* Is the current firewall model static?
@ 2011-12-20 9:25 Hansa
2011-12-20 10:11 ` Andrew Beverley
0 siblings, 1 reply; 6+ messages in thread
From: Hansa @ 2011-12-20 9:25 UTC (permalink / raw)
To: netfilter
Hi there,
Fedora is running a project called firewalld. Firewalld manages the firewall
dynamically via D-BUS
(http://fedoraproject.org/wiki/FirewallD/#Why_A_Firewall_Daemon). They say:
"the current firewall model is static and **every** change requires a
complete firewall restart. This includes also to unload the firewall
netfilter kernel modules and to load the modules that are needed for the new
configuration."
I would be very surprised if their claim is true. Because that would break
statefull connections when changing the rules. I'm not familiar with the
code so I can't comment on that. Hence my question. Is the current firewall
model static?
Best regards,
-Hansa
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Is the current firewall model static?
2011-12-20 9:25 Is the current firewall model static? Hansa
@ 2011-12-20 10:11 ` Andrew Beverley
2011-12-21 9:18 ` Hansa
0 siblings, 1 reply; 6+ messages in thread
From: Andrew Beverley @ 2011-12-20 10:11 UTC (permalink / raw)
To: Hansa; +Cc: netfilter
On Tue, 2011-12-20 at 10:25 +0100, Hansa wrote:
> Hi there,
>
> Fedora is running a project called firewalld. Firewalld manages the firewall
> dynamically via D-BUS
> (http://fedoraproject.org/wiki/FirewallD/#Why_A_Firewall_Daemon). They say:
> "the current firewall model is static and **every** change requires a
> complete firewall restart. This includes also to unload the firewall
> netfilter kernel modules and to load the modules that are needed for the new
> configuration."
>
> I would be very surprised if their claim is true. Because that would break
> statefull connections when changing the rules. I'm not familiar with the
> code so I can't comment on that. Hence my question. Is the current firewall
> model static?
I think that what they mean is that the current *Fedora* firewall model
is static. It looks like firewalld still uses iptables, but is slightly
more intelligent as to how it processes changes to rules and so on.
Andy
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Is the current firewall model static?
2011-12-20 10:11 ` Andrew Beverley
@ 2011-12-21 9:18 ` Hansa
2011-12-21 9:27 ` Andrew Beverley
0 siblings, 1 reply; 6+ messages in thread
From: Hansa @ 2011-12-21 9:18 UTC (permalink / raw)
To: 'Andrew Beverley'; +Cc: netfilter
From: Andrew Beverley [mailto:andy@andybev.com]
Sent: dinsdag 20 december 2011 11:11
> On Tue, 2011-12-20 at 10:25 +0100, Hansa wrote:
> > Hi there,
> >
> > Fedora is running a project called firewalld. Firewalld manages the
> firewall
> > dynamically via D-BUS
> > (http://fedoraproject.org/wiki/FirewallD/#Why_A_Firewall_Daemon).
> They say:
> > "the current firewall model is static and **every** change requires a
> > complete firewall restart. This includes also to unload the firewall
> > netfilter kernel modules and to load the modules that are needed for
> the new
> > configuration."
> >
> > I would be very surprised if their claim is true. Because that would
> break
> > statefull connections when changing the rules. I'm not familiar with
> the
> > code so I can't comment on that. Hence my question. Is the current
> firewall
> > model static?
>
> I think that what they mean is that the current *Fedora* firewall model
> is static. It looks like firewalld still uses iptables, but is slightly
> more intelligent as to how it processes changes to rules and so on.
I wasn't aware the firewall model is implemented differently across different Linux flavors. I thought netfilter implements a packet filtering framework into the Linux kernel. Shouldn't it work the work the same on every Linux flavor? I did the following test.
Ssh on port 22 into a Linux box with following filter rules
# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
4 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Remove line 3, so new ssh connections are rejected. The current ssh session however should be working because of rule number 1.
# iptables -D INPUT 3
# echo "yup it does"
yup it does
Seems pretty much dynamic to me :)
Am I missing something?
-Hansa
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Is the current firewall model static?
2011-12-21 9:18 ` Hansa
@ 2011-12-21 9:27 ` Andrew Beverley
2011-12-21 10:16 ` Hansa
0 siblings, 1 reply; 6+ messages in thread
From: Andrew Beverley @ 2011-12-21 9:27 UTC (permalink / raw)
To: Hansa; +Cc: netfilter
On Wed, 2011-12-21 at 10:18 +0100, Hansa wrote:
> > I think that what they mean is that the current *Fedora* firewall model
> > is static. It looks like firewalld still uses iptables, but is slightly
> > more intelligent as to how it processes changes to rules and so on.
>
> I wasn't aware the firewall model is implemented differently across
> different Linux flavors. I thought netfilter implements a packet
> filtering framework into the Linux kernel. Shouldn't it work the work
> the same on every Linux flavor?
Once the iptables binary has been called and the rules have been set,
then yes, it's the same across any flavour of Linux (I guess).
I meant that the distro's implementation of how the rules are managed is
different. There are loads of different ways. A quick search on a Ubuntu
system reveals the following. I'm guessing that all of these use
iptables, but some are better than others at changing rules "on the
fly".
ufw - program for managing a Netfilter firewall
apf-firewall - easy iptables based firewall system
dtc-xen-firewall - A small firewall script for your dom0
ebox-firewall - eBox - Firewall
ferm - maintain and setup complicated firewall rules
fiaif - An easy to use, yet complex firewall
filtergen - packet filter generator for various firewall systems
firehol - An easy to use but powerful iptables stateful firewall
firestarter - gtk program for managing and observing your firewall
guarddog - firewall configuration utility for KDE
ipkungfu - iptables-based Linux firewall
kmyfirewall - iptables based firewall configuration tool for KDE
mason - Interactively creates a Linux packet filtering firewall
pyroman - Very fast firewall configuration tool
uif - Advanced iptables-firewall script
uruk - Very small firewall script, for configuring iptables
> I did the following test.
>
> Ssh on port 22 into a Linux box with following filter rules
> # iptables -L -n --line-numbers
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 4 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Remove line 3, so new ssh connections are rejected. The current ssh session however should be working because of rule number 1.
>
> # iptables -D INPUT 3
> # echo "yup it does"
> yup it does
>
> Seems pretty much dynamic to me :)
With any of the above wrappers, you'll always be able to add and remove
rules directly using iptables commands.
Andy
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Is the current firewall model static?
2011-12-21 9:27 ` Andrew Beverley
@ 2011-12-21 10:16 ` Hansa
2011-12-21 10:22 ` Andrew Beverley
0 siblings, 1 reply; 6+ messages in thread
From: Hansa @ 2011-12-21 10:16 UTC (permalink / raw)
To: 'Andrew Beverley'; +Cc: netfilter
On Wed, 2011-12-21 at 10:27 +0100, Andrew Beverley wrote:
> On Wed, 2011-12-21 at 10:18 +0100, Hansa wrote:
> > > I think that what they mean is that the current *Fedora* firewall model
> > > is static. It looks like firewalld still uses iptables, but is slightly
> > > more intelligent as to how it processes changes to rules and so on.
> >
> > I wasn't aware the firewall model is implemented differently across
> > different Linux flavors. I thought netfilter implements a packet
> > filtering framework into the Linux kernel. Shouldn't it work the work
> > the same on every Linux flavor?
>
> Once the iptables binary has been called and the rules have been set,
> then yes, it's the same across any flavour of Linux (I guess).
>
> I meant that the distro's implementation of how the rules are managed is
> different. There are loads of different ways. A quick search on a Ubuntu
> system reveals the following. I'm guessing that all of these use
> iptables, but some are better than others at changing rules "on the
> fly".
So it's all about 'how' the firewall is managed (by which tools that is). Netfilter by itself isn't static. Using iptables you can change the firewall dynamically. Using system-config-firewall you're static.
Thanks for clarifying!
-Hansa
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Is the current firewall model static?
2011-12-21 10:16 ` Hansa
@ 2011-12-21 10:22 ` Andrew Beverley
0 siblings, 0 replies; 6+ messages in thread
From: Andrew Beverley @ 2011-12-21 10:22 UTC (permalink / raw)
To: Hansa; +Cc: netfilter
On Wed, 2011-12-21 at 11:16 +0100, Hansa wrote:
> So it's all about 'how' the firewall is managed (by which tools that
> is). Netfilter by itself isn't static. Using iptables you can change
> the firewall dynamically. Using system-config-firewall you're static.
Correct.
>
> Thanks for clarifying!
No problem :-)
Andy
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2011-12-21 10:22 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-12-20 9:25 Is the current firewall model static? Hansa
2011-12-20 10:11 ` Andrew Beverley
2011-12-21 9:18 ` Hansa
2011-12-21 9:27 ` Andrew Beverley
2011-12-21 10:16 ` Hansa
2011-12-21 10:22 ` Andrew Beverley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).