Dan Williams wrote:
> On Thu, 2009-06-18 at 21:35 +0100, Graham Lyon wrote:
> > I'm wondering what the plan of action is towards management of
> > firewalls on the desktop. Is this something that NetworkManager should
> > do? I think so. Firewalls, for the average end user, should "just
> > work". A great many Linux distros don't come with a firewall
> > configured by default and there is no default mechanism for
> > interfacing with a firewall and opening ports etc. for any software to
> > use. I'm interested in developing a system to allow NM to identify a
> > network, ask the user to classify this network if it has never been
> > visited before, and then act accordingly (users of Windows Vista will
> > recognise this process). I think it's needed as the average end user
> > will not give themselves a proper firewall configuration. Ever.
>
> Ideally yes, average users shouldn't have to care about ports or
> anything, they should care about *services*.
> [...]
> Firewall UI is a hard problem, and the current Linux stuff just doesn't
> make sense for most users, because they are fundamentally trying to
> provide a UI shell around a simple list of port-based allow/deny rules,
> or worse, a UI shell around every option that iptables provides. That's
> not how you create a usable interface for 85% of the people out there.
Exactly. That's why SuSEfirewall2 allows packages to define what ports
belong to a service so the user no longer needs to care about individual
ports:
http://en.opensuse.org/SuSEfirewall2/Service_Definitions_Added_via_Packages

> What I think *should* happen is fairly intelligent integration between
> NM and some other firewall manager. NM can provide information that a
> firewall definitely wants; if you connect to a WPA or 802.1x protected
> or 3G network, then you can worry a lot less because you're on a fairly
> secure network. If you connect in a public coffee shop with no
> encryption at all, then you definitely want higher security policy in
> the firewall.

The network could be encrypted and still be untrustworthy. I've been in a
hospital recently which had a WPA2 network. Who knows what kind of sick
people are in that network ;-) IOW the machine can't judge. You have to
ask the user or default to untrustworthy.

> Thus, I think that a firewall should interact with NM on a pretty
> fundamental level, and after getting details about the current network
> connection from NM, the firewall manager could make some intelligent
> policy decisions about what security level to enforce.
> [...]
> We could certainly store some sort of "security level" tag on a
> per-connection basis in NetworkManager that would be available to apps
> like a firewall manager, which users could set either in the connection
> editor, or via some other method which we should get user-interaction
> experts to think about. We can even set that tag to reasonable defaults
> based on the connection type.

I didn't know about the discussion here. I created this little app
recently to switch firewall zones as a PoC (in SuSEfirewall2 you configure
zones and then associate interfaces to zones):
http://lizards.opensuse.org/2009/07/10/1453/

Ideally it shouldn't need a separate tray icon of course. That could be
achieved by NM storing the zone for a network itself, i.e. your 'security
level' tag.
Another option is to query and monitor NM, but the NM D-Bus interface
looked too complicated to me for a quick hack like that :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   V_/_  http://www.suse.de/
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
NetworkManager-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/networkmanager-list
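To make the design points of the thread concrete (package-provided service definitions instead of raw ports, a per-network zone tag, and an unknown network defaulting to untrustworthy no matter how it is encrypted), here is a small model written for this page; it is not code from NetworkManager, SuSEfirewall2 or the app linked above, and all service, zone and network names are constructed samples.

```python
# Added illustration, not part of the thread or any project it mentions.
from dataclasses import dataclass, field

# What a package would ship: a service name expanded to its ports, so policy
# is expressed in services rather than port numbers (constructed sample data).
SERVICE_DEFINITIONS = {
    "ssh": {("tcp", 22)},
    "samba": {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)},
    "avahi": {("udp", 5353)},
}

# Zone policy: which services are reachable from each zone (constructed sample).
ZONE_SERVICES = {
    "trusted": {"ssh", "samba", "avahi"},
    "untrusted": set(),  # default-deny: nothing is opened
}


@dataclass
class Network:
    identifier: str  # hypothetical: e.g. an SSID or connection UUID
    encryption: str  # "none", "wpa2", ... - deliberately NOT used for trust


@dataclass
class ZoneStore:
    """Per-network zone tag, i.e. the 'security level' NM could store."""
    tags: dict = field(default_factory=dict)

    def zone_for(self, network: Network) -> str:
        # Encryption says nothing about trust (the hospital WPA2 example), so
        # no zone is inferred from it: a network the user has never classified
        # lands in "untrusted" until they say otherwise.
        return self.tags.get(network.identifier, "untrusted")

    def classify(self, network: Network, zone: str) -> None:
        # Called once the user has answered the "what kind of network is this?"
        # question; only known zones are accepted.
        if zone not in ZONE_SERVICES:
            raise ValueError(f"unknown zone {zone!r}")
        self.tags[network.identifier] = zone


def open_ports(zone: str) -> set:
    """Expand a zone's allowed services into the concrete (proto, port) set."""
    ports = set()
    for service in ZONE_SERVICES[zone]:
        ports |= SERVICE_DEFINITIONS[service]
    return ports
```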
