User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]

Krishna Sankar ksankar at
Tue Jul 4 03:51:38 BST 2006

Good point. You are talking pseudo IDS/IPS.

IMHO, it is not the GUI that is difficult - as many have said, just opening
and closing ports statically is only 10% of the solution.

As you correctly mention, capturing the events, analyzing and making
inferences and *dynamically* changing the rules is the key. This requires an
understanding of the applications; a semantic firewall per se. I think we
can do it, by looking at the capabilities (i.e. applications/services) and
what they require and exhibit. 

For example, we should take ZeroConf, figure out all the interactions (at
the UDP/TCP level), map out the ports required and map out the iptables
rules. Then, of course, a gui/log et al needs to be done. The question still
remains - can we open up just ZeroConf and still maintain the security
posture we are comfortable with? (Now I am bringing the subject back to
ZeroConf ;o))

Before Ivan chimes in, I will take a first cut at this ;o) This was the
reason for this subject in the first place - to get a feel for what needs to
be done. Here is the spec Let
us collect our thoughts on what needs to be done and figure out a way to do

One thing I need is the interfaces and mechanisms of how Apple does it -
essentials not a verbatim interface. We can figure out from the ZeroConf
specs as well.

BTW, if this is not the right thing, am OK to delete the spec and move on


> -----Original Message-----
> From: ubuntu-devel-bounces at 
> [mailto:ubuntu-devel-bounces at] On Behalf Of 
> Forest Bond
> Sent: Monday, July 03, 2006 7:08 PM
> To: Micah J. Cowan
> Cc: ubuntu-devel at
> Subject: Re: User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]
> On Mon, Jul 03, 2006 at 05:35:23PM -0700, Micah J. Cowan wrote:
> > I believe that Windows Firewall is actually a very excellent model for
> > a secure, user-friendly firewall interface. Pretty much everything is
> > locked down by default, and when an attempt to connect to your machine
> > that has not been explicitly authorized or blocked occurs, the system
> > prompts you to authorize or deny the request/future such requests.
> >
> > I think a similar firewall system would be ideal for desktop Ubuntu.
> > Unfortunately, I think trying to implement such a thing for Linux
> > systems would be very difficult: it's just not the way that the kernel
> > /thinks/ about such things. It's either allowed or rejected, there's
> > not a way to mark patterns as "ask user". And even if there were a way
> > to do that, how would the system "ask the user", especially when the
> > windowing options are varied and optional? Ultimately, it would
> > probably take a great deal of thought and work, and likely
> > kernel modifications.
> I don't think so.  It's easy to have the kernel log packets 
> that match rules.
> Why can't you just have your UI software monitor the logs, or 
> (don't know if this part is possible) redirect those messages 
> into a daemon that is query-able via the system message bus 
> (since we're all hip Gnome folks here).
> It may be worthwhile to examine the m0n0wall web interface.
> m0n0wall is a firewall-in-a-box package based on FreeBSD, and
> the interface makes it quite flexible:
> -Forest
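As an added illustration (this is not code from Krishna's or Forest's mail, nor from any Ubuntu project) of the two pieces discussed above: the capability-to-iptables mapping Krishna proposes for ZeroConf, and the userspace daemon Forest describes that watches kernel LOG lines and turns them into an "ask the user" prompt. The Capability table, the FW-ASK log prefix and the sample syslog lines are constructed for the example; the mDNS port and multicast group are the standard ZeroConf values (UDP 5353 to 224.0.0.251).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Sequence


# A "capability" is a named application/service plus the inbound traffic it
# needs. The table below is constructed for this example; the mDNS entry uses
# the standard ZeroConf values (UDP port 5353, IPv4 multicast 224.0.0.251).
@dataclass(frozen=True)
class Capability:
    name: str
    proto: str                 # "UDP" or "TCP", spelled as iptables LOG prints it
    dport: int
    dst: Optional[str] = None  # multicast group the service uses, or None for unicast


CAPABILITIES = (
    Capability("zeroconf-mdns", "UDP", 5353, "224.0.0.251"),
    Capability("ssh", "TCP", 22),
)

LOG_PREFIX = "FW-ASK"  # assumed --log-prefix; any string unique to this firewall works


def iptables_rules(cap: Capability, chain: str = "INPUT") -> list[str]:
    """Render the iptables command that admits one user-approved capability."""
    parts = [f"iptables -A {chain} -p {cap.proto.lower()}"]
    if cap.dst:
        parts.append(f"-d {cap.dst}")
    parts.append(f"--dport {cap.dport} -j ACCEPT")
    return [" ".join(parts)]


def build_chain(approved: Sequence[Capability], chain: str = "INPUT") -> list[str]:
    """Whole chain: keep established flows, admit approved capabilities, then
    LOG every other new connection so userspace can ask about it, and drop it."""
    rules = [f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for cap in approved:
        rules.extend(iptables_rules(cap, chain))
    rules.append(f'iptables -A {chain} -m state --state NEW -j LOG --log-prefix "{LOG_PREFIX} "')
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    proto: str
    dport: Optional[int]


_KV = re.compile(r"\b([A-Z]+)=(\S*)")  # iptables LOG fields look like KEY=value


def parse_log_line(line: str) -> Optional[Event]:
    """Parse one kernel LOG line into an Event; None if it is not one of ours."""
    if "kernel:" not in line or LOG_PREFIX not in line:
        return None
    fields = dict(_KV.findall(line))  # second LEN= (transport) overwrites the first; unused here
    if "SRC" not in fields or "DST" not in fields:
        return None
    dpt = fields.get("DPT")  # absent for ICMP and similar
    return Event(fields["SRC"], fields["DST"], fields.get("PROTO", "?"),
                 int(dpt) if dpt else None)


def match_capability(ev: Event, caps: Sequence[Capability] = CAPABILITIES) -> Optional[Capability]:
    """Map a raw packet event onto the capability it is really asking for, if any."""
    for cap in caps:
        if (ev.proto == cap.proto and ev.dport == cap.dport
                and (cap.dst is None or ev.dst == cap.dst)):
            return cap
    return None


def prompt_text(ev: Event) -> str:
    """What the desktop prompt should say: a capability name rather than a port number."""
    cap = match_capability(ev)
    if cap:
        return f"{ev.src} wants to use {cap.name}. Allow {cap.name} on this machine?"
    return f"{ev.src} wants to reach {ev.proto} port {ev.dport}. Allow it?"


# Constructed sample syslog lines in the iptables LOG format (not real captures).
SAMPLE_LOG = [
    "Jul  4 03:51:38 edgy kernel: FW-ASK IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:11:22:33:44:55:08:00 "
    "SRC=192.168.1.20 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP "
    "SPT=5353 DPT=5353 LEN=52",
    "Jul  4 03:52:01 edgy kernel: FW-ASK IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.99 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP "
    "SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jul  4 03:52:05 edgy kernel: usb 1-1: new high speed USB device using ehci_hcd",
]

if __name__ == "__main__":
    for rule in build_chain([CAPABILITIES[0]]):
        print(rule)
    for line in SAMPLE_LOG:
        ev = parse_log_line(line)
        if ev:
            print(prompt_text(ev))
```

In practice the daemon would tail the kernel log (or read from a netlink/ulog socket), call prompt_text for each parsed event, and on approval run the commands from iptables_rules to insert the ACCEPT before the LOG rule; the mapping step is what turns "UDP 5353 to 224.0.0.251" into "ZeroConf" for the user.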
