Ubuntu QA

Popular ideas: here are random ideas about Ubuntu.

need to automate transferring firewall rule configs to new proprietary format  
Written by mr_mike the 16 Apr 12 at 03:43. Global category: Internet & Networking. New
Firewalls are extremely utilitarian devices. After you've owned one for a while and perhaps you have ten or fifteen thousand lines of rules configured on it, you are probably not looking forward to the day where your current firewall goes end of life and you need to buy a new one. If you are like me, and you want to be able to choose your new firewall based on other reasons instead of: "I chose this one because it was the same proprietary language my existing rule base is in, and my existing rule base is too big and it would be too cumbersome to re-engineer for a new vendor's syntax", then you would probably try to devise a way to automate this procedure.
-1 votes
Solution #1: cisco to junos acl converter
Written by mr_mike the 16 Apr 12 at 03:43.
This script will re-format all of the Cisco firewall ACL statements into Juniper Junos ACL statements. Just pass it two arguments: the first is the name of the ACL (the Cisco ACL you are trying to convert into Junos) and the second is the name of the running config file of the Cisco firewall:

#!/bin/bash
# cisco2junos_acl_cnvrtr: rewrite the entries of one Cisco ASA access-list as
# Junos "set security policies" statements.
#   $1  name of the Cisco ACL to convert
#   $2  file holding the Cisco firewall's running config
# Only the shape "access-list NAME extended permit|deny PROTO SRC DST [eq PORT]"
# is handled; remark lines and "range" services come out wrong and must be
# checked by hand.

case $# in
2)
    # 1. keep only the requested ACL (the trailing space keeps "inside" from
    #    also matching "inside_v6")
    # 2. collapse "addr mask" and "host addr" into prefix notation; the dots in
    #    the masks are escaped so they match literally, and longer masks come
    #    first so a shorter mask never matches inside a longer one
    # 3. drop the keywords Junos does not need (object-group, eq, host)
    # 4. number the lines with nl so every policy gets a unique name; this
    #    shifts the awk fields by one ($1 is the line number, $2 "access-list")
    grep "^access-list $1 " "$2" | sed '
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.255/\1\/32/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.254/\1\/31/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.252/\1\/30/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.248/\1\/29/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.240/\1\/28/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.224/\1\/27/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.192/\1\/26/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.128/\1\/25/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.255\.0/\1\/24/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.254\.0/\1\/23/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.252\.0/\1\/22/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.248\.0/\1\/21/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.240\.0/\1\/20/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.224\.0/\1\/19/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.192\.0/\1\/18/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.128\.0/\1\/17/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.255\.0\.0/\1\/16/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.254\.0\.0/\1\/15/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.252\.0\.0/\1\/14/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.248\.0\.0/\1\/13/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.240\.0\.0/\1\/12/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.224\.0\.0/\1\/11/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.192\.0\.0/\1\/10/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.128\.0\.0/\1\/9/g
s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\) 255\.0\.0\.0/\1\/8/g
s/host \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)/\1\/32/g
s/object-group //g
s/eq //g
s/host //g' | nl | awk '
/access-list/ {
    id = $1; acl_name = $3; action = $5; prot = $6; src = $7; dst = $8; srv = $9
    pol = "set security policies from-zone src-x to-zone dst-y policy acl-" id "-5555-" acl_name
    print pol " match source-address " src
    print pol " match destination-address " dst
    print pol " match application " prot "-d-" srv
    print pol " then " action
    print pol " then log session-init"
    print pol " then log session-close\n"
}' ;;
*)
    echo "
Usage: cisco2junos_acl_cnvrtr < acl name > < fw running cfg file >
" >&2
    exit 1 ;;
esac
-3 votes
Solution #2: addendum to first, this one converts the object groups
Written by mr_mike the 16 Apr 12 at 03:50.
#!/bin/bash
# cisco2junos_obj-grp_cnvrtr: rewrite Cisco ASA object-groups as Junos
# address-book address-sets (network groups) and application-sets (service
# groups), to go with the ACL converter above.
#   $1  file holding the Cisco firewall's running config
# Handled members: "network-object host A", "network-object A MASK",
# "port-object eq P" and "port-object range P1 P2". Nested group-object
# references and named ports are not handled and must be checked by hand.

case $# in
1)
    # awk: remember the group header, then emit each member on one line that
    # carries its group type, name and (for service groups) protocol, so the
    # sed that follows can work line by line. Leading indentation is stripped.
    grep -v '^access-list' "$1" | awk '
/^object-group/  { type = $2; name = $3; prot = $4; next }
/network-object/ { sub(/^[ \t]+/, ""); print "object-group", type, name, $0 }
/port-object/    { sub(/^[ \t]+/, ""); print "object-group", type, name, prot, $0 }
' | sed '
s/network-object \(.*\) 255\.255\.255\.255/address \1\/32/
s/network-object \(.*\) 255\.255\.255\.254/address \1\/31/
s/network-object \(.*\) 255\.255\.255\.252/address \1\/30/
s/network-object \(.*\) 255\.255\.255\.248/address \1\/29/
s/network-object \(.*\) 255\.255\.255\.240/address \1\/28/
s/network-object \(.*\) 255\.255\.255\.224/address \1\/27/
s/network-object \(.*\) 255\.255\.255\.192/address \1\/26/
s/network-object \(.*\) 255\.255\.255\.128/address \1\/25/
s/network-object \(.*\) 255\.255\.255\.0/address \1\/24/
s/network-object \(.*\) 255\.255\.254\.0/address \1\/23/
s/network-object \(.*\) 255\.255\.252\.0/address \1\/22/
s/network-object \(.*\) 255\.255\.248\.0/address \1\/21/
s/network-object \(.*\) 255\.255\.240\.0/address \1\/20/
s/network-object \(.*\) 255\.255\.224\.0/address \1\/19/
s/network-object \(.*\) 255\.255\.192\.0/address \1\/18/
s/network-object \(.*\) 255\.255\.128\.0/address \1\/17/
s/network-object \(.*\) 255\.255\.0\.0/address \1\/16/
s/network-object \(.*\) 255\.254\.0\.0/address \1\/15/
s/network-object \(.*\) 255\.252\.0\.0/address \1\/14/
s/network-object \(.*\) 255\.248\.0\.0/address \1\/13/
s/network-object \(.*\) 255\.240\.0\.0/address \1\/12/
s/network-object \(.*\) 255\.224\.0\.0/address \1\/11/
s/network-object \(.*\) 255\.192\.0\.0/address \1\/10/
s/network-object \(.*\) 255\.128\.0\.0/address \1\/9/
s/network-object \(.*\) 255\.0\.0\.0/address \1\/8/
s/network-object host \(.*\)/address \1\/32/

s/^object-group network /\
set security zones security-zone src-x address-book address-set /
s/address \(.*\)/address \1\
set security zones security-zone src-x address-book address \1 \1/

s/^object-group service \(.*\) \(.*\) port-object eq \(.*\)/\
set applications application-set \1 application \2-d-\3\
set applications application \2-d-\3 protocol \2\
set applications application \2-d-\3 destination-port \3/

s/^object-group service \(.*\) \(.*\) port-object range \(.*\) \(.*\)/\
set applications application-set \1 application \2-d-\3-\4\
set applications application \2-d-\3-\4 protocol \2\
set applications application \2-d-\3-\4 destination-port \3-\4/' ;;
*)
    echo "
Usage: cisco2junos_obj-grp_cnvrtr < fw running cfg file >
" >&2
    exit 1 ;;
esac


See the 3 comments or propose a solution >>
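The two scripts above work from a fixed table of masks and from field positions, so anything they do not expect (a non-contiguous or wildcard mask, a remark line, a named port, a trailing keyword) is still turned into a syntactically valid but wrong policy, and nothing tells you. The following is an added example, not code from the original post or from either vendor: the same access-list conversion done with a tokenizer and Python's ipaddress module, where every entry that cannot be converted is reported instead of emitted. The zone names src-x/dst-y, the policy-name scheme acl-<n>-<acl>, the <proto>-d-<port> application names and the predefined Junos applications used for port-less rules are assumptions (the first three carried over from the post's scheme); the config lines are constructed.

```python
"""Cisco ASA access-list -> Junos security policies, done with a tokenizer and
the ipaddress module instead of a sed mask table.  Added example, not code from
the original post.  Zone names, policy/application naming and the predefined
Junos applications below are assumptions."""
import ipaddress

# Protocols handled, with the assumed predefined Junos application used when an
# entry has no port clause.
PROTO_ANY = {"ip": "any", "tcp": "junos-tcp-any",
             "udp": "junos-udp-any", "icmp": "junos-icmp-all"}

# Constructed sample running-config lines (RFC 5737 documentation addresses).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.254.0 range 10000 10100
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.255.0 any
access-list OUTSIDE_IN remark --- web tier ---
access-list OUTSIDE_IN extended permit tcp object-group WEB_SRC object-group WEB_DST object-group WEB_PORTS
access-list OTHER extended permit tcp any any eq 22
"""


class ConversionError(ValueError):
    """An entry the converter refuses to guess at; it is handed to a human."""


def mask_to_prefix(mask):
    """'255.255.254.0' -> 23; rejects 255.0.255.0 and wildcard masks like 0.0.0.255."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ConversionError(f"non-contiguous netmask {mask}")
    return prefix


def port(token):
    if not token.isdigit() or not 1 <= int(token) <= 65535:
        raise ConversionError(f"named or invalid port {token!r}; map it by hand")
    return int(token)


def take_address(tokens):
    """Consume one ASA address spec from the front of tokens; return Junos form."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    if head == "host":
        return f"{ipaddress.IPv4Address(tokens.pop(0))}/32"
    if head == "object-group":
        return tokens.pop(0)                 # address-set of the same name
    if not tokens:
        raise ConversionError(f"address {head} has no netmask")
    # strict network: host bits set under the mask is a typo worth surfacing
    return str(ipaddress.IPv4Network(f"{head}/{mask_to_prefix(tokens.pop(0))}"))


def take_service(tokens, proto):
    """Consume the optional port clause; return the Junos application name."""
    if not tokens:
        return PROTO_ANY[proto]
    op = tokens.pop(0)
    if op == "eq":
        return f"{proto}-d-{port(tokens.pop(0))}"
    if op == "range":
        lo, hi = port(tokens.pop(0)), port(tokens.pop(0))
        if lo > hi:
            raise ConversionError(f"inverted port range {lo}-{hi}")
        return f"{proto}-d-{lo}-{hi}"
    if op == "object-group":
        return tokens.pop(0)                 # application-set of the same name
    raise ConversionError(f"unsupported service operator {op!r}")


def convert_line(line, index, from_zone="src-x", to_zone="dst-y"):
    """One 'access-list NAME extended ...' line -> list of Junos set commands."""
    t = line.split()
    if len(t) < 3 or t[0] != "access-list":
        raise ConversionError("not an access-list line")
    acl, kind, rest = t[1], t[2], t[3:]
    if kind == "remark":
        return []                            # comments carry no policy
    if kind != "extended":
        raise ConversionError(f"unsupported ACL form {kind!r}")
    action, proto = rest.pop(0), rest.pop(0)
    if action not in ("permit", "deny") or proto not in PROTO_ANY:
        raise ConversionError(f"unsupported action/protocol {action} {proto}")
    src, dst = take_address(rest), take_address(rest)
    app = take_service(rest, proto)
    if rest:
        raise ConversionError(f"unparsed trailing tokens {rest}")
    pol = f"set security policies from-zone {from_zone} to-zone {to_zone} policy acl-{index}-{acl}"
    return [f"{pol} match source-address {src}", f"{pol} match destination-address {dst}",
            f"{pol} match application {app}", f"{pol} then {action}",
            f"{pol} then log session-init", f"{pol} then log session-close"]


def convert_config(config, acl_name, **zones):
    """Return (commands, problems); problems = [(lineno, reason, line)].  A bad
    entry is reported, never emitted half-translated as a wrong policy."""
    commands, problems, n = [], [], 0
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.startswith(f"access-list {acl_name} "):
            continue
        n += 1                               # plays the role of nl(1) above
        try:
            commands.extend(convert_line(line, n, **zones))
        except (ConversionError, ValueError, IndexError) as exc:
            problems.append((lineno, str(exc), line))
    return commands, problems


if __name__ == "__main__":
    cmds, bad = convert_config(SAMPLE_CONFIG, "OUTSIDE_IN")
    print("\n".join(cmds + [f"# line {n}: {why}: {ln}" for n, why, ln in bad]))
```

Run against the sample, the converter emits 18 set commands for the three convertible entries, skips the remark and the other ACL, and reports line 3 (mask 255.0.255.0) for manual review; the point of the problems list is that a migrated rule base should be diffed against it before anything is committed, because a firewall rule that was silently mistranslated is indistinguishable from a correct one on the new box.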

fail2ban could be installed by default for extra security  
Written by turbolad the 19 Nov 10 at 00:35. Global category: Security. New
If you are directly connected to a modem without a built-in firewall, your log files will be flooded with hacking attempts.
-2 votes
Solution #1: Install and configure fail2ban automatically.
Written by turbolad the 19 Nov 10 at 00:35.
As per title, to keep hackers locked out forever.

See the 3 comments or propose a solution >>

Pidgin without http tunneling for Google Talk - firewall blocks default port
Written by grofaty the 25 Jan 09 at 15:16. Related project: Pidgin Internet Messenger. New
When using Pidgin inside a corporate network there is a firewall that blocks almost all ports to the internet. So when Pidgin uses the default ports to communicate with MSN, Google Talk, Yahoo etc., the firewall blocks the ports and communication is not possible.

Pidgin has a nice feature, "Use HTTP Method", instead of the default port 1863 when using an MSN type of account. But for "Google Talk" there is no such option. I know Google Talk is able to communicate through http tunneling, because I now use the Firefox web browser to communicate, but this approach has one limitation: the web browser's Google Talk web page has to be displayed and there is no notification if someone wants to talk to me.
90 votes
Solution #1: Add http tunneling for Google Talk
Written by grofaty the 25 Jan 09 at 15:16.
Implement http tunneling for Google Talk, just like as it is already implemented for MSN type of accounts.

See the 3 comments or propose a solution >>

Firewall in default install  
Written by cmayoros the 29 Feb 08 at 04:07. Global category: System. New
Ubuntu should have a firewall installed in the default system and also include a simple to use program to administer it, very similar in approach to Fedora/CentOS.
97 votes
Solution #1: Auto-generated solution of idea #861
Written by cmayoros the 29 Feb 08 at 04:07.
Ubuntu Brainstorm was updated in January 2009. Since the idea #861 was submitted before this update, its rationale and solution are not separated. Please vote accordingly, and if you have the necessary rights, please separate the rationale from the solution. Thanks!

See the 6 comments or propose a solution >>

Internet firewall for HOME users that runs invisibly  
Written by turbolad the 23 Dec 10 at 17:38. Global category: Security. New
This idea is no duplicate of any other...

Ubuntu needs a maximum-security firewall by configuring iptables, so home users don't have to install gufw, firestarter etc. and NOT KNOW that a firewall is running silently, so nobody can turn off the firewall accidentally (the firewall could be setup so it can only be turned off by editing files from the terminal).

Since home users tend to connect to the internet just for web browsing, checking e-mails, online gaming etc. and not normally using advanced networking, a "ready to use" firewall with maximum security would be ideal.
28 votes
Solution #1: Ubuntu installation options for a firewall: Home users and non-home users
Written by turbolad the 23 Dec 10 at 17:38.
During the installation of Ubuntu, offer a firewall for home users (i.e. maximum security and minimum networking for internet-only use) and another option for advanced network customisation.

For Ubuntu to pass the Shields Up test, the user must manually configure a firewall. Why not have this done automatically for home users?

See the 13 comments or propose a solution >>

Firestarter should detect all network connections by default.
Written by TWO the 19 Dec 08 at 12:57. Global category: Security. New
Currently, the Firestarter program requires that the user specifies an "Internet connected network device" and a "Local network connected device." Should the user happen to start the GUI whilst connected to the internet via an alternate device (for example, say that in Firestarter your default connection is set to 'Ethernet Device (eth0)', but one day you happen to connect to the Internet via 'Wireless Device (wlan0)'), the Firestarter GUI will display the error message "Failed to start firewall. The device eth0 is not ready..." and show a red circle and square indicating that it is not running, when it is run after the change to the network connection.

I think Firestarter should be monitoring all network connections automatically, so that the user doesn't have to change the setting each time they change the method by which they connect to the internet.

Also, is it not a bit of a security issue that the firewall fails to start on the basis that the program is not yet able to monitor all connections simultaneously?
45 votes
Solution #1: Auto-generated solution of idea #16631
Written by TWO the 19 Dec 08 at 12:57.
3 votes
Solution #2: Allow Firestarter to monitor all potential connections to the internet
Written by TWO the 17 Mar 09 at 10:14.
Redesign Firestarter so that it is simultaneously monitoring all possible connections to the internet. So for example, should a laptop user switch from being connected to a LAN via Ethernet cable, to using a wireless connection, Firestarter will still be monitoring the new connection method.


See the 2 comments or propose a solution >>

Firewall should support IPv6  
Written by emil.s the 19 Jan 09 at 21:36. Global category: Internet & Networking. New
Since Ubuntu is IPv6 enabled by default, it will get an IPv6 unicast-address automatically when connected to an IPv6 enabled network.

ip(6)tables is installed by default, and it works fine for filtering IPv6.
But since most users prefer a GUI, which is Firestarter for Intrepid, it should support IPv6 for keeping the users safe.
60 votes
Solution #1: Add IPv6-support for Firestarter
Written by emil.s the 19 Jan 09 at 21:36.
Make Firestarter support IPv6.
16 votes
Solution #2: use gufw
Written by kulight the 20 Jan 09 at 16:46.

Add a comment or propose a solution >>

Application-based filtering  
Written by cdenley the 4 Sep 08 at 14:50. Global category: Security. New
There should be a tool available that can filter which applications are allowed to connect to the internet. It could warn you if the file trying to connect has been altered recently, but this might give a sense of false security since many applications rely on external libraries.

I realize that if users use good security practices and stick to open-source software from the repos, this shouldn't be necessary. However, it would be a powerful extra layer of security. Some people insist on using software from other sources, and it would be useful if you wanted to test if questionable software was phoning home. It would also put people with a windows mindset at ease, since that is the type of user ubuntu seems to target.

There is a tool like this called tuxguardian, but I can't seem to make it work in hardy.
http://tuxguardian.sourceforge.net/
32 votes
Solution #1: Auto-generated solution of idea #12787
Written by cdenley the 4 Sep 08 at 14:50.

See the 2 comments or propose a solution >>

Give users "global control" over applications' outgoing internet connections  
Written by nickr the 6 Jan 11 at 20:18. Global category: Others. New
Presently, Ubuntu users do not have a user-friendly way of controlling what applications can connect to the internet. They also do not have a user-friendly way of learning what applications are making internet connections.

Being able to stay abreast of and control outgoing internet connections provides users with increased privacy and security while giving them more control in general over the "comings and goings" on their computer. Having control over outgoing connections is also needed for financial reasons. I have to use a mobile-broadband connection for work. The mobile-broadband plans available to me all limit the amount of data I can use per month. To conserve as much broadband data usage as possible, it would be helpful to have global control over what applications can connect to the internet. With Microsoft Windows, this can be accomplished via an outgoing application-based firewall. Unfortunately, no such firewall exists for Ubuntu and there appears to be no way of globally blocking all applications from accessing the internet until they are given explicit permission by the user to connect. For example, if I am using Firefox to browse the web (I obviously need Firefox to have an internet connection), but I then open Rhythmbox to simply listen to some mp3s on my hard drive while I am using Firefox, Rhythmbox will automatically establish an internet connection when it is opened. I don't need nor want Rhythmbox to connect to the internet unless it is specifically required for the task I'm trying to accomplish. Unnecessary connections it establishes are "wasting" the mobile-broadband data available to me for the month.

It seems to me that a solution to the problem will involve:
1.) some method for communicating an application's internet connections to the user.
2.) giving users control over if and when an application is allowed an internet connection. For example, when I start Rhythmbox, if it was to ask, "Can I connect to the internet now?" before connecting, I would have control over its connection behavior and I could give it permission when an internet connection is needed.
74 votes
Solution #1: Create an application-based firewall for Ubuntu
Written by nickr the 6 Jan 11 at 20:18.
This problem would be solved if a firewall for Ubuntu could provide outgoing application-based filtering as seen in firewalls that presently work for Microsoft Windows.
3 votes
Solution #2: Give users the ability to create profiles for internet usage on network devices
Written by hazrpg the 9 Feb 11 at 05:13.
When a network device is connected to a network, give the user the ability to be able to pick a profile/rule-set to govern what applications are allowed access to the internet (WAN) or the local network (LAN/Intranet).

Default options could include (but not limited to): Public; Home; Work;

The user should be able to create their own profile(s), and be given the option to base the new profile on an existing profile.

This doesn't have to be a pop-up dialogue, this could simply be an option within network-manager or a separate application. With "Home" being the default option, unless changed explicitly by the user.

Calling this feature a "location" would be incorrect, since a user *may* want several different rules despite being in the same physical location, depending on what they are doing.
3 votes
Solution #3: Use a "Windicator" to communicate an app's internet connections
Written by nickr the 5 May 11 at 19:16.
Here's an image that depicts how the Windicator might look: http://i.imgur.com/yDPkn.jpg

Here's the general idea:

In the right-corner of desktop windows, a Windicator "Connected" icon could communicate to the user if the application associated with the window is:
1.) connected to the internet.
2.) NOT connected to the internet.
3.) establishing a connection to the internet (a pre-connection state).

If the Windicator is communicating that the application is connected to the internet, the user could click the icon to discover what port is being used and learn other connection information like the IP address connected to and so forth.

An additional feature might be to provide a settings menu that the user could access through the Windicator "Connected" icon. This menu would allow the user to configure what type of internet connections are allowed for the application associated with that window. So from within this menu, the user could configure the application to:
1.) never be allowed access to the internet.
2.) always be allowed access to the internet.
3.) always ask for permission before being allowed access to the internet. This setting would generate a prompt that the user would have to respond to before an internet connection could be established. No response would result in no connection being established.
4.) conform to Profile rules. So the user would create Profiles where the user could say "Only allow connections if so and so Profile is active."


4 votes
Solution #4: Watch and learn from Android
Written by sanderd17 the 12 Jul 11 at 18:20.
Use application specific security settings.

This way, not only internet connections can be protected, but also access to the home directory (apart from the settings directory), use of USB devices, use of the webcam, taking screenshot ...


This would of course ask a lot from the import team. I don't know if they have enough man-power to do it.

See the 30 comments or propose a solution >>

Better firewall  
Written by obZen the 10 Dec 08 at 20:22. Global category: Internet & Networking. New
Create a Firewall that allows you to lead the applications that connect to Internet

By default it should be on with a pre-configuration for Ubuntu default apps

It should show you a pop up for the new apps that ask you if you want to leave the app to connect, and give you two options: Yes or No. This should create a permissive rule that after you could make it more restrictive in a rules manager

The rules manager should have a General rules tab, and a app rules tab, listing all the apps
33 votes
Solution #1: Auto-generated solution of idea #16405
Written by obZen the 10 Dec 08 at 20:22.

See the 9 comments or propose a solution >>
