Firewalls

Status

• Created: Date(2005-04-25T02:44:58Z) by JaneW

• Priority: LowPriority

• People: ThomMayLead, AnthonyBaxterSecond

• Contributors: JaneW

• Interested: JeffBailey

• Status: DraftSpec, DistroSpecification, NewSpec, ColinCharlesQueue or SimonSharwoodQueue BR

• Branch:
• Malone Bug:
• Packages:
• Depends:
• Dependents:

  FullSearch(Firewalls)

• UduSessions: 1, 4, 8, etc

Introduction

Firewalls & Security are important to end-users. Also, when users migrate from other operating systems (and even Linux distributions), there is a sense of wanting a Firewall Management tool. An example of this is how the nice utility that is shipped in Mac OS X, where settings can be turned on and off with the click of the button.

Rationale

Ubuntu should be as secure as possible whilst remaining usable and featureful. To combine these two goals, we require a functional firewall admin tool. We should enable users to effectively and simply enable and disable services such as web or file serving, and allow peer-to-peer services such as BitTorrent.

Scope and Use Cases

1. Charles wishes to protect his machine, which is directly on the internet, from attackers. He wishes to be able to continue to use his peer-to-peer clients.
2. William wishes to enable his machine, which is directly conected to the internet, to serve web pages to his friends, whilst remaining protected otherwise.
3. Harry wishes to share the connection on his computer to the rest of his family.

Implementation Plan

• Design and implement a reasonable set of levels of security
• Design and implement a graphical tool to allow the user to switch between these levels
• Add functionality to debhelper to allow packages to add descriptions of which ports they require to the graphical tool
• Add functionality to both Network Admin and the firewall tool to allow internet connection sharing.

The user should be presented with a simple tool that allows them to select various levels of security. These would be:

1. Paranoid - lock everything down to only allow outgoing connections
2. High - allow outgoing connections and certain incoming high ports for p2p apps
3. Medium - allow outgoing connections, incoming ports for selected applications, and incoming ports for p2p apps.
4. Low - "get out of my face" mode.

Packages which provide daemons that should be listening on networked ports (eg apache2, samba) should provide a file in /etc/iptables.d/ that lists the ports they wish to use. In medium mode, these ports could be configured to be opened automatically.

We would extended debhelper to enable people to use dh_iptables to install and configure these files automatically.

Data Preservation and Migration

Packages Affected

• Many packages that provide daemons

• gnome-system-tools

• debhelper

User Interface Requirements

• simple graphical tool that enables the user to change security level
• potentially extend the network tool or create another tool to allow services to be activated or deactivated.
• interface for sharing a connection trivially.