FirewallBuddy

[Tejas Dinkar]

On Mon, 16 Feb 2009, Thiago Macieira sent out 1.6K bytes to say:
> Wouldn't that be intentional then?
> 
> I think we shouldn't provide an API for this. If the system is firewalled, it's 
> for a good reason. If you have an interactive firewall, you'll find out that 
> there are connection attempts going on, which means you may want to open the 
> port.

Well, most Fedora systems come with a strict IPTables policy that
doesn't have many ports open. It presents you with a dialog asking which
ports should be opened when you install, but I know more than a few
users who just skipped it.

> However, if you don't want to open the port, you're safe in knowing programs 
> will not do it behind your back.

I agree with this point whole heartedly. In my implementation, I REQUIRE
a dialog to be shown with a list of ports the app has requested to open,
and it will only try to open then iff the user clicks continue. And it's
a big dialog box.

And to be honest, the code itself is pretty simple. If an app wanted to
get your firewall open, and had the root password, they could already
use KDESu to do it. Of course, a formal API would encourage this.

> (I know this requires a root password, but it's better to rely on the 
> interactive firewall instead)

My beef is that so many user's don't realise that it's the firewall that
is blocking their applications. If firewalls poped up little windows
saying ${I Blocked FOO}, then users may think of modifying their
policies. 

> What's more, the big problem users face today is not the firewall on their 
> machines, but the fact that they are behind NAT and a firewall server.

I agree on this. The solution that I proposed would only be a part of a
larger solution involving UPnP and other pieces. But this would
immediately help those on a large LAN.
-- 
Tejas Dinkar
http://gja.in