

*It should preferably be able to have a default rule to block inbound and outbound traffic. and when a new program wants network access, the firewall should ask if the program should be denied or allowed.
And last.. I would like if it had some kind of graphical user interface for management and easy overviewing.

There are a few GUI firewall frontends, but AFAIK there's no firewall software for GNU/Linux that fits both of those requirements. [obsolete information redacted] to my knowledge nobody has implemented the "X program wants to access the internet" GUI bit.. Probably because nobody really needs to block individual applications on a system where everything is free and open source. Also most of the GUI offerings kind of suck in general.

Personally I just use UFW for simple rules on the desktop, and run a more comprehensive (IPFire) solution on my router. In the past I've used FWBuilder to generate rules for both, it's pretty powerful and might be worth a look if you don't want to deal with iptables directly abut need more than UFW or Firewalld offers.

I wonder if there is some program like windows"resource monitor" that monitor program/processes cpu activity, memory usage, diskactivity what program/process read/write to what file at the time and networkactivity what program/process connects to what target IP-adress at the time.

There are many variations on this for the CLI, most of them descending in some way from the venerable 'top' command. I like htop, but there's also iftop for network traffic, or iotop for disk access. If you use a full-blown DE, it probably includes some kind of system monitor as well.
IMO there are too many options for that category to list here, and a web-search is a better bet.

[p.H]

ptables (or nftables these days) can match by-process

No, iptables cannot match by process. The "owner" match used to be able to match on process command line, but that was unreliable and removed. Most Linux "firewalls" are only packet filters operating at the network layer, not at the process/socket layer. AFAIK, this requires using security frameworks such as AppArmor or SELinux.

[steve_v]

that was unreliable and removed.

That's news to me. So be it, I'm pretty sure nobody was using it anyway.

Ed. Huh, looks like it went away with kernel 2.6.14... Shows how long its been since I last used it.

[Bulkley]

I think I misunderstood what the OP meant by monitor. If so, Conky won't help. I suspect Tripwire is more appropriate.

Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

[Marie SWE]

I had polishing on a really long text, on and off for several hours of what to write to explain it all better..
Swedish is my mother tongue, and my English isn't the best, so it is difficult some times to write without it being misunderstood and without stepping on someone's toes, do to different points of view.. And the risk was of swearing in church with some of the content I wrote.
So I decided I shouldn't to keep the peace.

I will continue look for GUI solutions.
Thanks for all your tips.

[Hallvor]

Don't worry about it. We have thick skins, but you might want to have the same.

KDE is working on Plasma Firewall. It is not exactly what you want, but not that far off either. You can select the default policy, e.g. block all connections, and with a click of a button you can see all applications that are trying to reach the Internet. Making a fine grained firewall should not be a problem, but it will take a long time before you can see it in Debian.

Send me a PM if you think I can understand you better, and I'll try to help you. Eg forstår svensk, men det er ikkje sikkert at du forstår norsken min. (I can understand Swedish, but you might not understand my Norwegian.)

[010101]

I too, have face this dilemma. When I searched for a iptable gui, i was overwhelmed. Good god, there's so many!

One post made a good point: It really all depends on what your looking for in a gui.

Another poster made a fine point: "I doubt what you ask for can be done in any other way than the CLI."

There are many, many Gui for iptables out there. And I think there may be one that will meet your needs. But if you want precise filtering than really the CLI is the way to go. But I understand that you may have CLI anxiety, everyone does when first coming over to Linux. But this anxiety will slowly past over time, with you growing more comfortable with the CLI during the time.

By the sound of it, you seem determine to find a GUI. Which is fine. Less of a hassle than CLI. The problem is that there many. And people can suggest this GUI and that GUI, but this doesn't mean that these would be what you need. I think this is something that only you can figure out for yourself.

As for a package for monitoring your system.

Try Task Manger.

Also, I have a pullout panel, and on it I can (at a glance) see the following: incoming and outgoing network activity, sda, cpu usage, swap usage, power usage.
On another panel I monitor my temperature and power usage.
It's easy to create a panel. You can easily add what you need.

You can use the htop or top command from the CLI to look at what's happening.

[Bulkley]

"Fwbuilder Builder consists of an object-oriented GUI . . . " and it's in Debian repositories.

[steve_v]

KDE is working on Plasma Firewall.

...And yours-truly is following behind removing the gratuitous systemd dependencies so he can install it on Gentoo. It's actually quite nice as a frontend for simple desktop use.

Fwbuilder

...Is slowly, ever so slowly, creeping toward the fabled 6.0 release. I'll probably give it another spin when that drops. Personally I consider it overkill for a desktop, but if you have many machines to administer it can be not only a builder of firewall rules, but also a builder of firewall networks.

It's the usual story with GNU/Linux: GUI desktop "security" apps are properly limited, but when it comes to remote-administering a bunch of border firewalls or setting up antivirus for a mailserver we've got all the toys. It must confuse the hell out of the windows-refugees.

[Marie SWE]

Don't worry about it. We have thick skins, but you might want to have the same.

I have thick skin I have grown up with interests that are male dominating so I have been hardened. Hahaha
Okay, then I will take you at your word and swear a bit in church now. Hahaha

.
Lets begin to swearing, But to you who read this, if you are sensitive souls or faint-hearted, I really suggest you stop reading or to put cotton in your ears and blinders on.
I'm not a computer nerd. I don't have computers as a hobby or an interest... I have my computers as work tools.
I was interested in computers when I was a teenager, computers were a mental challenge and something completely new for normal people in the 80s. I lived at home at that time and didn't have all the everyday things to take care of. only school, friends and some hobbies. and I was interested in computers up to the late 90's... so I lost interest around 20 years ago.
In the 80's MDA graphics standard and ms-dos were a must and in the 90's you had to hack files to get cd-rom, sound etc. to work in win 3.11, 95 and in some cases also in the first edition of 98...... It was over 20 years ago and it is still standard in linux.
The terminal........come on...seriously... everything is so ugly in terminal it feels like the old 80s with old MDA graphics. It almost a new Back to the future part4 movie
If people love the terminal design and it's old MDA graphics so much. why do they then have graphic flashy desktop environments with different gadgets on the desktop. Isn't that contradictory if you dislike GUI environments.

I really do understand that the terminal is a powerful tool(when you know all the thousand commands and codes). But what is so wrong with both having a GUI and being able to use the terminal for those who want to??
Is it the fear of the risk that regular non-computer-nerd users will start using Linux desktops OS?
Or is it because the nerds is so stuck in the 80s/90s fetish and only focus and interest is on tweaking there LinuxOS day in and day out and not use the computer to anything else?
Why is GUI's so extremely dangerous to some linux people??
GUI is easy, it is fast, when you not a programmer or a nerd with thousands of commands stuck in your head.
One example. Network sharing and setup a network drive to the workstation
Windows control panel --> Network and sharing center --> advanced sharing settings.
enable network identification, file and printer sharing, sharing so anyone with network access can read and write in the shared folder and its subfolders. Done
Right-click on the folder or partition you want to share. select properties click Sharing and Advanced Sharing. Click on share this folder. Click on permissions. add users or select all if you want guest access to work. Done
Add network disk
Navigate to the folder on the network you want to add. Right-click and click Connect Network Device. Done
This takes about 3 minutes on a newly installed windows workstation. Difficulty level 1-10 around 3 for a regular user
And in Linux. First, you need to install samba and the necessary file sharing components
Then you have to edit/hack smb.conf with some code parameters and if you do not have them in mind, you have to write them off some document one by one or cut and paste.
Then there are two ways. With Caja sharing root permission and right click on a folder/partition and click share. or via smb.conf write an entire code for a shared folder or partition.
To connect a network resource as a disk, you must edit the file fstab and write some code.
Time around 15 minutes. Difficulty level 1-10 around 8 for a regular user

Linux did have a easy gui-tool system-config-samba or what is name was.. but its gone..... why make somethings easy if you can do it the hard way.
GUI is a good thing for normal people. and it will not destroy the linux world. it can even make it grow so more people starts using it.

The terminal/CLI or what ever you want to cal it, has no spelling check so for me and everyone else who has dyslexia and difficult to spell sometimes the terminal and file hack becomes very time consuming... and it's really ugly

.
So... my point is why I want GUI's.. it is because it's efficient, it saves me a lot of time and I don't have to study code/hacks to set up my computer or use them.... and this is year 2021 and graphic design is way better than the 80s MDA graphics that iotop or htop or....... gives.
Just to be a little ironically humorous.. Some of us even have a life outside of the computer-world as well, and don't really have the time to study code and hacks for several month or even years, to setup a computer so it works.

Sorry if my swearing was too much here in church, or if stepped on someone's toe.

[Hallvor]

The terminal is intimidating to beginners, but something you'll not want to get rid of in a few years. With a few commands, I can change the desktop environment or remove the GUI and use it as a server. Try doing that in the GUI of Windows.

What desktop environment are you using? KDE is by far the most GUI point-and-click desktop environment.

One example:



GNU/Linux is not some free version of Windows. Forget it. It will never be the same. But you'll probably never have to worry about virus attacks, reboots every few days, that the system slows down terribly within a few years, and the high resource usage.

[Marie SWE]

The terminal is intimidating to beginners, but something you'll not want to get rid of in a few years. With a few commands, I can change the desktop environment or remove the GUI and use it as a server. Try doing that in the GUI of Windows.

What desktop environment are you using? KDE is by far the most GUI point-and-click desktop environment.

One example:

[img https://i.ibb.co/fXnxYkx/Screenshot-202 ... -13-46.png[/img]

GNU/Linux is not some free version of Windows. Forget it. It will never be the same. But you'll probably never have to worry about virus attacks, reboots every few days, that the system slows down terribly within a few years, and the high resource usage.

My message was not directed to you but to the linux world.

I'm not intimidated of the terminal I grow up with ms-dos and basic.. it's just so old school.. I just don't like it and it's unnecessarily time consuming and ugly.. and I don't have thousand and thousands of commands in my head or time to study em all. so GUI's is faster
??why should I remove windows GUI.. I like the gui environment.
Even If I can remove GUI it in linux, I will never do a stupid thing like that.

I used Xfce because it is resource efficient and it runs much cooler on laptops and no flashy layout it's like win2000. and I switched to use whisker menu.
I have installed a lot of GUI programs from the other desktop environments to get the best out of them all. GUI program manager from gnome and the system monitor from gnome and some other Gui's

Oh no not again...... I have heard several people say that.. And some say that you don't need to monitor your computer or local Lan at all... and that antivirus is not needed and you are only affected by viruses etc in windows.
Sorry to rock the cradle, but Linux is not an immune system. I think the last one was called EvilGnome and Linux networks has been hacked earlier in history.
Yes windows is usually targeted as there are more windows computers in the world. But the bigger the linux world gets, the more malware will come to linux systems in the future as well. yes the structure is different, but everything depends on the user.. This also applies to windows as well ... the user has to do something stupid, like install software, click on a link and approve the activity. same thing with evilgnome
So it is better to be prepared that all evil things can happen, than being naive and believing that nothing can happen to "me". it may work in stealth mode, something that you might not even notice that it even works in the background that sends data back to hackers or who ever it may be behind it take your pick.. If it doesn't interfere or is destructive to your system, it can live forever in the background and the user will never notice it because "Linux will never be affected mentality"

Why reboot windows every few days? If you can Linux you can learn windows easier and faster.
I have one win7 computer right at this moment with a uptime of over 6+month.. My HPserver is a win2008R2 it's stable to.
I know windows systems way more than I want to know it. unfortunately I have 30years of wincrap experience so I know how to tweak it to be stable, resource efficient and not have all idiotic background activity's or telemetry crap. And I can do it GUI style without filehacks or commandprompt commands.
The problem is win7EOL and win10 is a spyware rolling release, so everything that's tweaked to stop the evil M$, is undone after a big OSrollup
That's why I switched over to linux to not have to fix all computers all the time... just install, tweak it ones, make a recovery image of the system and then forget it for years to come.. If the HDD crash a year o two from now. just replace it, run recovery and the system is up within 15mins and no tweaks is necessary.. just a few security updates to install.
This is why I am spoiled and I want GUI's. easy, fast and you don't have to study codes, commands.. just have to focus on how the system works, not the code of how the system works... I'm not a programmer and I don't want to never-ever become a programmer.

:thumb up: I have full respect for programmers and they are the ones that do a fantastic job of making programs and operating systems easier for us users. But programming and code it is not my profession or my interest, so to speak...
as in the matrix movie, I will take the blue pill, i don't care for the matrix-code I care about the system working when I need to work

As in my earlier post above http://forums.debian.net/viewtopic.php?p=736474#p736474 swearing in church wasn't a good thing.
I am really sorry.. I am a user... not a worshiper
sorry everyone

[steve_v]

If people love the terminal design and it's old MDA graphics so much. why do they then have graphic flashy desktop environments with different gadgets on the desktop. Isn't that contradictory if you dislike GUI environments.

I expect most people here have and use both, for variable degrees of "flashy". Some prefer very minimal desktops, but few use the console exclusively.
I for one don't dislike GUI environments, I just find them superfluous a lot of the time. Bash in a console window is literally the most frequently used application (though with stiff competition from firefox) on my shiny desktop.

I really do understand that the terminal is a powerful tool(when you know all the thousand commands and codes). But what is so wrong with both having a GUI and being able to use the terminal for those who want to??

Nothing at all. But that's very different from refusing to learn/use the terminal and complaining when certain tasks are only achievable there, or getting pissy when people ask you to run commands for troubleshooting purposes.
Both of those happen fairly regularly, and it's extremely irritating, especially when you're trying to help someone in good faith and they turn around and attack you for being a "terminal elitist". There are numerous writeups on why the CLI is better for technical support, so I'll not regurgitate them here.

Is it the fear of the risk that regular non-computer-nerd users will start using Linux desktops OS?

Personally I consider the drive for easy/pretty over functional that seems to be gaining traction somewhat counterproductive, and the "GNU/Linux needs more users" argument that always appears alongside "terminal is too hard for normal users" rather ridiculous. But that's just me. I'd much prefer a system that works over one that looks nice, and I really don't see why GNU/Linux needs a bunch more non-contributing non-technical "users".
Those two arguments almost always come from people leaving Windows and accustomed to using a commercial product from a corporation who cares about it's market share, they expect everything to be easy and they expect to have someone to blame when it doesn't work the way they want. GNU/Linux doesn't work that way at all, and we don't need the attitude.
GNU/Linux is not a product, you can't vote with your wallet, and it doesn't have any sales to compete for. If you aren't contributing it doesn't loose anything if you don't use it either.

So no, speaking only for my self of course, I'm not afraid that "regular users" will start using GNU/Linux. I just don't have time for help-vampires who will never give anything back to the community, or for people who expect someone else to work on $feature for free and complain when it isn't there.

One example. Network sharing...

For starters, SMB shares are a Windows thing and many GNU/Linux users prefer NFS/SSHFS/etc. Samba is arcane and poorly integrated into the desktop because it's a standalone server project for a non-native protocol.
Secondly, many DEs/file managers do indeed have an easy sharing configuration. I don't run Debian on any desktop machines so I can't check, but my Gentoo/KDE5 setup has an easy "share" tab in the file properties dialog.

...it can even make it grow so more people starts using it.

I was waiting for it, and there it is. It always comes around to this one argument. Why exactly does GNU/Linux need more users again?
More people using Windows means more people paying for Windows. GNU/Linux is free, so what we need isn't more users, it's more hackers. Y'know, people who contribute their time to making GNU/Linux better, so we can have more nice stuff.

So... my point is why I want GUI's.. it is because it's efficient, it saves me a lot of time and I don't have to study code/hacks to set up my computer or use them.

Personally I find the CLI more efficient. Case in point: if I want a real file manager, I still use "mc", because the keyboard is far, far faster than using a mouse... If you've used DOS you'll probably spot it as a Norton Commander clone right away.
Most people working on software for GNU/Linux work on the stuff they find useful, if that doesn't include a GUI for a particular task, it doesn't get written. vOv.
If you want something else, you're welcome to write it yourself or find a dev you can ask/bribe to do it for you.

See, we're back to the "product" vs. "community" / "want" vs "do" bit. The GNU/Linux community doesn't (for the most part) have a project-manager telling them to work on a GUI for "normal users" to boost market share. Instead, if you want something done you either ask a developer really nicely, or you learn to code and do it yourself. Complaining or appealing to market-share achieves nothing, because nobody is competing.

GNU/Linux is not a free Windows. It's not a free MacOS. It's not a commercial product at all, it's a community of users and developers (who are quite often the same people) and it doesn't have the same priorities that a corporation does.
If you want to use it effectively and be a worthwhile member of the community, you will have to unlearn the things you know from using commercial OS... Once you do, you'll never go back.

I have 30years of wincrap experience

Windows power-users are the worst. So much to unlearn they have.

I have full respect for programmers and they are the ones that do a fantastic job of making programs and operating systems easier for us users. But programming and code it is not my profession or my interest, so to speak.

Fair enough... But that doesn't buy you licence to tell people who do code that their stuff sucks or what thing they should be working on instead.

I care about the system working when I need to work

Well then you're welcome to grab the source code and make it so, or to go back to a commercial OS so you can (indirectly) pay someone else to do it for you.
To retrieve a very old meme I had laying around:

If what you want is a finished "car", with a warranty and 24/7 roadside support (as well as GPS tracking and ads on the entertainment unit), you're in the wrong place.
If you're more interested in making it your car, just how you want it, and you're not afraid to get your hands dirty, welcome aboard.

sorry everyone

Unnecessary IMO, I enjoy a good argument. Just don't expect to convince anyone so easily.

To return to the OP, I actually agree that a GUI firewall would be nice... Just not enough to complain at the lack thereof or to write one myself. The effort involved far outweighs the benefit, and GUIs are a PITA to code.
As for antimalware... 20+ years using GNU/Linux daily, zero concerns. I'm not getting sucked into that argument again, so I'll leave it at that.

[Marie SWE]

I really do understand that the terminal is a powerful tool(when you know all the thousand commands and codes). But what is so wrong with both having a GUI and being able to use the terminal for those who want to??

Nothing at all. But that's very different from refusing to learn/use the terminal and complaining when certain tasks are only achievable there, or getting pissy when people ask you to run commands for troubleshooting purposes.
Both of those happen fairly regularly, and it's extremely irritating, especially when you're trying to help someone in good faith and they turn around and attack you for being a "terminal elitist". There are numerous writeups on why the CLI is better for technical support, so I'll not regurgitate them here.

I don't get "pissy" for troubleshooting suggestions I only ask about GUI firewall and to monitor my computer thru a GUI.. I already know CLI commands thru google Here is one "sudo iotop --only --delay=1". . but I don't want 4-5 terminal windows open in the background at all time doing one thing only. I want one window so I fast can alt+tab to switch to. as I am used to. perhaps two windows. and yes I can with time learn iptabels and just isolate my linux machines from my win-machines until i have time to learn the code/commands.
I didn't ask for cli tip, I just asked about GUIs

Is it the fear of the risk that regular non-computer-nerd users will start using Linux desktops OS?

Personally I consider the drive for easy/pretty over functional that seems to be gaining traction somewhat counterproductive, and the "GNU/Linux needs more users" argument that always appears alongside "terminal is too hard for normal users" rather ridiculous. But that's just me. I'd much prefer a system that works over one that looks nice, and I really don't see why GNU/Linux needs a bunch more non-contributing non-technical "users".
Those two arguments almost always come from people leaving Windows and accustomed to using a commercial product from a corporation who cares about it's market share, they expect everything to be easy and they expect to have someone to blame when it doesn't work the way they want. GNU/Linux doesn't work that way at all, and we don't need the attitude.
GNU/Linux is not a product, you can't vote with your wallet, and it doesn't have any sales to compete for. If you aren't contributing it doesn't loose anything if you don't use it either.

So no, speaking only for my self of course, I'm not afraid that "regular users" will start using GNU/Linux. I just don't have time for help-vampires who will never give anything back to the community, or for people who expect someone else to work on $feature for free and complain when it isn't there.

Linux communitys was proud when it's reached 1% of the market and wants to be bigger and be a serious contender on the market.. how should that be possible if non-tech users is unwanted?
and yes, I have contributed... I have written a couple of GUI-style guides for the absolute beginner in a swedish forum and helped users solve linux problems and hardware problems. I also have find a way to avoid the old linux swap death problem on lowend macines and are going to write about that in the future when i get the time. so yes I do contributes.. I just prefer the gui-style-ways of things.

One example. Network sharing...

For starters, SMB shares are a Windows thing and many GNU/Linux users prefer NFS/SSHFS/etc. Samba is arcane and poorly integrated into the desktop because it's a standalone server project for a non-native protocol.
Secondly, many DEs/file managers do indeed have an easy sharing configuration. I don't run Debian on any desktop machines so I can't check, but my Gentoo/KDE5 setup has an easy "share" tab in the file properties dialog.

Yes and I do have both Linux and windows machines in my network up to 2023 online and after 2023 they will be offline but still in my network, so SMBshares is necessary.

So... my point is why I want GUI's.. it is because it's efficient, it saves me a lot of time and I don't have to study code/hacks to set up my computer or use them.

Personally I find the CLI more efficient. Case in point: if I want a real file manager, I still use "mc", because the keyboard is far, far faster than using a mouse... If you've used DOS you'll probably spot it as a Norton Commander clone right away.
Most people working on software for GNU/Linux work on the stuff they find useful, if that doesn't include a GUI for a particular task, it doesn't get written. vOv.
If you want something else, you're welcome to write it yourself or find a dev you can ask/bribe to do it for you.

See, we're back to the "product" vs. "community" / "want" vs "do" bit. The GNU/Linux community doesn't (for the most part) have a project-manager telling them to work on a GUI for "normal users" to boost market share. Instead, if you want something done you either ask a developer really nicely, or you learn to code and do it yourself. Complaining or appealing to market-share achieves nothing, because nobody is competing.

GNU/Linux is not a free Windows. It's not a free MacOS. It's not a commercial product at all, it's a community of users and developers (who are quite often the same people) and it doesn't have the same priorities that a corporation does.
If you want to use it effectively and be a worthwhile member of the community, you will have to unlearn the things you know from using commercial OS... Once you do, you'll never go back.

Oh yes i can understand that Cli is faster for you who can the commands.. I get that.. but how fast ware you in cli the first time when you didn't know all the commands. that was what i meant, I am faster in GUI do to lack of commands in my head and my dyslexia.. to exaggerate a bit, but how well does this work in terminal as it doesn't have spell checking.. apt instal libreofice... then i need to experiment with spelling or thru a spellchecker.. then the gui becomes is faster and more efficient for me. I do can spell install and office, but it was an example of a problem for some people in this world.
and yes i love to know some programmer who as the interest of making guis. and i have tried true mint to suggesting things to make some things easier for noobs. and a can't easy learn to code that does require to spell correctly all times. and it takes years to learn or schooling.

I have full respect for programmers and they are the ones that do a fantastic job of making programs and operating systems easier for us users. But programming and code it is not my profession or my interest, so to speak.

Fair enough... But that doesn't buy you licence to tell people who do code that their stuff sucks or what thing they should be working on instead.

??? where did i write that someone's code sucks... please do quote that part where I wrote that

I care about the system working when I need to work

Well then you're welcome to grab the source code and make it so, or to go back to a commercial OS so you can (indirectly) pay someone else to do it for you.
To retrieve a very old meme I had laying around:
[img https://i.postimg.cc/LssrxQTn/linux-car-kit.jpg[/img]
If what you want is a finished "car", with a warranty and 24/7 roadside support (as well as GPS tracking and ads on the entertainment unit), you're in the wrong place.
If you're more interested in making it your car, just how you want it, and you're not afraid to get your hands dirty, welcome aboard.

That's why I by a used car, i do not need roadside support i just need to know where I can get/buy the tools to use to it, not how to build the tools from scratch my self

sorry everyone

Unnecessary IMO, I enjoy a good argument. Just don't expect to convince anyone so easily.

To return to the OP, I actually agree that a GUI firewall would be nice... Just not enough to complain at the lack thereof or to write one myself. The effort involved far outweighs the benefit, and GUIs are a PITA to code.
As for antimalware... 20+ years using GNU/Linux daily, zero concerns. I'm not getting sucked into that argument again, so I'll leave it at that.

I also love a good discussion.and it's fun to meet new people with a really good discussion and a bit of humor in it all.. and it's always fun to see how big different views people have based on the different interests that we are all driven by.... and i got a chance to work on my bad English
It was fun that with the car example, as I have a interest of modify, style and tune cars.. but I will never want to build a car from scratch