https://wiki.archlinux.org/api.php?action=feedcontributions&user=Naim42&feedformat=atomArchWiki - User contributions [en]2024-03-30T01:10:15ZUser contributionsMediaWiki 1.41.1https://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=751182Simple stateful firewall2022-10-04T15:15:31Z<p>Naim42: Move rpfilter to mangle table instead of raw, see https://github.com/NixOS/nixpkgs/pull/110197</p>
<hr />
<div>[[Category:Firewalls]]<br />
[[es:Simple stateful firewall]]<br />
[[ja:シンプルなステートフルファイアウォール]]<br />
[[ru:Simple stateful firewall]]<br />
{{Related articles start}}<br />
{{Related|Firewalls}}<br />
{{Related|Internet sharing}}<br />
{{Related|Nftables#Simple stateful firewall}}<br />
{{Related|Router}}<br />
{{Related|Uncomplicated Firewall}}<br />
{{Related articles end}}<br />
This page explains how to set up a [[Wikipedia:Stateful firewall|stateful firewall]] using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules below are given in the order they are executed and should only be followed while logged in locally. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. To get around this problem in a remote setup, the [[#Resulting iptables.rules file|example configuration file]] can be used.}}<br />
<br />
== Prerequisites ==<br />
<br />
{{Note|Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities {{Pkg|iptables}} or verify that they are already installed.<br />
<br />
This article assumes that there are currently no iptables rules set. To check the current ruleset and verify that there are currently no rules run the following:<br />
<br />
{{hc|# iptables-save|<nowiki><br />
# Generated by iptables-save v1.4.19.1 on Thu Aug 1 19:28:53 2013<br />
*filter<br />
:INPUT ACCEPT [50:3763]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [30:3472]<br />
COMMIT<br />
# Completed on Thu Aug 1 19:28:53 2013<br />
</nowiki>}}<br />
<br />
or<br />
<br />
{{hc|# iptables -nvL --line-numbers|<nowiki><br />
Chain INPUT (policy ACCEPT 156 packets, 12541 bytes)<br />
num pkts bytes target prot opt in out source destination<br />
<br />
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br />
num pkts bytes target prot opt in out source destination<br />
<br />
Chain OUTPUT (policy ACCEPT 82 packets, 8672 bytes)<br />
num pkts bytes target prot opt in out source destination<br />
</nowiki>}}<br />
<br />
If there are rules, you may be able to reset the rules by loading a default rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
<br />
Otherwise, see [[Iptables#Resetting rules]].<br />
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
The chains can of course have arbitrary names. We pick these names to match the protocols we handle with them; the later rules always select the protocol explicitly with the protocol option, e.g. {{ic|-p tcp}}.<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at [[#Setting up a NAT gateway]]. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
The OUTPUT chain can be a powerful tool for filtering outbound traffic, especially for servers and other devices which do not run web browsers or peer-to-peer tools that need to connect to arbitrary destinations on the internet. However, properly setting up an OUTPUT chain requires information about the intended use of the system. A secure set of rules for a desktop system, laptop system, cloud server and home/on-prem server would all be very different.<br />
<br />
In this simple example, we will allow all outbound traffic by setting the default policy for the '''OUTPUT''' chain to '''ACCEPT'''. This is less secure, but is highly compatible with many systems.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
Similar to the previous chains, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
<br />
{{Warning|If you are logged in via SSH, the following will immediately disconnect the SSH session. To avoid it: <br />
# add the first INPUT chain rule below (it will keep the session open), <br />
# add a regular rule to allow inbound SSH (to be able to reconnect in case of a connection drop) and <br />
# set the policy.<br />
}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted. For a simplified ASCII art showing how packets traverse those builtin chains, see [https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.html How Packets Traverse The Filters].<br />
<br />
The first rule added to the INPUT chain will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). ICMP stands for Internet Control Message Protocol. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule:<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The connection state {{ic|ESTABLISHED}} implies that either another rule previously allowed the initial ({{ic|--ctstate NEW}}) connection attempt or the connection was already active (for example an active remote SSH connection).<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let us say a router), it will get through, regardless of any other settings you may have.}}<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|<br />
* This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.<br />
* ICMPv6 Neighbor Discovery packets remain untracked, and will always be classified "INVALID" though they are not corrupted or the like. Keep this in mind, and accept them before this rule! Run {{ic|iptables -A INPUT -p 41 -j ACCEPT}} as root.<br />
}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming ICMP echo requests, also known as pings. Only the first packet will count as NEW, the others will be handled by the RELATED, ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW needs to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we attach the TCP and UDP chains to the INPUT chain to handle all new incoming connections. Once a connection is accepted by either the TCP or the UDP chain, its further packets are handled by the RELATED/ESTABLISHED rule. The TCP and UDP chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
{{Note|{{ic|NEW}} does not necessarily imply {{ic|--syn}}. However, packets that match "{{ic|NEW}} but not {{ic|--syn}}" are rarely malicious and should not just be dropped. Instead, they are simply rejected with a TCP RESET by the next rule. Also, {{ic|--syn}} is not equivalent to {{ic|--tcp-flags SYN SYN}}. See {{man|8|iptables-extensions}} for details.}}<br />
<br />
We reject TCP connections with TCP RESET packets and UDP streams with ICMP port unreachable messages if the ports are not open. This imitates the default (RFC-compliant) Linux behavior, and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Resulting iptables.rules file ===<br />
<br />
Example of {{ic|iptables.rules}} file after running all the commands from above:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file can be generated and saved with:<br />
<br />
# iptables-save -f /etc/iptables/iptables.rules<br />
<br />
and can be used to continue with the following sections. If you are setting up the firewall remotely via SSH, append the following rule to allow new SSH connections before continuing (adjust port as required):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
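<br />
The following script is an added example and is not code from the ArchWiki article: it emits the ruleset above in {{ic|iptables-restore}} format from a list of TCP and UDP ports to open, so the whole file can be reviewed and loaded in one step instead of being built rule by rule on a remote session. The function names ({{ic|valid_port}}, {{ic|gen_rules}}) and the example port lists are assumptions made here; the rule text itself matches the {{ic|iptables.rules}} file above.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the ArchWiki article: emit the single-machine ruleset
# from the sections above in iptables-restore format, with the open ports as input.
# The rule text mirrors the article's resulting iptables.rules; the function names
# (valid_port, gen_rules) and the example port lists are choices made here.

# valid_port PORT -> 0 if PORT is an integer in 1..65535, else 1
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules "TCP PORTS" "UDP PORTS" -> ruleset on stdout, or exit status 1 and no
# output if any port is malformed (a typo would otherwise be loaded as a rule
# that never matches what you intended).
gen_rules() {
    tcp_ports=$1
    udp_ports=$2
    for p in $tcp_ports $udp_ports; do
        valid_port "$p" || { echo "gen_rules: invalid port '$p'" >&2; return 1; }
    done

    # Built-in chains: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT,
    # plus the two user chains that hold the per-port ACCEPT rules.
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':TCP - [0:0]' \
        ':UDP - [0:0]'

    # INPUT chain in the order the article builds it: conntrack shortcut,
    # loopback, INVALID drop, ping, dispatch of NEW flows to TCP/UDP, then
    # the RFC-style rejects for everything that was not accepted.
    printf '%s\n' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT' \
        '-A INPUT -p udp -m conntrack --ctstate NEW -j UDP' \
        '-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP' \
        '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable' \
        '-A INPUT -p tcp -j REJECT --reject-with tcp-reset' \
        '-A INPUT -j REJECT --reject-with icmp-proto-unreachable'

    # One ACCEPT per opened port; anything else falls through to INPUT's rejects.
    for p in $tcp_ports; do
        printf '%s\n' "-A TCP -p tcp --dport $p -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A UDP -p udp --dport $p -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Example run (constructed values): SSH, HTTP and HTTPS over TCP, DNS over TCP and UDP.
gen_rules "22 80 443" "53"
```
<br />
Redirect the output to {{ic|/etc/iptables/iptables.rules}} and check it with {{ic|iptables-restore --test}} (which parses the file without committing it) before loading; the script refuses a malformed port instead of silently emitting a rule for it.<br />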
<br />
=== The TCP and UDP chains ===<br />
<br />
The TCP and UDP chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
==== Opening ports to incoming connections ====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming TCP/UDP requests for a [[DNS server]] (port 53):<br />
<br />
# iptables -A TCP -p tcp --dport 53 -j ACCEPT<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{man|8|iptables}} for more advanced rules, like matching multiple ports.<br />
<br />
==== Port knocking ====<br />
<br />
Port knocking is a method to externally open ports that, by default, the firewall keeps closed. It works by requiring connection attempts to a series of predefined closed ports. When the correct sequence of port "knocks" (connection attempts) is received, the firewall opens certain port(s) to allow a connection. See [[Port knocking]] for more information.<br />
<br />
=== Protection against spoofing attacks ===<br />
<br />
{{Note|{{ic|rp_filter}} is currently set to {{ic|2}} by default in {{ic|/usr/lib/sysctl.d/50-default.conf}}, so the following step is not necessary.}}<br />
<br />
Blocking reserved local addresses incoming from the internet or local network is normally done by setting {{Ic|rp_filter}} (Reverse Path Filter) in sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.d/90-firewall.conf}} file (see [[sysctl]] for details) to enable the source address verification built into the Linux kernel itself. The verification by the kernel handles spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
This can be done with netfilter instead if statistics (and better logging) are desired:<br />
<br />
# iptables -t mangle -I PREROUTING -m rpfilter --invert -j DROP<br />
<br />
{{Note|There is no reason to enable this in both places. The netfilter method is the modern choice and works with IPv6 too.}}<br />
<br />
For niche setups where asymmetric routing is used, the {{ic|1=rp_filter=2}} sysctl option needs to be used instead. Passing the {{ic|--loose}} switch to the {{ic|rpfilter}} module will accomplish the same thing with netfilter.<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block ping request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to ensure connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer — any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. This should only be done for educational purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.d/90-firewall.conf}} file (see [[sysctl]] for details):<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
More information is in the iptables man page and in the docs and examples at http://www.snowman.net/projects/ipt_recent/<br />
<br />
==== Tricking port scanners ====<br />
<br />
{{Note|<br />
* This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attacker can send packets with spoofed source IPs and get those addresses blocked from connecting to your services.<br />
* This trick may block a legitimate IP address if some packets from this address to the destination port are regarded as INVALID by the conntrack module. To avoid blacklisting, a workaround is to allow all packets directed to that particular destination port.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans ({{ic|-sU}}, {{ic|-sA}} and {{ic|-sS}} in ''nmap'' respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RESET packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends a SYN (synchronization) packet to every port to initiate a TCP connection. Closed ports return a TCP RESET packet, or get dropped by a strict firewall, while open ports return a SYN ACK packet.<br />
<br />
The {{ic|recent}} module can be used to keep track of hosts with rejected connection attempts and return a TCP RESET for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RESET to any host that got onto the {{ic|TCP-PORTSCAN}} list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --rsource --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset<br />
<br />
Next, the rule for rejecting TCP packets needs to be modified so that hosts with rejected packets are added to the {{ic|TCP-PORTSCAN}} list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
# iptables -A INPUT -p tcp -m recent --set --rsource --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, add a rule to reject packets from hosts on the {{ic|UDP-PORTSCAN}} list to the top of the UDP chain.<br />
<br />
# iptables -I UDP -p udp -m recent --update --rsource --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p udp -m recent --set --rsource --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable<br />
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the portscanning tricks above were used, the final default rule is no longer the last rule in the INPUT chain. It needs to be the last rule, or it would intercept the ''trick port scanner'' rules you just added, rendering them useless. Simply delete ({{ic|-D}}) the rule, then add it again using append ({{ic|-A}}), which will place it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Protection against other attacks ===<br />
<br />
See the [[sysctl#TCP/IP stack hardening]] for relevant kernel parameters.<br />
<br />
==== Bruteforce attacks ====<br />
<br />
Unfortunately, bruteforce attacks on services accessible via an external IP address are common. One reason for this is that the attacks are easy to perform with the many tools available. Fortunately, there are a number of ways to protect the services against them. One is the use of appropriate {{ic|iptables}} rules which activate and blacklist an IP after a set number of packets attempt to initiate a connection. Another is the use of specialised daemons that monitor the logfiles for failed attempts and blacklist accordingly.<br />
<br />
{{Warning|Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing {{ic|/var}} can become full, especially if an attacker is pounding on the server). Additionally, with the knowledge of your IP address, the attacker can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
<br />
Two packages that ban IPs after too many password failures are [[Fail2ban]] or, for {{ic|sshd}} in particular, [[Sshguard]]. These two applications update iptables rules to temporarily or permanently reject future connections from attackers.<br />
<br />
The following rules give an example configuration to mitigate SSH bruteforce attacks using {{ic|iptables}}.<br />
<br />
# iptables -N IN_SSH<br />
# iptables -N LOG_AND_DROP<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j LOG_AND_DROP<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j LOG_AND_DROP <br />
# iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT<br />
# iptables -A LOG_AND_DROP -j LOG --log-prefix "iptables deny: " --log-level 7<br />
# iptables -A LOG_AND_DROP -j DROP<br />
<br />
Most of the rules should be self-explanatory: the first one allows a maximum of three connection packets in ten seconds and drops further attempts from this IP. The next rule adds a quirk by allowing a maximum of four hits in 30 minutes. This is done because some bruteforce attacks are performed slowly rather than in a burst of attempts. The rules employ a number of additional options. To read more about them, check the original reference for this example in [https://compilefailure.blogspot.com/2011/04/better-ssh-brute-force-prevention-with.html compilefailure.blogspot.com]. The LOG_AND_DROP chain is used for logging dropped connections.<br />
<br />
The above rules can be used to protect any service, though the SSH daemon is probably the most often required one.<br />
<br />
In terms of order, one must ensure that {{ic|-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH}} is at the right position in the iptables sequence: it should come before the TCP chain is attached to INPUT in order to catch new SSH connections first. If all the previous steps of this wiki have been completed, the following positioning works:<br />
...<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
'''-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH'''<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
...<br />
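<br />
Both the "Restore the Final Rule" step and the IN_SSH positioning above are ordering requirements on the INPUT chain that are easy to break when rules are deleted and re-added by hand. The script below is an added example, not code from the article: it reads the text of an {{ic|iptables-save}} dump and reports the three ordering mistakes those sections describe (conntrack shortcut not first, catch-all reject not last, IN_SSH jump after the TCP jump). The function names ({{ic|input_pos}}, {{ic|check_input_order}}) and the two sample dumps are constructed here.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the ArchWiki article: check the INPUT chain ordering
# that the port-scan and brute-force sections depend on, using the text of an
# iptables-save dump. Function names and the sample dumps below are constructed.

# input_pos RULESET STRING -> 1-based position of the first INPUT rule containing
# STRING (fixed-string match), or 0 if no INPUT rule contains it
input_pos() {
    n=$(printf '%s\n' "$1" | grep '^-A INPUT ' | grep -nF -- "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# check_input_order RULESET -> 0 if the ordering invariants hold, else prints one
# FAIL line per violation and returns 1
check_input_order() {
    ruleset=$1
    fails=0
    total=$(printf '%s\n' "$ruleset" | grep -c '^-A INPUT ' || true)
    est=$(input_pos "$ruleset" '--ctstate RELATED,ESTABLISHED -j ACCEPT')
    final=$(input_pos "$ruleset" '-j REJECT --reject-with icmp-proto-unreachable')
    tcpjump=$(input_pos "$ruleset" '-j TCP')
    sshjump=$(input_pos "$ruleset" '-j IN_SSH')

    # 1. the conntrack shortcut must be first, so established flows skip everything else
    if [ "$est" -ne 1 ]; then
        echo "FAIL: RELATED,ESTABLISHED accept is not the first INPUT rule"
        fails=$((fails + 1))
    fi
    # 2. the catch-all reject must exist and be last (the "Restore the Final Rule" step);
    #    anything appended after it, e.g. the recent --set rejects, is never reached
    if [ "$final" -eq 0 ] || [ "$final" -ne "$total" ]; then
        echo "FAIL: proto-unreachable reject is not the last INPUT rule"
        fails=$((fails + 1))
    fi
    # 3. if IN_SSH is used, its jump must precede the TCP jump or it never sees NEW SSH flows
    if [ "$sshjump" -gt 0 ] && [ "$sshjump" -gt "$tcpjump" ]; then
        echo "FAIL: IN_SSH jump comes after the TCP jump"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed dump: INPUT chain after the brute-force and port-scan sections,
# with the final rule correctly re-appended.
GOOD_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m recent --set --rsource --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --rsource --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m recent --update --rsource --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A TCP -p tcp --dport 22 -j ACCEPT'

# Constructed dump with two mistakes: IN_SSH attached after the TCP jump, and the
# TCP-PORTSCAN reject appended after the catch-all reject (final rule not restored).
BAD_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --rsource --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset'

check_input_order "$GOOD_RULES" && echo "good ruleset: OK"
check_input_order "$BAD_RULES" || echo "bad ruleset: rejected"
```
<br />
On a live system the input is simply {{ic|iptables-save}} output; running the check after every {{ic|-D}}/{{ic|-A}} edit catches the case where the catch-all reject silently shadows the rules added after it.<br />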
<br />
{{Tip|For self-testing the rules after setup, the actual blacklisting can slow the test, making it difficult to fine-tune parameters. One can watch the incoming attempts via {{ic|cat /proc/net/xt_recent/sshbf}}. To unblock your own IP during testing, clear the list as root with {{ic|echo / > /proc/net/xt_recent/sshbf}}.}}<br />
<br />
=== IPv6 ===<br />
<br />
If you do not use IPv6, you can consider [[Disabling IPv6|disabling it]], otherwise follow these steps to enable the IPv6 firewall rules.<br />
<br />
Copy the IPv4 rules used in this example as a base, and change any IPs from IPv4 format to IPv6 format:<br />
<br />
# cp /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
A few of the rules in this example have to be adapted for use with IPv6. IPv6 uses ICMPv6, which replaces the ICMP protocol used with IPv4. Hence, the reject error return codes {{ic|--reject-with icmp-port-unreachable}} and {{ic|--reject-with icmp-proto-unreachable}} have to be converted to ICMPv6 codes.<br />
<br />
The available ICMPv6 error codes are listed in [[RFC:4443#section-3.1|RFC 4443]], which specifies that connection attempts blocked by a firewall rule should use {{ic|--reject-with icmp6-adm-prohibited}}. Doing so will basically inform the remote system that the connection was rejected by a firewall, rather than a listening service. <br />
<br />
If it is preferred not to explicitly inform about the existence of a firewall filter, the packet may also be rejected without the message: <br />
<br />
-A INPUT -j REJECT<br />
<br />
The above will reject with the default return error of {{ic|--reject-with icmp6-port-unreachable}}. You should note though, that identifying a firewall is a basic feature of port scanning applications and most will identify it regardless. <br />
<br />
{{Expansion|Which ICMPv6 peculiarities should be added to bring the rules at par with the IPv4 rules this article uses?|Talk:Simple_stateful_firewall#ICMP blocking}}<br />
<br />
In the next step make sure the protocol and extension are changed to be IPv6 appropriate for the rule regarding all new incoming ICMP echo requests (pings):<br />
<br />
# ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Netfilter conntrack does not appear to track ICMPv6 Neighbor Discovery Protocol (the IPv6 equivalent of ARP), so we need to allow ICMPv6 traffic regardless of state for all directly attached subnets. The following should be inserted after dropping {{ic|--ctstate INVALID}}, but before any other DROP or REJECT targets, along with a corresponding line for each directly attached subnet:<br />
<br />
# ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT<br />
<br />
If you want to enable [[Wikipedia:DHCPv6|DHCPv6]], you need to accept incoming connections on [https://unix.stackexchange.com/a/452905 UDP port 546]:<br />
<br />
# ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT<br />
<br />
Since there is no kernel reverse path filter for IPv6, you may want to enable one in ''ip6tables'' with the following:<br />
<br />
# ip6tables -t mangle -A PREROUTING -m rpfilter -j ACCEPT<br />
# ip6tables -t mangle -A PREROUTING -j DROP<br />
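<br />
The conversion steps above (ICMPv6 reject codes, the ICMPv6 echo request rule, and the Neighbor Discovery accept placed right after the INVALID drop) can be applied mechanically to a copied {{ic|iptables.rules}} file. The script below is an added example, not the article's or the project's code: {{ic|to_ip6}} is a name chosen here, the sample IPv4 ruleset is constructed, and it only adds the link-local {{ic|fe80::/10}} rule; further directly attached subnets still need their own line as described above.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the ArchWiki article: derive an ip6tables ruleset from
# the IPv4 rules file by applying the substitutions described above (ICMPv6 reject
# codes, the ping rule, and the Neighbor Discovery accept after the INVALID drop).
# The function name and the sample input are constructed.

# to_ip6 RULESET -> converted ruleset on stdout
to_ip6() {
    printf '%s\n' "$1" | sed \
        -e 's/--reject-with icmp-port-unreachable/--reject-with icmp6-adm-prohibited/' \
        -e 's/--reject-with icmp-proto-unreachable/--reject-with icmp6-adm-prohibited/' \
        -e 's/-p icmp -m icmp --icmp-type 8/-p ipv6-icmp -m icmp6 --icmpv6-type 128/' \
        -e '/--ctstate INVALID -j DROP/a\
-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT'
}

# count_matches RULESET STRING -> number of lines containing STRING (fixed string)
count_matches() {
    printf '%s\n' "$1" | grep -cF -- "$2" || true
}

# Constructed IPv4 ruleset, same shape as the article's resulting iptables.rules.
V4_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT'

V6_RULES=$(to_ip6 "$V4_RULES")
printf '%s\n' "$V6_RULES"
```
<br />
Feed the result to {{ic|ip6tables-restore --test}} before writing it to {{ic|/etc/iptables/ip6tables.rules}}; any IPv4 literal addresses in your own file (the {{ic|-s}}/{{ic|-d}} arguments) are not touched by this conversion and must be rewritten by hand.<br />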
<br />
=== Saving the rules ===<br />
<br />
The rule sets are now finished and should be saved to a file so that they can be loaded on every boot.<br />
<br />
Save the IPv4 and IPv6 rules with these commands:<br />
<br />
# iptables-save -f /etc/iptables/iptables.rules<br />
# ip6tables-save -f /etc/iptables/ip6tables.rules<br />
<br />
=== Resulting ip6tables.rules file ===<br />
<br />
Example of {{ic|ip6tables.rules}} file after running all the commands from above:<br />
<br />
{{hc|/etc/iptables/ip6tables.rules|<br />
# Generated by ip6tables-save v1.8.2 on Sat Apr 20 10:53:41 2019<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT<br />
-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited<br />
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT<br />
COMMIT<br />
# Completed on Sat Apr 20 10:53:41 2019<br />
}}<br />
<br />
Then [[enable]] and [[start]] {{ic|iptables.service}} and the {{ic|ip6tables.service}}. Check the status of the services to make sure the rules are loaded correctly.<br />
<br />
== Setting up a NAT gateway ==<br />
<br />
This section of the guide deals with NAT gateways. It is assumed that you already read the [[#Firewall for a single machine|first part of the guide]] and set up the '''INPUT''', '''OUTPUT''', '''TCP''' and '''UDP''' chains like described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table. There is an ASCII art of the situation at [https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-5.html Controlling What To NAT].<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will create two new chains in the filter table, '''fw-interfaces''' and '''fw-open''', using the following commands:<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
All over this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let us assume we have the subnet '''192.168.0.0/24''' (which means all addresses that are of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain, which is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, the rule also rewrites the source address of packets forwarded between your own local interfaces, and your network will be screwed up.<br />
<br />
Let us assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to [[Internet sharing#Enable packet forwarding|enable packet forwarding]] (if it is not already enabled).<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and [[DHCP]] server like [[dnsmasq]] or a combination of [[BIND]] and [[dhcpd]] to simplify network settings and DNS resolution on the client machines. This is not the topic of this guide.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to rewrite the destination address of a packet arriving at the gateway so that it is delivered to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table, in the following two simple examples.<br />
<br />
First, we want to redirect all incoming SSH packets (port 22) to the SSH server on the machine '''192.168.0.5''':<br />
<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
<br />
The second example shows how to forward packets to a different port than the one they arrived on. We want to redirect any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
<br />
The same setup also works for UDP packets (with {{ic|-p udp}} instead of {{ic|-p tcp}}).<br />
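As an added example (not code from the wiki page), the FORWARD chain and nat table rules above written out as one iptables-restore ruleset by a POSIX shell function, parameterized on the interface names, subnets and port forwards the text assumes (ppp0, eth0, eth1, 192.168.0.0/24, 10.3.0.0/16 and the two DNAT targets); a second function checks a ruleset for the missing {{ic|-o}} mistake the text warns about.<br />

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: emit an iptables-restore
# ruleset implementing the FORWARD chain and nat table described above.
# Interface and subnet names are the ones the text assumes (ppp0, eth0, eth1).

# gw_rules WAN_IF "LAN_IF:SUBNET ..." "WAN_PORT:LAN_IP:LAN_PORT ..."
# Prints the ruleset on stdout; as root it could be piped to iptables-restore.
gw_rules() {
    wan=$1; lans=$2; fwds=$3

    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo ':fw-interfaces - [0:0]'
    echo ':fw-open - [0:0]'
    # Order matters: replies to tracked flows first, then trusted LAN
    # interfaces, then DNAT targets, then an explicit reject for the rest.
    echo '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A FORWARD -j fw-interfaces'
    echo '-A FORWARD -j fw-open'
    echo '-A FORWARD -j REJECT --reject-with icmp-host-unreachable'
    for lan in $lans; do
        echo "-A fw-interfaces -i ${lan%%:*} -j ACCEPT"
    done
    for f in $fwds; do
        dst=${f#*:}                      # LAN_IP:LAN_PORT
        echo "-A fw-open -d ${dst%:*} -p tcp --dport ${dst#*:} -j ACCEPT"
    done
    echo 'COMMIT'

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for f in $fwds; do
        # DNAT on the public interface only; --to-destination is the long
        # form of the --to used in the text.
        echo "-A PREROUTING -i $wan -p tcp --dport ${f%%:*} -j DNAT --to-destination ${f#*:}"
    done
    for lan in $lans; do
        # -o restricts rewriting to packets leaving on the public interface;
        # without it, traffic forwarded between the LANs would be masqueraded too.
        echo "-A POSTROUTING -s ${lan#*:} -o $wan -j MASQUERADE"
    done
    echo 'COMMIT'
}

# check_masquerade RULESET: return 1 if any MASQUERADE rule lacks the
# outgoing-interface match the text warns about, printing the offending rule.
check_masquerade() {
    bad=$(printf '%s\n' "$1" | grep -- '-j MASQUERADE' | grep -v -- ' -o ' || true)
    if [ -n "$bad" ]; then
        printf 'MASQUERADE rule without -o: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Generate the ruleset for the setup described in the text and print it
# only if it passes the check.
rules=$(gw_rules ppp0 "eth0:192.168.0.0/24 eth1:10.3.0.0/16" \
                 "22:192.168.0.5:22 8000:192.168.0.6:80")
check_masquerade "$rules" && printf '%s\n' "$rules"
```

The printed text has the same shape as the file produced by {{ic|iptables-save}}, so it can be compared line by line against the rules entered by hand above.<br />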
<br />
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
# iptables-save -f /etc/iptables/iptables.rules<br />
<br />
This assumes that you have followed the steps [[#Saving the rules|above]] to enable the '''iptables''' systemd service.<br />
<br />
== See Also ==<br />
<br />
*[https://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[https://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to block brute force attacks]<br />
*[https://linuxconfig.org/collection-of-basic-linux-firewall-iptables-rules 18 examples of basic iptables rules]<br />
*[https://www.thegeekstuff.com/2011/06/iptables-rules-examples/ 25 Most Frequently Used Linux IPTables Rules Examples]</div>
Naim42
https://wiki.archlinux.org/index.php?title=Fonts&diff=527396
Fonts
2018-06-23T12:08:19Z
<p>Naim42: /* Bitmap */ Added Efont Unicode (efont-unicode-bdf recently added to the AUR)</p>
<hr />
<div>[[Category:Fonts]]<br />
[[cs:Fonts]]<br />
[[de:Schriftarten]]<br />
[[es:Fonts]]<br />
[[it:Fonts]]<br />
[[ja:フォント]]<br />
[[ru:Fonts]]<br />
[[zh-hans:Fonts]]<br />
[[zh-hant:Fonts]]<br />
{{Related articles start}}<br />
{{Related|Font configuration}}<br />
{{Related|Java Runtime Environment Fonts}}<br />
{{Related|Metric-compatible fonts}}<br />
{{Related articles end}}<br />
<br />
From [[Wikipedia:Computer font]]: "A computer font (or font) is an electronic data file containing a set of glyphs, characters, or symbols such as dingbats."<br />
<br />
Note that certain font licenses may impose some legal limitations.<br />
<br />
== Font formats ==<br />
<br />
Most computer fonts used today are in either ''bitmap'' or ''outline'' data formats. <br />
;Bitmap fonts: Consist of a matrix of dots or pixels representing the image of each glyph in each face and size.<br />
;Outline or ''vector'' fonts: Use Bézier curves, drawing instructions and mathematical formulae to describe each glyph, which make the character outlines scalable to any size.<br />
<br />
=== Bitmap formats ===<br />
<br />
* [[Wikipedia:Glyph Bitmap Distribution Format|Bitmap Distribution Format]] (BDF) by Adobe<br />
* [[Wikipedia:Portable Compiled Format|Portable Compiled Format]] (PCF) by Xorg<br />
* [[Wikipedia:PC Screen Font|PC Screen Font]] (PSF) used by the kernel for console fonts, not supported by Xorg (for Unicode PSF files the extension is {{ic|psfu}})<br />
<br />
These formats can also be gzipped. See [[#Bitmap]] for the available bitmap fonts.<br />
<br />
=== Outline formats ===<br />
<br />
* [[Wikipedia:PostScript fonts|PostScript fonts]] by Adobe – has various formats, e.g: Printer Font ASCII (PFA) and Printer Font Binary (PFB)<br />
* [[Wikipedia:TrueType|TrueType]] by Apple and Microsoft (file extension: {{ic|ttf}})<br />
* [[Wikipedia:OpenType|OpenType]] by Microsoft, built on TrueType (file extensions: {{ic|otf}}, {{ic|ttf}})<br />
<br />
For most purposes, the technical differences between TrueType and OpenType can be ignored.<br />
<br />
=== Other formats ===<br />
<br />
The typesetting application ''TeX'' and its companion font software ''Metafont'' render characters using their own methods. Some of the file extensions used for fonts by these two programs are {{ic|*pk}}, {{ic|*gf}}, {{ic|mf}} and {{ic|vf}}.<br />
<br />
[https://fontforge.github.io/en-US/ FontForge] ({{Pkg|fontforge}}), a font editing application, can store fonts in its native text-based format, {{ic|sfd}}, ''s''pline ''f''ont ''d''atabase.<br />
<br />
The [http://www.w3.org/TR/SVG/fonts.html SVG] format also has its own font description method.<br />
<br />
== Installation ==<br />
<br />
There are various methods for installing fonts.<br />
<br />
=== Pacman ===<br />
<br />
Fonts and font collections in the enabled repositories can be installed using [[pacman]].<br />
<br />
Available fonts may be found by [[pacman#Querying package databases|querying packages]] (e.g. for {{ic|font}} or {{ic|ttf}}).<br />
<br />
=== Creating a package ===<br />
<br />
You should give pacman the ability to manage your fonts, which is done by creating an Arch package. These can also be shared with the community in the [[AUR]]. Font packages are all very similar; simply taking an existing [https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/adobe-source-code-pro-fonts package] as a template should work well. To learn how to modify it for your font, please refer to [[Creating packages]].<br />
<br />
The family name of a font file can be acquired with {{ic|fc-query}}, for example: {{ic|fc-query -f '%{family[0]}\n' /path/to/file}}. The formatting is described in the FcPatternFormat(3) manual.<br />
<br />
=== Manual installation ===<br />
<br />
The recommended way of adding fonts that are not in the repositories to your system is described in [[#Creating a package]]. This gives pacman the ability to remove or update them at a later time. Fonts can alternatively be installed manually.<br />
<br />
To install fonts system-wide (available for all users), move the folder to the {{ic|/usr/share/fonts/}} directory. The files need to be readable by every user; use [[chmod]] to set the correct permissions (i.e. at least {{ic|0444}} for files and {{ic|0555}} for directories). To install fonts for only a single user, use {{ic|~/.local/share/fonts}} ({{ic|~/.fonts/}} is now deprecated).<br />
<br />
For the X server to load fonts directly (as opposed to using a ''font server''), the directory of your newly added font must be added with a FontPath entry. This entry is located in the ''Files'' section [[Xorg#Configuration|of your Xorg configuration file]] (e.g. {{ic|/etc/X11/xorg.conf}} or {{ic|/etc/xorg.conf}}). See [[#Older applications]] for more detail.<br />
<br />
Then update the fontconfig font cache (usually unnecessary, as software using the fontconfig library does this itself):<br />
<br />
$ fc-cache<br />
<br />
=== Older applications ===<br />
<br />
With older applications that do not support fontconfig (e.g. GTK+ 1.x applications, and {{ic|xfontsel}}) the index will need to be created in the font directory:<br />
<br />
$ mkfontscale<br />
$ mkfontdir<br />
<br />
Or to include more than one folder with one command:<br />
<br />
$ for dir in /font/dir1/ /font/dir2/; do xset +fp $dir; done && xset fp rehash<br />
<br />
Or, if fonts were installed in different sub-folders under e.g. {{ic|/usr/share/fonts}} (run from that directory, since the loop iterates over {{ic|*}}; the index is built before the path is added, as {{ic|xset +fp}} rejects a directory without {{ic|fonts.dir}}):<br />
<br />
 $ for dir in *; do if [ -d "$dir" ]; then cd "$dir"; mkfontscale; mkfontdir; xset +fp "$PWD"; cd ..; fi; done && xset fp rehash<br />
<br />
At times the X server may fail to load the fonts directory and you will need to rescan all the {{ic|fonts.dir}} files:<br />
<br />
# xset +fp /usr/share/fonts/misc # Inform the X server of new directories<br />
# xset fp rehash # Forces a new rescan<br />
<br />
To check that the font(s) are included:<br />
<br />
$ xlsfonts | grep fontname<br />
<br />
{{note|Many packages will automatically configure Xorg to use the font upon installation. If that is the case with your font, this step is not necessary.}}<br />
<br />
This can also be set globally in {{ic|/etc/X11/xorg.conf}} or {{ic|/etc/X11/xorg.conf.d}}.<br />
<br />
Here is an example of the section that must be added to {{ic|/etc/X11/xorg.conf}}. Add or remove paths based on your particular font requirements.<br />
<br />
# Let X.Org know about the custom font directories<br />
Section "Files"<br />
FontPath "/usr/share/fonts/100dpi"<br />
FontPath "/usr/share/fonts/75dpi"<br />
FontPath "/usr/share/fonts/cantarell"<br />
FontPath "/usr/share/fonts/cyrillic"<br />
FontPath "/usr/share/fonts/encodings"<br />
FontPath "/usr/share/fonts/misc"<br />
FontPath "/usr/share/fonts/truetype"<br />
FontPath "/usr/share/fonts/TTF"<br />
FontPath "/usr/share/fonts/util"<br />
EndSection<br />
<br />
=== Pango Warnings ===<br />
<br />
When [http://www.pango.org/ Pango] is in use on your system it reads from [http://www.freedesktop.org/wiki/Software/fontconfig fontconfig] to determine where to source fonts. If no suitable font is found, it emits warnings like these:<br />
<br />
(process:5741): Pango-WARNING **: failed to choose a font, expect ugly output. engine-type='PangoRenderFc', script='common'<br />
(process:5741): Pango-WARNING **: failed to choose a font, expect ugly output. engine-type='PangoRenderFc', script='latin'<br />
<br />
If you are seeing errors similar to this and/or seeing blocks instead of characters in your application then you need to add fonts and update the font cache. This example uses the {{Pkg|ttf-liberation}} fonts to illustrate the solution (after successful installation of the package) and runs as root to enable them system-wide.<br />
<br />
# fc-cache<br />
/usr/share/fonts: caching, new cache contents: 0 fonts, 3 dirs<br />
/usr/share/fonts/TTF: caching, new cache contents: 16 fonts, 0 dirs<br />
/usr/share/fonts/encodings: caching, new cache contents: 0 fonts, 1 dirs<br />
/usr/share/fonts/encodings/large: caching, new cache contents: 0 fonts, 0 dirs<br />
/usr/share/fonts/util: caching, new cache contents: 0 fonts, 0 dirs<br />
/var/cache/fontconfig: cleaning cache directory<br />
fc-cache: succeeded<br />
<br />
You can test for a default font being set like so:<br />
<br />
# fc-match<br />
LiberationMono-Regular.ttf: "Liberation Mono" "Regular"<br />
<br />
== Console fonts ==<br />
<br />
{{Note|This section is about the [[Wikipedia:Linux console|Linux console]]. For alternative console solutions offering more features (full Unicode fonts, modern graphics adapters etc.), see [[fbterm]], [[KMSCON]] or similar projects.}}<br />
<br />
By default, the [[Wikipedia:Virtual console|virtual console]] uses the kernel built-in font with a [[Wikipedia:CP437|CP437]] character set,<sup>[https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/tty/vt/Makefile#n4]</sup> but this can be easily changed.<br />
<br />
The [[Wikipedia:Linux console|Linux console]] uses UTF-8 encoding by default, but because the standard VGA-compatible framebuffer is used, a console font is limited to either 256 or 512 glyphs. If the font has more than 256 glyphs, the number of colours is reduced from 16 to 8. In order to map a given Unicode value to the correct glyph to display, a special translation map, often called ''unimap'', is needed. Nowadays most console fonts have the ''unimap'' built in; historically, it had to be loaded separately.<br />
<br />
The {{Pkg|kbd}} package provides tools to change the virtual console font and font mapping. Available fonts are saved in the {{ic|/usr/share/kbd/consolefonts/}} directory; those ending with ''.psfu'' or ''.psfu.gz'' have a Unicode translation map built in.<br />
<br />
Keymaps, the connection between the key pressed and the character used by the computer, are found in the subdirectories of {{ic|/usr/share/kbd/keymaps/}}, see [[Keyboard configuration in console]] for details.<br />
<br />
{{Note|Replacing the font can cause issues with programs that expect a standard VGA-style font, such as those using line drawing graphics.}}<br />
<br />
{{Tip|For European languages written in Latin or Greek letters you can use the {{ic|eurlatgr}} font; it includes a broad range of Latin/Greek letter variations as well as special characters [https://lists.altlinux.org/pipermail/kbd/2014-February/000439.html].}}<br />
<br />
=== Preview and temporary changes ===<br />
<br />
{{Tip|An organized library of images for previewing is available: [http://alexandre.deverteuil.net/pages/consolefonts/ Linux console fonts screenshots].}}<br />
<br />
$ showconsolefont<br />
<br />
shows a table of glyphs or letters of a font.<br />
<br />
{{ic|setfont}} temporarily changes the font if passed a font name (in {{ic|/usr/share/kbd/consolefonts/}}) such as<br />
<br />
$ setfont lat2-16 -m 8859-2<br />
<br />
Font names are case-sensitive. With no parameter, {{ic|setfont}} returns the console to the default font.<br />
<br />
{{Tip|All font changing commands can be typed in "blind".}}<br />
<br />
{{Note|''setfont'' only works on the console currently being used. Any other consoles, active or inactive, remain unaffected.}}<br />
<br />
=== Persistent configuration ===<br />
<br />
The {{ic|FONT}} variable in {{ic|/etc/vconsole.conf}} is used to set the font at boot, persistently for all consoles. See {{man|5|vconsole.conf}} for details.<br />
<br />
For displaying characters such as ''Č, ž, đ, š'' or ''Ł, ę, ą, ś'' using the font {{ic|lat2-16.psfu.gz}}:<br />
<br />
{{hc|/etc/vconsole.conf|2=<br />
...<br />
FONT=lat2-16<br />
FONT_MAP=8859-2<br />
}}<br />
<br />
This means that the second part of ISO/IEC 8859 is used with a font size of 16. You can change the font size using other values (e.g. {{ic|lat2-08}}). For the regions covered by the 8859 specification, see [[Wikipedia:ISO/IEC 8859#The parts of ISO/IEC 8859]].<br />
<br />
To use the specified font in early userspace, use the {{ic|consolefont}} hook in {{ic|/etc/mkinitcpio.conf}}. See [[Mkinitcpio#HOOKS]] for more information. <br />
<br />
If the font does not seem to change on boot, or changes only temporarily, it most likely got reset when the graphics driver was initialized and the console was switched to the framebuffer. To avoid this, load your graphics driver earlier. See for example [[Kernel mode setting#Early KMS start]], [https://bbs.archlinux.org/viewtopic.php?id=145765] or other ways to set up your framebuffer before {{ic|/etc/vconsole.conf}} is applied.<br />
<br />
== Font packages ==<br />
<br />
This is a selective list that includes many font packages from the [[AUR]] along with those in the official repositories. Fonts are tagged "Unicode" if they have wide Unicode support; see the project or Wikipedia pages for detail.<br />
<br />
The [https://github.com/ternstor/distrofonts Archfonts Python script] can be used to generate an overview of all the TTF fonts found in the official repositories / the AUR (the image generation is done using {{AUR|ttf2png}}).<br />
<br />
=== Bitmap ===<br />
<br />
* Default 8x16<br />
* [http://www.dcmembers.com/jibsen/download/61/ Dina] ({{Pkg|dina-font}}) – 6pt, 8pt, 9pt, 10pt, monospaced, based on Proggy<br />
* [http://openlab.jp/efont/unicode/ Efont] ({{AUR|efont-unicode-bdf}}) – 10px, 12px, 14px, 16px, 24px, normal, bold and italic<br />
* [http://font.gohu.org/ Gohu] ({{AUR|gohufont}}) – 11px, 14px, normal and bold<br />
* [http://artwizaleczapka.sourceforge.net/ Lime] ({{Pkg|artwiz-fonts}})<br />
* [http://tobiasjung.name/profont/ ProFont] ({{Pkg|profont}}) – 10px, 11px, 12px, 15px, 17px, 22px, 29px, normal<br />
* [[Wikipedia:Proggy programming fonts|Proggy]] ({{AUR|proggyfonts}}) – has different variants<br />
* [http://www.fial.com/~scott/tamsyn-font/ Tamsyn] ({{Pkg|tamsyn-font}})<br />
* [http://terminus-font.sourceforge.net/ Terminus] ({{Pkg|terminus-font}})<br />
* [https://github.com/lucy/tewi-font Tewi] ({{AUR|bdf-tewi-git}})<br />
* [http://unifoundry.com/unifont.html Unifont] ([[Wikipedia:Unicode font#Comparison of fonts|most extensive]] Unicode coverage of any font) ({{Pkg|bdf-unifont}})<br />
<br />
=== Latin script ===<br />
<br />
==== Families ====<br />
<br />
* [[Wikipedia:Luxi fonts|Luxi fonts]] ({{Pkg|font-bh-ttf}}) – X.Org Luxi fonts<br />
* [[Wikipedia:Bitstream Vera|Bitstream Vera]] ({{Pkg|ttf-bitstream-vera}}) – serif, sans-serif, and monospace<br />
* [https://quoteunquoteapps.com/courierprime/ Courier Prime] ({{AUR|ttf-courier-prime}}) – Courier font alternative optimized for screenplays<br />
* [[Wikipedia:Croscore fonts|Croscore fonts]] ({{Pkg|ttf-croscore}}) – Google's substitute for Windows' Arial, Times New Roman, and Courier New<br />
* [[Wikipedia:DejaVu fonts|DejaVu fonts]] ({{Pkg|ttf-dejavu}}) – Bitstream Vera modified for greater Unicode coverage<br />
* [[Wikipedia:Droid (font)|Droid]] ({{Pkg|ttf-droid}}, included in {{AUR|ttf-google-fonts-git}}) – default font for older Android versions<br />
* [[Wikipedia:Roboto|Roboto]] ({{Pkg|ttf-roboto}}) – default font for newer Android versions<br />
* [[Wikipedia:Noto fonts|Google Noto]] ({{Pkg|noto-fonts}}) – Unicode<br />
* [[Wikipedia:Liberation fonts|Liberation fonts]] ({{Pkg|ttf-liberation}}) – free metric-compatible substitute for the Arial, Arial Narrow, Times New Roman and Courier New fonts found in Windows and Microsoft Office products<br />
* [[Wikipedia:Ubuntu Font Family|Ubuntu Font Family]] ({{Pkg|ttf-ubuntu-font-family}})<br />
* [[Microsoft fonts]] ({{AUR|ttf-ms-win10}}) – Windows 10 fonts<br />
Legacy Microsoft font packages:<br />
* [http://corefonts.sourceforge.net/ Microsoft fonts] ({{AUR|ttf-ms-fonts}}) – Andalé Mono, Courier New, Arial, Arial Black, Comic Sans, Impact, Lucida Sans, Microsoft Sans Serif, Trebuchet, Verdana, Georgia, Times New Roman<br />
* Vista fonts ({{AUR|ttf-vista-fonts}}) – Consolas, Calibri, Candara, Corbel, Cambria, Constantia<br />
<br />
==== Monospaced ====<br />
<br />
For more monospaced fonts see [[#Bitmap]] and [[#Families]].<br />
<br />
* [http://www.marksimonson.com/fonts/view/anonymous-pro Anonymous Pro] ({{pkg|ttf-anonymous-pro}}, included in {{AUR|ttf-google-fonts-git}})<br />
* [https://damieng.com/blog/2008/05/26/envy-code-r-preview-7-coding-font-released Envy Code R] ({{AUR|ttf-envy-code-r}})<br />
* Fantasque Sans Mono ({{AUR|ttf-fantasque-sans-git}})<br />
* [[Wikipedia:Fira Sans|Fira Mono]] ({{pkg|ttf-fira-mono}}, {{pkg|otf-fira-mono}}) – designed for Firefox OS<br />
* [[Wikipedia:GNU FreeFont|FreeMono]] ({{Pkg|ttf-freefont}}) - Unicode<br />
* [https://sourcefoundry.org/hack/ Hack] ({{pkg|ttf-hack}}) - an open source monospaced font, used as the default in KDE Plasma<br />
* [[Wikipedia:Inconsolata|Inconsolata]] ({{Pkg|ttf-inconsolata}}, included in {{AUR|ttf-google-fonts-git}}) - inspired by Consolas<br />
* [https://leonardo-m.livejournal.com/77079.html Inconsolata-g] ({{AUR|ttf-inconsolata-g}}) - adds some programmer-friendly modifications<br />
* [[Wikipedia:Lucida Typewriter|Lucida Typewriter]] (included in package {{AUR|jre}})<br />
* [[Wikipedia:Menlo (typeface)|Menlo]] (derivative: {{AUR|ttf-meslo}}) - default monospaced font of OS X<br />
* [[Wikipedia:Monaco (typeface)|Monaco]] ({{AUR|ttf-monaco}}) - proprietary font designed by Apple for OS X<br />
* Monofur ({{AUR|ttf-monofur}})<br />
* [https://madmalik.github.io/mononoki Mononoki] ({{AUR|ttf-mononoki}})<br />
* [[Wikipedia:Source_Code_Pro|Source Code Pro]] ({{pkg|adobe-source-code-pro-fonts}})<br />
<br />
Relevant websites:<br />
<br />
* [http://hivelogic.com/articles/top-10-programming-fonts Dan Benjamin's Top 10 Programming Fonts].<br />
* [http://www.lowing.org/fonts/ Trevor Lowing's font list]<br />
* [https://www.slant.co/topics/67/~what-are-the-best-programming-fonts Slant: What are the best programming fonts?]<br />
* [https://stackoverflow.com/questions/4689/recommended-fonts-for-programming Stack Overflow: Recommended fonts for programming]<br />
<br />
==== Sans-serif ====<br />
<br />
* [http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=andika Andika] ({{AUR|ttf-andika}})<br />
* [[Wikipedia:GNU FreeFont|FreeSans]] ({{Pkg|ttf-freefont}}) - Unicode<br />
* [https://github.com/rsms/inter Inter UI] ({{AUR|ttf-inter-ui}}) – designed for user interfaces<br />
* [[Wikipedia:Linux Libertine|Linux Biolinum]] ({{Pkg|ttf-linux-libertine}}) – free substitute for Times New Roman<br />
* [[Wikipedia:PT Sans|PT Sans]] ({{AUR|ttf-google-fonts-git}}) - 3 major variations: normal, narrow, and caption - Unicode: Latin, Cyrillic<br />
* [[Wikipedia:Source Sans Pro|Source Sans Pro]] ({{pkg|adobe-source-sans-pro-fonts}})<br />
* [[Wikipedia:Tahoma (typeface)|Tahoma]] ({{AUR|ttf-tahoma}})<br />
<br />
==== Serif ====<br />
<br />
* [http://www.georgduffner.at/ebgaramond/ EB Garamond] ({{AUR|otf-eb-garamond}})<br />
* [[Wikipedia:GNU FreeFont|FreeSerif]] ({{Pkg|ttf-freefont}}) - Unicode<br />
* [[Wikipedia:Gentium|Gentium]] ({{Pkg|ttf-gentium}}) - Unicode: Latin, Greek, Cyrillic, Phonetic Alphabet<br />
* [[Wikipedia:Linux Libertine|Linux Libertine]] ({{Pkg|ttf-linux-libertine}}) - Unicode: Latin, Greek, Cyrillic, Hebrew<br />
<br />
==== Unsorted ====<br />
<br />
{{Style|This section should be absorbed into the Monospace/Serif/Sans-Serif structure}}<br />
<br />
* {{Pkg|ttf-cheapskate}} - Font collection from ''dustismo.com''<br />
* {{Pkg|ttf-junicode}} - Junius font containing almost complete medieval latin script glyphs<br />
* {{Pkg|ttf-mph-2b-damase}} - Covers full plane 1 and several scripts<br />
* {{Pkg|xorg-fonts-type1}} - IBM Courier and Adobe Utopia sets of [[Wikipedia:PostScript fonts|PostScript fonts]]<br />
* {{AUR|all-repository-fonts}} - Meta package for all fonts in the official repositories.<br />
* {{AUR|ttf-google-fonts-git}} - a huge collection of free fonts (including Ubuntu, Inconsolata, Droid, etc.) - Note: Your font dialog might get very long as >100 fonts will be added.<br />
<br />
=== Non-latin scripts ===<br />
<br />
==== Ancient Scripts ====<br />
<br />
* {{AUR|ttf-ancient-fonts}} - Font containing Unicode symbols for Aegean, Egyptian, Cuneiform, Anatolian, Maya, and Analecta scripts<br />
<br />
==== Arabic ====<br />
<br />
* {{AUR|ttf-amiri}} - A classical Arabic typeface in Naskh style pioneered by Amiria Press<br />
* {{AUR|ttf-arabeyes-fonts}} - Collection of free Arabic fonts<br />
* {{AUR|ttf-qurancomplex-fonts}} - Fonts by King Fahd Glorious Quran Printing Complex in al-Madinah al-Munawwarah<br />
* {{AUR|ttf-sil-lateef}} - Unicode Arabic font from SIL<br />
* {{AUR|ttf-sil-scheherazade}} - Unicode Arabic font from SIL<br />
<br />
==== Braille ====<br />
<br />
*{{Pkg|ttf-ubraille}} - Font containing Unicode symbols for ''braille''<br />
<br />
==== Chinese, Japanese, Korean, Vietnamese ====<br />
<br />
===== Pan-CJK =====<br />
*adobe source han fonts - Large collection of fonts which comprehensively support Simplified Chinese, Traditional Chinese, Japanese, and Korean, with a consistent design and look.<br />
**{{Pkg|adobe-source-han-sans-otc-fonts}} - Sans fonts<br />
**{{Pkg|adobe-source-han-serif-otc-fonts}} - Serif fonts<br />
<br />
*{{Pkg|noto-fonts-cjk}} - Large collection of fonts which comprehensively support Simplified Chinese, Traditional Chinese, Japanese, and Korean, with a consistent design and look. It is currently a rebadged version of {{Pkg|adobe-source-han-sans-otc-fonts}}.<br />
<br />
===== Chinese =====<br />
<br />
{{Move|Internationalization/Chinese#Fonts|It makes sense to group language-specific things together.}}<br />
<br />
* adobe source han fonts<br />
** {{Pkg|adobe-source-han-sans-cn-fonts}} - Simplified Chinese OpenType/CFF Sans fonts<br />
** {{Pkg|adobe-source-han-sans-tw-fonts}} - Traditional Chinese OpenType/CFF Sans fonts<br />
** {{Pkg|adobe-source-han-serif-cn-fonts}} - Simplified Chinese OpenType/CFF Serif fonts<br />
** {{Pkg|adobe-source-han-serif-tw-fonts}} - Traditional Chinese OpenType/CFF Serif fonts<br />
<br />
* noto Chinese fonts<br />
** {{AUR|noto-fonts-sc}} - Noto CJK-SC fonts for Simplified Chinese<br />
** {{AUR|noto-fonts-tc}} - Noto CJK-TC fonts for Traditional Chinese<br />
<br />
* wqy fonts<br />
** {{Pkg|wqy-microhei}} - The WenQuanYi Micro Hei font family (also known as Hei, Gothic or Dotum) is a sans-serif style derived from Droid Sans Fallback; it offers a high-quality CJK outline font and is extremely compact (~5M).<br />
** {{Pkg|wqy-zenhei}} - Hei Ti Style (sans-serif) Chinese Outline font embedded with bitmapped Song Ti (also supporting Japanese (partial) and Korean characters).<br />
** {{Pkg|wqy-bitmapfont}} - Bitmapped Song Ti (serif) Chinese font.<br />
<br />
* arphic fonts<br />
** {{Pkg|ttf-arphic-ukai}} - ''Kaiti'' (brush stroke) Unicode font (enabling anti-aliasing is suggested)<br />
** {{Pkg|ttf-arphic-uming}} - ''Mingti'' (printed) Unicode font<br />
<br />
* {{Pkg|opendesktop-fonts}} - ''New Sung'' font, previously the ttf-fireflysung package<br />
<br />
* {{Pkg|ttf-hannom}} - Chinese and Vietnamese ttf fonts<br />
<br />
* Standard fonts of the Ministry of Education of the Republic of China (Taiwan)<br />
** {{AUR|ttf-tw}} - Kai and Song traditional Chinese fonts from the Ministry of Education of Taiwan<br />
** {{AUR|ttf-twcns-fonts}} - Chinese TrueType fonts by the Ministry of Education of Taiwan; supports the CNS11643 standard and includes Kai and Sung typefaces.<br />
<br />
*Windows Chinese fonts<br />
**{{AUR|ttf-ms-win8-zh_cn}} - Windows 8 Simplified Chinese fonts.<br />
**{{AUR|ttf-ms-win8-zh_tw}} - Windows 8 Traditional Chinese fonts.<br />
**{{AUR|ttf-ms-win10-zh_cn}} - Windows 10 Simplified Chinese fonts.<br />
**{{AUR|ttf-ms-win10-zh_tw}} - Windows 10 Traditional Chinese fonts.<br />
<br />
* {{AUR|ttf-i.bming}} - CJK serif font that emphasizes an old-style typeface.<br />
<br />
===== Japanese =====<br />
<br />
{{Move|Internationalization/Japanese#Fonts|It makes sense to group language-specific things together.}}<br />
<br />
* {{Pkg|adobe-source-han-sans-jp-fonts}} - Japanese OpenType/CFF fonts<br />
* {{Pkg|otf-ipafont}} - Formal style Japanese Gothic (sans-serif) and Mincho (serif) font set; one of the highest quality open source fonts. Default of openSUSE-ja.<br />
* {{Pkg|ttf-hanazono}} - A free Japanese kanji font, style Mincho (serif).<br />
* {{Pkg|ttf-sazanami}} - Japanese free TrueType font. This is outdated and not maintained any more, but may be defined as a fallback font on several environments.<br />
* {{AUR|ttf-koruri}} - Japanese TrueType font obtained by mixing {{AUR|ttf-mplus}} and Open Sans<br />
* {{AUR|ttf-monapo}} - Japanese fonts to show [[wikipedia:2channel_Shift_JIS_art|2channel Shift JIS art]] properly.<br />
* {{AUR|ttf-mplus}} - Modern Gothic style Japanese outline fonts. It includes all of Japanese Hiragana/Katakana, Basic Latin, Latin-1 Supplement, Latin Extended-A, IPA Extensions and most of Japanese Kanji, Greek, Cyrillic, Vietnamese with 7 weights (proportional) or 5 weights (monospace).<br />
* {{AUR|ttf-vlgothic}} - Japanese Gothic fonts. Default of Debian/Fedora/Vine Linux<br />
<br />
===== Korean =====<br />
<br />
{{Move|Internationalization/Korean#Fonts|It makes sense to group language-specific things together.}}<br />
<br />
* {{Pkg|adobe-source-han-sans-kr-fonts}} - Korean OpenType/CFF fonts<br />
* {{Pkg|ttf-baekmuk}} - Collection of Korean TrueType fonts<br />
* {{AUR|spoqa-han-sans}} - Source Han Sans customized by Spoqa<br />
* {{AUR|ttf-d2coding}} - D2Coding fixed width TrueType font made by Naver<br />
* {{AUR|ttf-nanum}} - Nanum series TrueType fonts<br />
* {{AUR|ttf-nanumgothic_coding}} - Nanum series fixed width TrueType fonts<br />
<br />
===== Vietnamese =====<br />
<br />
* {{Pkg|ttf-hannom}} - Vietnamese TrueType font for chữ Nôm characters<br />
<br />
==== Cyrillic ====<br />
<br />
See also [[#Latin script]].<br />
<br />
* {{AUR|ttf-paratype}} - Font family by ParaType: sans, serif, mono, extended cyrillic and latin, OFL license<br />
* {{AUR|otf-russkopis}} - A free OpenType cursive font for Cyrillic script<br />
<br />
==== Greek ====<br />
<br />
Almost all Unicode fonts contain the Greek character set (polytonic included). Some additional font packages, which might not contain the complete Unicode set but utilize high quality Greek (and Latin, of course) typefaces are:<br />
<br />
* {{AUR|otf-gfs}} - Selection of OpenType fonts from the Greek Font Society<br />
* {{AUR|ttf-mgopen}} - Professional TrueType fonts from Magenta<br />
<br />
==== Hebrew ====<br />
<br />
* {{AUR|culmus}} - Nice collection of free Hebrew fonts<br />
<br />
==== Indic ====<br />
<br />
* {{Pkg|ttf-freebanglafont}} - Font for Bangla<br />
* {{Pkg|ttf-indic-otf}} - Indic OpenType Fonts collection (containing ttf-freebanglafont), provides the character [http://www.fileformat.info/info/unicode/char/ca0/index.htm U+0CA0] "ಠ"<br />
* {{AUR|lohit-fonts}} - Indic TrueType fonts from Fedora Project (containing Oriya Fonts and more)<br />
* {{AUR|ttf-devanagarifonts}} - Devanagari TrueType fonts (contains 283 fonts)<br />
* {{AUR|ttf-gurmukhi-fonts_sikhnet}} - TrueType Gurmukhi fonts (gurbaniwebthick,prabhki)<br />
* {{AUR|ttf-gurmukhi_punjabi}} - TTF Gurmukhi / Punjabi (contains 252 fonts)<br />
* {{AUR|ttf-gujrati-fonts}} - TTF Gujarati fonts (Avantika,Gopika,Shree768)<br />
* {{AUR|ttf-kannada-font}} - Fonts for Kannada, the language of Karnataka state in India<br />
* {{AUR|ttf-lklug}} - Sinhala Unicode font<br />
* {{AUR|ttf-tamil}} - Tamil Unicode fonts<br />
* {{AUR|ttf-urdufonts}} - Urdu fonts (Jameel Noori Nastaleeq (+kasheeda), Nafees Web Naskh, PDMS Saleem Quran Font) and font configuration to set Jameel Noori Nastaleeq as default font for Urdu<br />
* {{AUR|fonts-smc-malayalam}} - Malayalam Unicode Fonts released by 'Swathanthra Malayalam Computing' (contains 11 fonts).<br />
<br />
==== Khmer ====<br />
<br />
* {{Pkg|ttf-khmer}} - Font covering glyphs for Khmer language<br />
* [https://www.google.com/fonts/specimen/Hanuman Hanuman] ({{AUR|ttf-google-fonts-git}})<br />
<br />
==== Mongolic and Tungusic ====<br />
<br />
* {{AUR|ttf-abkai}} - Fonts for Sibe, Manchu and Daur scripts (incomplete, currently in development)<br />
<br />
==== Persian ====<br />
<br />
* {{AUR|persian-fonts}} - Meta package for installing all Persian fonts in AUR.<br />
* {{AUR|borna-fonts}} - Borna Rayaneh Co. Persian B font series.<br />
* {{AUR|iran-nastaliq-fonts}} - A free Unicode calligraphic Persian font.<br />
* {{AUR|iranian-fonts}} - Iranian-Sans and Iranian-Serif Persian font family.<br />
* {{AUR|ir-standard-fonts}} - Iran Supreme Council of Information and Communication Technology (SCICT) standard Persian fonts.<br />
* {{AUR|persian-hm-ftx-fonts}} - A Persian font series derived from X Series 2, Metafont and FarsiTeX fonts with Kashida feature.<br />
* {{AUR|persian-hm-xs2-fonts}} - A Persian font series derived from X Series 2 fonts with Kashida feature.<br />
* {{AUR|sina-fonts}} - Sina Pardazesh Co. Persian font series.<br />
* {{AUR|gandom-fonts}}, {{AUR|parastoo-fonts}}, {{AUR|sahel-fonts}}, {{AUR|samim-fonts}}, {{AUR|shabnam-fonts}}, {{AUR|tanha-fonts}}, {{AUR|vazir-fonts}}, {{AUR|vazir-code-fonts}} - Beautiful Persian fonts made by Ali Rasti Kerdar.<br />
* {{AUR|ttf-yas}} - The Yas Persian font series (with '''hollow zero''').<br />
* {{AUR|ttf-x2}} - Free fonts with support for Persian, Arabic, Urdu, Pashto, Dari, Uzbek, Kurdish, Uighur, old Turkish (Ottoman) and modern Turkish (Roman).<br />
<br />
==== Tai–Kadai ====<br />
<br />
* {{Pkg|fonts-tlwg}} - Collection of scalable Thai fonts<br />
* {{AUR|ttf-lao}} - Lao TTF font (Phetsarath_OT)<br />
* {{AUR|ttf-lao-fonts}} - Lao TTF fonts, both Unicode and non-Unicode for Windows<br />
<br />
==== Tibeto-Burman ====<br />
<br />
* {{Pkg|ttf-tibetan-machine}} - Tibetan Machine TTFont<br />
* {{AUR|ttf-myanmar-fonts}} - 121 Fonts from myordbok.com<br />
<br />
=== Emoji and symbols ===<br />
<br />
A section of the Unicode standard is designated for pictographic characters called "emoji".<br />
<br />
* {{Pkg|noto-fonts-emoji}} - Google's own emoji font, like on Android or Google Hangouts.<br />
* {{AUR|ttf-symbola}} - provides many Unicode symbols, including emoji, in outline style.<br />
* {{AUR|ttf-emojione}} - Official colorful EmojiOne font.<br />
* {{AUR|ttf-emojione-color}} - a color and B&W emoji SVGinOT font built from EmojiOne.<br />
* {{AUR|ttf-twemoji-color}} - Twitter's open-sourced emoji glyphs.<br />
<br />
[[wikipedia:Emoticon#Japanese_style|Kaomoji]] are sometimes referred to as "Japanese emoticons" and are composed of characters from various character sets, including CJK and Indic fonts. For example, the following set of packages covers most existing kaomoji: {{Pkg|ttf-freefont}}, {{Pkg|ttf-arphic-uming}}, and {{Pkg|ttf-indic-otf}}.<br />
<br />
=== Math ===<br />
<br />
* {{Pkg|font-mathematica}} - Mathematica fonts by Wolfram Research, Inc.<br />
* {{Pkg|texlive-core}} and {{Pkg|texlive-fontsextra}} contain many math fonts such as Latin Modern Math and [[Wikipedia:STIX Fonts project|STIX Fonts]]. See [[TeX Live#Fonts]] for configuration.<br />
* {{AUR|otf-stix}} - A standalone, more recent version of STIX<br />
* {{Pkg|otf-latin-modern}}, {{Pkg|otf-latinmodern-math}} - Improved version of Computer Modern fonts as used in LaTeX<br />
* {{AUR|ttf-computer-modern-fonts}}, {{AUR|otf-cm-unicode}} - [[wikipedia:Computer Modern|Computer Modern]] (of TeX fame)<br />
* {{AUR|ttf-mathtype}} - MathType fonts<br />
<br />
=== Other operating system fonts ===<br />
<br />
* {{AUR|ttf-mac-fonts}} - Apple MacOS TrueType fonts<br />
<br />
See [[Metric-compatible fonts]], which lists available alternatives for [[Microsoft fonts]].<br />
<br />
== Fallback font order with X11 ==<br />
<br />
Fontconfig automatically chooses a font that matches the current requirement. That is to say, if one is looking at a window containing English and Chinese for example, it will switch to another font for the Chinese text if the default one does not support it.<br />
<br />
Fontconfig lets every user configure the order they want via {{ic|$XDG_CONFIG_HOME/fontconfig/fonts.conf}}.<br />
If you want a particular Chinese font to be selected after your favorite Serif font, your file would look like this:<br />
<br />
<?xml version="1.0"?><br />
<!DOCTYPE fontconfig SYSTEM "fonts.dtd"><br />
<fontconfig><br />
<alias><br />
<family>serif</family><br />
<prefer><br />
<family>Your favorite Latin Serif font name</family><br />
<family>Your Chinese font name</family><br />
</prefer><br />
</alias><br />
</fontconfig><br />
<br />
{{Tip|If you use a Chinese locale, set {{ic|LC_LANG}} to {{ic|und}} to make this work. Otherwise both English and Chinese text will be rendered in the Chinese font.}}<br />
<br />
You can add a section for sans-serif and monospace as well. For more information, have a look at the fontconfig manual.<br />
<br />
See also [[Font configuration#Replace or set default fonts]].<br />
<br />
== Font alias ==<br />
<br />
There are several font aliases which represent other fonts in order that applications may use similar fonts. The most common aliases are: {{ic|serif}} for a font of the serif type (e.g. DejaVu Serif); {{ic|sans-serif}} for a font of the sans-serif type (e.g. DejaVu Sans); and {{ic|monospace}} for a monospaced font (e.g. DejaVu Sans Mono). However, the fonts which these aliases represent may vary and the relationship is often not shown in font management tools, such as those found in [[KDE]] and other [[desktop environments]].<br />
<br />
To reverse an alias and find which font it is representing, run:<br />
<br />
{{hc|$ fc-match monospace|<br />
DejaVuSansMono.ttf: "DejaVu Sans Mono" "Book"<br />
}}<br />
<br />
In this case, {{ic|DejaVuSansMono.ttf}} is the font represented by the monospace alias.<br />
<br />
== Tips and tricks ==<br />
<br />
=== List all installed fonts ===<br />
<br />
You can use the following command to list all installed Fontconfig fonts that are available on your system. <br />
<br />
$ fc-list<br />
<br />
==== List installed fonts for a particular language ====<br />
<br />
Applications and browsers select and display fonts depending upon fontconfig preferences and the glyphs available for the Unicode text. To list installed fonts for a particular language, issue the command {{ic|<nowiki>fc-list :lang="two letter language code"</nowiki>}}. For instance, to list installed Arabic fonts, i.e. fonts supporting Arabic glyphs:<br />
{{hc|$ fc-list -f '%{file}\n' :lang&#61;ar|2=<br />
<nowiki><br />
/usr/share/fonts/TTF/FreeMono.ttf<br />
/usr/share/fonts/TTF/DejaVuSansCondensed.ttf<br />
/usr/share/fonts/truetype/custom/DroidKufi-Bold.ttf<br />
/usr/share/fonts/TTF/DejaVuSansMono.ttf<br />
/usr/share/fonts/TTF/FreeSerif.ttf<br />
</nowiki><br />
}}<br />
<br />
=== Set terminal font on-the-fly ===<br />
<br />
{{Expansion|Which terminals specifically support this method? Where is the documentation for the escape codes?}}<br />
<br />
For terminal emulators that use {{ic|Xresources}}, fonts can be set by using escape sequences. Specifically, {{ic|echo -e "\033]710;$font\007"}} to change the normal font ({{ic|*font}} in {{ic|~/.Xresources}}), and replace {{ic|710}} with {{ic|711}}, {{ic|712}}, and {{ic|713}} to change the {{ic|*boldFont}}, {{ic|*italicFont}}, and {{ic|*boldItalicFont}}, respectively.<br />
<br />
{{ic|$font}} uses the same syntax as in {{ic|~/.Xresources}} and can be anything the terminal emulator will support. (Example: {{ic|1=xft:dejavu sans mono:size=9}})<br />
<br />
=== Application-specific font cache ===<br />
<br />
Matplotlib ({{pkg|python-matplotlib}} or {{pkg|python2-matplotlib}}) uses its own font cache, so after updating fonts, be sure to remove {{ic|~/.matplotlib/fontList.cache}}, <br />
{{ic|~/.cache/matplotlib/fontList.cache}}, {{ic|~/.sage/matplotlib-1.2.1/fontList.cache}}, etc. so it will regenerate its cache and find the new fonts [http://matplotlib.1069221.n5.nabble.com/getting-matplotlib-to-recognize-a-new-font-td40500.html].<br />
<br />
== See also ==<br />
<br />
* [http://behdad.org/text/ State of Text Rendering]<br />
* [https://fontlibrary.org/en Font Library] - Fonts under Free licenses<br />
* [https://screenshots.debian.net/packages?search=fonts&show=with Fonts on screenshots.debian.net]</div>Naim42https://wiki.archlinux.org/index.php?title=User:Naim42/common.css&diff=503342User:Naim42/common.css2017-12-19T20:53:59Z<p>Naim42: Blanked the page</p>
<hr />
<div></div>Naim42https://wiki.archlinux.org/index.php?title=User:Naim42/common.css&diff=503321User:Naim42/common.css2017-12-19T18:37:28Z<p>Naim42: Created page with "html, body { font-family: serif; }"</p>
<hr />
<div>html, body {<br />
font-family: serif;<br />
}</div>Naim42https://wiki.archlinux.org/index.php?title=XDG_MIME_Applications&diff=501134XDG MIME Applications2017-12-05T15:22:55Z<p>Naim42: s/affect/effect/</p>
<hr />
<div>[[Category:Desktop environments]]<br />
[[ja:デフォルトアプリケーション]]<br />
[[ru:Default applications]]<br />
[[zh-hans:Default applications]]<br />
{{Related articles start}}<br />
{{Related|Desktop entries}}<br />
{{Related|Desktop environment}}<br />
{{Related|Window manager}}<br />
{{Related articles end}}<br />
<br />
There is frequently more than one application able to handle data of a certain type, so users and even some packages assemble lists of default applications for each [[#MIME types|#MIME type]]. While the base install of Arch Linux does not define default applications, [[desktop environments]] you install may do so. Some desktop environments also provide a GUI or a file-manager which can interactively configure default applications. If you do not use a desktop environment, you may need to install additional software in order to conveniently manage default applications.<br />
<br />
== MIME types ==<br />
<br />
Before setting the default application per file type, the file type must be detected. There are two common ways that this detection is done:<br />
<br />
* using the file name extension e.g. ''.html'' or ''.jpeg''<br />
* using a [[w:List of file signatures|magic number]] in the first few bytes of the file<br />
<br />
However, it is possible that a single file type is identified by several different magic numbers and file name extensions; therefore [[w:MIME type|MIME types]] are used to represent distinct file types. MIME types are specified by two parts separated by a slash: {{ic|''type''/''subtype''}}. The type describes the general category of the content, while the subtype identifies the specific data type. For example, {{ic|image/jpeg}} is the MIME type for [[w:JPEG|JPEG]] images, while {{ic|video/H264}} is the MIME type for [[w:H.264/MPEG-4 AVC|H.264]] video.<br />
<br />
Technically, every MIME type should be registered with the [[w:Internet Assigned Numbers Authority|IANA]][http://www.iana.org/assignments/media-types/media-types.xhtml]; however, many applications use unofficial MIME types. These often have a type starting with {{ic|x-}}, for example {{ic|x-scheme-handler/https}} for an HTTPS URL. For local use, the [[#MIME database]] can be used by other packages to register new MIME types.<br />
<br />
=== MIME database ===<br />
<br />
The system maintains a database of recognized MIME types: the [https://specifications.freedesktop.org/shared-mime-info-spec/shared-mime-info-spec-0.11.html#idm139839923550176 Shared MIME-info Database]. The database is built from the XML files installed by packages in {{ic|/usr/share/mime/packages}} using the tools from the {{Pkg|shared-mime-info}} package.<br />
<br />
The files in {{ic|/usr/share/mime/}} should not be directly edited, however it is possible to maintain a separate database on a per-user basis in the {{ic|~/.local/share/mime/}} tree.<br />
<br />
==== New MIME types ====<br />
<br />
{{expansion|Is the process different for assigning an extension to an existing MIME type?}}<br />
<br />
This example defines a new MIME type {{ic|application/x-foobar}} and assigns it to any file with a name ending in ''.foo''. Simply create the following file:<br />
<br />
{{hc|~/.local/share/mime/packages/application-x-foobar.xml|2=<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<nowiki><mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info"></nowiki><br />
'''<mime-type type="application/x-foobar">'''<br />
<comment>foo file</comment><br />
<icon name="application-x-foobar"/><br />
<glob-deleteall/><br />
'''<glob pattern="*.foo"/>'''<br />
</mime-type><br />
</mime-info><br />
}}<br />
<br />
And then update the MIME database<br />
<br />
$ update-mime-database ~/.local/share/mime<br />
<br />
Of course this will not have any effect if no desktop entries are associated with the MIME type. You may need to create new [[desktop entries]] or modify [[#XDG standard|#mimeapps.list]].<br />
<br />
=== Desktop entries ===<br />
<br />
Each package can use [[desktop entries]] to provide information about the MIME types that can be handled by the packaged software. In order to provide a fast search in the reverse direction, the system uses the tools from the {{Pkg|desktop-file-utils}} package to analyze the desktop files and to create an inverse mapping stored in the {{ic|/usr/share/applications/mimeinfo.cache}} file. This is the only file that programs need to read to find all desktop files that might be used to handle a given MIME type. Using the database is easier and faster than reading hundreds of ''.desktop'' files directly.<br />
<br />
The files in {{ic|/usr/share/applications/}} should not be edited directly; instead, a separate database can be maintained on a per-user basis in the {{ic|~/.local/share/applications/}} tree. See [[Desktop entries]] for details.<br />
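The inverse mapping described above, as an added example that is neither the article's nor desktop-file-utils' code: a Python routine that reads the {{ic|MimeType}} keys of a few constructed desktop entries and renders them in the {{ic|[MIME Cache]}} layout of {{ic|mimeinfo.cache}}. An entry without a {{ic|MimeType}} key yields no cache line, which is the "Missing association" case described under Troubleshooting. The desktop entries, their names and their {{ic|Exec}} lines are constructed for the example.<br />
<br />
```python
"""Build the MIME type -> desktop entries inverse mapping kept in
mimeinfo.cache. Added example modelling what update-desktop-database
(desktop-file-utils) derives from the MimeType keys of .desktop files;
the entries below are constructed and parsed from strings."""
import configparser
from typing import Dict, List

# Constructed desktop entries keyed by desktop id (the file name).
DESKTOP_ENTRIES: Dict[str, str] = {
    "feh.desktop": """[Desktop Entry]
Type=Application
Name=Feh
Exec=feh %F
MimeType=image/jpeg;image/png;
""",
    "gimp.desktop": """[Desktop Entry]
Type=Application
Name=GNU Image Manipulation Program
Exec=gimp %U
MimeType=image/jpeg;image/png;image/x-xcf;
""",
    "firefox.desktop": """[Desktop Entry]
Type=Application
Name=Firefox
Exec=firefox %u
MimeType=text/html;x-scheme-handler/http;x-scheme-handler/https;
""",
    # No MimeType key: this entry can never be a candidate for any type.
    "htop.desktop": """[Desktop Entry]
Type=Application
Name=Htop
Exec=htop
Terminal=true
""",
}


def mime_types_of(content: str) -> List[str]:
    """MIME types declared by one desktop entry (empty if none declared).
    Keys stay case-sensitive; the trailing ';' yields an empty item that is dropped."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(content)
    if not parser.has_section("Desktop Entry"):
        return []
    raw = parser.get("Desktop Entry", "MimeType", fallback="")
    return [m.strip() for m in raw.split(";") if m.strip()]


def build_mime_cache(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert desktop id -> MIME types into MIME type -> desktop ids.
    Desktop ids are visited in sorted order so the output is deterministic."""
    cache: Dict[str, List[str]] = {}
    for desktop_id in sorted(entries):
        for mime in mime_types_of(entries[desktop_id]):
            cache.setdefault(mime, []).append(desktop_id)
    return cache


def render_mime_cache(cache: Dict[str, List[str]]) -> str:
    """Serialise in the layout of mimeinfo.cache: a [MIME Cache] section with
    one type=id;id; line per MIME type."""
    lines = ["[MIME Cache]"]
    for mime in sorted(cache):
        lines.append(f"{mime}={';'.join(cache[mime])};")
    return "\n".join(lines) + "\n"


def handlers_for(mime: str, cache: Dict[str, List[str]]) -> List[str]:
    """Desktop ids that declare support for a MIME type; [] means no desktop
    entry is associated, so no application can be chosen for it."""
    return list(cache.get(mime, []))
```
<br />
Running {{ic|handlers_for("video/H264", cache)}} on these entries returns an empty list: no constructed entry declares that type, so an opener consulting the cache has nothing to offer, exactly the situation the troubleshooting section tells you to fix in the desktop entry or in {{ic|mimeapps.list}}.<br />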
<br />
== Set default applications ==<br />
<br />
The configuration of default applications depends on which launcher is used. Unfortunately there are multiple incompatible standards and many programs even have their own custom formats.<br />
<br />
The most common standards are explained below for manual editing. There are also several [[#Utilities]] which can do the job, which may or may not implement the following standards.<br />
<br />
=== Environment variables ===<br />
<br />
Console programs in particular are configured by setting an appropriate [[environment variable]], e.g. {{ic|BROWSER}} or {{ic|EDITOR}}. See [[Environment variables#Examples]].<br />
<br />
=== XDG standard ===<br />
<br />
The [https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-1.0.html XDG standard] is the most common for configuring desktop environments. Default applications for each MIME type are stored in {{ic|mimeapps.list}} files, which can be stored in several locations. They are searched in the following order, with earlier associations taking precedence over later ones:<br />
<br />
{| class="wikitable"<br />
! Path !! Usage<br />
|-<br />
| {{ic|~/.config/mimeapps.list}} || user overrides<br />
|-<br />
| {{ic|/etc/xdg/mimeapps.list}} || system-wide overrides<br />
|-<br />
| {{ic|~/.local/share/applications/mimeapps.list}} || ('''deprecated''') user overrides<br />
|-<br />
| {{ic|/usr/local/share/applications/mimeapps.list}}<br>{{ic|/usr/share/applications/mimeapps.list}} || distribution-provided defaults<br />
|}<br />
<br />
Additionally, it is possible to define [[desktop environment]]-specific default applications in a file named {{ic|''desktop''-mimeapps.list}} where {{ic|''desktop''}} is the name of the desktop environment (from the {{ic|XDG_CURRENT_DESKTOP}} environment variable). For example, {{ic|/etc/xdg/xfce-mimeapps.list}} defines system-wide default application overrides for [[Xfce]]. These desktop-specific overrides take precedence over the corresponding non-desktop-specific file. For example, {{ic|/etc/xdg/xfce-mimeapps.list}} takes precedence over {{ic|/etc/xdg/mimeapps.list}} but is still overridden by {{ic|~/.config/mimeapps.list}}.<br />
<br />
{{Tip|1=Although deprecated, several applications still read/write to {{ic|~/.local/share/applications/mimeapps.list}}. To simplify maintenance, simply symlink it {{bc|$ ln -s ~/.config/mimeapps.list ~/.local/share/applications/mimeapps.list}}. Note that the symlink must be in this direction because [[#xdg-utils]] deletes and recreates {{ic|~/.config/mimeapps.list}} when it writes to it, which will break any symbolic/hard links}}<br />
<br />
{{Note|You might also find files in these locations named {{ic|defaults.list}}. This file is similar to {{ic|mimeapps.list}} except it only lists default applications (not added/removed associations). It is now deprecated and should be manually merged with {{ic|mimeapps.list}}.}}<br />
<br />
==== Format ====<br />
<br />
Consider the following example:<br />
<br />
{{hc|mimeapps.list|2=<br />
[Added Associations]<br />
image/jpeg=bar.desktop;baz.desktop<br />
video/H264=bar.desktop<br />
[Removed Associations]<br />
video/H264=baz.desktop<br />
[Default Applications]<br />
image/jpeg=foo.desktop}}<br />
<br />
Each section assigns one or more desktop entries to MIME types.<br />
* '''Added Associations''' indicates that the applications support opening that MIME type. For example, {{ic|bar.desktop}} and {{ic|baz.desktop}} can open JPEG images. This might affect the application list you see when right-clicking a file in a file browser.<br />
* '''Removed Associations''' indicates that the applications ''do not'' support that MIME type. For example, {{ic|baz.desktop}} cannot open H.264 video.<br />
* '''Default Applications''' indicates that the applications should be the default choice for opening that MIME type. For example, JPEG images should be opened with {{ic|foo.desktop}}. This implicitly adds an association between the application and the MIME type. If there are multiple applications, they are tried in order.<br />
<br />
Each section is optional and can be omitted if unneeded.<br />
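The precedence rules above, as an added example that is not part of the article or of xdg-utils: a small Python resolver that parses several constructed {{ic|mimeapps.list}} files in lookup order and returns the default and associated applications for a MIME type, honouring a user-level Removed Associations entry that blocks a system-wide default. The file contents, the set of installed desktop entries, the lower-casing of the {{ic|XDG_CURRENT_DESKTOP}} value in {{ic|search_order}} and the treatment of Removed before Default within one file are assumptions made for the example.<br />
<br />
```python
"""Resolve default and associated applications for a MIME type from
mimeapps.list files, following the lookup order and section semantics
described in the article. Added example: the file contents and the set of
installed desktop entries are constructed, not read from disk."""
from typing import Dict, List, Optional, Tuple

# Directories in the order the article lists them, highest precedence first.
LOOKUP_DIRS = ["~/.config", "/etc/xdg", "~/.local/share/applications",
               "/usr/local/share/applications", "/usr/share/applications"]

def search_order(desktop: Optional[str] = None) -> List[str]:
    """Files in the order they are consulted: within each directory the
    desktop-specific file (e.g. xfce-mimeapps.list) precedes mimeapps.list.
    Lower-casing the XDG_CURRENT_DESKTOP value is an assumption made here."""
    order: List[str] = []
    for d in LOOKUP_DIRS:
        if desktop:
            order.append(f"{d}/{desktop.lower()}-mimeapps.list")
        order.append(f"{d}/mimeapps.list")
    return order

# Constructed file contents, highest precedence first.
MIMEAPPS_FILES: List[Tuple[str, str]] = [
    ("~/.config/mimeapps.list", """
[Default Applications]
image/jpeg=feh.desktop
[Removed Associations]
video/H264=baz.desktop
"""),
    ("/etc/xdg/mimeapps.list", """
[Added Associations]
image/jpeg=bar.desktop;baz.desktop
video/H264=bar.desktop;baz.desktop
[Default Applications]
video/H264=baz.desktop;bar.desktop
"""),
    ("/usr/share/applications/mimeapps.list", """
[Default Applications]
image/jpeg=missing.desktop;gimp.desktop
text/plain=missing.desktop;gedit.desktop
"""),
]

# Constructed stand-in for the desktop entries actually present on disk.
INSTALLED = {"feh.desktop", "gimp.desktop", "bar.desktop", "baz.desktop",
             "gedit.desktop"}

def parse_mimeapps(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the INI-like format: [Section] headers and type/subtype=id;id;
    lines. MIME types stay case-sensitive (video/H264)."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[Dict[str, List[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            mime, _, ids = line.partition("=")
            apps = [a.strip() for a in ids.split(";") if a.strip()]
            current.setdefault(mime.strip(), []).extend(apps)
    return sections

def resolve(mime: str, files=MIMEAPPS_FILES,
            installed=INSTALLED) -> Tuple[Optional[str], List[str]]:
    """Return (default desktop id or None, associated desktop ids in order).
    The first file mentioning a desktop id for the MIME type decides whether
    it is added or removed (Default implies Added; within one file Removed is
    consulted first, an assumption made here). The default is the first
    Default entry, in file order, that is installed and not removed."""
    decided: Dict[str, str] = {}       # desktop id -> "added" | "removed"
    associated: List[str] = []
    default: Optional[str] = None
    for _path, text in files:
        parsed = parse_mimeapps(text)
        for section, verdict in (("Removed Associations", "removed"),
                                 ("Default Applications", "added"),
                                 ("Added Associations", "added")):
            for app in parsed.get(section, {}).get(mime, []):
                if app not in decided:
                    decided[app] = verdict
                    if verdict == "added" and app in installed:
                        associated.append(app)
        if default is None:
            for app in parsed.get("Default Applications", {}).get(mime, []):
                if app in installed and decided.get(app) == "added":
                    default = app
                    break
    return default, associated
```
<br />
For {{ic|video/H264}} the user file removes {{ic|baz.desktop}}, so the system-wide default falls through to {{ic|bar.desktop}}; for {{ic|image/jpeg}} the user default wins while the system-wide associations remain listed as alternatives; for {{ic|text/plain}} the uninstalled {{ic|missing.desktop}} is skipped in favour of the next entry.<br />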
<br />
=== mailcap ===<br />
<br />
{{Accuracy|According to {{man|4|mailcap|url=http://linux.die.net/man/4/mailcap}}, wildcards are only supported for the subtype, not for (main) type.|section=Wildcards in mailcap}}<br />
<br />
The {{man|4|mailcap|url=http://linux.die.net/man/4/mailcap}} file format is used by mail programs such as {{Pkg|mutt}} and {{Pkg|sylpheed}} to open non-text files. To have those programs use [[#xdg-utils|xdg-open]], edit {{ic|~/.mailcap}}:<br />
<br />
{{hc|~/.mailcap|<br />
*/*; xdg-open "%s"<br />
}}<br />
<br />
{{Warning|If you use {{AUR|run-mailcap}}, it is possible for {{ic|xdg-open}} to delegate to it. This will cause an infinite loop if you configured your {{ic|.mailcap}} as described above.}}<br />
<br />
== Utilities ==<br />
<br />
While it is possible to configure default applications and MIME types by directly editing [[#XDG standard|#mimeapps.list]] and the [[#MIME database]], there are many tools that can simplify the process. These tools are also important because applications may delegate opening of files to these tools rather than trying to implement the MIME type standard themselves.<br />
<br />
If you use a [[desktop environment]] you should first check if it provides its own utility. That should be preferred over these alternatives.<br />
<br />
=== xdg-utils ===<br />
<br />
{{pkg|xdg-utils}} provides the official utilities for managing MIME types and default applications according to the [[#XDG standard]]. Most importantly, it provides {{ic|/usr/bin/xdg-open}} which many applications use to open a file with its default application. It is desktop-environment-independent in the sense that it attempts to use each environment's native default application tool and provides its own mechanism if no known environment is detected. Examples:<br />
<br />
# determine a file's MIME type<br />
$ xdg-mime query filetype photo.jpeg<br />
image/jpeg<br />
<br />
# determine the default application for a MIME type<br />
$ xdg-mime query default image/jpeg<br />
gimp.desktop<br />
<br />
# change the default application for a MIME type<br />
$ xdg-mime default feh.desktop image/jpeg<br />
<br />
# open a file with its default application<br />
$ xdg-open photo.jpeg<br />
<br />
# shortcut to open all web MIME types with a single application<br />
$ xdg-settings set default-web-browser firefox.desktop<br />
<br />
# shortcut for setting the default application for a URL scheme<br />
$ xdg-settings set default-url-scheme-handler irc xchat.desktop<br />
<br />
{{Tip|If no desktop environment is detected, MIME type detection falls back to using {{pkg|file}} which&mdash;ironically&mdash;does not implement the XDG standard. If you want {{pkg|xdg-utils}} to work properly without a desktop environment, you will need to install [[#perl-file-mimeinfo]] or one of the [[#xdg-open alternatives]].}}<br />
<br />
=== xdg-open alternatives ===<br />
<br />
Because of the complexity of the [[#xdg-utils]] version of {{ic|xdg-open}}, it can be difficult to debug when the wrong default application is being opened. Because of this, there are many alternatives that attempt to improve upon it. Several of these alternatives replace the {{ic|/usr/bin/xdg-open}} binary, thus changing the default application behavior of most applications. Others simply provide an alternative method of choosing default applications.<br />
<br />
==== perl-file-mimeinfo ====<br />
<br />
{{Pkg|perl-file-mimeinfo}} provides the tools {{ic|mimeopen}} and {{ic|mimetype}}. These have a slightly nicer interface than their {{pkg|xdg-utils}} equivalents:<br />
# determine a file's MIME type<br />
$ mimetype photo.jpeg<br />
photo.jpeg: image/jpeg<br />
<br />
# choose the default application for this file<br />
$ mimeopen -d photo.jpeg<br />
Please choose an application<br />
<br />
1) Feh (feh)<br />
2) GNU Image Manipulation Program (gimp)<br />
3) Pinta (pinta)<br />
<br />
use application #<br />
<br />
# open a file with its default application<br />
$ mimeopen -n photo.jpeg<br />
<br />
Most importantly, [[#xdg-utils]] apps will actually call {{ic|mimetype}} instead of {{ic|file}} for MIME type detection, if it does not detect your [[desktop environment]]. This is important because {{ic|file}} does not follow the [[#XDG standard]].<br />
<br />
{{Note|{{pkg|perl-file-mimeinfo}} before 0.28-1 does not ''entirely'' follow the [[#XDG standard]]. For example it does not read [https://github.com/mbeijen/File-MimeInfo/issues/20 distribution-wide defaults] and it saves its config in [https://github.com/mbeijen/File-MimeInfo/issues/8 deprecated locations].}}<br />
<br />
==== mimeo ====<br />
<br />
{{aur|mimeo}} provides the tool {{ic|mimeo}}, which unifies the functionality of {{ic|xdg-open}} and {{ic|xdg-mime}}.<br />
<br />
# determine a file's MIME type<br />
$ mimeo -m photo.jpeg<br />
photo.jpeg<br />
image/jpeg<br />
<br />
# choose the default application for this MIME type<br />
$ mimeo --add image/jpeg feh.desktop<br />
<br />
# open a file with its default application<br />
$ mimeo photo.jpeg<br />
<br />
However, a big difference from ''xdg-utils'' is that mimeo also supports custom "association files" that allow for more complex associations. For example, passing specific command line arguments based on a regular expression match:<br />
<br />
# open youtube links in VLC without opening a new instance<br />
vlc --one-instance --playlist-enqueue %U<br />
^https?://(www.)?youtube.com/watch\?.*v=<br />
<br />
{{aur|xdg-utils-mimeo}} patches ''xdg-utils'' so that {{ic|xdg-open}} falls back to mimeo if no desktop environment is detected.<br />
<br />
==== whippet ====<br />
<br />
{{aur|whippet}} provides the tool {{ic|whippet}}, which is similar to {{ic|xdg-open}}. It has X11 integration by using {{pkg|libnotify}} to display errors and {{pkg|dmenu}} to display choices between applications to open.<br />
<br />
# open a file with its default application<br />
$ whippet -M photo.jpeg<br />
<br />
# choose from all possible applications for opening a file (without setting a default)<br />
$ whippet -m photo.jpeg<br />
<br />
In addition to the standard [[#XDG standard|#mimeapps.list]], ''whippet'' can also use an SQLite database of weighted application/MIME type/regex associations to determine which app to use.<br />
<br />
==== Naive replacements ====<br />
<br />
The following packages replace {{pkg|xdg-utils}}; however, they only provide an {{ic|xdg-open}} script. These versions of {{ic|xdg-open}} do not do any delegation to desktop-environment-specific tools and do not read/write the standard [[#XDG standard|#mimeapps.list]] config file (each has its own custom config), so they may not integrate well with other programs that manipulate default applications. However, you may find them simpler to use if you do not use a desktop environment.<br />
<br />
{{Warning|If you need any {{ic|xdg-*}} binaries from {{pkg|xdg-utils}} other than {{ic|xdg-open}} you should not use these applications, since they do not provide them.}}<br />
<br />
{| class="wikitable"<br />
! Package !! Features<br />
|-<br />
| {{AUR|linopen}} || Allows regex rules, can specify fallback file opener<br />
|-<br />
| {{AUR|mimi-git}} || Can change command arguments for each MIME type<br />
|-<br />
| {{AUR|busking-git}} || similar to ''mimi'' but also supports regex rules<br />
|-<br />
| {{AUR|sx-open}} || uses a simple shell-based config file<br />
|}<br />
<br />
=== lsdesktopf ===<br />
<br />
{{AUR|lsdesktopf}} provides several methods of searching the MIME database and desktop MIME entries.<br />
<br />
For example, to see all MIME extensions in the system's ''.desktop'' files that have MIME type {{ic|video}} you can use {{ic|lsdesktopf --gm -gx video}} or to search in the XML database files use {{ic|lsdesktopf --gdx -gx video}}. To get a quick overview of how many and which ''.desktop'' files can be associated with a certain MIME type, use {{ic|lsdesktopf --gen-mimeapps}}. To see all file name extensions in XML database files, use {{ic|lsdesktopf --gdx -gfx}}.<br />
<br />
== Troubleshooting ==<br />
<br />
If a file is not being opened by your desired default application, there are several possible causes. You may need to check each case.<br />
<br />
=== Missing .desktop file ===<br />
<br />
A [[desktop entry]] is required in order to associate an application with a MIME type. Ensure that such an entry exists and can be used to (manually) open files in the application.<br />
<br />
=== Missing association ===<br />
<br />
If the application's desktop entry does not specify the MIME type under its {{ic|MimeType}} key, it will not be considered when an application is needed to open that type. Edit [[#XDG standard|#mimeapps.list]] to add an association between the .desktop file and the MIME type.<br />
<br />
=== Non-default application ===<br />
<br />
If the desktop entry is associated with the MIME type, it may simply not be set as the default. Edit [[#XDG standard|#mimeapps.list]] to set the default association.<br />
<br />
=== Nonstandard association ===<br />
<br />
Applications are free to ignore or only partially implement the [[#XDG standard]]. Check for usage of deprecated files such as {{ic|~/.local/share/applications/mimeapps.list}} and {{ic|~/.local/share/applications/defaults.list}}. If you are attempting to open the file from another application (e.g. a web browser or file manager) check if that application has its own method of selecting default applications.<br />
<br />
=== Variables in .desktop files that affect application launch ===<br />
<br />
{{Expansion|1=The fact {{ic|MimeType}} entries may be missing in the desktop files is only implied here, i.e. "Even if an application...", though this is a common cause of errors. Some openers may also associate mime types not explicitly listed in a desktop file (such as {{Pkg|exo}}). Further environment-specific factors are at play, e.g. whether {{ic|1=Terminal=true}} has an effect, though latter should arguably be expanded on in [[Desktop entries]].}}<br />
<br />
Desktop environments and file managers supporting the specifications launch programs according to the definitions in the ''.desktop'' files. See [[Desktop entries#Application entry]].<br />
<br />
Usually, configuration of the packaged ''.desktop'' files is not required, but they may not be bug-free. Even if an application's ''.desktop'' file contains the necessary MIME type in its {{ic|MimeType}} variable (the one used for the association), the application can fail to start correctly, not start at all, or start without opening the file.<br />
<br />
This may happen, for example, if the {{ic|Exec}} variable is missing the internal options needed to open a file, or those controlling how the application is shown in the menu. The placeholders used in the {{ic|Exec}} variable begin with {{ic|%}}; for the currently supported ones, see [https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables exec-variables].<br />
<br />
The following table lists the main variable entries of ''.desktop'' files that affect how an application starts, if it has a MIME type associated with it. <br />
<br />
{| class="wikitable"<br />
! Variable names !! Example 1 content !! Example 2 content !! Description<br />
|-<br />
| DBusActivatable || DBusActivatable=true || DBusActivatable=false || Application interacts with [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus]. <br> See also configuration: [https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#dbus D-Bus].<br />
|-<br />
| MimeType || MimeType=application/vnd.oasis.opendocument.text || MimeType=application/vnd.sun.xml.math || List of MIME types supported by application<br />
|-<br />
| StartupWMClass || StartupWMClass=google-chrome || StartupWMClass=xpad || Associate windows with the owning application<br />
|-<br />
| Terminal || Terminal=true || Terminal=false || Start in default terminal<br />
|}</div>Naim42