2009/7/1 Dan Williams <[email protected]>
> Firewall UI is a hard problem, and the current Linux stuff just doesn't
> make sense for most users, because they are fundamentally trying to
> provide a UI shell around a simple list of port-based allow/deny rules,
> or worse, a UI shell around every option that iptables provides. That's
> not how you create a usable interface for 85% of the people out there.
Yes, this has always irked me about firewall management on Linux. The most powerful interface I've ever used was the one in webmin, but I suppose that's one of the ones that supplies all options iptables offers under the sun.

> In any case, it's also not a battle I think NM should be trying to
> fight, nor is it entirely within NM's area of responsibility. Firewalls
> are a level above NM, and the risk of becoming an amoeba gets pretty
> large when talking about adding Firewall, proxy, Captive Portal, etc to
> NM itself.

Agreed.

> What I think *should* happen is fairly intelligent integration between
> NM and some other firewall manager. NM can provide information that a
> firewall definitely wants; if you connect to a WPA or 802.1x protected
> or 3G network, then you can worry a lot less because you're on a fairly
> secure network. If you connect in a public coffee shop with no
> encryption at all, then you definitely want higher security policy in
> the firewall.

Finally, someone agrees :D

> Thus, I think that a firewall should interact with NM on a pretty
> fundamental level, and after getting details about the current network
> connection from NM, the firewall manager could make some intelligent
> policy decisions about what security level to enforce.

So all we need to do is export a "security level" property over D-Bus and then a separate daemon can manage the firewall. I like this idea.

> I think there's a lot of room to improve on Vista's "what location are
> you in" dialog that comes up every time you connect to something new. I
> think it both over-simplifies the problem *and* mis-characterizes it at
> the same time, but I didn't do any UI research that Microsoft presumably
> did. Note that Apple doesn't do this at all, they appear to run with
> maximum firewall at all times, and let specific services punch through
> the firewall automatically (like file sharing) with appropriate warnings
> when you start the service up.
A good point - the Vista GUI has some flaws, but at the moment I can't think of anything better to ascertain the level of security of the network short of outright asking the user. I'd be happy to hear ideas on how we could infer it, but to comment on what you said about 3G networks - they're an internet connection and should therefore be implicitly untrusted and so grouped with public wifi...

> We could certainly store some sort of "security level" tag on a
> per-connection basis in NetworkManager that would be available to apps
> like a firewall manager, which users could set either in the connection
> editor, or via some other method which we should get user-interaction
> experts to think about. We can even set that tag to reasonable defaults
> based on the connection type.
>
> Does that sound anything like what you were thinking about?

Yes.

--Graham
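The following is an added example, not code from the NetworkManager project or from either participant in this thread. It sketches the "separate daemon" Graham proposes: a policy component that takes the per-connection details NM could expose (connection type, link-layer authentication, and an optional user-set security-level tag) and derives a firewall policy from them, with Graham's rule that 3G is grouped with open wifi and Dan's "services punch through only when safe" model. The `Connection` record, the tag values, the `AUTHENTICATED` labels and the `SERVICES` table are all assumptions made for this example; NM's real D-Bus properties are not modelled, and the iptables commands are returned as strings rather than executed.

```python
# Added example (not NetworkManager code): a firewall-policy daemon that
# consumes a per-connection security level and emits iptables rules.
from dataclasses import dataclass
from typing import Dict, List, Optional

TRUSTED = "trusted"
UNTRUSTED = "untrusted"

# Hypothetical labels standing in for the key-management / 802.1x details
# a firewall daemon would read from NM; the real property names differ.
AUTHENTICATED = {"wpa-psk", "wpa-eap", "802.1x"}

# Services allowed to "punch through" the firewall. Ports are the standard
# ones for the named protocols; which services exist is an assumption.
SERVICES: Dict[str, List[str]] = {
    "file-sharing": ["tcp/445", "tcp/139"],   # SMB/CIFS
    "ssh": ["tcp/22"],
}


@dataclass
class Connection:
    """Hypothetical per-connection record exported by NM (assumed shape)."""
    iface: str
    conn_type: str                      # "wifi", "ethernet" or "gsm" (3G)
    key_mgmt: Optional[str] = None      # member of AUTHENTICATED, or None (open)
    security_tag: Optional[str] = None  # explicit user override, if set


def infer_security_level(conn: Connection) -> str:
    """Default level from the connection type; an explicit tag always wins."""
    if conn.security_tag in (TRUSTED, UNTRUSTED):
        return conn.security_tag
    if conn.conn_type == "gsm":
        # 3G is an internet connection: treat it like public wifi.
        return UNTRUSTED
    if conn.conn_type in ("wifi", "ethernet"):
        # Only a link authenticated with WPA / 802.1x earns trust by default.
        return TRUSTED if conn.key_mgmt in AUTHENTICATED else UNTRUSTED
    return UNTRUSTED  # unknown connection types fail closed


def build_rules(conn: Connection, enabled_services: List[str]) -> List[str]:
    """iptables commands (as strings) for this interface.

    Inbound traffic is dropped by default; the user's enabled services are
    opened only when the connection is trusted, so flipping to an open
    coffee-shop network automatically closes them again.
    """
    level = infer_security_level(conn)
    i = conn.iface
    rules = [f"iptables -A INPUT -i {i} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    if level == TRUSTED:
        for svc in enabled_services:
            for spec in SERVICES.get(svc, []):
                proto, port = spec.split("/")
                rules.append(f"iptables -A INPUT -i {i} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A INPUT -i {i} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample connections, as a daemon might see them on change.
    samples = [
        Connection("wlan0", "wifi", "wpa-psk"),                    # home WPA
        Connection("wlan0", "wifi", None),                         # open coffee shop
        Connection("ppp0", "gsm"),                                 # 3G
        Connection("ppp0", "gsm", security_tag=TRUSTED),           # user override
    ]
    for c in samples:
        print(f"{c.iface} {c.conn_type}/{c.key_mgmt} -> {infer_security_level(c)}")
        for r in build_rules(c, ["file-sharing"]):
            print("   ", r)
```

The design choice worth noting is that the explicit per-connection tag overrides the inferred default, which is exactly the split Dan describes (reasonable defaults from connection type, user-settable in the connection editor), while leaving the inference itself conservative: anything the daemon cannot classify is treated as untrusted.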
_______________________________________________
NetworkManager-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/networkmanager-list
