Grant
Theme fund: NGI0 PET
Start: 2019-12
End: 2022-10

Usability of Linux firewall userspace tools

Userspace tooling for Linux kernel Netfilter

Netfilter is the project that provides the packet classification framework for GNU/Linux operating systems. Netfilter supports stateless and stateful packet filtering, mangling, logging and NAT. It provides a rule-based language to define the filtering policy through a linear list of rules, sets and maps. This domain-specific language is a simplified programming language for expressing filtering policies.

Firewall operators are usually not programmers, although they are typically knowledgeable about shell scripting. Operators currently have few means to check for mistakes when writing filtering policies; as a result, rules can interact in unpredictable ways or cause performance issues, so one can never be sure how far a policy can be trusted to protect users.

Correctness problems and inconsistencies emerge as the rule set grows in complexity. Introducing ways to assist the operator in spotting these problems, and to provide hints on how to express the filtering policy better, would help to improve this situation. Error reporting is another key aspect of assisting humans in troubleshooting. This project aims to extend the existing tooling with infrastructure that covers these aspects.
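As an added illustration of the kind of consistency check the project describes (example code written for this page, not part of the Netfilter tooling or the project), the script below parses a constructed chain written in a small subset of nft syntax and reports rules that can never match because an earlier rule with a terminal verdict already covers every packet they would see. The supported syntax subset, the function names and the sample chain are assumptions made for the example.

```python
"""Flag rules in an nftables-style chain that can never match: an earlier rule
with a terminal verdict already covers every packet they would see."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Tuple
TERMINAL = {"accept", "drop", "reject"}  # verdicts that end chain evaluation
# saddr: IPv4Network or None (any source); dports: frozenset or None (any port)
Rule = namedtuple("Rule", "saddr dports verdict")

def parse_rule(text: str) -> Rule:
    """Parse the supported nft subset: optional `ip saddr <cidr>`, optional
    `tcp dport <port>` or `tcp dport { p1, p2 }`, verdict as last token."""
    m = re.search(r"ip saddr (\S+)", text)
    saddr = ipaddress.ip_network(m.group(1), strict=False) if m else None
    m = re.search(r"tcp dport (\{[^}]*\}|\d+)", text)
    dports = frozenset(int(p) for p in re.findall(r"\d+", m.group(1))) if m else None
    return Rule(saddr, dports, text.split()[-1])

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matching b also matches a (b is a subset of a)."""
    if a.saddr is not None and (b.saddr is None or not b.saddr.subnet_of(a.saddr)):
        return False
    if a.dports is not None and (b.dports is None or not b.dports <= a.dports):
        return False
    return True

def find_shadowed(rules: List[str]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs, in chain order."""
    parsed = [parse_rule(r) for r in rules]
    hits = []
    for j, later in enumerate(parsed):
        for i in range(j):
            if parsed[i].verdict in TERMINAL and covers(parsed[i], later):
                hits.append((j, i))
                break  # report only the first rule that shadows it
    return hits

# Constructed sample chain (not from the page): rule 2 is dead (rule 0 already
# accepts it), rule 3 is dead (rule 1 drops port 22 from anywhere), and rule 5
# stays reachable because rule 4's `log` is not a terminal verdict.
CHAIN = [
    "ip saddr 10.0.0.0/8 tcp dport { 22, 80 } accept",
    "tcp dport 22 drop",
    "ip saddr 10.1.2.0/24 tcp dport 22 accept",
    "ip saddr 192.168.0.0/16 tcp dport 22 drop",
    "ip saddr 172.16.0.0/12 tcp dport 80 log",
    "ip saddr 172.16.0.0/12 tcp dport 80 drop",
]
```

Running `find_shadowed(CHAIN)` on the sample returns `[(2, 0), (3, 1)]`, the two dead rules an operator would otherwise have to find by hand.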

Why does this actually matter to end users?

Most users rely on antivirus programs to keep their system and important data safe and private. Visited sites, downloaded files, email coming in and out, everything should pass through a digital border control that keeps malware and spyware out. Perform a complete system scan every other month and most users will be reassured: I am safe.

If your antivirus program is the main filter between the wild west of the internet and your device and data, you want to be sure you can trust that program to keep you safe. What do you do? Do you check out software reviews and ratings, ask a friend, simply rely on the default antivirus software that comes with your operating system?

How about using a firewall built into an open source operating system that is governed by a worldwide community that constantly checks and tests every cog and wheel? Netfilter is software built into Linux, the most popular open source operating system, that lets users control how incoming internet traffic is filtered, among many other useful features. This project will make Netfilter and its many options more usable, inform you in greater detail about occurring errors and provide useful hints on how to improve the firewall. Ultimately this can help make Linux a safer operating system and give users more control over their online safety.

Run by Netfilter


This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.