UncomplicatedFirewall
* Launchpad Entry: ubuntu-firewall
Summary
Create a high level language for iptables firewall configuration. The language would be based on OpenBSD's PF syntax, along with any improvements to make it easier for users (PF provides a compact, easy to understand firewall language). Initially, the language will consist of only a subset of PF functionality, but eventually could include queuing and traffic optimization.
In addition to the higher level language, ubuntu-firewall should provide packaging integration to make it easier for network daemon packages to integrate with the firewall.
It is important to note that this is not simply 'Yet Another Firewall Tool', but rather a high level firewall language to make firewall configuration easier for users, packaging, and tools.
Release Note
ubuntu-firewall will not affect users in the default installation as the tool will not dictate a default firewall policy for all users. Users will have to explicitly enable ubuntu-firewall if they want to use it.
Rationale
Ubuntu currently does not have an integrated firewall in its base installation. Additionally, the tools that are available to create a firewall are largely based on GUI applications and/or create iptables scripts that are dependent on the tool to update them. Users are left to choose between one of the many firewall tools available, or roll their own firewall scripts. Creation and auditing of the firewall for correctness can be difficult because of the complexity of iptables and the files created by existing tools. Additionally, existing tools do not provide package integration, so that when a network daemon is installed, users have to manually determine and add the necessary firewall rules (usually with their tool of choice).
Use Cases
Bob uses a desktop system and wants to add a firewall as another layer of protection. Bob can enable ubuntu-firewall to provide this protection. When new packages are added, Bob can optionally enable the firewall rules provided by these packages.
Alice administers many server machines and wants to create a host-based firewall for them. Alice can create a base firewall policy for all the servers using the PF-based ubuntu-firewall language. Once the default policy for her servers is set up and pushed to each machine, she can then install the server packages she wants on the individual servers, and enable the firewall rules provided by those packages.
Charlie wants to configure a system to use as a perimeter firewall/router. Because of ubuntu-firewall's simplified configuration syntax, the firewall can be more easily created and audited.
Assumptions
While the PF-based abstraction that ubuntu-firewall provides would be a great benefit to users on its own, to fully realize the benefits of ubuntu-firewall, packages providing network services should also provide firewall policy for the applications they provide. For example, apache2 should let ubuntu-firewall know that it provides a TCP service on port 80. It should be noted that ubuntu-firewall is still very useful on its own, so a slow transition for these packages is tolerable.
Design
- Create the high level language for iptables firewall configuration
- Integrate with package management by creating an /etc/uf/rules.d directory
- Create a tool for parsing the high level language. This tool would be called 'ufctl'. Default configuration would be in /etc/uf/uf.conf. ufctl would be smart enough to turn on things like IP forwarding, depending on the configuration in uf.conf. This tool should:
- Parse uf.conf and files in /etc/uf/rules.d
- Load the results of the parse via iptables/proc/(and eventually ip)
- Provide a means to specify another configuration file
- Provide a 'dry-run' or 'config test' mechanism
- Provide a means to load the ubuntu-firewall policy on boot
Implementation
UI Changes
There are no specific UI changes for ufctl. Simple CLI or GUI tools could eventually be created which simply add files to /etc/uf/rules.d. One implementation could be similar to RedHat's system-config-securitylevel, which essentially declares what protocol and port to open.
Code Changes
Depending on the method chosen for boot integration, there may be changes to the loopback entry ('lo') in /etc/network/interfaces.
Migration
As there is currently no default firewall configuration for Ubuntu, there are no mandatory migration issues. It should be possible to generate an ubuntu-firewall policy from an existing firewall policy. Another migration issue is getting network daemon packages to provide the necessary policy files to ubuntu-firewall.
Test/Demo Plan
TBD
Outstanding Issues
- User space tools for generating policies for ubuntu-firewall
BoF agenda and discussion
Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarizing what was discussed and note any options that were rejected.
UncomplicatedFirewall (last edited 2025-10-09 17:40:56 by hlibk)