User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]
Sam Morris
sam at robots.org.uk
Tue Jul 4 10:56:35 BST 2006
On Mon, 03 Jul 2006 22:07:36 -0400, Forest Bond wrote:
> On Mon, Jul 03, 2006 at 05:35:23PM -0700, Micah J. Cowan wrote:
>> I believe that Windows Firewall is actually a very excellent model for
>> a secure, user-friendly firewall interface. Pretty much everything is
>> locked down by default, and when an attempt to connect to your machine
>> that has not been explicitly authorized or blocked occurs, the system
>> prompts you to authorize or deny the request/future such requests.
>>
>> I think a similar firewall system would be ideal for desktop Ubuntu.
>> Unfortunately, I think trying to implement such a thing for Linux
>> systems would be very difficult: it's just not the way that the kernel
>> /thinks/ about such things. It's either allowed or rejected, there's
>> not a way to mark patterns as "ask user". And even if there were a way
>> to do that, how would the system "ask the user", especially when the
>> windowing options are varied and optional? Ultimately, it would
>> probably take a great deal of thought and work, and likely kernel
>> modifications.
>
> I don't think so. It's easy to have the kernel log packets that match
> rules. Why can't you just have your UI software monitor the logs, or
> (don't know if this part is possible) redirect those messages into a
> daemon that is query-able via the system message bus (since we're all
> hip Gnome folks here).
The solution doesn't have to be that horrible. :)

Netfilter provides the QUEUE and NFQUEUE targets, which queue packets for
delivery to a user space process. This would presumably be a system-wide
daemon that would talk to the 'current' user session via the system
message bus.

I've seen a couple of GNU/Linux firewall implementations use this
mechanism, but they never seemed to become very popular and I can't
remember their names any more. :(
--
Sam Morris
http://robots.org.uk/
PGP key id 5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
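As an added illustration of the NFQUEUE-based design Sam sketches above (not code from the thread or from any of the firewalls he mentions), the block below shows the verdict side of such a daemon: an assumed iptables rule hands new inbound connections to queue 0, a `VerdictPolicy` remembers the user's answers per destination port and fails closed when no session can be asked, and `run_nfqueue` binds it to the kernel via the third-party `netfilterqueue` package. The `prompt` callable stands in for the D-Bus round trip to the user session, and `build_syn` constructs a sample packet so the policy can be exercised without root.

```python
"""Daemon side of an "ask the user" firewall built on NFQUEUE (illustrative sketch).

Assumed iptables rule (not run here): new inbound TCP connections go to queue 0:
    iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0
"""
import struct

ACCEPT, DROP = "ACCEPT", "DROP"

def parse_dst_port(payload: bytes):
    """Return (proto, dst_port) from a raw IPv4 packet; (proto, None) if not TCP/UDP."""
    ihl = (payload[0] & 0x0F) * 4          # header length in bytes
    proto = payload[9]                     # IPv4 protocol field
    if proto in (6, 17):                   # TCP or UDP: dst port is bytes 2-3 of transport header
        return proto, struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
    return proto, None

class VerdictPolicy:
    """Remembered answers plus a prompt callback standing in for the D-Bus round trip."""
    def __init__(self, prompt):
        self.prompt = prompt   # callable(port) -> "allow" / "deny" / None (None: no session, timeout)
        self.rules = {}        # port -> ACCEPT or DROP once the user has answered
    def verdict(self, payload: bytes) -> str:
        proto, port = parse_dst_port(payload)
        if port is None:
            return DROP                    # protocols we cannot classify stay locked down
        if port in self.rules:
            return self.rules[port]        # remembered decision, no prompt
        answer = self.prompt(port)
        if answer is None:
            return DROP                    # nobody to ask: fail closed, do not remember
        self.rules[port] = ACCEPT if answer == "allow" else DROP
        return self.rules[port]

def run_nfqueue(policy, queue_num=0):
    """Bind to NFQUEUE and apply verdicts (needs root and the netfilterqueue package)."""
    from netfilterqueue import NetfilterQueue
    def callback(pkt):
        pkt.accept() if policy.verdict(pkt.get_payload()) == ACCEPT else pkt.drop()
    nfq = NetfilterQueue()
    nfq.bind(queue_num, callback)
    try:
        nfq.run()
    finally:
        nfq.unbind()

def build_syn(dst_port: int) -> bytes:
    """Constructed sample: minimal IPv4 + TCP SYN with only the fields the parser reads."""
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH4s4s", 40, 0, 0, 64, 6, 0,
                                        bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp
```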