[ubuntu-hardened] Firewall settings: User interface review and questions

Jim Tarvid tarvid at ls.net
Thu Jun 23 18:30:15 UTC 2011


On Thu, Jun 23, 2011 at 1:30 PM, Kees Cook <kees.cook at canonical.com> wrote:
> Hi,
>
> On Thu, Jun 23, 2011 at 05:12:13PM +0100, Matthew Paul Thomas wrote:
>> Part of the planned "Desktop-side networking enhancements"
>> <https://launchpad.net/ubuntu/+spec/desktop-o-desktop-network-enhancements>
>> is the addition of a graphical interface for configuring a firewall.
>>
>> Mathieu Trudel-Lapierre and I have been working on a design for the
>> firewall settings. Here's what we have so far:
>> <https://wiki.ubuntu.com/OneiricDesktopNetworkEnhancementsSpec#Design>
>>
>> We'd appreciate a general sanity check for these settings, from people
>> who know more about security than we do. Are they missing anything
>> highly useful? Or is there anything there that shouldn't be?
>
> First, please make sure the UI will interface correctly with "ufw",
> which is the official Ubuntu firewall tool. Jamie Strandboge, as the
> author, can help guide you there.
>
>> There are also two specific questions we have:
>>
>> *   Does Ubuntu have any "essential" incoming connections, which should
>>     be allowed in the normal case even when the firewall is turned on?
>>     (As a comparison, Mac OS X identifies "DHCP, Bonjour, and IPSec" as
>>     essential.)
>
> Yes, they are outlined in what we consider "Infrastructure Services":
> https://wiki.ubuntu.com/SecurityTeam/Policies#No_Open_Ports
> and we make case-by-case exceptions for them (presently DHCP and Avahi/mDNS).
>
>>     -   If so, how much use is it to have a graphical setting for
>>         blocking even those "essential" connection types?
>
> Since they would break the functionality of most systems, I'm not sure it's
> a great idea, but ufw does allow control over it, so it's really up to us
> about how to present it in the UI.
>
>> *   Does Ubuntu have any "essential" outgoing connections? Web
>>     browsing? E-mail? Avahi?
>
> At present, we view everything as essential. Since there is no way
> currently to sanely hook outgoing traffic and pop up dialogs about "do you
> want Program talking to the internet?" it doesn't make much sense to try to
> filter it.
>
> In fact, we don't believe in filtering _incoming_ traffic by default
> because of the no open ports policy. There's nothing listening, so why
> confuse things and make it harder for people to install services they want
> listening only to have the firewall block them by default?
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>
As one of the guys with boots on the ground, this discussion fails to
recognize real-world issues.

In our practice, the primary focus of security is on gateways, not
individual machines. Some of these gateways are appliances, many of
those run DD-WRT or OpenWrt, others are Ubuntu servers. Better
integration with appliance gateways would be welcome.

The Ubuntu gateways are firewalled and depend on netfilter. The most
convivial interface for us has been Webmin. An amazing amount of
effort has been spent on alternatives to and deprecation of Webmin.
After getting burned by this apostasy, I am reluctant to enter that
battle. Webmin works for me.

I need to ensure administrative access for a handful of machines,
access to a few public servers, deny access to a substantial number of
hostile subnets and permit my users to largely do what they want in
peace.

Jim Tarvid


