Re: The state of firewall management...

2009/7/1 Dan Williams <dcbw redhat com>
Firewall UI is a hard problem, and the current Linux stuff just doesn't
make sense for most users, because they are fundamentally trying to
provide a UI shell around a simple list of port-based allow/deny rules,
or worse, a UI shell around every option that iptables provides.  That's
not how you create a usable interface for 85% of the people out there.

Yes, this has always irked me about firewall management on Linux. The most powerful interface I've ever used was the one in webmin, but I suppose that's one of the ones that supplies all options iptables offers under the sun.
 
In any case, it's also not a battle I think NM should be trying to
fight, nor is it entirely within NM's area of responsibility.  Firewalls
are a level above NM, and the risk of becoming an amoeba gets pretty
large when talking about adding Firewall, proxy, Captive Portal, etc to
NM itself.

Agreed.
 
What I think *should* happen is fairly intelligent integration between
NM and some other firewall manager.  NM can provide information that a
firewall definitely wants; if you connect to a WPA or 802.1x protected
or 3G network, then you can worry a lot less because you're on a fairly
secure network.  If you connect in a public coffee shop with no
encryption at all, then you definitely want higher security policy in
the firewall.

Finally, someone agrees :D
 
Thus, I think that a firewall should interact with NM on a pretty
fundamental level, and after getting details about the current network
connection from NM, the firewall manager could make some intelligent
policy decisions about what security level to enforce.

So all we need to do is export a "security level" property over D-Bus and then a separate daemon can manage the firewall. I like this idea.

I think there's a lot of room to improve on Vista's "what location are
you in" dialog that comes up every time you connect to something new.  I
think it both over-simplifies the problem *and* mis-characterizes it at
the same time, but I didn't do any UI research that Microsoft presumably
did.  Note that Apple doesn't do this at all, they appear to run with
maximum firewall at all times, and let specific services punch through
the firewall automatically (like file sharing) with appropriate warnings
when you start the service up.

A good point - the Vista GUI has some flaws, but at the moment I can't think of anything better to ascertain the level of security of the network short of outright asking the user. I'd be happy to hear ideas on how we could infer it but to comment on what you said about 3G networks - they're an internet connection and should therefore be implicitly untrusted and so grouped with public wifi...

We could certainly store some sort of "security level" tag on a
per-connection basis in NetworkManager that would be available to apps
like a firewall manager, which users could set either in the connection
editor, or via some other method which we should get user-interaction
experts to think about.  We can even set that tag to reasonable defaults
based on the connection type.

Does that sound anything like what you were thinking about?

Yes.

--Graham
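The split discussed in this thread, as an added sketch that is not code from the thread or from NetworkManager: the firewall-manager side derives a per-connection "security level" from what it learns about the connection (a user tag wins, otherwise a type-based default with 3G grouped with public wifi unless told otherwise), then renders that level as a default-deny iptables INPUT chain. The Connection record, the level names, the POLICY table and the service-to-port mapping are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = ("public", "work", "home")   # least to most trusted (assumed names)

# Inbound services allowed per level (hypothetical policy table).
POLICY: Dict[str, List[str]] = {
    "public": [],
    "work": ["ssh"],
    "home": ["ssh", "file-sharing"],
}
SERVICE_PORTS = {"ssh": "22", "file-sharing": "445"}   # assumed mapping


@dataclass
class Connection:
    """Constructed stand-in for what a firewall manager could learn from NM."""
    name: str
    kind: str                          # "wifi", "ethernet" or "3g"
    encryption: Optional[str] = None   # "wpa", "802.1x", "wep" or None
    user_level: Optional[str] = None   # tag set by the user in the editor


def default_level(conn: Connection, trust_3g: bool = False) -> str:
    """Type-based default. 3G counts as public unless trust_3g is set;
    anything unrecognised also falls to "public" (fail closed)."""
    if conn.kind == "3g":
        return "work" if trust_3g else "public"
    if conn.kind == "wifi" and conn.encryption in ("wpa", "802.1x"):
        return "work"
    if conn.kind == "ethernet" and conn.encryption == "802.1x":
        return "work"
    return "public"


def effective_level(conn: Connection, trust_3g: bool = False) -> str:
    """A valid user tag overrides the default; an unknown tag is ignored."""
    if conn.user_level in LEVELS:
        return conn.user_level
    return default_level(conn, trust_3g)


def iptables_rules(conn: Connection, trust_3g: bool = False) -> List[str]:
    """Render the level as a default-deny INPUT chain with per-service holes."""
    rules = ["-P INPUT DROP",
             "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for svc in POLICY[effective_level(conn, trust_3g)]:
        rules.append(f"-A INPUT -p tcp --dport {SERVICE_PORTS[svc]} -j ACCEPT")
    return rules
```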

