This spec describes our planned firewall management features, which should provide services like the nice utility that ships in Mac OS X and lets security settings be turned on and off with the click of a button.
Firewalls & Security are important to end-users. We can recognize that importance by giving them tools to manage their firewall.
Ubuntu should be as secure as possible whilst remaining usable and featureful. To combine these two goals, we require a functional firewall admin tool.
We should enable users to effectively and simply enable and disable services such as web or file serving, and allow peer-to-peer services such as BitTorrent, all without compromising overall security.
Scope and Use Cases
- Charles wishes to protect his machine, which is directly on the Internet, from attackers. He wishes to be able to continue to use his peer-to-peer clients.
- William wishes to enable his machine, which is directly connected to the Internet, to serve web pages to his friends, whilst remaining protected otherwise.
- Harry wishes to share the connection on his computer to the rest of his family.
- John has a laptop with multiple interfaces (ppp0, eth0, ath0, wlan0) and wants a generic firewall to be in place before any of these interfaces come up.
- Design and implement a reasonable set of levels of security
- Design and implement a graphical tool to allow the user to switch between these security levels
- Add functionality to debhelper to allow packages to add descriptions of which ports they require to the graphical tool
- iptables.d directory for applications to put in rules?
- Add functionality to both Network Admin and the firewall tool to allow internet connection sharing.
The user should be presented with a simple tool that allows them to select various levels of security. These would be:
- Paranoid - lock everything down to only allow outgoing connections
- High - allow outgoing connections and certain incoming high ports for P2P apps
- Medium - allow outgoing connections, incoming ports for selected applications, and incoming ports for P2P apps.
- None - "get out of my face" mode.
- Laptop Mode - firewall starts without binding to an interface.
Packages which provide daemons that should be listening on networked ports (eg apache2, samba) should provide a file in /etc/iptables.d/ that lists the ports they wish to use. In medium mode, these ports could be configured to be opened automatically.
We would extend debhelper so that packages can use dh_iptables to install and configure these files automatically.
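As an added example, not code from this spec or from Ubuntu: a POSIX shell function that turns a chosen security level plus the per-package port files into an iptables-restore ruleset, so the four non-laptop levels above and the /etc/iptables.d/ idea can be seen working together. The port-file format ("<proto> <port>" per line, one file per package) and the P2P port range are assumptions.

```shell
#!/bin/sh
# Added example, not code from the spec: build an iptables-restore ruleset
# from a security level and the per-package port files in an iptables.d dir.
# Assumed (hypothetical) file format, one rule per line: "<proto> <port>",
# e.g. "tcp 80"; '#' starts a comment.  Usage: gen_rules <level> <dir>
gen_rules() {
    level="$1"; dir="$2"
    p2p="6881:6889"   # constructed stand-in for the "high ports" used by P2P apps
    case "$level" in
        paranoid|high|medium) in_policy=DROP ;;     # default deny inbound
        none) in_policy=ACCEPT ;;                   # "get out of my face" mode
        *) echo "unknown security level: $level" >&2; return 1 ;;
    esac
    printf '*filter\n'
    printf ':INPUT %s [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n' "$in_policy"
    # Every level allows outgoing connections, so replies to them must get
    # back in; loopback is always allowed too.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    case "$level" in
        high|medium)
            printf '%s\n' "-A INPUT -p tcp --dport $p2p -j ACCEPT" ;;
    esac
    if [ "$level" = medium ]; then
        # Medium additionally opens the ports each installed daemon declared.
        for f in "$dir"/*.ports; do
            [ -r "$f" ] || continue
            # strip comments and blank lines, then emit one ACCEPT per entry
            sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f" |
            while read -r proto port; do
                [ -n "$port" ] || continue
                printf '%s\n' "-A INPUT -p $proto --dport $port -j ACCEPT"
            done
        done
    fi
    printf 'COMMIT\n'
}
```

Pipe the output into iptables-restore to apply it; the paranoid level yields no inbound port rules at all, so a misnamed level fails closed rather than opening anything.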
Data Preservation and Migration
- Many packages that provide daemons
User Interface Requirements
- simple graphical tool that enables the user to change security level.
- potentially extend the network tool or create another tool to allow services to be activated or deactivated. (MattZimmerman: I don't feel that this should be part of a firewall configuration tool; we already have services-admin for this)
- interface for sharing a connection trivially.
Mandriva have done some work here: http://qa.mandriva.com/twiki/bin/view/Main/InteractiveFirewall
The "levels of security" concept described in the implementation plan isn't at all the same as the Mac OS interface praised in the introduction. It is rather more similar to the "security level" settings in Microsoft Internet Explorer.
The Sharing section of the Mac OS System Preferences interface is very nice indeed, and well worth looking to as a good example. It has 3 tabs: Services, Firewall, and Internet.
- The Services tab has a list of services that can be turned on or off with a checkbox. Highlighting an entry in this list (with or without checking the box to enable it) displays a short description of the service off to the side. These descriptions use plain language but also mention in parentheses the specific acronyms and technical names that will be familiar to technical users (e.g. SSH, SMB/CIFS). The existing GNOME System Tools start/stop services tool does exactly this.
- The Firewall tab has a list of items with check boxes next to them. Each item has a one line description. In parentheses at the end of each line are the port numbers that will be opened when the item is enabled by checking the box. The list includes an item for each service in the list on the Services tab. New items can be added by the user with a simple two field dialogue (1: description, 2: list of port numbers). Starting a service in the Services tab enables the corresponding item in the Firewall tab (checks and greys out that firewall item's checkbox).
- The Internet tab has a selection box to choose one interface from which to share your connection and a list with checkboxes of the remaining interfaces on which to share your connection. For GNOME this sort of thing likely belongs in (or at least needs to coordinate with) NetworkManager.
I believe that the Mac OS style of per-service firewall settings is more useful to common classes of users than are "levels" based settings. I don't think that security "levels" map well onto practical ways of thinking about security. They can't always be ordered linearly from "more secure" to "less secure" either. For example, will the "High" security level listed above allow incoming connections on ports used by many different p2p applications even if I am only running one particular p2p application?
Technically knowledgeable users will want to open and close specific ports by number. They'll also want to see familiar technical names for services listed in the GUI (GNOME System Tools does this well). Non-hacker types will want to start and stop services based on plain language descriptions of the service (GNOME System Tools does this well too). They'll expect the firewall to be adjusted appropriately for the services that they've selected at any given time.
It's tempting to recommend borrowing the concept of "locations" from Mac OS (unordered groups of network settings) and extending it to include firewall and service settings. NetworkManager, however, have specifically rejected this concept (calling it "profiles") from their design goals and, I think, with good reason.
This "zones" abstraction is not enough. It would be great to have such functionality as in FireFlier: interactive reaction to every connection attempt on a per-application, per-host etc. basis, which can eventually be made persistent. There are a lot of noisy applications that try to connect to the Internet without permission, and this functionality will be very useful, i.e. when testing an application or starting with maven. It is a false perception that Linux doesn't need such a thing; I want to know what happens on my box. As an example, Windoze's Kerio Personal Firewall is such an ultimate tool: it allows controlling traffic, the spawning of one application by another, etc. We should learn from its functionality.
It would be great to have a firewall that could be enabled/disabled automatically based on different locations (work, home, internet-cafe). If I'm on an unsafe network I'd want to close absolutely everything, but on my home LAN I want a more open setup.