Re: The state of firewall management...



Dan Williams wrote:
> On Thu, 2009-06-18 at 21:35 +0100, Graham Lyon wrote:
> > I'm wondering what the plan of action is towards management of
> > firewalls on the desktop. Is this something that NetworkManager should
> > do? I think so. Firewalls, for the average end user, should "just
> > work". A great many linux distros don't come with a firewall
> > configured by default and there is no default mechanism for
> > interfacing with a firewall and opening ports etc for any software to
> > use. I'm interested in developing a system to allow NM to identify a
> > network, ask the user to classify this network if it has never been
> > visited before, and then act accordingly (users of Windows Vista will
> > recognise this process). I think it's needed as the average enduser
> > will not give themselves a proper firewall configuration. Ever.
> 
> Ideally yes, average users shouldn't have to care about ports or
> anything, they should care about *services*. 
> [...] 
> Firewall UI is a hard problem, and the current Linux stuff just doesn't
> make sense for most users, because they are fundamentally trying to
> provide a UI shell around a simple list of port-based allow/deny rules,
> or worse, a UI shell around every option that iptables provides.  That's
> not how you create a usable interface for 85% of the people out there.

Exactly. That's why SuSEfirewall2 allows packages to define what
ports belong to a service so the user no longer needs to care about
individual ports:
http://en.opensuse.org/SuSEfirewall2/Service_Definitions_Added_via_Packages

> What I think *should* happen is fairly intelligent integration between
> NM and some other firewall manager.  NM can provide information that a
> firewall definitely wants; if you connect to a WPA or 802.1x protected
> or 3G network, then you can worry a lot less because you're on a fairly
> secure network.  If you connect in a public coffee shop with no
> encryption at all, then you definitely want higher security policy in
> the firewall.

The network could be encrypted and still be untrustworthy. I've been
in a hospital recently which had a WPA2 network. Who knows what kind
of sick people are in that network ;-) IOW the machine can't judge.
You have to ask the user or default to untrustworthy.

> Thus, I think that a firewall should interact with NM on a pretty
> fundamental level, and after getting details about the current network
> connection from NM, the firewall manager could make some intelligent
> policy decisions about what security level to enforce.
> [...]
> We could certainly store some sort of "security level" tag on a
> per-connection basis in NetworkManager that would be available to apps
> like a firewall manager, which users could set either in the connection
> editor, or via some other method which we should get user-interaction
> experts to think about.  We can even set that tag to reasonable defaults
> based on the connection type.

I didn't know about the discussion here. I created this little app
recently to switch firewall zones as PoC (in SuSEfirewall2 you
configure zones and then associate interfaces to zones):
http://lizards.opensuse.org/2009/07/10/1453/ 
Ideally it shouldn't need a separate tray icon of course. That could
be achieved by NM storing the zone for a network itself, i.e. your
'security level' tag. Another option is to query and monitor NM but
the NM D-Bus interface looked too complicated to me for a quick hack
like that :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
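The two mechanisms Ludwig refers to above (package-provided service definitions so the user picks services rather than ports, and zones to which interfaces are assigned) can be shown end to end with a small script. This is an added example, not code from the mail, from the lizards.opensuse.org PoC or from SuSEfirewall2 itself. It assumes the documented sysconfig-style layout: one file per service under the services directory with `TCP="..."`/`UDP="..."` lines, and `FW_DEV_EXT`/`FW_DEV_INT`/`FW_DEV_DMZ` plus `FW_CONFIGURATIONS_EXT`/`INT`/`DMZ` in the main config; the meaning of `any` in `FW_DEV_EXT` (every interface not listed elsewhere is treated as external, i.e. untrusted by default) is taken from the SuSEfirewall2 documentation and is the security-relevant default here. The sample service files and config are constructed inline in a scratch directory; the NM side (deciding which zone a network belongs to) is deliberately left out, the script only shows what a zone switcher has to read and change.

```shell
#!/bin/sh
# Added example: resolve the ports a SuSEfirewall2 zone opens from
# package-provided service definitions, and move an interface between zones.
# Not SuSEfirewall2's own code; file formats assumed as described in the lead-in.
set -u

# Constructed sample tree standing in for /etc/sysconfig/SuSEfirewall2.d/services/
# and /etc/sysconfig/SuSEfirewall2 (nothing on the real system is touched).
SFW_ROOT=$(mktemp -d)
trap 'rm -rf "$SFW_ROOT"' EXIT
SERVICES_DIR="$SFW_ROOT/services"
CONFIG="$SFW_ROOT/SuSEfirewall2"

setup_sample() {
    mkdir -p "$SERVICES_DIR"
    cat > "$SERVICES_DIR/sshd" <<'EOF'
## Name: SSH server
TCP="22"
EOF
    cat > "$SERVICES_DIR/samba-server" <<'EOF'
## Name: Samba Server
TCP="139 445"
UDP="137 138"
BROADCAST="137 138"
EOF
    # "any" in FW_DEV_EXT: unlisted interfaces land in the untrusted zone
    # (assumed semantics, see lead-in).
    cat > "$CONFIG" <<'EOF'
FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_CONFIGURATIONS_EXT="sshd"
FW_CONFIGURATIONS_INT="sshd samba-server"
FW_CONFIGURATIONS_DMZ=""
EOF
}

# Read one KEY="value" line from a sysconfig-style file (last one wins).
sysconfig_get() {  # file key
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Zone an interface belongs to: explicit listing first, then the "any" catch-all.
zone_of() {  # iface
    for z in INT DMZ EXT; do
        for dev in $(sysconfig_get "$CONFIG" "FW_DEV_$z"); do
            [ "$dev" = "$1" ] && { echo "$z"; return 0; }
        done
    done
    for dev in $(sysconfig_get "$CONFIG" FW_DEV_EXT); do
        [ "$dev" = any ] && { echo EXT; return 0; }
    done
    echo UNASSIGNED
    return 1
}

# Ports (proto/port) a zone allows, derived from the services enabled for it,
# so the caller reasons about services and never about port numbers.
zone_ports() {  # zone
    for svc in $(sysconfig_get "$CONFIG" "FW_CONFIGURATIONS_$1"); do
        f="$SERVICES_DIR/$svc"
        [ -f "$f" ] || { echo "unknown service $svc" >&2; continue; }
        for p in $(sysconfig_get "$f" TCP); do echo "tcp/$p"; done
        for p in $(sysconfig_get "$f" UDP); do echo "udp/$p"; done
    done | sort -t/ -k1,1 -k2,2n -u | tr '\n' ' ' | sed 's/ $//'
}

# Move an interface to a zone: drop it from every FW_DEV_* line, then append
# it to the target. An explicit listing beats "any", so moving a network to
# INT sticks while everything unknown stays external.
set_zone() {  # iface zone
    case "$2" in EXT|INT|DMZ) ;; *) echo "bad zone $2" >&2; return 1 ;; esac
    for z in EXT INT DMZ; do
        devs=$(sysconfig_get "$CONFIG" "FW_DEV_$z" | tr ' ' '\n' \
               | grep -vxF "$1" | tr '\n' ' ' | sed 's/ $//')
        [ "$z" = "$2" ] && devs="${devs:+$devs }$1"
        sed "s|^FW_DEV_$z=.*|FW_DEV_$z=\"$devs\"|" "$CONFIG" > "$CONFIG.tmp" \
            && mv "$CONFIG.tmp" "$CONFIG"
    done
}

demo() {
    setup_sample
    z=$(zone_of wlan0)
    echo "wlan0 (never seen before) is in zone $z, open: $(zone_ports "$z")"
    set_zone wlan0 INT     # what the tray-icon PoC would do once the user says "trusted"
    z=$(zone_of wlan0)
    echo "wlan0 after reclassification is in zone $z, open: $(zone_ports "$z")"
}
demo
```

The point to note is the order in `zone_of`: an interface is only trusted when it is explicitly listed in `FW_DEV_INT` or `FW_DEV_DMZ`, and a new network such as `wlan0` falls through to `any`, i.e. to the external zone. That is the "default to untrustworthy" rule from the mail expressed as config, and a NetworkManager-driven switcher would only ever have to call the equivalent of `set_zone` with the zone stored on the connection.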

