* Is the current firewall model static?
@ 2011-12-20  9:25 Hansa
  2011-12-20 10:11 ` Andrew Beverley
  0 siblings, 1 reply; 6+ messages in thread
From: Hansa @ 2011-12-20  9:25 UTC (permalink / raw)
  To: netfilter

Hi there,

Fedora is running a project called firewalld. Firewalld manages the firewall
dynamically via D-BUS
(http://fedoraproject.org/wiki/FirewallD/#Why_A_Firewall_Daemon). They say:
"the current firewall model is static and **every** change requires a
complete firewall restart. This includes also to unload the firewall
netfilter kernel modules and to load the modules that are needed for the new
configuration."

I would be very surprised if their claim is true, because that would break
stateful connections when changing the rules. I'm not familiar with the
code so I can't comment on that. Hence my question. Is the current firewall
model static?

Best regards,

-Hansa




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Is the current firewall model static?
  2011-12-20  9:25 Is the current firewall model static? Hansa
@ 2011-12-20 10:11 ` Andrew Beverley
  2011-12-21  9:18   ` Hansa
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew Beverley @ 2011-12-20 10:11 UTC (permalink / raw)
  To: Hansa; +Cc: netfilter

On Tue, 2011-12-20 at 10:25 +0100, Hansa wrote:
> Hi there,
> 
> Fedora is running a project called firewalld. Firewalld manages the firewall
> dynamically via D-BUS
> (http://fedoraproject.org/wiki/FirewallD/#Why_A_Firewall_Daemon). They say:
> "the current firewall model is static and **every** change requires a
> complete firewall restart. This includes also to unload the firewall
> netfilter kernel modules and to load the modules that are needed for the new
> configuration."
> 
> I would be very surprised if their claim is true. Because that would break
> stateful connections when changing the rules. I'm not familiar with the
> code so I can't comment on that. Hence my question. Is the current firewall
> model static?

I think that what they mean is that the current *Fedora* firewall model
is static. It looks like firewalld still uses iptables, but is slightly
more intelligent as to how it processes changes to rules and so on.

Andy




* RE: Is the current firewall model static?
  2011-12-20 10:11 ` Andrew Beverley
@ 2011-12-21  9:18   ` Hansa
  2011-12-21  9:27     ` Andrew Beverley
  0 siblings, 1 reply; 6+ messages in thread
From: Hansa @ 2011-12-21  9:18 UTC (permalink / raw)
  To: 'Andrew Beverley'; +Cc: netfilter

From: Andrew Beverley [mailto:andy@andybev.com]
Sent: Tuesday 20 December 2011 11:11
> On Tue, 2011-12-20 at 10:25 +0100, Hansa wrote:
> > Hi there,
> >
> > Fedora is running a project called firewalld. Firewalld manages the
> firewall
> > dynamically via D-BUS
> > (http://fedoraproject.org/wiki/FirewallD/#Why_A_Firewall_Daemon).
> They say:
> > "the current firewall model is static and **every** change requires a
> > complete firewall restart. This includes also to unload the firewall
> > netfilter kernel modules and to load the modules that are needed for
> the new
> > configuration."
> >
> > I would be very surprised if their claim is true. Because that would
> break
> > stateful connections when changing the rules. I'm not familiar with
> the
> > code so I can't comment on that. Hence my question. Is the current
> firewall
> > model static?
> 
> I think that what they mean is that the current *Fedora* firewall model
> is static. It looks like firewalld still uses iptables, but is slightly
> more intelligent as to how it processes changes to rules and so on.

I wasn't aware the firewall model is implemented differently across different Linux flavors. I thought netfilter implements a packet filtering framework in the Linux kernel. Shouldn't it work the same on every Linux flavor? I did the following test.

SSH on port 22 into a Linux box with the following filter rules:
# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Remove line 3, so new SSH connections are rejected. The current SSH session, however, should still work because of rule number 1.

# iptables -D INPUT 3
# echo "yup it does"
yup it does

Seems pretty much dynamic to me :)
Am I missing something?

-Hansa


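Hansa's test above, repeated the way it would be done on a production host, as an added example that is not code from the thread or from any of the projects mentioned in it. It assumes root, the iptables-save/iptables-restore pair, a kernel that exposes /proc/net/nf_conntrack, and it uses a few hypothetical file names under /run. Two caveats worth knowing before reading the listing above: `iptables -L -n` does not display interface matches unless `-v` is given, so a rule that prints as a bare "ACCEPT all" may in fact be restricted to an interface (iptables-save shows the full rule), and `-m state --state` is the older spelling of what current iptables calls `-m conntrack --ctstate`.

```shell
#!/bin/sh
# Added example, not code from the thread: replace the whole INPUT ruleset
# atomically with iptables-restore, keep a timed rollback in case the new
# rules lock the admin out, and check that the ssh session's conntrack entry
# survived. Assumes root, iptables-save/iptables-restore and
# /proc/net/nf_conntrack; the /run/iptables.* paths are arbitrary.

# Emit an iptables-restore ruleset equivalent to the four rules in the thread.
# $1 is a comma-separated list of TCP ports allowed to open NEW connections;
# an empty list leaves rule 3 out, which is what `iptables -D INPUT 3` did.
# The loopback rule carries an explicit -i lo here; `iptables -L -n` without
# -v hides interface matches, so such a rule prints as a bare "ACCEPT all".
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    if [ -n "$1" ]; then
        printf '%s\n' "$1" | tr ',' '\n' | while read -r port; do
            printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    fi
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Number of INPUT rules a generated ruleset contains (dry-run self-check).
count_rules() {
    build_ruleset "$1" | grep -c '^-A INPUT'
}

# Swap in a ruleset atomically. iptables-restore replaces the whole table in
# one kernel call, so there is never a moment with an empty chain, and it does
# not touch the conntrack table: the ESTABLISHED ssh session keeps matching
# rule 1. The previous ruleset is restored after $2 seconds unless
# confirm_rules runs first, so a typo cannot lock you out of the box.
apply_with_rollback() {
    ruleset=$1
    timeout=${2:-60}
    iptables-save > /run/iptables.rollback || return 1
    printf '%s\n' "$ruleset" | iptables-restore || return 1
    (
        sleep "$timeout"
        [ -e /run/iptables.rollback ] && iptables-restore < /run/iptables.rollback
    ) &
    echo $! > /run/iptables.rollback.pid
}

# Cancel the pending rollback once the new rules are known to be good.
confirm_rules() {
    kill "$(cat /run/iptables.rollback.pid)" 2>/dev/null
    rm -f /run/iptables.rollback /run/iptables.rollback.pid
}

# True if conntrack still tracks an ESTABLISHED TCP flow to local port $1.
# Run it from the existing ssh session after the swap: the entry must still
# be there, because nothing flushed or unloaded nf_conntrack.
conntrack_has_flow() {
    grep -E "^ipv4 .*tcp .*ESTABLISHED .*dport=$1 " /proc/net/nf_conntrack > /dev/null
}

case ${1:-} in
    apply)   apply_with_rollback "$(build_ruleset "${2:-}")" 60 ;;
    confirm) confirm_rules ;;
    check)   conntrack_has_flow "${2:-22}" && echo "established flow to port ${2:-22} still tracked" ;;
    *)       build_ruleset "${2:-22}" ;;   # dry run: just print the ruleset
esac
```

Run it with no arguments to print the ruleset, `apply ""` from the ssh session to swap in the version without rule 3 (with a 60 s rollback), `check 22` to confirm the session's conntrack entry is still present, and `confirm` to cancel the rollback. Both `iptables -D INPUT 3` and a full iptables-restore are dynamic in the sense Hansa means: the conntrack table is separate from the rules, so the established session keeps matching rule 1. What the firewalld page calls a restart, flushing the rules and unloading the netfilter modules, empties that table, and the in-flight session's packets then no longer match rule 1.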

* RE: Is the current firewall model static?
  2011-12-21  9:18   ` Hansa
@ 2011-12-21  9:27     ` Andrew Beverley
  2011-12-21 10:16       ` Hansa
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew Beverley @ 2011-12-21  9:27 UTC (permalink / raw)
  To: Hansa; +Cc: netfilter

On Wed, 2011-12-21 at 10:18 +0100, Hansa wrote:
> > I think that what they mean is that the current *Fedora* firewall model
> > is static. It looks like firewalld still uses iptables, but is slightly
> > more intelligent as to how it processes changes to rules and so on.
> 
> I wasn't aware the firewall model is implemented differently across
>  different Linux flavors. I thought netfilter implements a packet
>  filtering framework in the Linux kernel. Shouldn't it work
>  the same on every Linux flavor?

Once the iptables binary has been called and the rules have been set,
then yes, it's the same across any flavour of Linux (I guess).

I meant that the distro's implementation of how the rules are managed is
different. There are loads of different ways. A quick search on a Ubuntu
system reveals the following. I'm guessing that all of these use
iptables, but some are better than others at changing rules "on the
fly".

ufw - program for managing a Netfilter firewall
apf-firewall - easy iptables based firewall system
dtc-xen-firewall - A small firewall script for your dom0
ebox-firewall - eBox - Firewall
ferm - maintain and setup complicated firewall rules
fiaif - An easy to use, yet complex firewall
filtergen - packet filter generator for various firewall systems
firehol - An easy to use but powerful iptables stateful firewall
firestarter - gtk program for managing and observing your firewall
guarddog - firewall configuration utility for KDE
ipkungfu - iptables-based Linux firewall
kmyfirewall - iptables based firewall configuration tool for KDE
mason - Interactively creates a Linux packet filtering firewall
pyroman - Very fast firewall configuration tool
uif - Advanced iptables-firewall script
uruk - Very small firewall script, for configuring iptables

>  I did the following test.
> 
> SSH on port 22 into a Linux box with the following filter rules:
> # iptables -L -n --line-numbers
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> 
> Remove line 3, so new SSH connections are rejected. The current SSH session, however, should still work because of rule number 1.
> 
> # iptables -D INPUT 3
> # echo "yup it does"
> yup it does
> 
> Seems pretty much dynamic to me :)

With any of the above wrappers, you'll always be able to add and remove
rules directly using iptables commands.

Andy




* RE: Is the current firewall model static?
  2011-12-21  9:27     ` Andrew Beverley
@ 2011-12-21 10:16       ` Hansa
  2011-12-21 10:22         ` Andrew Beverley
  0 siblings, 1 reply; 6+ messages in thread
From: Hansa @ 2011-12-21 10:16 UTC (permalink / raw)
  To: 'Andrew Beverley'; +Cc: netfilter

On Wed, 2011-12-21 at 10:27 +0100, Andrew Beverley wrote:
> On Wed, 2011-12-21 at 10:18 +0100, Hansa wrote:
> > > I think that what they mean is that the current *Fedora* firewall model
> > > is static. It looks like firewalld still uses iptables, but is slightly
> > > more intelligent as to how it processes changes to rules and so on.
> >
> > I wasn't aware the firewall model is implemented differently across
> >  different Linux flavors. I thought netfilter implements a packet
> >  filtering framework in the Linux kernel. Shouldn't it work
> >  the same on every Linux flavor?
> 
> Once the iptables binary has been called and the rules have been set,
> then yes, it's the same across any flavour of Linux (I guess).
> 
> I meant that the distro's implementation of how the rules are managed is
> different. There are loads of different ways. A quick search on a Ubuntu
> system reveals the following. I'm guessing that all of these use
> iptables, but some are better than others at changing rules "on the
> fly".

So it's all about 'how' the firewall is managed (by which tools that is). Netfilter by itself isn't static. Using iptables you can change the firewall dynamically. Using system-config-firewall you're static.

Thanks for clarifying!
-Hansa



* RE: Is the current firewall model static?
  2011-12-21 10:16       ` Hansa
@ 2011-12-21 10:22         ` Andrew Beverley
  0 siblings, 0 replies; 6+ messages in thread
From: Andrew Beverley @ 2011-12-21 10:22 UTC (permalink / raw)
  To: Hansa; +Cc: netfilter

On Wed, 2011-12-21 at 11:16 +0100, Hansa wrote:
> So it's all about 'how' the firewall is managed (by which tools that
>  is). Netfilter by itself isn't static. Using iptables you can change
>  the firewall dynamically. Using system-config-firewall you're static.

Correct.

> 
> Thanks for clarifying!

No problem :-)

Andy



