Interactive Firewall (2006.0 specs bits/ideas)
ipset
- don't duplicate the attackers list in mandi's memory; make the ipset list the reference
- use a libified ipset instead of calling the external program
- handle manual edits of ipsets (make ipset send a signal to mandi)
- use ipset lib to save/restore IP lists
IFW GUI
- allow editing the default timeout for blacklists
Text mode interface
- add notifications on console (using wall?)
- provide a text-mode tool to list attacks and control mandi, for cases where ipset manipulation isn't enough
- show examples or minimal help pointers in text notifications
Services monitoring
- watch inbound server connections and notify about them using a bubble (already available in cooker)
- don't make the bubble look like it's an attack, show it's just a notification
- use a specific icon per service type
SSH brute force attacks
- detect SSH brute force attacks using a PAM plugin like pam_abl
- make mandi aware of the attacks
drakfirewall
- SMB conntrack
- NFS conntrack (rpc_conntrack)
Interactive Firewall, new feature: control ports opened in LISTEN state
The idea is to dynamically open a port in the firewall when an application listens on it, and close it when it is no longer needed. This would be interactive (using net_applet) and controlled by users with enough privileges.
- detect new ports in LISTEN state and their matching process (using a kernel patch that would send notifications on a netlink, received by mandi)
- add opened/closed ports lists to drakids/drakfirewall, with process names
- save opened ports in a ports ipset
- remove ports from the ipset once they're closed (requires a kernel notification as well)
- don't use and configure the current /etc/shorewall/rules.drakx by default anymore; maybe add an advanced option "Don't use dynamic rules (use shorewall rules)"
- require proper DBus permissions to flush the configuration: console ownership isn't enough, allow it for root and the ifwadmin group only
- allow remembering the choice
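As an added example (not mandi's or drakx code), the following Python sketches the state-tracking side of this feature without the kernel patch: it parses two /proc/net/tcp snapshots (constructed here), reports which ports entered or left LISTEN together with the owning process, and emits the operations that would keep a hypothetical `ports` ipset in sync. The inode-to-process map, the set name and the `ipset -A/-D` syntax are assumptions.

```python
"""Track ports entering/leaving LISTEN and keep a 'ports' ipset in sync.
Offline stand-in for the netlink notification: two /proc/net/tcp snapshots
are diffed.  Added example, not mandi's code; set name/syntax are assumed."""

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket

# Constructed snapshots: sshd on 22 and sendmail on 25 (before); then sendmail
# gone and httpd on 80 (after).  An established socket (st 01) shows it is ignored.
SNAP_BEFORE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1
   2: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 10003 1
"""
SNAP_AFTER = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1
"""
# Constructed socket-inode -> process map (in reality: resolve via /proc/*/fd links).
PROC_BY_INODE = {10001: "sshd", 10002: "sendmail", 10004: "httpd"}


def parse_listen_ports(proc_net_tcp):
    """Return {local_port: socket_inode} for every LISTEN socket in the dump."""
    listening = {}
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue  # header row, or a socket that is not listening
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local_address is HEXADDR:HEXPORT
        listening[port] = int(fields[9])
    return listening


def listen_events(before, after, proc_by_inode):
    """Diff two snapshots into ("open"|"close", port, process) events for the applet popup."""
    events = []
    for port in sorted(set(after) - set(before)):
        events.append(("open", port, proc_by_inode.get(after[port], "unknown")))
    for port in sorted(set(before) - set(after)):
        events.append(("close", port, proc_by_inode.get(before[port], "unknown")))
    return events


def ipset_ops(events, setname="ports"):
    """Translate events into the ipset commands that would keep the set in sync."""
    flag = {"open": "-A", "close": "-D"}
    return ["ipset %s %s %d" % (flag[kind], setname, port) for kind, port, _ in events]
```

In a real daemon the "open" events are what the net_applet popup would show before the ipset command runs; "close" events need no user interaction.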
Interfaces
- keep old drakfirewall layout: services list and checkboxes
- new advanced interface (much like current drakids):
  - log window with process/port/verdict
  - opened ports window
  - closed ports window
- popup in net_applet, with process/service labels, Open/Close/Ignore buttons, and a "Remember choice" checkbox
Security in other operating systems
- Interactive Firewall should be far easier to implement than Ubuntu's deferred firewall proposal
- Windows Vista's centralized security could be worth a look
- Little Snitch for Mac OS X
Firewall redundancy
- have a look at keepalived, ucarp, and ct_sync
- provide a basic "Local network" control interface, allowing nodes to be specified by MAC address (detect hosts on the network, and show hostname/IP address/MAC address)
Network tools
Drakconnect
- bluetooth support
- 3G/Edge/GPRS support (almost integrated)
- use icons to represent connection type
Drakroam
- Ad-hoc networks support
- non-broadcast SSID support
- use different icons for WEP/WPA: open/weak/strong icons would be nice, I like how it's done on the N770
- allow users to write settings (in a ~/.wireless.d/ for example; the initscripts would then try to use it if USERCTL is "yes"); be careful about security issues (root-run scripts sourcing user-writable files as shell)
Connection status
- improve connection test: parse pppd/dhclient output if possible
- add a "Network interface status" window:
  - link ok
  - modem synchronized
  - interface up
  - wireless authentication
  - wireless network association
  - current address
Profiles