5
submitted 28 minutes ago by [email protected] to c/[email protected]

Hello everyone,

I'm looking to increase the security of my computers a bit through firewalld (with the KDE settings). I have a desktop and a laptop, both running Fedora 40 with KDE plasma. I don't have access to the router's firewalls etc etc this is only for my machines.

The issue is I'm having a hard time navigating the zones and setting rules the way I want. I don't wanna deal with switching to UFW and while I generally like CLI stuff I'd prefer to generally stick with the GUI here even though I find it a bit confusing (I will use CLI if necessary tho).

Anyways, let's get to the point. Firstly the only difference between the laptop and desktop, in terms of use-case, is that on my desktop I'm always connected to my home's subnet via LAN while on my laptop I often connect to public wifis, so naturally the laptop is a little less secure.

For my use-case I care about 3 network interfaces:

  • tailscale: this is the one I use to ssh into my machines and stuff and I want this to be the only interface which allows me to ssh. This is because not only does it allow me to ssh remotely but I also figure it is the most secure way to use ssh, as the Tailscale team is probably better at security than I am.
  • Proton VPN's: this I use for gaming, web browsing and seeding Linux ISOs so I'd like settings that block everything without affecting these usecases.
  • normal internet: I almost always have my VPN on but occasionally I don't for one reason or another and I only use this for web browsing and gaming via steam. Settings I'd like here are essentially the same as ProtonVPN's but stricter if it makes sense to be stricter, especially on the laptop where it's likely a public wifi I'm connecting to when I'm not home. If it's possible I'd also like this interface to be hidden from nmap scans.

I do some light pentesting to learn so there's also that.

I currently have every relevant connection set to FedoraWorkstation zone by default except I manually tell the laptop to switch to public zone for public wifis (I'd change the default to be public and specify other zones for non-public connections but rn I'm in a period of time when I'm only connecting it to my home network so I wanna figure this out first).

My question is, which zones should I use and what rules should I implement to make this more secure?

Thanks in advance

[-] [email protected] 1 points 1 week ago

duh, still a useful statistic IMO

[-] [email protected] 2 points 1 week ago

I'd say now's the time, by now I mean as soon as it's appropriate.

I was once asked if I could crack a password of a windows PC in an office cause the guy who used to work there no longer remembers it and they wanted to reuse the old PC. I asked if they need to recover any data, if they used any software that would be incompatible with Linux (not like this but directly mentioning software and asked for a list of stuff they use) and then told them it would simply be easier to install Linux on the thing, not only it's easier but since it's an old machine running windows 7 it's also more secure and the computer will perform well.

During the installation we found out that the computer is glorified junk, took ages to even attempt to format the disk to ext4. Still got to install Linux Mint on another one of their computers tho, big success.

[-] [email protected] 1 points 1 week ago* (last edited 1 week ago)

note if you sum up the linux distros here (excluding ChromeOS) you get 58,4% for personal use and 54,54% for professional use (of course keep in mind that there's some godless bastards who dual boot 2 linux distros that could skew these statistics).

Also note how that implies Linux is the most popular OS for professional use.

Anyways, I wish these stats wouldn't split Linux into distros, at least not by default. Linux distros are mostly the same and you're still using (GNU*/)Linux, splitting it makes it seem less popular than it actually is.

*unless you're using something like Alpine ig

[-] [email protected] 2 points 1 week ago

I'd honestly have proposed (if they don't need programs that only run on windows) "we could put linux on it and that should fix these issues" and put Linux Mint or Fedora on it (better if you choose not them unless they really want to deal with all the choices, most likely they won't want to tho) and just tell them the basics of how to install software and stuff.

[-] [email protected] 2 points 1 week ago

get them addicted to BattleBits Remastered, runs smoothly on Linux and is fun as shit.

[-] [email protected] 6 points 1 week ago

Impressive, you look like a very skilled programmer, management has told me you are now tasked with building a hyper-realistic virtual simulation of a Large Hadron Collider including detailed simulations of the lives of the actual workers and their families, you have a week or you're fired by the firing squad, no you're not allowed to ask why we need it or who we are or why we chose you and it is especially forbidden to ask for more time (and no you can't ask why that is either). See you in a week, have a nice day :).

[-] [email protected] 3 points 1 month ago

I think the best course would be to tell him something along the lines of "I'm sorry these games didn't work out well for you and the experience didn't turn out to be good for you, there's still the option to dual-boot or try a different distro if you want but I understand if you don't. Just know that these issues aren't specifically because of Linux but rather poor support from the game's devs, or more likely their publishers, games (about 90% of them) work fine through steam or Lutris unless the devs implement anti-cheats without linux compatibility so hopefully in the future if you happen to play more steam games you'd consider giving Linux another chance." nonetheless I'd still say he should go on windows, find out that his games will likely still run like shit on there on his own and if he complains about it maybe bring up Linux again, gently and appropriately of course.

[-] [email protected] 1 points 1 month ago

I don't have that bug (KDE 6)

[-] [email protected] 1 points 1 month ago

I'm sure you can have a good experience on it just like you can have a good experience on Windows, etc. But first of all if we are recommending stuff then either Arch & derivatives shouldn't be recommended at all if it's a newbie or one should recommend straight up Arch (if it's not a newbie and needs Arch) and frankly if you want Arch made easy either going to OpenSUSE tumbleweed if the issue is stability or EndeavourOS/Arco if it's the installation will probably net someone a better experience, so what's the point of Manjaro anyways, and secondly none of that invalidates the bad practices by the manjaro team

[-] [email protected] 0 points 1 month ago

please for the love of god do not use Manjaro and if you do forget about using the AUR, Manjaro claims to be more stable by waiting 1 week before adding Arch's packages to their repo, this breaks the AUR packages you use which may need newer dependencies. They also often forgot to renew the security certificates of their website.

Arco is better but frankly all being Arch distros the differences are close to none.

[-] [email protected] 2 points 1 month ago

I do use my OS but I also like to play with it, that's one beauty of Linux: you can set it up and forget about it till the end of times or you can spend days tinkering with it if it provides you joy.

[-] [email protected] 1 points 1 month ago

Thanks for letting me know this exists

30
submitted 1 month ago by [email protected] to c/[email protected]

Disclaimer: I know there's a lot of questions and posts like this but generally they're aimed at noobs. I consider myself an intermediate user, and I know generally distros don't matter much and you can have anything another distro has on any distro but I'm looking for something a little "specific" that better suits my need from the get-go, I guess we could say that yeah. Plus hey some discussion won't hurt Lemmy.

I come here to seek your advice oh Great Council of Linux. Please hear my cause:

The problem

Right now I use NixOS and I'm mostly happy with it, I like having everything declared on a config file I can audit to remove stuff I don't use anymore, I like the stability it provides and the rollback feature (I only used it once but glad to have it), automatic updates that apply when I shut down my PC (I do that often) and won't bork everything, and I like that it generally has very up to date software even on its stable branch. I also like the possibility of using nix-shell to test a program and remove it immediately afterwards even if it leads to a messy .config folder sometimes.

However, there are some pain points especially when it comes to customization. Now, the system itself is very usable and I have few complaints there, it's very rare that a package I want isn't in the repo, and when everything works it's great, but when it doesn't work it's very frustrating (mainly due to the lack of documentation and troubleshooting via the unofficial discord can be a pain). Namely on my laptop I have issues with the cursor sometimes going from the catppuccin theme (on plasma 5, laptop is 23.11) to default on some context menus on X11 or only shows the theme in windows if using wayland (tho I can wait to see if it's fixed on 24.05). I never had this on my desktop gaming PC (which used 23.11 but now switched it to unstable to have plasma 6) but I have other problems there, for example the catppuccin SDDM corners theme doesn't apply anymore for some reason. Now I'm someone who likes to customize the looks of my desktop and I want to have consistency in my theming as much as possible so these issues are very annoying to me. On top of that to resolve the latter the official git repo of the package says to use flakes, now I know many fans of NixOS will swear flakes are cool and all but I absolutely hate them: I find them confusing, I don't like having to deal with more stuff than just my config file and home-manager and I want to have nothing to do with them I just want to use the official packages.

Now I'm sure most of these issues aren't exactly NixOS's fault and maybe in 24.05 they'll all be fixed but I'm getting very annoyed both by these problems and I found it hard to solve other problems in the past as well, and I hate that searching stuff up on ecosia, the wiki, etc doesn't work most of the time due to how different NixOS is and while the (unofficial) discord is generally useful sometimes it cannot provide the help I need, plus most of the stuff I learn troubleshooting NixOS is specific to NixOS and doesn't translate to other linux distros. So that's why on one side I'm considering that maybe it's not worth waiting till the end of the month to see if 24.05 fixes my issues (I don't plan on staying on unstable after the release of 24.05 that's certain) or if I should stick with it instead of wasting a day reconfiguring everything (granted home-manager is cool af but a lot of stuff I use don't use it so it's a one-time pain).

What I look for

Generally in a distro I look for something minimal, easily customizable and where I can use the terminal a lot for installing software and stuff (I just like the progression bars and seeing all the text go weeee across the screen it's so cool) tho I'm fine using some GUI stuff like the KDE settings for other stuff where the alternative is a very complex set of config files (I generally prefer keeping wonky GUIs to a minimum though so I'm fine with some config files).

More specifically, I require a distro to have out of the box:

  • Plasma 6: I am moving to wayland, I love KDE Plasma for its customization and a lot of the stuff I made myself uses Qt. Maybe one day I'll try Cosmic but rn I just like plasma 6.
  • Easy to theme and configure: particularly with catppuccin
  • Proton VPN: the official apps, doesn't matter if the distro is officially supported or not by Proton
  • Steam, discord, gaming stuff & proprietary stuff directly on the repo: or at least easily enabled during the installation, without jumping through hoops
  • Rollback feature: be it what NixOS has, snapshots or whatever that btrfs thing is, it's ok if I have to set it up myself if needs be, I need to learn how, but I prefer if it's there out of the box
  • Big repo

What I'd like to have but isn't a must have:

  • Minimal amount of pre-installed packages: I want to choose myself what goes on my system and don't want to uninstall lots of things
  • Being able to leave it untouched for months without risking to brick it when I update
  • Decent information and help available: if I'm leaving NixOS I'd rather not deal with poor documentation
  • Immutability: I generally like the stability this provides, the atomicity of the updates, etc etc just as long as it doesn't make theming stuff like KDE (with plugins), Grub, SDDM, etc painful.

As for what I don't like:

  • Flatpaks: I prefer using system packages in general, plus I don't like their terminal commands and I hear they're not exactly good at following system themes. I guess I could live with them if I have to with flatseal and maybe a better terminal way to install them though.
  • Snaps: I hate snaps and in my experience worked terribly, like steam not being able to detect game libraries on other hard drives etc, graphical bugs, plus their backend is proprietary and handled by canonical, see following point.
  • Corporations: I don't want my OS to be handled by a corporation, I don't trust them so I'd rather minimize their control over the OS.
  • Custom theming: this isn't too important since I'll customize the theme myself regardless, I just generally try to stick to a distro's theme if there's one cause why not. I'm only putting this here to signal I prefer something unthemed (but possibly with a cool logo)

What am I considering?

Right now I'm considering the following options:

  • Stay with NixOS: Wait for 24.05 see if that fixes my issues etc
  • Bazzite + Aurora: Both are Fedora uBlue spins with KDE. I'm planning on putting Bazzite on my gaming PC since everything is already set up for that and Aurora (KDE spin of Bluefin) on my laptop (I use it for gaming on occasion but it's more for other stuff). They look cool but I'm not too familiar with them, the gripes I have, or think I will have, are flatpaks, some pre-installed stuff like vscode (I use neovim) and also that it's a spin of Fedora, which IMO is a bit too close to Red Hat but I can live with this given these two are different from fedora and further away from RH. Also, can I use ujust to install/uninstall things? What does it do?
  • OpenSUSE: I hear good things about Tumbleweed, I also know they have an immutable version but I know very little about it. I tried it in a VM for a few minutes to check out YaST and I was positively impressed but it comes with a lot of pre-installed stuff like a graphical package manager (yes I know there's zypper and that it's slow, I don't mind too much if it works and isn't too bad) and I heard it has something similar to the AUR which I'll need to check out as I saw the normal tumbleweed repos missed some packages I like.
  • Arch: I used Arch (btw) for a long time and generally liked it, I didn't have many issues with it and when I did it was usually my fault (tbf that's often the same on NixOS) and I generally could fix them easily (only once did my system break after the power went out during an update requiring a reinstall), the thing I don't like is having to update it weekly manually (I don't trust automatic updates on non-immutable distros much) and this is fine generally but it's a problem for my gaming PC because I have to move away from the house it's in for months on end and telling people to turn it on weekly so I can ssh and update it remotely into it is bothersome. Also, while I like seeing the little pacmans eat the dots, after using NixOS I learned to appreciate updates that don't require me to rtfm, that I don't have to care about too much and don't risk borking something in my system even if it's a small thing. Plus I figured I could try something else knowing that worst case scenario I can always go back to the trusty old Arch. Maybe I could try Arco instead of Vanilla Arch in this case.

I'm open to suggestions for other options though, there's trillions of distros.

What am I excluding

  • Debian & co: nothing against Debian, but I used it once and found it very frustrating to use, the packages are fairly outdated (and I don't see that as more stable than say NixOS with the rollback and everything), I had to manually install every proprietary thing, add repos here and there, etc and overall I didn't like it. Also I don't think it has plasma 6 yet. I don't see much point in using any of its derivatives either.
  • Gentoo: I don't want to compile everything
  • Fedora itself: too close to RH, its derivatives I can tolerate but I'd prefer to avoid Fedora and RH stuff if possible

That is all that comes to my mind right now. Thanks in advance.

1
I get it now (lemmy.world)
submitted 9 months ago by [email protected] to c/[email protected]

EuroNutellaMan

joined 1 year ago