Firewall settings: User interface review and questions

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Firewall settings: User interface review and questions

Matthew Paul Thomas
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

Part of the planned "Desktop-side networking enhancements"
<https://launchpad.net/ubuntu/+spec/desktop-o-desktop-network-enhancements>
is the addition of a graphical interface for configuring a firewall.

Mathieu Trudel-Lapierre and I have been working on a design for the
firewall settings. Here's what we have so far:
<https://wiki.ubuntu.com/OneiricDesktopNetworkEnhancementsSpec#Design>

We'd appreciate a general sanity check for these settings, from people
who know more about security than we do. Are they missing anything
highly useful? Or is there anything there that shouldn't be?

There are also two specific questions we have:

*   Does Ubuntu have any "essential" incoming connections, which should
    be allowed in the normal case even when the firewall is turned on?
    (As a comparison, Mac OS X identifies "DHCP, Bonjour, and IPSec" as
    essential.)

    -   If so, how much use is it to have a graphical setting for
        blocking even those "essential" connection types?

*   Does Ubuntu have any "essential" outgoing connections? Web
    browsing? E-mail? Avahi?

Thanks
- --
mpt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4DZdwACgkQ6PUxNfU6ecoDrACgrtXCB2DRPVCRnGbgdWP0VZD7
k4gAn33YQoYa+g+ivPqXXWU5762EhkL3
=f4pS
-----END PGP SIGNATURE-----

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
Reply | Threaded
Open this post in threaded view
|

Re: Firewall settings: User interface review and questions

Kees Cook-8
Hi,

On Thu, Jun 23, 2011 at 05:12:13PM +0100, Matthew Paul Thomas wrote:

> Part of the planned "Desktop-side networking enhancements"
> <https://launchpad.net/ubuntu/+spec/desktop-o-desktop-network-enhancements>
> is the addition of a graphical interface for configuring a firewall.
>
> Mathieu Trudel-Lapierre and I have been working on a design for the
> firewall settings. Here's what we have so far:
> <https://wiki.ubuntu.com/OneiricDesktopNetworkEnhancementsSpec#Design>
>
> We'd appreciate a general sanity check for these settings, from people
> who know more about security than we do. Are they missing anything
> highly useful? Or is there anything there that shouldn't be?

First, please make sure the UI will interface correctly with "ufw",
which is the official Ubuntu firewall tool. Jamie Strandboge, as the
author, can help guide you there.

> There are also two specific questions we have:
>
> *   Does Ubuntu have any "essential" incoming connections, which should
>     be allowed in the normal case even when the firewall is turned on?
>     (As a comparison, Mac OS X identifies "DHCP, Bonjour, and IPSec" as
>     essential.)

Yes, they are outlined in what we consider "Infrastructure Services":
https://wiki.ubuntu.com/SecurityTeam/Policies#No_Open_Ports
and we make case-by-case exceptions for them (presently DHCP and Avahi/mDNS).

>     -   If so, how much use is it to have a graphical setting for
>         blocking even those "essential" connection types?

Since they would break the functionality of most systems, I'm not sure it's
a great idea, but ufw does allow control over it, so it's really up to us
about how to present it in the UI.

> *   Does Ubuntu have any "essential" outgoing connections? Web
>     browsing? E-mail? Avahi?

At present, we view everything as essential. Since there is no way
currently to sanely hook outgoing traffic and pop up dialogs about "do you
want Program talking to the internet?" it doesn't make much sense to try to
filter it.

In fact, we don't believe in filtering _incoming_ traffic by default
because of the no open ports policy. There's nothing listening, so why
confuse things and make it harder for people to install services they want
listening only to have the firewall block them by default?

-Kees

--
Kees Cook
Ubuntu Security Team

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
Reply | Threaded
Open this post in threaded view
|

Re: Firewall settings: User interface review and questions

Jamie Strandboge-3
On Thu, 2011-06-23 at 10:30 -0700, Kees Cook wrote:

> Hi,
>
> On Thu, Jun 23, 2011 at 05:12:13PM +0100, Matthew Paul Thomas wrote:
> > Part of the planned "Desktop-side networking enhancements"
> > <https://launchpad.net/ubuntu/+spec/desktop-o-desktop-network-enhancements>
> > is the addition of a graphical interface for configuring a firewall.
> >
> > Mathieu Trudel-Lapierre and I have been working on a design for the
> > firewall settings. Here's what we have so far:
> > <https://wiki.ubuntu.com/OneiricDesktopNetworkEnhancementsSpec#Design>
> >
> > We'd appreciate a general sanity check for these settings, from people
> > who know more about security than we do. Are they missing anything
> > highly useful? Or is there anything there that shouldn't be?
>
> First, please make sure the UI will interface correctly with "ufw",
> which is the official Ubuntu firewall tool. Jamie Strandboge, as the
> author, can help guide you there.
>
Indeed, Mathieu and I have been in discussions about this and I have a
work item already. :)

> > There are also two specific questions we have:
> >
> > *   Does Ubuntu have any "essential" incoming connections, which should
> >     be allowed in the normal case even when the firewall is turned on?
> >     (As a comparison, Mac OS X identifies "DHCP, Bonjour, and IPSec" as
> >     essential.)
>
> Yes, they are outlined in what we consider "Infrastructure Services":
> https://wiki.ubuntu.com/SecurityTeam/Policies#No_Open_Ports
> and we make case-by-case exceptions for them (presently DHCP and Avahi/mDNS).
ufw takes these into account as well. When it is enabled and in
enforcing mode, it allows dhcp, avahi, ping and some other stuff that is
generally needed. For a full list, see /etc/ufw/before*.rules

> >     -   If so, how much use is it to have a graphical setting for
> >         blocking even those "essential" connection types?
>
> Since they would break the functionality of most systems, I'm not sure it's
> a great idea, but ufw does allow control over it, so it's really up to us
> about how to present it in the UI.

The ufw API and cli command do not currently expose turning off these
'essential' connection types. I don't think it is worthwhile exposing
this in the gui. ufw uses good defaults for most people. Those who need
more can edit the /etc/ufw/before*rules directly IMHO.

> > *   Does Ubuntu have any "essential" outgoing connections? Web
> >     browsing? E-mail? Avahi?
>
> At present, we view everything as essential. Since there is no way
> currently to sanely hook outgoing traffic and pop up dialogs about "do you
> want Program talking to the internet?" it doesn't make much sense to try to
> filter it.

This is correct. The ufw API and cli command do provide for egress
filtering though, so this could be exposed in the gui if desired. In
general I don't think this needs to be exposed in the gui.

> In fact, we don't believe in filtering _incoming_ traffic by default
> because of the no open ports policy. There's nothing listening, so why
> confuse things and make it harder for people to install services they want
> listening only to have the firewall block them by default?

This could conceivably be revisited if there was a gui tool to adjust
the firewall. In general, I think opting into the firewall is a good
idea since people have the chance to realize if something breaks it is
because of something they did. ufw does have debconf functionality for
preseeding (enable/disable and basic opening of ports), so it is
possible to add a question in ubiquity if desired, though I'm not sure
that is desirable if the firewall configuration is easily discoverable
via network manager.

--
Jamie Strandboge             | http://www.canonical.com

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

signature.asc (853 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Firewall settings: User interface review and questions

Jim Tarvid
In reply to this post by Kees Cook-8
On Thu, Jun 23, 2011 at 1:30 PM, Kees Cook <[hidden email]> wrote:

> Hi,
>
> On Thu, Jun 23, 2011 at 05:12:13PM +0100, Matthew Paul Thomas wrote:
>> Part of the planned "Desktop-side networking enhancements"
>> <https://launchpad.net/ubuntu/+spec/desktop-o-desktop-network-enhancements>
>> is the addition of a graphical interface for configuring a firewall.
>>
>> Mathieu Trudel-Lapierre and I have been working on a design for the
>> firewall settings. Here's what we have so far:
>> <https://wiki.ubuntu.com/OneiricDesktopNetworkEnhancementsSpec#Design>
>>
>> We'd appreciate a general sanity check for these settings, from people
>> who know more about security than we do. Are they missing anything
>> highly useful? Or is there anything there that shouldn't be?
>
> First, please make sure the UI will interface correctly with "ufw",
> which is the official Ubuntu firewall tool. Jamie Strandboge, as the
> author, can help guide you there.
>
>> There are also two specific questions we have:
>>
>> *   Does Ubuntu have any "essential" incoming connections, which should
>>     be allowed in the normal case even when the firewall is turned on?
>>     (As a comparison, Mac OS X identifies "DHCP, Bonjour, and IPSec" as
>>     essential.)
>
> Yes, they are outlined in what we consider "Infrastructure Services":
> https://wiki.ubuntu.com/SecurityTeam/Policies#No_Open_Ports
> and we make case-by-case exceptions for them (presently DHCP and Avahi/mDNS).
>
>>     -   If so, how much use is it to have a graphical setting for
>>         blocking even those "essential" connection types?
>
> Since they would break the functionality of most systems, I'm not sure it's
> a great idea, but ufw does allow control over it, so it's really up to us
> about how to present it in the UI.
>
>> *   Does Ubuntu have any "essential" outgoing connections? Web
>>     browsing? E-mail? Avahi?
>
> At present, we view everything as essential. Since there is no way
> currently to sanely hook outgoing traffic and pop up dialogs about "do you
> want Program talking to the internet?" it doesn't make much sense to try to
> filter it.
>
> In fact, we don't believe in filtering _incoming_ traffic by default
> because of the no open ports policy. There's nothing listening, so why
> confuse things and make it harder for people to install services they want
> listening only to have the firewall block them by default?
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
> --
> ubuntu-hardened mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>
As one of the guys with boots on the ground, this discussion fails to
recognize real world issues.

In our practice, primary focus of security is on gateways not
individual machines. Some of these gateways are appliances, many of
those run DD-WRT or Open-WRT, others are Ubuntu servers. Better
integration with appliance gateways would be welcome.

The Ubuntu gateways are firewalled and depend on netfilter. The most
convivial interface for us has been Webmin. An amazing amount of
effort has been spent on alternatives to and deprecation of Webmin.
After getting burned by this apostasy, I am reluctant to enter that
battle. Webmin works for me.

I need to insure administrative access for a handful of machines,
access to a few public servers, deny access to a substantial number of
hostile subnets and permit my users to do largely do what they want in
peace.

Jim Tarvid

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened