User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]

Micah J. Cowan micah at cowan.name
Tue Jul 4 01:35:23 BST 2006


On Mon, Jul 03, 2006 at 06:43:30PM -0400, Patrick McFarland wrote:
> On Monday 03 July 2006 18:21, Dennis Kaarsemaker wrote:
> > On ma, 2006-07-03 at 18:02 -0400, Patrick McFarland wrote:
> > > I'd like to see this added to the todo list as a required feature for
> > > Edgy release, because it really is a sore spot in the Linux desktop
> > > environment platform.
> >
> > Feel free to work on it, code says more than ranting.
> 
> I've been trying to wrap my head around this one for a while. My problem is I 
> know how to use iptables pretty proficiently, and using iptables directly is 
> always going to be an order of magnitude more powerful than any UI tool... 
> and also an order of magnitude or two more difficult to use.
> 
> So, basically, I haven't quite figured out how to yet.

I believe that Windows Firewall is actually a very excellent model for
a secure, user-friendly firewall interface. Pretty much everything is
locked down by default, and when an attempt to connect to your machine
that has not been explicitly authorized or blocked occurs, the system
prompts you to authorize or deny the request/future such requests.

I think a similar firewall system would be ideal for desktop Ubuntu.
Unfortunately, I think trying to implement such a thing for Linux
systems would be very difficult: it's just not the way that the kernel
/thinks/ about such things. It's either allowed or rejected, there's not
a way to mark patterns as "ask user". And even if there were a way to do
that, how would the system "ask the user", especially when the windowing
options are varied and optional? Ultimately, it would probably take a
great deal of thought and work, and likely kernel modifications.

Still, it seems like some good principles could be gathered from it.
It's a rather secure model, while at the same time imposing itself only
minimally to the user.

(I realize that this email has little to do actually with the specific
problems that were being discussed [part of why I changed the title]. I
see no real way to get around specifying such rules as might be needed
for ZeroConf by hand: the best that might be done would be to minimize
the amount of work necessary, or better abstracting some of the
concepts.)

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
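
The "locked down by default" half of the model Micah describes can be expressed with the iptables the thread already talks about. The following is an added example (not from the mailing-list post or any Ubuntu tool): a small POSIX shell script that emits, rather than applies, a default-deny INPUT ruleset in which only explicitly authorized ports accept new connections, and every other unsolicited inbound attempt is logged and dropped. The kernel has no "ask user" verdict, so the LOG line is the only hook a userspace prompt tool could consume. The authorized list (ssh plus mDNS, the port ZeroConf uses) and the `FW-UNAUTHORIZED` log prefix are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread. Prints an iptables ruleset
# implementing default-deny inbound with an explicit allow-list and logging
# of unsolicited NEW connections. Nothing is applied here: review the output
# and pipe it to `sh` as root if you actually want it installed.

# Constructed sample allow-list of "proto:port" entries.
# 22/tcp is ssh; 5353/udp is mDNS, which ZeroConf/Avahi listens on.
AUTHORIZED="tcp:22 udp:5353"

gen_rules() {
    # $1: space-separated list of "proto:port" entries to accept.
    # Default policy: drop everything inbound and forwarded, allow outbound.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    # Loopback traffic is always local to the machine.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host initiated are not "attempts to connect".
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One explicit ACCEPT per authorized service; this is the part a prompt
    # tool would append to when the user answers "allow, and remember it".
    for entry in $1; do
        proto=${entry%%:*}
        port=${entry##*:}
        echo "iptables -A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else that is NEW: log (rate-limited so a scan cannot flood
    # the log) with a fixed prefix a userspace notifier could match, then drop.
    echo "iptables -A INPUT -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix \"FW-UNAUTHORIZED: \""
    echo "iptables -A INPUT -j DROP"
}

# Returns the number of explicit ACCEPT rules for NEW connections in the
# ruleset generated from the given allow-list (useful for a sanity check
# before applying: the number should match the services you meant to expose).
count_authorized() {
    gen_rules "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

gen_rules "$AUTHORIZED"
```

The `-m conntrack --ctstate` match is the current spelling; on the 2006-era iptables in the thread the equivalent was `-m state --state`. Either way the ordering matters: the allow-list rules must precede the LOG and DROP rules, since iptables takes the first matching verdict.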
