From: Andrew Beverley <andy@andybev.com>
To: Hansa <mythtv@logic-q.nl>
Cc: netfilter@vger.kernel.org
Subject: RE: Is the current firewall model static?
Date: Wed, 21 Dec 2011 09:27:28 +0000
Message-ID: <1324459648.4269.83.camel@steve-pc>
In-Reply-To: <002201ccbfc1$7743d7f0$65cb87d0$@nl>

On Wed, 2011-12-21 at 10:18 +0100, Hansa wrote:
> > I think that what they mean is that the current *Fedora* firewall model
> > is static. It looks like firewalld still uses iptables, but is slightly
> > more intelligent as to how it processes changes to rules and so on.
> 
> I wasn't aware the firewall model is implemented differently across
> different Linux flavors. I thought netfilter implements a packet
> filtering framework into the Linux kernel. Shouldn't it work the same
> on every Linux flavor?

Once the iptables binary has been called and the rules have been set,
then yes, it's the same across any flavour of Linux (I guess).

I meant that the distro's implementation of how the rules are managed is
different. There are loads of different ways. A quick search on an Ubuntu
system reveals the following. I'm guessing that all of these use
iptables, but some are better than others at changing rules "on the
fly".

ufw - program for managing a Netfilter firewall
apf-firewall - easy iptables based firewall system
dtc-xen-firewall - A small firewall script for your dom0
ebox-firewall - eBox - Firewall
ferm - maintain and setup complicated firewall rules
fiaif - An easy to use, yet complex firewall
filtergen - packet filter generator for various firewall systems
firehol - An easy to use but powerful iptables stateful firewall
firestarter - gtk program for managing and observing your firewall
guarddog - firewall configuration utility for KDE
ipkungfu - iptables-based Linux firewall
kmyfirewall - iptables based firewall configuration tool for KDE
mason - Interactively creates a Linux packet filtering firewall
pyroman - Very fast firewall configuration tool
uif - Advanced iptables-firewall script
uruk - Very small firewall script, for configuring iptables

>  I did the following test.
> 
> Ssh on port 22 into a Linux box with following filter rules
> # iptables -L -n --line-numbers
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> 
> Remove line 3, so new ssh connections are rejected. The current ssh session however should be working because of rule number 1.
> 
> # iptables -D INPUT 3
> # echo "yup it does"
> yup it does
> 
> Seems pretty much dynamic to me :)

With any of the above wrappers, you'll always be able to add and remove
rules directly using iptables commands.

Andy
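The property Hansa's test depends on can be checked mechanically from an `iptables -L -n --line-numbers` listing: a `RELATED,ESTABLISHED` accept must sit ahead of any `REJECT`/`DROP`, so deleting the `state NEW tcp dpt:22` rule cannot cut the session you are typing in. The following is an added example (not code from this thread or from any of the tools listed above); it parses the quoted listing, replays `iptables -D INPUT 3` on the parsed rules, and re-evaluates both the established-session guarantee and whether a fresh SSH connection would still be accepted. Note the caveat it surfaces: rule 2 is an unconditional `ACCEPT all`, which would admit new SSH regardless of rule 3 unless it carries an interface match such as `-i lo`, and `-L` without `-v` does not show the in/out interface columns, so list with `iptables -L -n -v --line-numbers` before reasoning about such rules.

```python
"""Parse one chain of `iptables -L -n --line-numbers` output and check the
ordering property that keeps established sessions alive while rules are
edited on the fly. Added example; the sample listing is the one quoted in
the thread, not a constructed one."""
import re

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# Columns printed by -L -n --line-numbers; 'extra' holds match text (state, dpt, ...).
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_chain(listing):
    """Return (chain_name, policy, rules) for a single-chain listing."""
    lines = listing.strip().splitlines()
    head = re.match(r"^Chain (\S+) \(policy (\S+)\)", lines[0])
    if not head:
        raise ValueError("not a chain header: %r" % lines[0])
    rules = []
    for line in lines[2:]:  # lines[1] is the column header row
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule line: %r" % line)
        rule = m.groupdict()
        rule["num"] = int(rule["num"])
        rule["extra"] = rule["extra"].strip()
        rules.append(rule)
    return head.group(1), head.group(2), rules


def delete_rule(rules, num):
    """Mimic `iptables -D <chain> <num>`: drop that rule and renumber the rest."""
    kept = [dict(r) for r in rules if r["num"] != num]
    for i, r in enumerate(kept, 1):
        r["num"] = i
    return kept


def states(rule):
    """Set of conntrack states named by a `state A,B` match, empty if none."""
    m = re.search(r"\bstate (\S+)", rule["extra"])
    return set(m.group(1).split(",")) if m else set()


def established_protected(policy, rules):
    """True if existing connections are accepted before any REJECT/DROP fires."""
    for r in rules:
        if (r["target"] == "ACCEPT" and r["prot"] == "all"
                and {"RELATED", "ESTABLISHED"} & states(r)):
            return True
        if r["target"] in ("REJECT", "DROP"):
            return False
    return policy == "ACCEPT"


def _matches_new_ssh(rule):
    """Could this rule match a fresh TCP SYN to port 22, given what -L -n shows?
    (Interface matches are invisible without -v, so an 'ACCEPT all' counts.)"""
    if rule["prot"] not in ("all", "tcp"):
        return False
    st = states(rule)
    if st and "NEW" not in st:
        return False
    m = re.search(r"\bdpt:(\d+)", rule["extra"])
    return not (m and m.group(1) != "22")


def new_ssh_allowed(policy, rules):
    """First-match evaluation of a new SSH connection against the chain."""
    for r in rules:
        if _matches_new_ssh(r):
            if r["target"] == "ACCEPT":
                return True
            if r["target"] in ("REJECT", "DROP"):
                return False
    return policy == "ACCEPT"


if __name__ == "__main__":
    chain, policy, rules = parse_chain(SAMPLE_LISTING)
    print(chain, "before: established kept =", established_protected(policy, rules),
          "| new ssh allowed =", new_ssh_allowed(policy, rules))
    after = delete_rule(rules, 3)  # the `iptables -D INPUT 3` from the thread
    print(chain, "after:  established kept =", established_protected(policy, after),
          "| new ssh allowed =", new_ssh_allowed(policy, after))
```

Run as-is it reports that the established-session guarantee holds both before and after the deletion, and that a new SSH connection is still accepted afterwards because of the blanket rule 2; only once that rule is also removed (or shown by `-v` to be interface-bound) does the REJECT in rule 4 become the first match for new SSH.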


