March 24, 2008
openSUSE comes with a firewall (SuSEfirewall2) which is enabled by default on desktop installation and drops all incoming traffic. There are often discussions as to whether this is a good thing or not, with strong opinions on either side. I won’t get into those.
The problem for users is that some things such as
- Samba share browsing
- File sharing
- Remote access
will fail to work, often silently. Some people just assume that the function is broken. Fewer think to disable the firewall and try again. Still fewer are able to open just the ports they require in the firewall. One of the most frequently asked questions on IRC is why Samba browsing does not work.
Obviously simply having the firewall disabled by default for internal networks would solve the problem. However, this is an unpopular option amongst some, and if the firewall is enabled it should still be possible to help the user know what to do.
I knocked up a little proof of concept application which:
- Watches events in the firewall log
- Matches those events against predefined suggestions
- Proposes relevant suggestions to the user
- If the user approves, opens the ports automatically using YaST
So, for example, if the user is trying to set up a webserver and the firewall is blocking access to it, it will suggest opening port 80.
Or if the user tries to browse Samba shares and the firewall blocks the responses, it will suggest opening high ports to allow these responses to get back.
What do people think about this idea? Does anyone know of any other similar projects for interactive firewalls on Linux? Mandriva has “mandi” but this seems more geared towards being an interactive fail2ban than offering suggestions.
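As an added sketch of the "watch and match" step (my own example, not the demo code from the post): it parses SuSEfirewall2 drop lines from the firewall log and maps them to predefined suggestions, only counting drops from RFC 1918 sources so that Internet noise never prompts the user to open a port. The sample log lines are constructed, and the log prefix, suggestion texts and LAN-only rule are my assumptions.

```python
import ipaddress
import re

# Constructed sample of SuSEfirewall2 drop lines (assumed iptables LOG prefix); not a real capture.
SAMPLE_LOG = """\
kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=45678 DPT=80 SYN
kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.7 DST=192.168.1.10 PROTO=UDP SPT=137 DPT=40123 LEN=58
kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=45679 DPT=80 SYN
kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=8.8.8.8 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=80 SYN
"""

PREFIX = "SFW2-INext-DROP-DEFLT"
FIELD_RE = re.compile(r"(\w+)=(\S*)")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_drop(line):
    """Return the key=value fields of one SFW2 drop line as a dict, or None for other lines."""
    if PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(PREFIX, 1)[1]))
    for key in ("SPT", "DPT"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def is_lan(addr):
    """Only RFC 1918 sources count; drops caused by Internet hosts never prompt the user."""
    return any(ipaddress.ip_address(addr) in net for net in LAN_NETS)

# Predefined suggestions: (id, predicate over parsed fields, text shown to the user).
SUGGESTIONS = [
    ("http", lambda f: f.get("PROTO") == "TCP" and f.get("DPT") == 80,
     "Web server: allow incoming TCP port 80 (http) in the YaST firewall module."),
    ("samba-browse", lambda f: f.get("PROTO") == "UDP" and f.get("SPT") in (137, 138)
     and f.get("DPT", 0) >= 1024,
     "Samba browsing: allow NetBIOS replies from UDP 137/138 back to high ports."),
]

def suggest(log_text, min_hits=1):
    """Map LAN drops to suggestions; return {id: (hits, text)} for ids seen >= min_hits times."""
    hits = {}
    for line in log_text.splitlines():
        f = parse_drop(line)
        if not f or not is_lan(f.get("SRC", "0.0.0.0")):
            continue
        for sid, pred, text in SUGGESTIONS:
            if pred(f):  # each matching rule is counted once per dropped packet
                hits[sid] = (hits.get(sid, (0, text))[0] + 1, text)
    return {sid: v for sid, v in hits.items() if v[0] >= min_hits}
```

A real watcher would tail the log and raise `min_hits` so a single stray packet does not produce a prompt.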
My little demo source code is available if anyone is interested.
I fixed a few bugs/wishes in the openSUSE “one click install” handler last week.
Amongst potentially interesting changes are:
- Addition of command line support, as I previously mentioned
- Tidied up the UI a little: removed the somewhat cryptic “advanced mode” checkbox in favour of an editable proposal, as used elsewhere in YaST
- “Don’t show this again” support for the nag warning
Clicking customise gives the equivalent of the old advanced mode.