All entries for Monday 24 March 2008

March 24, 2008

Interactive Firewalls?

openSUSE comes with a firewall (SuSEfirewall2) which is enabled by default on desktop installations and drops all incoming traffic. There are often discussions as to whether this is a good thing or not, with strong opinions on either side. I won’t get into those.

The problem for users is that some things such as

  • Samba share browsing
  • File sharing
  • Remote access
  • Avahi

will fail to work, often silently. Some people just assume that the function is broken. Fewer think to disable the firewall and try again. Still fewer are able to open just the ports they require in the firewall. One of the most frequently asked questions on IRC is why Samba browsing does not work.

Obviously simply having the firewall disabled by default for internal networks would solve the problem. However, this is an unpopular option amongst some, and if the firewall is enabled it should still be possible to help the user know what to do.

I knocked up a little proof of concept application which

  • Watches events in the firewall log
  • Matches those events against predefined suggestions
  • Proposes relevant suggestions to the user
  • If the user approves, opens the ports automatically using YaST

So, for example, if the user is trying to set up a webserver and the firewall is blocking access to it, it will suggest opening port 80.

Or, if the user tries to browse Samba shares and the firewall blocks the responses, it will suggest opening high ports to allow these responses to get back.
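The watch-and-match step described above, written out as an added example (this is not the author's demo code). The `SFW2-INext-DROP-DEFLT` log prefix, the `LAN` network and the suggestion table are assumptions, and the log lines are constructed; only drops whose source is on the internal network lead to a suggestion, so unsolicited outside traffic never produces a prompt.

```python
import ipaddress
import re

# Constructed sample lines in the netfilter LOG format; the
# "SFW2-INext-DROP-DEFLT" prefix is assumed to be what SuSEfirewall2 writes.
SAMPLE_LOG = """\
Mar 24 10:15:02 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=80 SYN
Mar 24 10:15:09 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.30 DST=192.168.1.10 LEN=90 TTL=64 PROTO=UDP SPT=137 DPT=40211
Mar 24 10:15:11 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=51 PROTO=TCP SPT=40000 DPT=80 SYN
Mar 24 10:15:12 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51300 DPT=80 SYN
Mar 24 10:15:20 linux sshd[2211]: Accepted publickey for user from 192.168.1.20
"""

# Assumption: the internal network whose blocked traffic may prompt the user.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Hypothetical suggestion table: (required field values, text shown to the user).
SUGGESTIONS = [
    ({"PROTO": "TCP", "DPT": "80"}, "Web server is blocked: open TCP port 80?"),
    ({"PROTO": "UDP", "SPT": "137"}, "Samba browsing replies are blocked: allow them?"),
]
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_drop(line):
    """Return the KEY=value fields of a firewall drop line, or None."""
    if "SFW2-" not in line or "-DROP" not in line:
        return None
    return dict(FIELD.findall(line))

def propose(log_text):
    """Return each matching suggestion once, in order of first appearance."""
    proposed = []
    for line in log_text.splitlines():
        event = parse_drop(line)
        if event is None:
            continue  # not a firewall drop record
        try:
            if ipaddress.ip_address(event.get("SRC", "")) not in LAN:
                continue  # drops from outside the LAN never prompt the user
        except ValueError:
            continue  # missing or malformed source address
        for wanted, text in SUGGESTIONS:
            hit = all(event.get(k) == v for k, v in wanted.items())
            if hit and text not in proposed:
                proposed.append(text)
    return proposed

if __name__ == "__main__":
    print("\n".join(propose(SAMPLE_LOG)))
```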

More screenshots here

What do people think about this idea? Does anyone know of any other similar projects for interactive firewalls on Linux? Mandriva has “mandi” but this seems more geared towards being an interactive fail2ban than offering suggestions.

My little demo source code is available if anyone is interested.


One–Click–Install improvements

I fixed a few bugs/wishes in the openSUSE “one click install” handler last week.

Amongst potentially interesting changes are

  • Tidied up the UI a little and removed the somewhat cryptic “advanced mode” checkbox in favour of an editable proposal, as used elsewhere in YaST.

  • “Don’t show this again” support for the nag warning.

Clicking customise gives the equivalent of the old advanced mode.

Click here to install on 10.3

