User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]
Rocco Stanzione
grasshopper at linuxkungfu.org
Thu Jul 6 14:57:56 BST 2006
I do think a firewall should be system-wide. We don't want individual users
clobbering each other's decisions about whether to allow PostgreSQL to be
accessible via the Internet, for example. But the rules can be systemwide
while allowing certain users (say, those with sudo rights) to make
firewalling decisions.
This assumes a setup that sends all packets to a target like QUEUE, which in
turn sends the packets to a userspace daemon to render a verdict. This is
how a lot of the popular win32 firewalls work (including, I think I've heard, the
one built in to winxp sp2), and might be nice for a desktop machine.
While we're talking about firewalls, I'd like to point out that the package
(iptables) itself is badly out of date (bug #40601) and is built against a
hunk of kernel source that is even more badly out of date (#51044). Fixing
these would give us access to a lot of nifty new features that could come in
handy when building a desktop firewall, including the ability to manipulate
the connection tracking table from userspace, for example to terminate
existing connections (which doesn't happen when making a new rule that would
have blocked a connection that already exists).
Rocco Stanzione
On Tuesday 04 July 2006 11:10 am, Chris Jones wrote:
> On 11:40:57 am 04/07/2006 Patrick McFarland <diablod3 at gmail.com> wrote:
> > No no no! This is a bad idea! Firewall has to be a system wide thing
> > that affects all users. (ie, the Firewall's config panel appears in
> > System->Administration).
>
> Firewalls don't necessarily have to be system-wide, nor do they necessarily
> have to affect all users.
>
> Having said that, the interactive, per-user model is really better suited
> to outgoing traffic, which is only a problem if you can't trust the
> software running on your machine (ie this doesn't really apply to Ubuntu
> and is something of a hindrance to users, who typically don't know or care
> what something is, just that it works without bothering them). In that
> scenario it would be pretty easy to only ask the user running the
> process that generated the packets by handing the SYN request up to
> userspace for approval.
>
> From a desktop user perspective, the only thing they need to care about is
> that the listening services they have installed can be accessed from where
> they want them to be, which does not require a complex UI or huge numbers
> of netfilter rules.
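The userspace verdict daemon sketched in this thread (packets diverted to a QUEUE target, the daemon judging each new SYN against a system-wide policy that only privileged users may edit), as an added Python example that is not part of the original discussion. It works on raw IPv4/TCP header bytes rather than a real netfilter queue socket; the policy table, the build_syn helper and all addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed system-wide policy: destination port -> source networks allowed to
# open a connection to that listening service. Unlisted ports are refused. In the
# design discussed above only sudo-capable users would be allowed to edit this.
INBOUND_POLICY = {
    22: [IPv4Network("0.0.0.0/0")],          # ssh reachable from anywhere
    5432: [IPv4Network("192.168.1.0/24")],   # PostgreSQL: LAN only, not Internet
}

TCP_SYN = 0x02
TCP_ACK = 0x10

def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 == TCP
        return None
    src = IPv4Address(packet[12:16])
    dst = IPv4Address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]              # TCP flags byte
    return src, dst, sport, dport, flags

def verdict(packet: bytes) -> str:
    """Decide ACCEPT/DROP for a packet handed up by the QUEUE target.

    Only new connection attempts (SYN without ACK) are checked against the policy.
    Packets of already-established flows are passed; the kernel's connection
    tracking is expected to have matched those before they reach the daemon."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return "DROP"                      # malformed or non-TCP: refuse
    src, _dst, _sport, dport, flags = parsed
    if flags & TCP_SYN and not flags & TCP_ACK:
        allowed = INBOUND_POLICY.get(dport, [])
        return "ACCEPT" if any(src in net for net in allowed) else "DROP"
    return "ACCEPT"

def build_syn(src: str, dst: str, dport: int, flags: int = TCP_SYN) -> bytes:
    """Construct a minimal IPv4+TCP header (checksums zeroed) for testing only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp
```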