Feature: Firewall

Bhakti Bhikne edited this page Feb 15, 2017 · 47 revisions

Notes

https://github.com/cockpit-project/cockpit/issues/1094

Trello Card

Firewall feature comparisons and screenshots

Stories

As a system admin, I want to be able to block and unblock ports, so that I can allow or block certain applications on my system.

As an experienced system admin, I want to monitor and control incoming and outgoing traffic, so that I can optimise performance and block or delay packets.

As a system admin, I want to be able to troubleshoot the errors encountered while using the system, so that I know the cause of the errors.

As an inexperienced system admin, I want to allow only web servers and SSH, so that all other applications are blocked.

Rolando D. Price is a junior system administrator. He has trouble accessing an HTTP web server and realises that port 80 is blocked by the firewall. He discusses this with his senior system administrator, Mike R. Stephens. Mike and Rolando agree that the firewall should be configured while setting up the network: they can block and unblock ports to allow or block certain applications. Mike points out that he can also monitor and control incoming and outgoing traffic to the network. When errors arise, Rolando and Mike should be able to troubleshoot them and get to the root cause.

Workflows

Rolando logs in to the server using Cockpit. He identifies the ports required for accessing the web server applications, allows only these specific ports and blocks the remaining ones. Mike also sets up the firewall log to monitor incoming and outgoing traffic.

When an error arises, Rolando and Mike have the option to either dismiss or troubleshoot it. On choosing troubleshooting, the firewall page should show the cause of the error and a possible solution.

Wireframes

Inkscape mockups (images with SVG sources): Traffic log; Updated mockup; Complete mockup; Mockup with ports and traffic rules; Add-port; Add-port with error states; Add port (PNG).

1) Parallel layout of port access rules and traffic log (similar to the Storage layout). Can get cluttered if the data is large and more features are added at later stages.

2) Using a button bar to navigate between features:

a) The landing page is the port access rules.

b) Error message for invalid port numbers.

c) The traffic log is reached by clicking on the Traffic Log button.

3) The mockup below will be problematic if the number of ports and the amount of traffic at the server is huge.

4) Firewall landing page. To add new ports, the user enters ports inline and clicks '+' or '-' to save the changes.

5) Firewall traffic log.

6) Control incoming and outgoing traffic.

7) Troubleshooting errors:

a) The user can enable or disable error alerts.

b) If the user chooses the 'troubleshoot' option, possible solutions to the error can be displayed.

c) For multiple errors:

Prior art

1)Untangle

2)IPFire

3)Smoothwall

4) Endian (Version 2.1, Version 2.2)

5)ClearOS

6)Zentyal

7)Sophos UTM

8) OPNsense

Feedback

Scenarios

1) The ports need to have a protocol specified. Additionally, I may want to add a range of ports like 20-21/tcp or 6988-6999/udp.

As an inexperienced admin, I may want to enable well-known services by their name.

As an experienced admin, I want to select whether to deny or to drop all non-permitted incoming traffic.

Troubleshooting: As an inexperienced admin, I may want to see a list of ports that are being publicly listened on by running daemons, which are/are not enabled.

As an inexperienced admin, I want to allow specific IPs/networks to access the host via any port/protocol. Additionally, I may want to see which communication paths I have already used for communication to the server's services.
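The troubleshooting scenario above (a list of ports that running daemons publicly listen on, and whether the firewall opens them) as an added example; this is not Cockpit's code. It parses a constructed sample of `ss -tulnH` output, decides which listeners are reachable from the network (bound to a wildcard or non-loopback address), and compares them with a constructed set of opened (port, protocol) pairs. The sample output and the `OPENED_PORTS` set are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of `ss -tulnH` output (Netid State Recv-Q Send-Q Local Peer).
# Made up for this example, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080          [::]:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
"""

# Constructed: (port, protocol) pairs the firewall currently opens, e.g. what
# `firewall-cmd --list-ports` reports plus the ports behind enabled services.
OPENED_PORTS = {(22, "tcp"), (80, "tcp"), (443, "tcp")}

# "Local Address:Port" column: "0.0.0.0:22", "127.0.0.1:3306", "[::]:8080", "*:22"
LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\[]+)):(?P<port>\d+)$")


def parse_listener(line):
    """Return (proto, address, port) for one ss line, or None if it is not a socket line."""
    fields = line.split()
    if len(fields) < 5:
        return None
    m = LOCAL_RE.match(fields[4])
    if not m:          # e.g. a header line, where the column reads "Local"
        return None
    addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
    return fields[0], addr, int(m.group("port"))


def is_reachable(addr):
    """True if the socket is bound to a wildcard or a non-loopback address."""
    if addr == "*":
        return True
    # strip an IPv6 scope id such as "%eth0" before parsing
    return not ipaddress.ip_address(addr.split("%")[0]).is_loopback


def audit_listeners(ss_output, opened_ports):
    """Compare network-reachable listeners with the firewall's opened ports."""
    listeners = [l for l in map(parse_listener, ss_output.splitlines()) if l]
    reachable = {(port, proto) for proto, addr, port in listeners if is_reachable(addr)}
    local_only = {(port, proto) for proto, addr, port in listeners if not is_reachable(addr)}
    return {
        # daemons reachable from the network but blocked by the firewall:
        # the "port 80 is blocked" situation from the persona story
        "listening_not_opened": sorted(reachable - opened_ports),
        # holes in the firewall with nothing behind them (likely stale rules)
        "opened_not_listening": sorted(opened_ports - reachable),
        # bound to loopback only; firewall rules do not affect these
        "loopback_only": sorted(local_only),
    }


if __name__ == "__main__":
    for kind, entries in audit_listeners(SAMPLE_SS_OUTPUT, OPENED_PORTS).items():
        print(kind + ":", ", ".join(f"{port}/{proto}" for port, proto in entries) or "(none)")
```

On a real host the input would come from `subprocess.run(["ss", "-tulnH"], capture_output=True, text=True).stdout`; adding `-p` shows the owning process, which is what the troubleshooting view would display next to each unopened port.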

Technical

logging

Logs can cause high IO load on the server and, if it is exposed, potentially open it to a DoS attack: any remote host can generate dropped packets, and therefore log entries, faster than the server can write them. If logging is required, it should be short-lived, rate-limited and/or limited to specific services or source addresses.

system integration

The firewall applet should take care of the whole system's firewall settings; other existing firewalling solutions will probably fail to operate concurrently with it. Firewall rules are too complex to be changed ad hoc by various processes.

The firewalld daemon can provide the backend for the frontend. It provides a D-Bus API to change and manage the firewall configuration. It allows the addition of many well-known services by name, as well as custom-defined ports or port ranges. All configuration is encapsulated in zones, which can be modified with user configuration and optionally bound to individual interfaces or source addresses (see the firewalld documentation for more on its features). firewalld is enabled by default on Fedora and RHEL/CentOS 7 installations.
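An added example, not Cockpit's or firewalld's own code, that ties the Feedback scenarios (ports with a protocol and ranges such as 20-21/tcp, well-known services by name, reject versus drop for non-permitted traffic, allowing specific IPs/networks any port/protocol) to the zone model described above: it validates port entries the way the Add-port dialog's error states would, and renders a zone in firewalld's zone XML format. The policy argument names (`services`, `ports`, `sources`, `target`) and the two sample zones are assumptions made for the example.

```python
import ipaddress
import re
from xml.etree import ElementTree as ET

# Port entry as typed in the Add-port dialog: PORT[-PORT]/PROTOCOL
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp|sctp|dccp)$")
# Zone target for traffic that matches no service, port or source rule
TARGETS = {"accept": "ACCEPT", "reject": "%%REJECT%%", "drop": "DROP"}


def parse_port(spec):
    """Validate one port entry; return (low, high, proto) or raise ValueError
    whose message is suitable for the dialog's error state."""
    m = PORT_RE.match(spec.strip().lower())
    if not m:
        raise ValueError(f"{spec!r}: expected PORT[-PORT]/PROTOCOL, e.g. 80/tcp or 20-21/tcp")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (1 <= low <= 65535 and 1 <= high <= 65535):
        raise ValueError(f"{spec!r}: port numbers must be between 1 and 65535")
    if low > high:
        raise ValueError(f"{spec!r}: range start is greater than range end")
    return low, high, m.group(3)


def port_error(spec):
    """UI helper: the error message for a port entry, or None if it is valid."""
    try:
        parse_port(spec)
    except ValueError as err:
        return str(err)
    return None


def build_zone(name, services=(), ports=(), sources=(), target="reject"):
    """Build the <zone> element for /etc/firewalld/zones/<name>.xml (assumed policy shape)."""
    if target not in TARGETS:
        raise ValueError(f"{target!r}: target must be one of {sorted(TARGETS)}")
    zone = ET.Element("zone", target=TARGETS[target])
    ET.SubElement(zone, "short").text = name
    for src in sources:
        # a single host or a network; ip_network raises ValueError on garbage
        net = ipaddress.ip_network(src, strict=False)
        ET.SubElement(zone, "source", address=str(net))
    for svc in services:
        # firewalld service names are plain identifiers (ssh, http, https, ...)
        if not re.fullmatch(r"[A-Za-z0-9._-]+", svc):
            raise ValueError(f"{svc!r}: not a valid service name")
        ET.SubElement(zone, "service", name=svc)
    for spec in ports:
        low, high, proto = parse_port(spec)
        port = str(low) if low == high else f"{low}-{high}"
        ET.SubElement(zone, "port", port=port, protocol=proto)
    return zone


def render_zone(name, **policy):
    """Return the zone as the XML text firewalld loads from its zones directory."""
    body = ET.tostring(build_zone(name, **policy), encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


if __name__ == "__main__":
    # Inexperienced admin story: only web servers and SSH, everything else dropped
    print(render_zone("public", services=["ssh", "http", "https"],
                      ports=["20-21/tcp", "6988-6999/udp"], target="drop"))
    # Trusted networks may reach the host on any port/protocol
    print(render_zone("admins", sources=["10.0.0.0/8", "2001:db8::/32"], target="accept"))
    for bad in ("80", "70000/tcp", "30-20/tcp"):
        print("rejected:", port_error(bad))
```

Save the output as /etc/firewalld/zones/<name>.xml and run `firewall-cmd --reload`; the file name, not `<short>`, is the zone name. A frontend backed by the D-Bus API would apply the same policy at runtime instead of writing files, which is what `firewall-cmd --zone=<name> --add-port=20-21/tcp` and `--add-service=ssh` do on the command line.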