March 24, 2008

Interactive Firewalls?

openSUSE comes with a firewall (SuSEfirewall2) which is enabled by default on desktop installations. In the default configuration every interface sits in the external zone, so unsolicited incoming connections are dropped; replies to connections the machine itself opened are still let through by connection tracking. There are often discussions as to whether this is a good thing or not, with strong opinions on either side. I won’t get into those.

The problem for users is that some things such as

  • Samba share browsing
  • File sharing
  • Remote access
  • Avahi

will fail to work, often silently. Some people just assume that the function is broken. Fewer think to disable the firewall and try again. Still fewer are able to open just the ports they need in the firewall. One of the most frequently asked questions on IRC is why Samba browsing does not work.

Obviously, simply disabling the firewall by default on internal networks would solve the problem. However, this is an unpopular option with some people, and if the firewall is enabled it should still be possible to help the user work out what to do.

I knocked up a little proof-of-concept application which

  • Watches events (dropped-packet log lines) in the firewall log
  • Matches those events against predefined suggestions
  • Proposes relevant suggestions to the user
  • If the user approves, opens the ports automatically using YaST

So, for example, if the user is trying to set up a web server and the firewall is blocking access to it, it will suggest opening port 80.

Or if the user tries to browse Samba shares and the firewall blocks the responses, it will suggest opening high ports so that these responses can get back in. (Samba browsing breaks because the NetBIOS name-service replies come from UDP port 137 to an unprivileged port on the client and, since the query went out to the broadcast address, are not recognised as replies by connection tracking. Opening all high ports is far too broad a fix, as several of the comments below point out; the point of the demo is the event-to-suggestion matching, not that particular suggestion.)
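As an added illustration of the matching step (example code written for this page, not the demo the post links to), the script below parses a few constructed SuSEfirewall2 drop lines from the kernel log, matches them against a small rule table and emits suggestions. Assumptions: the local subnet (192.168.1.0/24) and the set of listening sockets are passed in rather than read from the running system, and the `FW_SERVICES_ACCEPT_EXT` entry syntax (`net,proto[,dport][,sport]`) is recalled from the comments in the SuSEfirewall2 sysconfig file and should be checked against /etc/sysconfig/SuSEfirewall2 before use. Unlike the demo, it scopes each suggestion to the source network instead of opening all high ports, only proposes opening a port when something actually listens on it, collapses a burst of retries into one suggestion, and never proposes anything for packets from outside the local network.

```python
"""Example event-to-suggestion matcher for SuSEfirewall2 drop logs.

Added example for this page, not the demo code the post links to.  The local
subnet, the listening sockets and the FW_SERVICES_ACCEPT_EXT line format are
assumptions supplied by hand here rather than read from the running system.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed sample lines in SuSEfirewall2's kernel-log format (not a real capture).
SAMPLE_LOG = """\
Mar 24 15:59:01 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 24 15:59:02 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=45679 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 24 15:59:03 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.21 DST=192.168.1.10 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=33456 LEN=209
Mar 24 15:59:04 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=45680 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 24 15:59:05 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=5 PROTO=TCP SPT=6000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (SFW2-\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # bare flags such as DF and SYN are skipped


@dataclass
class Event:
    prefix: str
    src: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]


def parse_line(line: str) -> Optional[Event]:
    """Turn one kernel-log line into an Event, or None if it is not an SFW2 line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    kv = dict(KV_RE.findall(rest))        # for UDP the second LEN= simply wins
    if "SRC" not in kv or "PROTO" not in kv:
        return None
    port = lambda k: int(kv[k]) if k in kv else None   # ICMP lines carry no ports
    return Event(prefix, kv["SRC"], kv["PROTO"].lower(), port("SPT"), port("DPT"))


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]
    needs_listener: Optional[tuple]            # only suggest if this socket is open
    fix: Callable[[str], str]                  # local net -> sysconfig line


# Assumed FW_SERVICES_ACCEPT_EXT syntax: net,proto[,dport][,sport]; verify it
# against the comments in /etc/sysconfig/SuSEfirewall2 on the target system.
RULES = [
    Rule("web server", lambda e: e.proto == "tcp" and e.dpt == 80,
         ("tcp", 80), lambda net: f'FW_SERVICES_ACCEPT_EXT="{net},tcp,80"'),
    # NetBIOS name-service replies: UDP from port 137 to an unprivileged port.
    Rule("samba browsing reply",
         lambda e: e.proto == "udp" and e.spt == 137 and (e.dpt or 0) >= 1024,
         None, lambda net: f'FW_SERVICES_ACCEPT_EXT="{net},udp,,137"'),
]


def suggest(log_text: str, local_net: str, listening):
    """Return (suggestions, ignored) for a block of log text.

    One suggestion per rule, however many packets matched, so a burst of
    retries yields a single prompt.  Packets from outside local_net are
    counted in `ignored` and never generate a suggestion.
    """
    net = ip_network(local_net)
    found = {}
    ignored = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev.prefix.endswith("-DROP-DEFLT"):
            continue
        if ip_address(ev.src) not in net:
            ignored += 1
            continue
        for rule in RULES:
            if not rule.match(ev):
                continue
            if rule.needs_listener and rule.needs_listener not in listening:
                continue                       # nothing behind the port: stay quiet
            s = found.setdefault(rule.name, {"rule": rule.name, "count": 0,
                                             "sources": set(), "fix": rule.fix(local_net)})
            s["count"] += 1
            s["sources"].add(ev.src)
    return list(found.values()), ignored


if __name__ == "__main__":
    # Constructed listener set; a real tool would read it from `ss -lntu`.
    suggestions, ignored = suggest(SAMPLE_LOG, "192.168.1.0/24", {("tcp", 80)})
    for s in suggestions:
        print(f"{s['rule']}: {s['count']} blocked packet(s) from "
              f"{', '.join(sorted(s['sources']))} -> suggest {s['fix']}")
    print(f"{ignored} packet(s) from outside the local network ignored")
```

Run as-is, the web-server rule fires once for the two retries from 192.168.1.20, the Samba rule fires for the reply from 192.168.1.21, the attempt on port 22 is silent because nothing listens there, and the probe from 203.0.113.9 is only counted. Applying the generated line and reloading the firewall (the YaST step in the post) is deliberately left out; the example stops at producing the text the user would be asked to approve.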

More screenshots here

What do people think about this idea? Does anyone know of any other similar projects for interactive firewalls on Linux? Mandriva has “mandi”, but this seems more geared towards being an interactive fail2ban than offering suggestions.

My little demo source code is available if anyone is interested.

  1. Justin Haygood

    Something like this would be very useful. Maybe SuSEfirewall2 should implement a dbus API so that KDE/GNOME clients can listen to and monitor the happenings, as well as potentially unlock services, etc.. via PolicyKit.

    24 Mar 2008, 16:01

  2. houghi

    This is OK, if the application first checks if there is actually something running behind it. So no warnings when you have no Apache running, for example. Also it should be easy to turn off, as many people do not have the root password anyway on a multi-user system.

    Might I suggest changing the ‘someone’ to an IP address and domain name.

    Obviously there should be a HUGE warning that opening it will allow everybody to access the machine. Also please NEVER include port 25 in this.

    24 Mar 2008, 17:05

  3. dh

    As a plain old user I’ve often struggled with opening only the right ports in order to get things like Samba and BitTorrent working. Something like this would help a lot.

    This is about the only area in which I envy my wife’s and daughters’ winders installs. Why? Because ZoneAlarm pays attention to what is happening and asks if I (they) want to allow it. It’s also nice to know what program is asking for access to the internet.

    Good luck, I hope this leads to something good.

    24 Mar 2008, 17:29

  4. Felix-Nicolai Mueller

    I like the idea. So go for it. Just keep in mind that the user is the weakest vector security-wise. So the application should do more than just make the user click “OK”, “next”, “accept”.


    24 Mar 2008, 17:34

  5. Christopher

    I would be game for the idea so long as it could be disabled. The last thing I need is more tray icons popping up. Reminds me too much of Windows.

    24 Mar 2008, 17:43

  6. Michael Wright

    I have been wondering whether such a feature would be implemented in openSUSE. Really cool!!!!
    I agree with Justin Haygood, SuSEfirewall2 should use a DBUS API. Rock on

    24 Mar 2008, 19:01

  7. Anon

    I almost never post for anything, but after giving up on samba because I could never get the right ports open (disabling the firewall is obviously not an option) this sounds like the best idea I’ve read in weeks.

    Please, Please, Please implement something like this.

    25 Mar 2008, 08:37

  8. Marcus Meissner

    This dialog just disables the firewall (allowing all high ports is basically just the same as disabling in the end).

    You don’t need a firewall then at all and could do this even more simply with “rcSuSEfirewall stop”.

    There needs to be NAT iptables knowledge or similar for such a thing, not just “open all ports”.

    25 Mar 2008, 14:10

  9. Angst

    This is a good example that shows how to not do that. Opening almost all ports in the external zone defeats the purpose of having the firewall in the first place.
    Correct solutions would be for example to
    - put the interface into the internal zone
    - use FW_TRUSTED_NETS or FW_SERVICES_ACCEPT_EXT to only grant specific networks additional access
    - load nf_conntrack_netbios_ns

    25 Mar 2008, 14:13

  10. walter

    This would be really helpful. In my opinion, the firewall is the only drawback of openSUSE for regular home users. I’ve done multiple installs of SUSE 9.3 through openSUSE 10.3, and the only problem was always the firewall. An alternative would be to make the YaST module easier to understand, or include some kind of wizard.

    Good luck with your idea, I hope it will make it into openSUSE 11.0

    25 Mar 2008, 14:31

  11. Lukas Ocilka

    Users might get annoyed very soon if their desktop kept opening pop-up windows over and over again. You’ll maybe need an “Ignore this (request) next time” functionality. I know exactly this behavior from Kerio Personal Firewall (Windows) and it actually IS very annoying.

    Of course, there should be some better logic than just offering to open a port which is requested but I’m sure you know that ;) Nevertheless, your idea and the quick demo presented here looks very promising.

    25 Mar 2008, 14:34

  12. Lukas Ocilka

    The current YaST Firewall is on one hand quite hard to understand; on the other hand, some users still want to add expert features. The only possible solution would be to have something like a user-level configurable option (e.g., “[x] I’m an expert user” ;)).

    Of course, Walter, if there was anything hard to understand I’d like to hear what it was and why. Thx

    25 Mar 2008, 14:40

  13. Gabriel Stein

    Hey man! Congratulations! Really, it is perfect! These things improve the user experience with Linux. I will make a suggestion about connections. If you have an Apache server, for example, it’s a good thing to decide if you will open it to external connections or only localhost connections.

    Think about a little option, like “What kind of use will you make of it?” (X) localhost ( ) External Access

    This is so important to allow or deny outcoming connections of basic services, like Apache, Samba and DNS.

    PS: I will put your suggestion on my blog(link), its a great idea!


    25 Mar 2008, 17:10

  14. @Marcus Indeed – but it is just an example of matching an event to a solution. In the samba case it is not a good solution. The event can be anything the firewall provides, the solution can be anything that is possible with the firewall.

    25 Mar 2008, 17:23

  15. @Angst I think you’re missing the point. I was only trying to demonstrate the possibility of matching an event to a solution.

    Incidentally, I couldn’t get netbios connection tracking to work, does it work for you with IPv6 enabled?

    25 Mar 2008, 17:27

  16. bill

    I think the idea is great. I’d also like a Linux firewall like ZoneAlarm which prohibits internal applications from accessing the internet without permission (i.e. a pop-up states the following app is attempting to access the internet – allow?).

    25 Mar 2008, 19:13

  17. qwe

    Maybe like this ?

    26 Mar 2008, 10:44

  18. andrew

    Great idea. This addresses something that is often a real pain to get working and is often handled better for the average user in windows. Good luck with completing the concept and I hope to see it available in OpenSUSE soon.

    27 Mar 2008, 08:43

  19. Angst

    I perfectly understand that you match firewall events to actions and the example shows that something like that just leads the user to a wrong solution. An applet like that is going to be annoying as hell if you are actually connected to the internet. There are portscans and connection attempts on all kinds of ports all the time. I’m still convinced that the key to making the firewall understandable is the UI of the yast firewall module. IMHO there hasn’t been enough research on that topic esp from non low level, technical thinking persons.
    The best configuration actually would be to not start cups and sshd by default so a firewall isn’t needed in the first place. No one was brave enough to demand that yet though :-)

    Wrt ipv6, yes there is a lot still missing on the kernel side. File bug reports against the kernel/netfilter.

    27 Mar 2008, 08:54

  20. @Angst
    I completely agree about the user interface of the firewall module.

    sshd is not started by default (you have to select to start it during installation), and I believe cupsd only listens on localhost. So by your definition we don’t need a firewall in the first place. This is an unpopular option though.

    I somewhat agree with your other points, certainly many issues to consider as to whether or how to develop the idea.

    27 Mar 2008, 11:00

  21. @Angst
    If I remember correctly, Ubuntu does the no firewall, no servers bit by default (on the Desktop version at least).

    I thought most people were behind NAT these days anyway, this reduces the problem of random crap coming in from the internet.

    I like the idea in general though, just needs a few tweaks to control the amount of information being displayed IMHO.

    27 Mar 2008, 16:04

  22. Galo

    That is wonderful!
    It is this kind of interactive application that some Windows users feel is missing on Linux. Some “wizard” to guide the simple user (like me) to set up the Linux firewall. It would be nice to also see reports of connection attempts from the outside to the SUSE box.
    PS: where can I download the RPM for my openSUSE 10.3?

    29 Mar 2008, 00:12

  23. Jan Engelhardt

    Why bother with reading firewall logs? It is a technically ugly solution, especially if you can just directly tap into the system with TuxGuardian.

    29 Mar 2008, 22:31

  24. Peter

    Yeah, that new idea of a firewall sounds really good! What would also be very good to have is a real-time network monitor where you can see what goes in and out and where you can deny or allow each single connection. Then it would also be useful if the firewall had different modes like “deny all”, “allow all”, “allow all that is not denied”, “deny all that is not allowed” and an “assistant” (which will ask for everything and maybe suggest a preset for often-used programs and protocols (web browsing, ICQ, IRC, Samba, and so on)).

    11 Apr 2008, 17:36
