User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]

Krishna Sankar ksankar at doubleclix.net
Tue Jul 4 03:51:38 BST 2006 

Good point. You are talking pseudo IDS/IPS.

IMHO, it is not the GUI that is difficult - as many have said, just opening
and closing ports statically is only 10% of the solution.

As you correctly mention, capturing the events, analyzing and making
inferences and *dynamically* changing the rules is the key. This requires an
understanding of the applications; a semantic firewall per se. I think we
can do it, by looking at the capabilities (i.e. applications/services) and
what they require and exhibit. 

For example, we should take ZeroConf, figure out all the interactions (at
the UDP/TCP) level, map out the ports required and map out the ipTables
rules. Then, of course, a gui/log et al needs to be done. The question still
remains - can we open up just ZeroConf and still maintain the security
posture we are comfortable with ? (Now I am bringing the subject back to
ZeroConf ;o))

Before Ivan chimes in, I will take a first cut at this ;o) This was the
reason for this subject in the first place - to get a feel for what needs to
be done. Here is the spec
https://launchpad.net/distros/ubuntu/+spec/application-aware-firewall. Let
us collect our thoughts on what needs to be done and figure out a way to do
it.

One thing I need is the interfaces and mechanisms of how Apple does it -
essentials not a verbatim interface. We can figure out from the ZeroConf
specs as well.

BTW, if this is not the right thing, am OK to delete the spec and move on
... 

Cheers
<k/> 

> -----Original Message-----
> From: ubuntu-devel-bounces at lists.ubuntu.com 
> [mailto:ubuntu-devel-bounces at lists.ubuntu.com] On Behalf Of 
> Forest Bond
> Sent: Monday, July 03, 2006 7:08 PM
> To: Micah J. Cowan
> Cc: ubuntu-devel at lists.ubuntu.com
> Subject: Re: User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]
> 
> On Mon, Jul 03, 2006 at 05:35:23PM -0700, Micah J. Cowan wrote:
> > I believe that Windows Firewall is actually a very 
> excellent model for 
> > a secure, user-friendly firewall interface. Pretty much 
> everything is 
> > locked down by default, and when an attempt to connect to 
> your machine 
> > that has not been explicitly authorized or blocked occurs, 
> the system 
> > prompts you to authorize or deny the request/future such requests.
> > 
> > I think a similar firewall system would be ideal for desktop Ubuntu.
> > Unfortunately, I think trying to implement such a thing for Linux 
> > systems would be very difficult: it's just not the way that 
> the kernel 
> > /thinks/ about such things. It's either allowed or 
> rejected, there's 
> > not a way to mark patterns as "ask user". And even if there 
> were a way 
> > to do that, how would the system "ask the user", especially 
> when the 
> > windowing options are varied and optional? Ultimately, it would 
> > probably take a great deal of thought and work, and likely 
> kernel modifications.
> 
> I don't think so.  It's easy to have the kernel log packets 
> that match rules.
> Why can't you just have your UI software monitor the logs, or 
> (don't know if this part is possible) redirect those messages 
> into a daemon that is query-able via the system message bus 
> (since we're all hip Gnome folks here).
> 
> It may be worthwhile to examine the m0n0wall web interface.  
> m0n0wall is a firewall-in-a-box package based on FreeBSD, and 
> the interface makes it quite
> flexible:
> 
> http://m0n0.ch/wall/
> 
> -Forest
>

More information about the ubuntu-devel mailing list