[ubuntu-hardened] Firewall settings: User interface review and questions

Kees Cook kees.cook at canonical.com
Thu Jun 23 17:30:09 UTC 2011 

Hi,

On Thu, Jun 23, 2011 at 05:12:13PM +0100, Matthew Paul Thomas wrote:
> Part of the planned "Desktop-side networking enhancements"
> <https://launchpad.net/ubuntu/+spec/desktop-o-desktop-network-enhancements>
> is the addition of a graphical interface for configuring a firewall.
> 
> Mathieu Trudel-Lapierre and I have been working on a design for the
> firewall settings. Here's what we have so far:
> <https://wiki.ubuntu.com/OneiricDesktopNetworkEnhancementsSpec#Design>
> 
> We'd appreciate a general sanity check for these settings, from people
> who know more about security than we do. Are they missing anything
> highly useful? Or is there anything there that shouldn't be?

First, please make sure the UI will interface correctly with "ufw",
which is the official Ubuntu firewall tool. Jamie Strandboge, as the
author, can help guide you there.

> There are also two specific questions we have:
> 
> *   Does Ubuntu have any "essential" incoming connections, which should
>     be allowed in the normal case even when the firewall is turned on?
>     (As a comparison, Mac OS X identifies "DHCP, Bonjour, and IPSec" as
>     essential.)

Yes, they are outlined in what we consider "Infrastructure Services":
https://wiki.ubuntu.com/SecurityTeam/Policies#No_Open_Ports
and we make case-by-case exceptions for them (presently DHCP and Avahi/mDNS).

>     -   If so, how much use is it to have a graphical setting for
>         blocking even those "essential" connection types?

Since they would break the functionality of most systems, I'm not sure it's
a great idea, but ufw does allow control over it, so it's really up to us
about how to present it in the UI.

> *   Does Ubuntu have any "essential" outgoing connections? Web
>     browsing? E-mail? Avahi?

At present, we view everything as essential. Since there is no way
currently to sanely hook outgoing traffic and pop up dialogs about "do you
want Program talking to the internet?" it doesn't make much sense to try to
filter it.

In fact, we don't believe in filtering _incoming_ traffic by default
because of the no open ports policy. There's nothing listening, so why
confuse things and make it harder for people to install services they want
listening only to have the firewall block them by default?

-Kees

-- 
Kees Cook
Ubuntu Security Team

More information about the ubuntu-hardened mailing list