User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]

Rocco Stanzione grasshopper at
Thu Jul 6 14:57:56 BST 2006

I do think a firewall should be system-wide.  We don't want individual users 
clobbering each other's decisions about whether to allow PostgreSQL to be 
accessible via the Internet, for example.  But the rules can be system-wide 
while allowing certain users (say, those with sudo rights) to make 
firewalling decisions.

This assumes a setup that sends all packets to a target like QUEUE, which in 
turn sends the packets to a userspace daemon to render a verdict.  This is 
how a lot of the popular win32 firewalls work (including, I think I've heard, 
the one built into winxp sp2), and it might be nice for a desktop machine.

While we're talking about firewalls, I'd like to point out that the package 
(iptables) itself is badly out of date (bug #40601) and is built against a 
hunk of kernel source that is even more badly out of date (#51044).  Fixing 
these would give us access to a lot of nifty new features that could come in 
handy when building a desktop firewall, including the ability to manipulate 
the connection tracking table from userspace, for example to terminate 
existing connections (which doesn't happen when making a new rule that would 
have blocked a connection that already exists).

Rocco Stanzione

On Tuesday 04 July 2006 11:10 am, Chris Jones wrote:
> On 11:40:57 am 04/07/2006 Patrick McFarland <diablod3 at> wrote:
> > No no no! This is a bad idea! Firewall has to be a system wide thing
> > that affects all users. (ie, the Firewall's config panel appears in
> > System->Administration).
> Firewalls don't necessarily have to be system-wide, nor do they necessarily
> have to affect all users.
> Having said that, the interactive, per-user model is really better suited
> to outgoing traffic, which is only a problem if you can't trust the
> software running on your machine (ie this doesn't really apply to Ubuntu
> and is something of a hindrance to users, who typically don't know or care
> what something is, just that it works without bothering them). In that
> scenario it would be pretty easy to only ask the user running the
> process that generated the packets by handing the SYN request up to
> userspace for approval.
> From a desktop user perspective, the only thing they need to care about is
> that the listening services they have installed can be accessed from where
> they want them to be, which does not require a complex UI or huge numbers
> of netfilter rules.
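The QUEUE-to-userspace model discussed in this thread, as an added illustration that is not code from any of the posters: the decision logic a verdict daemon would run on each queued packet, with a system-wide default-deny table for listening services (such as PostgreSQL on 5432) and a per-user prompt for outgoing SYNs. The netfilter binding itself (the QUEUE/NFQUEUE target and libnetfilter_queue) is left out, and the uid of the socket that generated an outgoing packet is assumed to be supplied alongside the packet; the sample packets are constructed inline.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ACCEPT, DROP = "ACCEPT", "DROP"

@dataclass
class Policy:
    """System-wide policy; only privileged (e.g. sudo) users may edit it."""
    inbound: dict = field(default_factory=dict)   # listening port -> allowed networks
    outbound: dict = field(default_factory=dict)  # (uid, dport) -> remembered verdict

def parse_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, is_new) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 14:  # not TCP, or TCP header truncated
        return None
    src, dst = ip_address(pkt[12:16]), ip_address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    return src, dst, sport, dport, bool(flags & 0x02) and not flags & 0x10  # SYN, no ACK

def verdict(policy, pkt, direction, uid=None, ask=None):
    """Verdict for one queued packet. direction is "in" or "out"; uid is the owner of
    the socket that sent an outgoing packet (assumed supplied with the packet);
    ask(uid, dst, dport) -> bool prompts that user and nobody else."""
    parsed = parse_tcp(pkt)
    if parsed is None:
        return ACCEPT  # not IPv4/TCP: leave it to the ordinary kernel rules
    src, dst, _sport, dport, is_new = parsed
    if not is_new:
        return ACCEPT  # only connection attempts are decided here
    if direction == "in":  # default deny: a service is reachable only from listed nets
        allowed = policy.inbound.get(dport, ())
        return ACCEPT if any(src in ip_network(n) for n in allowed) else DROP
    key = (uid, dport)  # outgoing: ask the originating user once, then remember
    if key not in policy.outbound:
        policy.outbound[key] = ACCEPT if ask and ask(uid, dst, dport) else DROP
    return policy.outbound[key]

def build_syn(src, dst, sport, dport, flags=0x02):
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp
```

Note that, as the post above points out, a verdict applied only to SYNs does nothing to a connection that is already established; closing those needs the conntrack table to be edited from userspace.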
