F19 Firewall

Miloslav Trmač mitr at volny.cz
Thu Sep 26 14:09:04 UTC 2013


On Tue, Sep 24, 2013 at 8:11 PM, Kurt Seifried <kseifried at redhat.com> wrote:
> 1) it would be nice to have capabilities like "do you want to let
> program X talk to the internet/receive connections" for client
> software with a GUI notification (like basically all the windows
> client/Mac OS X client firewall stuff). I would say this is probably
> the biggest capability needed for normal end users.

This really doesn't work.  On the UI level:

* It's impossible to ask about outgoing connections: "Do you want the
/usr/bin/yncp program to connect to 23.56.68.226 port 31337?"  At
best, the user will be afraid and click "no"; or perhaps they will
guess that yncp stands for "your new chat program" that has been
recently installed, and understand that it wants to connect - and
of course they want the chat program to connect.  Nobody will ever
realize that that IP address is what www.nsa.gov resolves to, and that
the port is the default for Back Orifice.

* It's impossible to ask about opening listening sockets: "Do you want
/usr/bin/yncp to accept connection requests over the Internet?"  - "Of
course I want my chat program to accept conversations!"

* There isn't any practical difference between the two any more
anyway, due to the prevalence of NAT firewalls.

On the security architecture level, we don't have a concept of
"program X" that is good enough for making security decisions (e.g.
due to ptrace, shared access to the configuration in home directory,
lack of X11 access control).  This is a known problem, and is being
slowly worked on, and will hopefully eventually be solved; however the
UI problems are pretty much unsolvable.


> Overall I'm not really sure firewalld solves much, anyone running a
> server will probably be able to tweak iptables to allow incoming
> services they want.
Anyone running a server will probably be able to learn iptables if
they have to.  Still,
> -A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
is a pretty sad thing to have to type in 2013 - we have all these
computer things that are supposedly good at automating boring work, so
why shouldn't this be automated/abstracted away by the computer?

> So do we aim it at the end user/workstation style
> usage primarily (especially ones that move around networks)?

No, firewalld is primarily aimed at "network end-points", managed by
an administrator who understands IP networks but does not necessarily
know iptables by heart.
    Mirek
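The abstraction the reply argues for, as an added example that is not part of this thread or of firewalld itself: a small Python translator that reads a service definition in firewalld's service-XML format (the element and attribute names are firewalld's; the mDNS sample below is constructed here, with ff02::fb as the standard IPv6 mDNS group) and emits the iptables rule quoted above, so the administrator names the service instead of typing the rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout firewalld uses for
# /usr/lib/firewalld/services/<name>.xml (values here are for mDNS).
MDNS_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>mDNS</short>
  <description>Multicast DNS on the local link.</description>
  <port protocol="udp" port="5353"/>
  <destination ipv4="224.0.0.251" ipv6="ff02::fb"/>
</service>
"""


def service_to_iptables(xml_text, family="ipv4"):
    """Translate one service definition into iptables INPUT rules.

    Every <port> becomes one ACCEPT rule for NEW connections.  If the
    service carries a <destination> for the requested address family,
    the rule is narrowed to that address (the multicast group, for mDNS),
    so the port is not opened for unicast traffic as a side effect.
    """
    root = ET.fromstring(xml_text)
    dest = root.find("destination")
    dest_addr = dest.get(family) if dest is not None else None
    host_mask = "32" if family == "ipv4" else "128"
    rules = []
    for port in root.findall("port"):
        proto = port.get("protocol")
        # firewalld writes ranges as "low-high"; iptables wants "low:high".
        number = port.get("port").replace("-", ":")
        parts = ["-A INPUT"]
        if dest_addr is not None:
            parts.append(f"-d {dest_addr}/{host_mask}")
        parts += [f"-p {proto}", f"-m {proto}", f"--dport {number}",
                  "-m conntrack --ctstate NEW", "-j ACCEPT"]
        rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    for rule in service_to_iptables(MDNS_SERVICE_XML):
        print(rule)
```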

