User-Friendly Firewalling [Re: ZeroConf in Ubuntu Edgy]
Chris Jones
cmsj at tenshu.net
Thu Jul 6 15:20:14 BST 2006
Hi
On 2:57:56 pm 06/07/2006 Rocco Stanzione <grasshopper at linuxkungfu.org> wrote:
> I do think a firewall should be system-wide. We don't want
My entire point here is that considering all of netfilter's capabilities as
a single firewall is a mistake. Some parts of it aren't firewall related at
all and many parts of it are indeed system wide, but not everything has a
sane system-wide paradigm.
> individual users clobbering each other's decisions about whether to
> allow PostgreSQL to be accessible via the Internet, for example. But
I would expect to see system services like postgres controlled from a
system admin tool (as was suggested elsewhere, this could go in the tool
that controls which services are started when the machine boots).
> This assumes a setup that sends all packets to a target like QUEUE,
that's a really really bad idea - what happens if two sudo capable users
are logged in and one says yes and one says no, or there are no authorised
users logged in, or nobody is logged in at all? There are just too many
variables.
Incoming connections to system services should certainly not be bumped up
into userspace. The only ones that might be suitable would be incoming SYN
packets to ports being used by applications running as the currently logged
in user. Even then, as has been pointed out elsewhere, users will most
likely not read the questions they are asked and will just say yes anyway.
> verdict. This is how a lot of the popular win32 firewalls
and as I've said at least twice (including in the message you replied to),
they are more concerned with *outgoing* traffic, because you can't trust
a windows system not to be attacking other ones through malware.
So again, my suggestion is that system services be controlled through the
System Administration tools and ports >1024 be open, with applications that
listen on those ports expected to notify the user of the potential risks
(which they can do far better than some central tool which has to be taught
about all of the permutations of every listening userspace application).
Cheers,
---
Chris Jones
cmsj at tenshu.net
www.tenshu.net