Firewall and user services that needs open ports

[Alexander Boström]

mån 2008-06-23 klockan 12:58 -0400 skrev Chuck Anderson:

> Right, but the default firewall rules don't do that.

The default filrewall doesn't filter anything on the loopback interface,
does it? Or you mean traffic on an external interface but using a source
IP address of the host?

> By default maybe the firewall should be off.

Well, a firewall should only be an added protection. If you want a
caching nameserver locally then make sure it only binds to the loopback
interface even if you have a firewall. Same thing with sendmail. It only
listens locally by default, even though there's a firewall. That's how
it should be. Anything else is way too risky. A quick service iptables
stop shouldn't leave you wide open, just without a safety net.

It's probably good to have a firewall, but regular users needs a good
tool to manage it. The question is, what range of options does it need
and how much of the configuration can be automated?

Some thoughts:

 Not everyone would want the /proc/sys/net/ipv4/ip_local_port_range open
for UDP/TCP/SCTP, but it should be an option, perhaps the default.

 Options for specific service-related ports such as ssh or VNC. (Btw,
VNC, security and usability is unfortunately a topic for a whole
thread.)

 Profiles for "server", "desktop" and so on.

 Manage both iptables and ip6tables together.

 Open ports automatically based on running services? Then what's the
point?

 Perhaps a built-in view of listening sockets?

With sane defaults, users installing a desktop machine shouldn't have to
care about the firewall. And on server machines the sane defaults should
mean you have fairly good protection and only need to open up things for
services you start.

But yes, the above can be done with SELinux as well. Maybe that will
could actually provide a better user experience since you'd get error
messages when binding sockets instead of mostly silently dropped
packets.

/abo