openSUSE comes with a firewall (SuSEfirewall2) which is enabled by default on desktop installations and drops all incoming traffic. There are often discussions as to whether this is a good thing or not, with strong opinions on either side. I won’t get into those.
The problem for users is that some things such as
- Samba share browsing
- File sharing
- Remote access
will fail to work, often silently. Some people just assume that the function is broken. Fewer think to disable the firewall and try again. Still fewer are able to open just the ports they require in the firewall. One of the most frequently asked questions on IRC is why Samba browsing does not work.
Obviously simply having the firewall disabled by default for internal networks would solve the problem. However, this is an unpopular option amongst some, and if the firewall is enabled it should still be possible to help the user know what to do.
I knocked up a little proof of concept application which
- Watches events in the firewall log
- Matches those events against predefined suggestions
- Proposes relevant suggestions to the user
- If the user approves, opens ports automatically using YaST
So, for example, if the user is trying to set up a webserver and the firewall is blocking access to it, it will suggest opening port 80.
Or if the user tries to browse Samba shares and the firewall blocks the responses, it will suggest opening high ports to allow these responses to get back.
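The matching step for these two cases could look like the sketch below. This is an added example, not the proof of concept's source code. It assumes dropped packets are logged in kernel netfilter format with an `SFW2-...-DROP` prefix, the rule table and function names are hypothetical, and it only makes suggestions for RFC 1918 source addresses so that traffic from outside the internal network never prompts the user to open a port.

```python
import ipaddress
import re

# Hypothetical rule table: (protocol, log field, port) -> suggestion text.
SUGGESTIONS = {
    ("TCP", "DPT", 80): "Web server traffic blocked: open TCP port 80",
    ("UDP", "SPT", 137): "Samba browse responses blocked: open high ports",
}
# Assumption: only RFC 1918 sources count as the internal network.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the kernel netfilter log format.
SAMPLE_LOG = [
    "kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.20 "
    "DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=80",
    "kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.30 "
    "DST=192.168.1.10 PROTO=UDP SPT=137 DPT=40211",
    "kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 "
    "DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=80",
    "kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.168.1.20 "
    "DST=192.168.1.10 PROTO=TCP SPT=51300 DPT=22",
]

def suggest(line):
    """Return a suggestion for one dropped-packet log line, or None."""
    if "SFW2-" not in line or "-DROP" not in line:
        return None  # not a firewall drop event
    fields = dict(FIELD_RE.findall(line))
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
    except ValueError:
        return None  # malformed or missing source address
    if not any(src in net for net in INTERNAL):
        return None  # never propose opening ports for outside traffic
    for (proto, key, port), advice in SUGGESTIONS.items():
        if fields.get("PROTO") == proto and fields.get(key) == str(port):
            return advice
    return None

def suggestions_for(lines):
    """Unique suggestions in first-seen order, so the user is asked once."""
    found = []
    for line in lines:
        advice = suggest(line)
        if advice and advice not in found:
            found.append(advice)
    return found
```

Calling `suggestions_for(SAMPLE_LOG)` yields the web server and Samba suggestions once each; the drop from the external address and the accepted SSH packet produce nothing.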
What do people think about this idea? Does anyone know of any other similar projects for interactive firewalls on Linux? Mandriva has “mandi” but this seems more geared towards being an interactive fail2ban than offering suggestions.
My little demo source code is available if anyone is interested.