User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]

Chris Jones cmsj at
Tue Jul 4 17:10:44 BST 2006


On 11:40:57 am 04/07/2006 Patrick McFarland <diablod3 at> wrote:
> No no no! This is a bad idea! Firewall has to be a system wide thing
> that affects all users. (i.e., the Firewall's config panel appears in
> System->Administration).

Firewalls don't necessarily have to be system-wide, nor do they necessarily
have to affect all users.

Having said that, the interactive, per-user model is really better suited
to outgoing traffic, which is only a problem if you can't trust the
software running on your machine (i.e. this doesn't really apply to Ubuntu
and is something of a hindrance to users, who typically don't know or care
what something is, just that it works without bothering them). In that
scenario it would be pretty easy to only ask the user running the
process that generated the packets by handing the SYN request up to
userspace for approval.

From a desktop user perspective, the only thing they need to care about is
that the listening services they have installed can be accessed from where
they want them to be, which does not require a complex UI or huge numbers
of netfilter rules.

Chris Jones
  cmsj at

More information about the ubuntu-devel mailing list