[Setup-tool-hackers] firewall

Sorry I haven't replied to any messages lately, but here are my responses :)

> From: Tuomas Kuosmanen <tigert@ximian.com>
>
> Maybe have a look at the bunch of Windows based firewall tools, and how their
> user interfaces are done?

Yes, I have been looking at quite a few firewall guis lately.

> I have seen many gtk based ones, some looked like a graphical version of
> ipchains where you  just had to know the syntax of ipchains anyway to be able
> to use it. They sucked for the new/uneducated user.

Right, I want to make a tool for the uneducated user, not someone who
already knows how things work. I think we should eventually give the
option of adding your own rules, but that would not be the main goal.

> Alan's tool (Gnome Lokkit if I remember correctly) was wizard-based and
> I liked it a lot. It was easy to walk through, and it had questions that made
> sense.

Yep, a good tool to integrate some ideas from.

> Also should handle dynamic IP numbers!

The code is there now, but needs some testing :)


> From: Arturo Espinosa Aldama <arturo@ximian.com>
>
> Remember the Ximian Setup Tools are oriented towards end-user workstations.

I think this is a good point. I think we should put off the NATing for
now and concentrate on putting up a basic firewall. Leave the NATing for
later :)

> The firewall stuff you've been talking about sounds great, but I would
> urge you to start from the backend, and face the problem of setting up the
> same rules for the different fw tools (ipfwadmin, ipchains, iptables and
> any others that may come, including other unices).

Yes, this is what I am doing now. I think I responded to you before, but I
am right now setting up the backend script. I am right now supporting
iptables, ipchains, and ipfilter.

> You should see what kinds of rules can be set with all systems and
> determine an XML that describes the rules, in a platform-independent way.

Yep, taking my time with this one, so I get it right the first time :)

> Then start coding the backend. I recommend you this order because once the
> backend is ready for the first time, it won't be prone to much
> modification (if you do it the right way). On the other hand, the frontend
> can go through lots of reshaping before it reaches an acceptable design.

I am trying to get the backend right the first time (reuse a lot of the
existing perl code), so it may take a while for me to get code out to the list.

> From: Tuomas Kuosmanen <tigert@ximian.com>
>
> My point was most of the linux firewall software is pretty hard to use, and
> maybe there are good ideas to be found if we look around a bit. Also, the
> only way to find out if an interface we design is good or not, is to test it
> with a bunch of users. We just don't know what is easy and what is not,
> because we are technical users.

I agree.

> There are users who don't know what "pop" or "X11" means, so it needs
> to be simplified.

I like the "generic security level" Mitch setup here:
http://fluxstep.org/download/xst-firewall/firewallconfig.jpeg

I took that idea and made this mock-up:
http://ucsub.colorado.edu/~burra/firegui.jpg
This one is for the custom firewall option:
http://ucsub.colorado.edu/~burra/custom.jpg


> From: Telsa Gwynne <hobbit@aloss.ukuu.org.uk>
>
> How to explain spoofing, syn floods, port scans, packets and so on gets
> to be a lot of fun. I wrote the docs for gnome-lokkit (see below) and
> you also end up having to tell people "These programs won't work now
> you have a firewall; here are command-line equivalents". (Quake players
> who do not want to read the IP-Masq-HOWTO are completely stuck, for
> example. I have found no simple way to fix that.)

Yeah, teaching all the network attacks might be a challenge. We really
need to put a lot of effort into the help/info parts and create the fw
rules carefully.

> From: Mitch Allmond <gte203h@prism.gatech.edu>
>
> sounds like a good start when installing a system but to be honest, it's the
> lazy way out. Taking the lazy and easy way out is one of gnome's number one
> problem. Take the panels, menus, and control panel that we currently have.
> It looks as if no one even attempted to design a good UI. Things are just
> stacked into menus and in submenus. There really isn't much sense in doing
> something if it's going to be done half ass. I realize that anyone that
> attempts the type of firewall utility I'm talking about is going to face
> major issues and obstacles. However, they are all obstacles that can be
> overcome if a little time goes into the design. Most
> linux programmers are too quick to start coding and completely leave out the
> whole design part.  From what I can tell, most people that will actually
> care to use a firewall in any serious manner will do so for masquerading,
> port forwarding, and port blocking. People that are just on a dial up or
> cable modem with no lan will never need it beyond being a toy. The most
> they'll want is spoof and flood protection. That's really all they need if
> their distro doesn't start every last service known to man.

Actually, most of the distros do start a lot of stuff that's dangerous:
rpc, lpd, etc., even redhat... Sun is even worse, they start everything.

> In fact, distros
> like redhat, etc.... shouldn't start any service by default besides sshd.
> Anyway, looking at what people will most likely use the firewall for, I don't
> see how redhat's firewall script will be much of a help. I like my basic UI
> layout I gave via the jpeg.  It's pretty straight forward and can obviously
> take improvements.

Yes I like the "generic" part too.

> The trivial matters such as
> quake players, etc...... can also be ironed out with some elegance if thought
> is put into it.

I think stateful firewalls (iptables, ipf) should take care of the
quake/Tribes/ftp problems that ipchains creates. If they're using ipchains,
we need to create more complicated rule sets.

> We are talking about the setup utilities that will be part of
> the Gnome 2.0 platform guys. We all know that linux has no chance in the near
> future to ever make it as a major desktop os but there is already strong
> holding for linux as a server os. In that regard, shouldn't we have a set of
> utilities in the control panel that would be an admin's dream? Such utilities
> would certainly get us more leverage.  You may say, a good admin would make
> his own scripts, edit his own files, etc.... That's very true and it's only
> true because there are no good tools to do it for him. However, take a look
> at (my personal favorite) mac os X. It's absolutely stunning and loses no
> power at all through its UI cause its UI is that good. Mac OS X Server is
> incredible. Yet, it's just a darwin kernel. Nothing that much more special
> than the linux kernel but it's the well thought out UI that makes it good.

I might get flamed for this, but I really agree here. OSX server is very
nice and I think we should create good UIs, so you don't have to get to
the script level. If there was a good firewall GUI program, I wouldn't
have written the scripts I have. That's why I am making this firewall
utility... well, also to get people more secure, because tons of boxes are
wide open.

--------------------[-- burra@colorado.edu --]--------------------------
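The platform-independent rule description and per-tool backend discussed in the thread, as an added example (not code from the list or from the Ximian Setup Tools); the XML format, element names, sample policy and function names are assumptions, and the commands are only generated, not executed:

```python
# Added example (not the list's or XST's code): a minimal backend that turns a
# platform-independent XML rule description into iptables and ipchains commands.
# The XML schema below is a constructed assumption; the real XST format was
# still being designed when this mail was written.
import xml.etree.ElementTree as ET

# Constructed sample: a "generic" policy allowing ssh and web in, deny the rest.
SAMPLE_XML = """<firewall default="deny">
  <allow proto="tcp" port="22"/>
  <allow proto="tcp" port="80"/>
  <allow proto="udp" port="53" from="192.0.2.1"/>
</firewall>"""

def parse_rules(xml_text):
    """Return (default_policy, [rule dicts]) from the XML description."""
    root = ET.fromstring(xml_text)
    rules = [dict(r.attrib) for r in root.findall("allow")]
    return root.get("default", "deny"), rules

def _src(rule):
    return f" -s {rule['from']}" if "from" in rule else ""

def to_iptables(xml_text):
    """Stateful (2.4 netfilter) rendering of the same policy."""
    default, rules = parse_rules(xml_text)
    policy = "DROP" if default == "deny" else "ACCEPT"
    cmds = ["iptables -F INPUT", f"iptables -P INPUT {policy}",
            "iptables -A INPUT -i lo -j ACCEPT",
            # connection tracking: replies to our own connections (ftp data,
            # game servers) are accepted without opening extra ports
            "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        cmds.append(f"iptables -A INPUT -p {r['proto']}{_src(r)}"
                    f" --dport {r['port']} -j ACCEPT")
    return cmds

def to_ipchains(xml_text):
    """Stateless (2.2 ipchains) rendering; needs the non-SYN workaround."""
    default, rules = parse_rules(xml_text)
    policy = "DENY" if default == "deny" else "ACCEPT"
    cmds = ["ipchains -F input", f"ipchains -P input {policy}",
            "ipchains -A input -i lo -j ACCEPT",
            # no connection tracking: let non-SYN (reply) TCP packets through,
            # which is the cruder rule set the thread mentions for ipchains
            "ipchains -A input -p tcp ! -y -j ACCEPT"]
    for r in rules:
        cmds.append(f"ipchains -A input -p {r['proto']}{_src(r)}"
                    f" --dport {r['port']} -j ACCEPT")
    return cmds
```

Each tool's list can be diffed against the other to check that one XML file produces the same policy on both backends.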

_______________________________________________
setup-tool-hackers maillist  -  setup-tool-hackers@ximian.com
http://lists.ximian.com/mailman/listinfo/setup-tool-hackers