Forgot your password?
typodupeerror
Red Hat Software Security Linux

Linux Gets Dynamic Firewalls In Fedora 15 176

Posted by Soulskill
from the changing-on-the-fly dept.
darthcamaro writes "Linux users have long relied on iptables for in-distro firewall setup. The upcoming Fedora 15 release changes that and introduces us to new dynamic firewall technology. 'Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,' Fedora Project Leader Jared Smith said. 'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"
This discussion has been archived. No new comments can be posted.

Linux Gets Dynamic Firewalls In Fedora 15

Comments Filter:
  • No comment? (Score:4, Funny)

    by Anonymous Coward on Saturday May 21, 2011 @05:59PM (#36204532)
    No comments yet, everyone's being raptured.
  • First (Score:5, Insightful)

    by Anonymous Coward on Saturday May 21, 2011 @05:59PM (#36204534)

    Ehm, iptables doesnt need reloading. Add a rule and it works right away?

    • by node 3 (115640)

      I haven't had to use iptables for quite some time now, but I think they are referring to making permanent changes. Sure, you can type in a new rule and it will take it, but it won't reload after a reboot.

      Aside from testing/tweaking to find the right settings, it seems a bit dangerous to modify the firewall on the fly anyway, because months later when you reboot, you might be stuck wondering why your VPN (etc.) isn't working. And by stuck wondering, I mean you'll get a call from someone who can't access the

      • by ksandom (718283)

        How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

        The DBUS stuff to have apps make requests is potentially very cool, I really hope it's well thought out though...

        • How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

          You can adjust the Fedora / RHEL / CentOS firewall on the fly with the iptables command. Yes you could just edit the save file and then reload the firewall, but it's always been possible to make
          • by ksandom (718283)
            Agreed. It's the same in Centos/Fedora. I was simply coming from the angle of what the distro makes easy for you. As far as I'm aware, the iptables command is the same (or close enough to it) from distro to distro.
        • by node 3 (115640)

          How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

          Irrelevant to the context of this thread. But if you want, this is what "reloading the whole firewall" refers to.

          The DBUS stuff to have apps make requests is potentially very cool, I really hope it's well thought out though...

          Exactly.

      • Typically in Linux you have a file under /etc with rules which get translated into iptables commands which you can run at any time. To many a change on line and permanent you need to change both but thats not really hard to do. Lots of people just change the file then reload but I suppose that could be a problem if you have 10000 rules.

        • or just, edit /etc/ file and then make iptables reread it. Simple :)
          • Yeah but I think the problem here is that if your linux box is a gateway to a large network the process of rereading a large block of rules will involve locking the network down entirely while the rules are parsed. This could take quite a while.

            • by Malnar (1810062)

              Not true, it takes less than a second to read in a rule file by iptables-restore with over 20k rules. (Generated by iptables-save, not a file of a 20k iptables -A commands). The TCP sessions are not even reset so flows do not get broken. Changing a rule (well, a rule can't be changed, but you can insert a new rule above the current one and delete the old which is what most firewalls do anyways), does not disrupt anything either. The only "issue" is that rule changes are not saved to disk automatically, howe

        • by node 3 (115640)

          No shit, the context was making changes on the fly. If you edit the conf file, then you are "reloading the whole firewall", which is what the OP was arguing about.

      • /sbin/service iptables save
      • by billcopc (196330)

        Ever heard of iptables-save ?

        Heck, Fedora/RHEL/CentOS bootscripts do it for you during shutdown, and reload them during startup.

        • Heck, Fedora/RHEL/CentOS bootscripts do it for you during shutdown, and reload them during startup.

          By default, I'm pretty sure they do not save the iptables chains on shutdown/restart. Not without edits to the iptables-config file.

          /etc/sysconfig/iptables-config

          # Save current firewall rules on stop.
          # Value: yes|no, default: no
          # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
          # (e.g. on system shutdown).
          IPTABLES_SAVE_ON_STOP="no"

          # Save current firewall rules on res
          • by billcopc (196330)

            Well, shit on me.

            I haven't used RHEL/CentOS 5.4+, so maybe the default has changed. Good catch.

      • by josepha48 (13953)
        iptables-save does not require a reload. So after you make your change you save, next reboot your change will be there saved. Not sure what they are talking about here.
    • by Lennie (16154)

      I think this is just a frontend to iptables

    • Re:WTF?? (Score:5, Interesting)

      by miknix (1047580) on Saturday May 21, 2011 @06:32PM (#36204746) Homepage

      Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall

      Can please someone explain me what's wrong with appending and deleting a firewall rule:

      $ iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
      $ iptables -D INPUT 2

      where on earth does this need iptables to be restarted?

      if we want to save the firewall state:

      $ iptables-save > /root/ipt.state

      where /root/ipt.state is just a human readable file

      and then load the firewall state:

      $ iptables-restre < /root/ipt.state

      AFAIK this is not "restarting" iptables, just replacing the entire ruleset in one shot.
      Again, WTF?

      • Re: (Score:2, Informative)

        by justsomebody (525308)

        Can please someone explain me what's wrong with appending and deleting a firewall rule:

        sorry, couldn't resist ;)

        $ iptables-restre /root/ipt.state

        should be

        $ iptables-restore /root/ipt.state

      • Actually, its possible that with an iptables-restore, the dynamic rules (iptables -m state --state RELATED ... ) might no longer function for existing connections. I'm not familiar enough with the internals to know for certain.

        In my case though, its not relevant; I always dynamically adjust my settings on the fly and then save my changes with iptables-save. When I'm done a large set of changes, I reboot the machine to make sure my changes load properly and don't negatively affect startup apps.

        • by miknix (1047580)

          That's a good point! The connection tracking for the state module is handled by the nf_conntrack iptables module, I'm not sure but I think the module will only flush its "cache" when the module is unloaded.. but don't get this for granted, I would need to recheck..
          Also, it is easy to check your point in iptables but do *other* (as in proprietary) firewalls do it?

          • I'm sure an OpenBSD person could speak for pf on this issue, but all the Cisco PIX people I know insist on reboots when changes are made.

      • by gweihir (88907)

        This "advancement" is for the incompetent. Instead of deleting rules, you can also make a new chain while the old one is in place, and then delete the old one and put the new one in its place (some detail missing ;-). I have done this just recently for a setup that does change between two different settings for one interface and cannot have anything open in between. A few hours of scripting at best.

      • where on earth does this need iptables to be restarted?

        It is better PR to say that it is a new feature that "no other mainstream operating system" possesses rather than just saying, oh yeah, Linux and iptables could do this all along.

        This announcement was a PR stunt, no more, no less.

        And as a person who who likes to use Linux, I was disappointed to see this type of fluff from the people behind Linux.

      • Bad summery. This just provides a high-level interface for exactly this kind of operation that iptables provides. Problem was, while iptables was dynamic, the high-tools that controlled it were not and tended to just dumbly write to a file then flush iptables current state and reload from that file, wasting iptables abilities. So this is just a new daemon to expose all of iptables functionality to configuration tools and uses an unmodified version of iptables to do all of the heavy lifting. One suspects the
    • I'm confused about the same thing. Must be an issue with GUI management of the firewall settings (via iptables-save; iptables-restore).

      I've always done live management of my Linux firewalls, including on Linux 2.2 and earlier. Using iptables from the command-line is the only way to go.

    • by gweihir (88907)

      Yes, this is a system for those that do not get iptables. Seems, once again, network security is made ready to be given into the hands of the incompetent.

    • by dbIII (701233)
      Also remove a rule and that happens right away as well.
    • by X0563511 (793323)

      It works even better if you use IP Sets [netfilter.org] with it. Check it out... it's been around for a while, but seems to be little known.

  • reloading? (Score:5, Insightful)

    by El_Muerte_TDS (592157) <.elmuerte. .at. .drunksnipers.com.> on Saturday May 21, 2011 @06:03PM (#36204560) Homepage

    it's hard to modify on the fly without reloading the entire firewall

    It is? Then what have I been doing wrong for all these year?

    • Re: (Score:2, Interesting)

      by LordHatrus (763508)
      I believe what they're trying to say is that it's more akin to the Windows world of things - "Hey, this apache-thing is trying to bind to port 80... do you want to let it through the firewall?"
  • Seriously? (Score:3, Interesting)

    by The O Rly Factor (1977536) on Saturday May 21, 2011 @06:10PM (#36204606)
    /sbin/service iptables save
    /sbin/service iptables restart

    You really CAN'T take the time out of your day to type that?
    • Re:Seriously? (Score:5, Informative)

      by AdamWill (604569) on Saturday May 21, 2011 @08:47PM (#36205534) Homepage

      Try reading the original feature page:

      http://fedoraproject.org/wiki/Features/DynamicFirewall [fedoraproject.org]

      the main benefit of this is not for manual changes, really. See 'Benefit to Fedora'. Hell, just read the whole thing. It makes it quite clear.

  • by vajorie (1307049)

    The apps can tell the firewall to open up a port for a period of time and then shut it back down.

    Woohoo!

  • by cras (91254) on Saturday May 21, 2011 @06:22PM (#36204690) Homepage

    The apps can tell the firewall to open up a port for a period of time and then shut it back down.

    I mean, it sounds almost like they could listen() a specific port, and once they're done with it, they could close() it! If all applications could always do this automatically, I think we could actually get rid of manual firewall configuration entirely!

    • by Junta (36770)

      Generally, linux desktop INPUT firewalls strike me as superfluous. That said, there is one use case, filtering out ports higher than 1024 from listening. This would mean any socket acting server-like would have to be explicitly blessed by someone with admin rights, which could mitigate certain types of trojan attacks.

      What cracks me up is all these firewalling rules being automatically removed and inserted by installing the relevant application. For example install openssh and the firewall magically gets

      • I filter ports below 1024 because I don't necessarily want them listening to connections from just anyone.

        I have several machines with rules like "iptables -I INPUT -i eth0 -p tcp --dport 22 -s 10.14.3.0/24 -m state --state NEW --syn -j ACCEPT" so that SSH isn't even listening to everyone, just the subnet I want it to listen to.

        PS for the people who may reply, that usually looks like:

        iptables -I INPUT -i eth0 -j INPUT-LAN
        iptables -A INPUT-LAN -s 10.14.0.0/16 -j MARK --set-mark 2
        iptables -A INPUT-LAN -s 10.1

  • OpenBSD (Score:3, Informative)

    by discore (80674) on Saturday May 21, 2011 @06:25PM (#36204704) Homepage

    "'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changing.'"

    What?

    http://www.openbsd.org/faq/pf/

    pf will always be better than iptables in every way.

    • Re:OpenBSD (Score:5, Informative)

      by justsomebody (525308) on Saturday May 21, 2011 @07:55PM (#36205206) Journal

      no need to get upset. author just worded it really badly. as most already said, iptables already had add/remove/save/restore, although i can see you get bonner every time you mention openbsd

      here is how this works
      - service/program starts and sends d-bus message "hey, i need xxx port to work (yes, i really meant classic pr0n port;)
      - user gets prompted and needs to validate decision trough authentication.
      - port is open
      - when software stops, it sends another d-bus message "close pr0n port"
      - port is closed

      this is not scenario which would be usable in any server environment. but for n00b user running something... might just be life saver not to get confused with bunch of for him too advanced howtos.

  • What's the point? (Score:3, Insightful)

    by Anonymous Coward on Saturday May 21, 2011 @06:28PM (#36204720)

    So an application can say hey I need a port open, please open a pinhole in the firewall.

    I don't get that. If you want applications to be free to open ports, why would you filter them in the first place? (and what does it mean to filter ports that are closed anyway?)

    I would say controlling such an ability in an application belongs to something that acts on bind(9) calls.

    • by jd (1658)

      It's basically tcpwrappers implemented as an IPTables facility, only without quite as much control over what external sources can do the opening. It's interesting but as IPTables is due to be replaced anyway, it's a pointless enhancement that simply wastes developer time.

  • by sydb (176695) <michaelNO@SPAMwd21.co.uk> on Saturday May 21, 2011 @06:29PM (#36204724)

    This article is ignorant and misleading. The "new technology" is nothing to do with Linux, iptables rules are already dynamic, it's the Fedora management tooling that no longer wipes the entire set of rules and loads them afresh.

    The truth is here: http://fedoraproject.org/wiki/Features/DynamicFirewall [fedoraproject.org]

  • by badger.foo (447981) <peter@bsdly.net> on Saturday May 21, 2011 @06:29PM (#36204728) Homepage
    The concept isn't very new or radical, but it will be interesting to see how their implementation behaves in real life.

    Over in OpenBSD [openbsd.org] land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see eg these table samples [home.nuug.no]. One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see eg this set of tutorial examples [home.nuug.no]). In addition, the OpenBSD versions of dhcpd [openbsd.org] and bgpd [openbsd.org] as well as other applications are routinely set up to interact with your filtering config via tables.

    Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy [openbsd.org] for example) or relayd [openbsd.org] (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.

    My BSDCan slides [home.nuug.no] has more material, as of course does The Book of PF [nostarch.com], and never forget The PF docs [openbsd.org] as the authoritative source.

    • by hedwards (940851)

      I've grown fond of PF over time. It's amazing to me how much it can do with a little foresight. Unfortunately, it's still a bitch to work with FTP.

  • Right now I have scripts to list the current ruleset, figure out the deltas between the new ruleset and old, add or remove rules as appropriate, and save that config to disk for reboots. It works well enough, better than restarting iptables, but it should be more efficient with these changes. I wondered why there wasn't a method (that I found; correct me if I'm wrong) for running batch changes without invoking the iptables command for each change.
  • by ka9dgx (72702) on Saturday May 21, 2011 @06:47PM (#36204826) Homepage Journal

    I'm one of the token Windows system admins here... and even I know that this stuff is just bloatware.

    • dynfw [gentoo.org] is just a script to do a few things with iptables, its not new functionality.
    • OpenSCAP [open-scap.org] is just some tools to manage code signing, which is an attempt to enumerate goodness, and doesn't actually fix things by improving security.

    I thought they were talking about something new and useful... not just some hype... oh well... looks like they care catching up with uSoft in that department.

  • by GMC-jimmy (243376)

    It's funny seeing newly converts feverishly pecking at GUI buttons in their favorite distro as if every piece of software on it was made at the same factory. You have to be gentle with them.

  • So... the Firewall stores allowed IP addresses in a table structure, lets say an AVL/RedBlack tree or a hash table. You certainly don't want every outbound connection (hole you punch) in the firewall to be permanent. So, why not add a time stamp, and if it remains unused for a long enough period of time, you remove that IP rule?

    You don't want to have to constantly run a background thread that scans the table for expired entries -- That would be needlessly wasteful! Instead, why don't we look at the no

    • by Sarten-X (1102295)

      Oh look, it's a troll!

      There's a few problems with your post. First, the story is about a management application, which shouldn't know anything about how recently-useful a rule was. Also, self-expiring rules would be a maintenance nightmare for any resource that's accessed only occasionally.

      "It's broken, okay?" is not a persuasive argument. Please do continue trolling. I find it entertaining. Next time, though, please be a bit more subtle.

  • This is very cool, don't know why it hasn't been thought of before.
  • So basically, every application, evil or not, can now request ports to open on the firewall? You may as well run everything as root and turn off SELinux as well. It will not only make it easier for the user to make changes, but also make the local firewall no longer a restriction for evildoers.
    Yes, I know, "SELinux access restrictions are also planned." but that is security added as a feature later on, not designed into the main architecture of the daemon. Right now, it's a big leak and I'd disable it first
  • by AHuxley (892839) on Sunday May 22, 2011 @02:06AM (#36206600) Homepage Journal
    http://en.wikipedia.org/wiki/Little_Snitch [wikipedia.org] software outgoing firewall for Mac OS X
    "If an application or process attempts to establish an outgoing internet connection Little Snitch prevents the connection. A dialog is presented which allows one to deny or permit"?
  • FTFA "The dynamic firewall is something that individuals or programs can communicate with to handle dynamic changes to whatever networking conditions require," Smith said. "So an application can sa,y hey I need a port open, please open a pinhole in the firewall."

    How awesome is that!?! Now applications in Linux can open holes in the network security of a user's machine. Who is the Microsoft employee implementing these stupid fucking changes? All holes start as "pinholes".

    iptables -A INPUT -p 22 -j ACCEPT

  • Many people do not understand that "iptables-restore" is an atomic operation. In fact, the head of the Fedora Infrastructure team didn't realize this until just within the last year (we were having lunch when it came up). I always edit the "iptables-save" output, adding new rules as I need them, and then "iptables-restore" them. Usually this is via editing /etc/sysconfig/iptables and running "service iptables start" on Fedora/CentOS). However, you definitely can add and delete specific rules to running

FORTRAN is a good example of a language which is easier to parse using ad hoc techniques. -- D. Gries [What's good about it? Ed.]

Working...