User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]
ksankar at doubleclix.net
Tue Jul 4 03:51:38 BST 2006
Good point. You are talking pseudo IDS/IPS.
IMHO, it is not the GUI that is difficult - as many have said, just opening
and closing ports statically is only 10% of the solution.
As you correctly mention, capturing the events, analyzing and making
inferences and *dynamically* changing the rules is the key. This requires an
understanding of the applications; a semantic firewall per se. I think we
can do it, by looking at the capabilities (i.e. applications/services) and
what they require and exhibit.
For example, we should take ZeroConf, figure out all the interactions (at
the UDP/TCP level), map out the ports required and map out the iptables
rules. Then, of course, a GUI/log et al needs to be done. The question still
remains - can we open up just ZeroConf and still maintain the security
posture we are comfortable with ? (Now I am bringing the subject back to
Before Ivan chimes in, I will take a first cut at this ;o) This was the
reason for this subject in the first place - to get a feel for what needs to
be done. Here is the spec
us collect our thoughts on what needs to be done and figure out a way to do
One thing I need is the interfaces and mechanisms of how Apple does it -
essentials not a verbatim interface. We can figure out from the ZeroConf
specs as well.
BTW, if this is not the right thing, am OK to delete the spec and move on
> -----Original Message-----
> From: ubuntu-devel-bounces at lists.ubuntu.com
> [mailto:ubuntu-devel-bounces at lists.ubuntu.com] On Behalf Of
> Forest Bond
> Sent: Monday, July 03, 2006 7:08 PM
> To: Micah J. Cowan
> Cc: ubuntu-devel at lists.ubuntu.com
> Subject: Re: User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]
> On Mon, Jul 03, 2006 at 05:35:23PM -0700, Micah J. Cowan wrote:
> > I believe that Windows Firewall is actually a very excellent model for
> > a secure, user-friendly firewall interface. Pretty much everything is
> > locked down by default, and when an attempt to connect to your machine
> > that has not been explicitly authorized or blocked occurs, the system
> > prompts you to authorize or deny the request/future such requests.
> > I think a similar firewall system would be ideal for desktop Ubuntu.
> > Unfortunately, I think trying to implement such a thing for Linux
> > systems would be very difficult: it's just not the way that the kernel
> > /thinks/ about such things. It's either allowed or rejected, there's
> > not a way to mark patterns as "ask user". And even if there were a way
> > to do that, how would the system "ask the user", especially when the
> > windowing options are varied and optional? Ultimately, it would
> > probably take a great deal of thought and work, and likely
> > kernel modifications.
> I don't think so. It's easy to have the kernel log packets
> that match rules.
> Why can't you just have your UI software monitor the logs, or
> (don't know if this part is possible) redirect those messages
> into a daemon that is query-able via the system message bus
> (since we're all hip Gnome folks here).
> It may be worthwhile to examine the m0n0wall web interface.
> m0n0wall is a firewall-in-a-box package based on FreeBSD, and
> the interface makes it quite
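The approach discussed in this thread (map ZeroConf's ports to iptables rules, have the kernel LOG new connections, and let a user-space monitor read those log lines and decide whether to prompt the user) as an added example; this is not code from the thread or from any Ubuntu or Apple project. It assumes a Linux host with iptables and its state, limit and LOG matches; the chain layout, the "FW-ASK: " log prefix and the two sample kernel log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny INPUT policy that logs
# every NEW inbound packet (so a UI can watch the kernel log), allows
# ZeroConf/mDNS, and a small parser that maps logged packets onto the
# "ZeroConf capability" versus "unknown, ask the user".

# Print the rules without executing them. To apply (as root): zeroconf_rules | sh
# Assumption: iptables with -m state, -m limit and the LOG target is present.
zeroconf_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log every NEW inbound packet first (rate-limited) so the monitor sees it all
iptables -A INPUT -m state --state NEW -m limit --limit 10/min -j LOG --log-prefix "FW-ASK: " --log-level 4
# ZeroConf/mDNS: UDP port 5353 to the link-local multicast group 224.0.0.251
iptables -A INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
EOF
}

# Extract KEY=value from an iptables LOG line ($1 = log line, $2 = key).
# The greedy .* picks the last occurrence, which is what we want for
# single-occurrence keys like SRC, DST, PROTO and DPT.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Classify a logged packet: traffic the ZeroConf capability explains needs
# no prompt; anything else is a candidate for an allow/deny dialog.
classify_log_line() {
    proto=$(log_field "$1" PROTO)
    dst=$(log_field "$1" DST)
    dpt=$(log_field "$1" DPT)
    if [ "$proto" = "UDP" ] && [ "$dst" = "224.0.0.251" ] && [ "$dpt" = "5353" ]; then
        echo "zeroconf-mdns"
    else
        echo "ask-user $proto $(log_field "$1" SRC)->$dst:$dpt"
    fi
}

# Constructed sample lines in the iptables LOG format (not real captures).
SAMPLE_MDNS='Jul  4 03:51:38 edgy kernel: FW-ASK: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60'
SAMPLE_SSH='Jul  4 03:52:01 edgy kernel: FW-ASK: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Demo: what the monitor would conclude for each logged packet.
classify_log_line "$SAMPLE_MDNS"
classify_log_line "$SAMPLE_SSH"
```

A real monitor would tail the kernel log (or read it from a daemon on the message bus, as Forest suggests) and feed each "FW-ASK:" line through classify_log_line; only the ask-user results reach the dialog, and a user's "allow" answer becomes a new ACCEPT rule inserted above the LOG rule.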