blino's website

Free software developer and more

Interactive Firewall (2006.0 specs bits/ideas)

ipset

  • don't duplicate attackers list in mandi's memory, make ipset list the reference
  • use a libified ipset instead of calling the external program
  • handle manual edits of ipsets (make ipset send a signal to mandi)
  • use ipset lib to save/restore IP lists

IFW GUI

  • allow editing the default timeout for blacklists

Text mode interface

  • add notifications on console (using wall?)
  • provide text-mode tool to list attacks and control mandi for cases where ipset manipulation isn't enough
  • show examples or minimal help pointers in text notifications

Services monitoring

  • watch inbound server connections and notify about them using a bubble (already available in cooker)
  • don't make the bubble look like it's an attack, show it's just a notification
  • use a specific icon per service type

SSH brute force attacks

  • detect SSH brute force attacks using a PAM plugin like pam_abl
  • make mandi aware of the attacks
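As an added illustration of what such detection amounts to (this is example code, not pam_abl's or mandi's own): the function below counts failed SSH password attempts per source address in a sliding time window over a few constructed syslog-style sshd lines, and reports sources that cross a threshold. pam_abl gets the same events from PAM rather than from a log file, but the decision logic mandi would be told about is the same; the log lines, the threshold and the window length are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not captured from a real host). 10.0.0.7 fails
# four times within a few seconds; 10.0.0.8 fails once and then succeeds;
# 10.0.0.9 fails once.
SAMPLE_AUTH_LOG = """\
Oct  3 22:14:01 host sshd[2211]: Failed password for invalid user admin from 10.0.0.7 port 40112 ssh2
Oct  3 22:14:03 host sshd[2211]: Failed password for invalid user admin from 10.0.0.7 port 40112 ssh2
Oct  3 22:14:05 host sshd[2213]: Failed password for root from 10.0.0.7 port 40118 ssh2
Oct  3 22:14:09 host sshd[2215]: Failed password for root from 10.0.0.7 port 40121 ssh2
Oct  3 22:14:20 host sshd[2218]: Failed password for blino from 10.0.0.8 port 51020 ssh2
Oct  3 22:14:31 host sshd[2218]: Accepted password for blino from 10.0.0.8 port 51020 ssh2
Oct  3 22:30:00 host sshd[2240]: Failed password for root from 10.0.0.9 port 33001 ssh2
"""

# Matches the classic OpenSSH "Failed password" line; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Yield (timestamp, user, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog has no year; the caller supplies one (assumed here).
        stamp = " ".join(m.group(1).split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def brute_force_sources(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: total_failures} for sources with at least
    `threshold` failures inside any `window`-long interval."""
    attempts = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        attempts[ip].append(ts)

    offenders = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # advance the window start until it is within `window` of `ts`
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_AUTH_LOG))
```

A single failure from 10.0.0.8 followed by a successful login is a typo, not an attack, which is why the count is per window rather than cumulative; the threshold and window are the values a blacklist timeout setting would control.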

drakfirewall

  • SMB conntrack
  • NFS conntrack (rpc_conntrack)

Interactive Firewall, new feature: control ports opened in LISTEN state

The idea is to dynamically open a port in the firewall when an application listens on it, and close it when it is no longer needed. This would be interactive (using net_applet) and controlled by users with sufficient privileges.

  • detect new ports in LISTEN state and their matching process (using a kernel patch that would send notifications on a netlink, received by mandi)
  • add an opened/closed ports list to drakids/drakfirewall, with process names
  • save opened ports in a ports ipset
  • remove ports from the ipset once they're closed (requires a kernel notification as well)
  • don't use and configure current /etc/shorewall/rules.drakx by default anymore, maybe add an advanced option "Don't use dynamic rules (use shorewall rules)"
  • require proper DBus permissions to flush configuration, console ownership isn't enough, allow it for root and the ifwadmin group only
  • allow remembering the choice
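The first two items above need a view of which ports are in LISTEN state and which process owns them. As an added example (not mandi's code, which the spec says would get this from a kernel netlink notification), the code below decodes the kernel's own socket table format, /proc/net/tcp, and diffs the result against the set of ports the firewall already opened. The table contents and the socket-inode-to-process map are constructed samples; on a live system the map comes from scanning the socket:[INODE] links under /proc/<pid>/fd.

```python
from collections import namedtuple

# Constructed sample of /proc/net/tcp (not captured from a real host).
# Column 4 (st) is the socket state, 0A = LISTEN; addresses are little-endian
# hex IPv4 followed by a hex port; column 10 is the socket inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A000105:8B4E 5BC60F05:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

# Constructed inode -> process name map (assumed, built from /proc/<pid>/fd on a real host).
SAMPLE_INODE_OWNERS = {12345: "sshd", 12346: "cupsd", 12348: "httpd"}

TCP_LISTEN = "0A"

ListeningPort = namedtuple("ListeningPort", "address port process")


def _decode_address(hex_addr):
    """Decode '0100007F:0277' into ('127.0.0.1', 631)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The address is stored as a little-endian 32-bit word, so the last
    # byte pair in the string is the first octet.
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def listening_ports(proc_net_tcp, inode_owners):
    """Return the LISTEN sockets in a /proc/net/tcp dump, with their owning process."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        address, port = _decode_address(fields[1])
        inode = int(fields[9])
        found.append(ListeningPort(address, port, inode_owners.get(inode, "unknown")))
    return found


def firewall_changes(current, already_open):
    """Ports to add to the firewall (new listeners) and to remove (closed ones).
    Listeners bound to loopback only are never exposed, so they are skipped."""
    wanted = {p.port for p in current if p.address != "127.0.0.1"}
    return sorted(wanted - already_open), sorted(already_open - wanted)


if __name__ == "__main__":
    ports = listening_ports(SAMPLE_PROC_NET_TCP, SAMPLE_INODE_OWNERS)
    for p in ports:
        print(f"{p.process:8s} {p.address}:{p.port}")
    print(firewall_changes(ports, {22, 443}))
```

Polling this table is a fallback for systems without the kernel patch; it cannot tell mandi which process called listen() at the moment it happened, which is what a netlink notification would add.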

Interfaces

  • keep old drakfirewall layout: services list and checkboxes
  • new advanced interface (much like current drakids):
    • log window with process/port/verdict
    • opened ports window
    • closed ports window
  • popup in net_applet, with process/service labels, Open/Close/Ignore buttons, and a "Remember choice" checkbox

Security in other operating systems

Firewall redundancy

  • have a look at keepalived, ucarp, and ct_sync
  • provide a basic "Local network" control interface, allowing nodes to be specified by MAC address (detect hosts on the network, and show hostname/IP address/MAC address)

Network tools

Drakconnect

  • bluetooth support
  • 3G/Edge/GPRS support (almost integrated)
  • use icons to represent connection type

Drakroam

  • Ad-hoc networks support
  • non-broadcast (hidden) SSID support
  • use different icons for WEP/WPA: open/weak/strong icons would be nice, I like how it's done on the N770
  • allow users to write their own settings (in ~/.wireless.d/ for example; the initscripts would then try to use them if USERCTL is "yes"), be careful about security issues (shell sourcing of a user-controlled file)
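The security issue in the last item is that a root-run initscript sourcing a file a user can write lets that user run arbitrary commands as root. The added example below (not drakroam's or the initscripts' code) shows the alternative: treat the file as data, accept only known keys with values drawn from a character whitelist, and reject anything else, so the values can then be handed to the wireless tools without ever being evaluated by a shell. The ~/.wireless.d/ path, the key names and the whitelist are assumptions.

```python
import re

# Constructed contents of a hypothetical ~/.wireless.d/home file.
SAFE_SETTINGS = """\
# my home network
WIRELESS_ESSID=homenet
WIRELESS_ENC_KEY=s:secret123
WIRELESS_MODE=Managed
"""

# The same file with two lines that would execute commands if sourced by a
# root shell (constructed, for illustration of what the parser must reject).
HOSTILE_SETTINGS = """\
WIRELESS_ESSID=homenet
WIRELESS_ENC_KEY=`id > /tmp/out`
WIRELESS_MODE=Managed; echo owned
"""

# Keys the initscripts would honour from a user file (assumed list).
ALLOWED_KEYS = {"WIRELESS_ESSID", "WIRELESS_ENC_KEY", "WIRELESS_MODE"}
KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
# Whitelist of value characters: no quotes, backticks, $, ;, |, &, (, ), newlines.
VALUE_RE = re.compile(r"^[A-Za-z0-9 ._:@-]*$")


class SettingsError(ValueError):
    """Raised for any line that is not a plain KEY=value with safe content."""


def load_wireless_settings(text):
    """Parse KEY=value lines into a dict, refusing unknown keys and unsafe values."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not KEY_RE.match(key) or key not in ALLOWED_KEYS:
            raise SettingsError(f"line {lineno}: unknown or malformed key {key!r}")
        if not VALUE_RE.match(value):
            raise SettingsError(f"line {lineno}: value for {key} contains forbidden characters")
        settings[key] = value
    return settings


def is_safe_settings_file(text):
    """True if the file would be accepted; an initscript can gate on this
    instead of sourcing the file."""
    try:
        load_wireless_settings(text)
        return True
    except SettingsError:
        return False


if __name__ == "__main__":
    print(load_wireless_settings(SAFE_SETTINGS))
    try:
        load_wireless_settings(HOSTILE_SETTINGS)
    except SettingsError as err:
        print("rejected:", err)
```

The whitelist is deliberately narrow; an ESSID with characters outside it would be refused rather than passed through, which is the right failure direction for a file root reads on a user's behalf.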

Connection status

  • improve connection test: parse pppd/dhclient output if possible
  • add a "Network interface status" window:
    • link ok
    • modem synchronized
    • interface up
    • wireless authentication
    • wireless network association
    • current address

Profiles

  • move profiles from MCC menu to draknetprofile
  • maybe try to select profile based on location (see metaconf and guessnet)



Olivier Blin (2005)