Firewalls

Differences between revisions 10 and 11
Revision 10 as of 2005-04-29 05:09:11
Size: 3277
Editor: intern146
Comment: -> draft spec, add to queues.
Revision 11 as of 2005-04-29 05:20:12
Size: 3338
Editor: intern146
Comment: English okay, Colin checks for tech
Line 12: Line 12:
 * Status: DraftSpec, DistroSpecification, NewSpec, ColinCharlesQueue or SimonSharwoodQueue [[BR]]  * Status: DraftSpecification, DistroSpecification, ColinCharlesQueue[[BR]]
Line 23: Line 23:
Firewalls & Security are important to end-users. Also, when users migrate from other operating systems (and even Linux distributions), there is a sense of wanting a Firewall Management tool. An example of this is how the nice utility that is shipped in Mac OS X, where settings can be turned on and off with the click of the button. This spec describes our planned firewall management features, which should provide services like that nice utility that ships in Mac OS X and enables security settings can be turned on and off with the click of the button.
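Review bot: the replacement sentence on the right-hand side still carries the grammatical error of the old text ("enables security settings can be turned on and off"); it should read "enables security settings to be turned on and off with the click of a button". While editing, consider naming the Mac OS X utility being compared to rather than "that nice utility", which a reader outside the original discussion cannot identify.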
Line 27: Line 27:
Firewalls & Security are important to end-users. We can recognize that importance by giving them tools to manage their firewall.
Line 28: Line 30:
We should enable users to effectively and simply enable and disable services such as web or file serving, and allow peer-to-peer services such as BitTorrent.
We should enable users to effectively and simply enable and disable services such as web or file serving, and allow peer-to-peer services such as BitTorrent, all without compromising overall security.
Line 32: Line 35:
 1. Charles wishes to protect his machine, which is directly on the internet, from attackers. He wishes to be able to continue to use his peer-to-peer clients.
 2. William wishes to enable his machine, which is directly conected to the internet, to serve web pages to his friends, whilst remaining protected otherwise.
 3. Harry wishes to share the connection on his computer to the rest of his family.
 1. Charles wishes to protect his machine, which is connected directly to the internet, from attackers. He wishes to continue using his peer-to-peer clients.

 2. William wishes to enable his machine, which is connected directly to the internet, to serve web pages to his friends, whilst remaining protected otherwise.

 3. Harry wishes to share his computer's internet connection with the rest of his family.
Line 39: Line 44:
 * Design and implement a graphical tool to allow the user to switch between these levels  * Design and implement a graphical tool to allow the user to switch between these security levels
Line 49: Line 54:
Packages which provide daemons that should be listening on networked ports (eg `apache2`, `samba`) should provide a file in /etc/iptables.d/ that lists the ports they wish to use. In medium mode, these ports could be configured to be opened automatically. Packages which provide daemons that should be listening on networked ports (eg `apache2`, `samba`) should provide a file in /etc/iptables.d/ that lists the ports they wish to use. In medium mode, these ports could be configured to be opened automatically. 
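Review bot: this hunk is a whitespace-only change (the two copies of the paragraph differ only in a trailing space), so if a wording change was intended here it did not land. Separately, the paragraph still does not say what format the file in /etc/iptables.d/ takes (one port per line? protocol included? who owns and validates it?), and since the medium level opens those ports automatically, that format and its validation are the security-relevant part and deserve a sentence.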
Line 63: Line 68:
 * simple graphical tool that enables the user to change security level  * simple graphical tool that enables the user to change security level.

Firewalls

Status

Introduction

This spec describes our planned firewall management features, which should provide something like the utility that ships in Mac OS X and enables security settings to be turned on and off with the click of a button.

Rationale

Firewalls & Security are important to end-users. We can recognize that importance by giving them tools to manage their firewall.

Ubuntu should be as secure as possible whilst remaining usable and featureful. To combine these two goals, we require a functional firewall admin tool.

We should enable users to effectively and simply enable and disable services such as web or file serving, and allow peer-to-peer services such as BitTorrent, all without compromising overall security.

Scope and Use Cases

  1. Charles wishes to protect his machine, which is connected directly to the internet, from attackers. He wishes to continue using his peer-to-peer clients.
  2. William wishes to enable his machine, which is connected directly to the internet, to serve web pages to his friends, whilst remaining protected otherwise.
  3. Harry wishes to share his computer's internet connection with the rest of his family.

Implementation Plan

  • Design and implement a reasonable set of security levels
  • Design and implement a graphical tool to allow the user to switch between these security levels
  • Add functionality to debhelper so that packages can describe to the graphical tool which ports they require
  • Add functionality to both Network Admin and the firewall tool to allow internet connection sharing.

The user should be presented with a simple tool that allows them to select various levels of security. These would be:

  1. Paranoid - lock everything down to only allow outgoing connections
  2. High - allow outgoing connections and certain incoming high ports for p2p apps
  3. Medium - allow outgoing connections, incoming ports for selected applications, and incoming ports for p2p apps.
  4. Low - "get out of my face" mode.

Packages which provide daemons that should be listening on networked ports (e.g. apache2, samba) should provide a file in /etc/iptables.d/ that lists the ports they wish to use. In medium mode, these ports could be configured to be opened automatically.

We would extend debhelper to enable people to use dh_iptables to install and configure these files automatically.
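As an added illustration of the four levels and the /etc/iptables.d/ port declarations described above (example code, not the spec's or Ubuntu's own tooling): a small POSIX shell generator that turns a chosen level plus the per-package declaration files into an iptables-restore rule set. It assumes a file format the spec does not define (one "proto port" pair per line, '#' comments), uses a constructed 6881-6889/tcp range for peer-to-peer clients, and leaves connection sharing (FORWARD/NAT) aside.

```shell
#!/bin/sh
# Added example, not the spec's own tooling: build an iptables-restore rule set
# for one of the four security levels from per-package port declarations.
# Assumptions not made by the spec: each file in the declarations directory
# (the spec's /etc/iptables.d/) holds "proto port" pairs, one per line, with
# '#' comments; p2p clients use the constructed range 6881-6889/tcp.
# Rules are printed, not loaded, so the result can be reviewed first.

P2P_PORTS="6881:6889"   # constructed sample range for peer-to-peer clients

# gen_rules LEVEL DIR  ->  prints rules; returns 1 on an unknown level
gen_rules() {
    level=$1 dir=$2 policy=DROP
    case $level in
        paranoid|high|medium) ;;
        low) policy=ACCEPT ;;          # "get out of my face" mode
        *) echo "unknown level: $level" >&2; return 1 ;;
    esac
    echo "*filter"
    echo ":INPUT $policy [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # every level keeps loopback and replies to our own outgoing connections
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$level" = high ] || [ "$level" = medium ]; then
        echo "-A INPUT -p tcp --dport $P2P_PORTS -j ACCEPT"
    fi
    if [ "$level" = medium ]; then
        # open only what installed daemons declared; reject malformed entries
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            echo "# declared by $(basename "$f")"
            while read -r proto port; do
                case $proto in ''|[#]*) continue ;; esac
                case $proto in tcp|udp) ;; *) echo "skip $proto in $f" >&2; continue ;; esac
                case $port in ''|*[!0-9]*) echo "skip port '$port' in $f" >&2; continue ;; esac
                echo "-A INPUT -p $proto --dport $port -j ACCEPT"
            done < "$f"
        done
    fi
    echo "COMMIT"
}

# make_sample_dir -> creates a constructed declarations directory, prints its path
make_sample_dir() {
    d=$(mktemp -d)
    printf 'tcp 80\ntcp 443\n' > "$d/apache2"
    printf '# NetBIOS name service and SMB\nudp 137\ntcp 445\nbogus 1\n' > "$d/samba"
    echo "$d"
}
```

To apply a reviewed policy, pipe the output into iptables-restore; the generator itself never touches the live rule set.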

Data Preservation and Migration

Packages Affected

  • Many packages that provide daemons
  • gnome-system-tools
  • debhelper

User Interface Requirements

  • simple graphical tool that enables the user to change security level.
  • potentially extend the network tool or create another tool to allow services to be activated or deactivated.
  • interface for sharing a connection trivially.

Firewalls (last edited 2008-08-06 16:27:41 by localhost)