Linux Gets Dynamic Firewalls In Fedora 15
darthcamaro writes "Linux users have long relied on iptables for in-distro firewall setup. The upcoming Fedora 15 release changes that and introduces us to new dynamic firewall technology. 'Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,' Fedora Project Leader Jared Smith said. 'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"
OpenBSD (Score:3, Informative)
"'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"
What?
http://www.openbsd.org/faq/pf/
pf will always be better than iptables in every way.
Ignorant and misleading article. (Score:5, Informative)
This article is ignorant and misleading. The "new technology" has nothing to do with Linux; iptables rules are already dynamic. It's the Fedora management tooling that no longer wipes the entire set of rules and loads them afresh.
The truth is here: http://fedoraproject.org/wiki/Features/DynamicFirewall [fedoraproject.org]
OpenBSD's PF has been adaptive for years (Score:5, Informative)
Over in OpenBSD [openbsd.org] land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see e.g. these table samples [home.nuug.no]). One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see e.g. this set of tutorial examples [home.nuug.no]). In addition, the OpenBSD versions of dhcpd [openbsd.org] and bgpd [openbsd.org] as well as other applications are routinely set up to interact with your filtering config via tables.
Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy [openbsd.org] for example) or relayd [openbsd.org] (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.
My BSDCan slides [home.nuug.no] have more material, as of course does The Book of PF [nostarch.com], and never forget The PF docs [openbsd.org] as the authoritative source.
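The table and anchor mechanics the post above describes, driven from the shell. This is an added example, not code from the thread or from the OpenBSD documentation; the table name, the anchor name, the ports and the 192.0.2.0/24 addresses (TEST-NET-1) are made up, and it assumes root on an OpenBSD host with pf enabled. Anywhere else it only prints the pf.conf fragment it would use.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenBSD docs): PF tables and
# anchors changed at run time, with the main ruleset left alone.
# Table/anchor names, ports and addresses are made up for illustration.

# pf.conf fragment: a persistent table that the ruleset blocks from, filled
# automatically by the state-tracking options on the ssh rule, plus an anchor
# that programs (or an admin) can load rules into and flush again later.
pf_fragment() {
    cat <<'EOF'
table <bruteforce> persist
block in quick from <bruteforce>
pass in on egress proto tcp to port ssh keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
anchor "dynsvc"
EOF
}

# Manipulate the table and the anchor without reloading pf.conf.
pf_demo() {
    pfctl -t bruteforce -T add 192.0.2.10        # block one host right now
    pfctl -t bruteforce -T show                  # list current entries
    pfctl -t bruteforce -T expire 86400          # drop entries older than a day
    pfctl -t bruteforce -T delete 192.0.2.10     # and unblock the host again

    # A service opening its own port: rules go into the anchor only.
    # 'pfctl -f -' reads the rules from stdin.
    echo 'pass in on egress proto tcp to port 8080' | pfctl -a dynsvc -f -
    pfctl -a dynsvc -sr                          # show what the anchor holds
    pfctl -a dynsvc -F rules                     # service stopped: empty the anchor
}

# Only touch a live firewall where that is actually possible.
if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    pf_demo
else
    echo "pfctl not available or not root; pf.conf fragment this example assumes:"
    pf_fragment
fi
```

Entries added with `-T add` survive a `pfctl -f /etc/pf.conf` reload only because the table is declared `persist`; without that keyword a reload rebuilds the table from whatever is listed in pf.conf. The `flush global` on the overload rule is what makes the block take effect against connections the offender already has open, not just new ones.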
Re:WTF?? (Score:2, Informative)
Can someone please explain to me what's wrong with appending and deleting a firewall rule:
sorry, couldn't resist ;)
$ iptables-restre /root/ipt.state
should be
$ iptables-restore /root/ipt.state
Re:OpenBSD (Score:5, Informative)
no need to get upset. author just worded it really badly. as most already said, iptables already had add/remove/save/restore, although i can see you get a boner every time you mention openbsd
here is how this works
- service/program starts and sends d-bus message "hey, i need xxx port to work (yes, i really meant classic pr0n port;)
- user gets prompted and needs to validate the decision through authentication.
- port is open
- when software stops, it sends another d-bus message "close pr0n port"
- port is closed
this is not a scenario which would be usable in any server environment. but for a n00b user running something... might just be a life saver not to get confused with a bunch of howtos that are too advanced for him.
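Two of the things the comments above are getting at, in iptables terms: the rules themselves can be changed one at a time (the "append/delete" point in the Re:WTF?? reply, and the "the tooling wipes everything" point in the "Ignorant and misleading" comment), and an "open this port while I run, close it when I stop" request like the D-Bus flow sketched above boils down to an insert with a guaranteed matching delete. This is an added example, not code from the thread, from Fedora or from the feature page; the chain name, the ports and the `sleep` stand-in for a service are made up, and it assumes a host with iptables. Without root it only prints the restore fragment it would load.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora's tooling): changing a
# live iptables ruleset without the flush-and-reload the thread complains
# about. Chain name, ports and the stand-in service command are made up.

IPT=${IPT:-iptables}                        # override for dry runs (e.g. a stub)
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# 1) Replace the contents of ONE user chain, leaving the rest of the table alone.
# Emit an iptables-restore fragment for CHAIN in the filter table with one
# ACCEPT per tcp port.  Usage: build_chain_ruleset CHAIN PORT...
build_chain_ruleset() {
    chain=$1; shift
    printf '*filter\n'
    # A ':' line creates a user chain if it is missing; under --noflush an
    # existing user chain listed this way is flushed, so the chain body is
    # replaced as a whole while everything else in the table stays put.
    printf ':%s - [0:0]\n' "$chain"
    for port in "$@"; do
        printf '%s %s -p tcp --dport %s -j ACCEPT\n' -A "$chain" "$port"
    done
    printf '%s %s -j RETURN\n' -A "$chain"
    printf 'COMMIT\n'
}

# Load the fragment (--noflush keeps every table and chain not mentioned in
# it) and make INPUT jump to the chain exactly once: -C tests for the rule
# before -I adds it, so repeated runs do not pile up duplicate jumps.
apply_chain_ruleset() {
    chain=$1; shift
    build_chain_ruleset "$chain" "$@" | "$IPT_RESTORE" --noflush
    "$IPT" -C INPUT -j "$chain" 2>/dev/null || "$IPT" -I INPUT 1 -j "$chain"
}

# 2) Open a port only for the lifetime of one process and remove the rule
# again however it exits.  Usage: with_open_port PORT COMMAND [ARGS...]
with_open_port() {
    port=$1; shift
    rule="INPUT -p tcp --dport $port -j ACCEPT"   # unquoted below on purpose
    "$IPT" -C $rule 2>/dev/null || "$IPT" -I $rule
    # The subshell keeps the traps local to this helper. INT/TERM turn into a
    # normal exit so the EXIT trap runs exactly once and deletes the rule.
    (
        trap 'exit 130' INT TERM
        trap 'rc=$?; "$IPT" -D $rule; exit $rc' EXIT
        "$@"
    )
}

# Only touch the live firewall where that is actually possible.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    apply_chain_ruleset DYN_SERVICES 8080 8443
    "$IPT" -S DYN_SERVICES
    with_open_port 9000 sleep 2      # stand-in for a service; rule gone after 2s
else
    echo "not root or no iptables; restore fragment this example would load:"
    build_chain_ruleset DYN_SERVICES 8080 8443
fi
```

The fragment route is what tools like fail2ban-style helpers use to own one chain without disturbing the rest of the ruleset; the `with_open_port` route is the minimal version of what a D-Bus-driven "open a port for me" request has to guarantee after the user has approved it: the rule is added once, checked with `-C` so a second request does not duplicate it, and deleted on every exit path.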
Re:Seriously? (Score:5, Informative)
Try reading the original feature page:
http://fedoraproject.org/wiki/Features/DynamicFirewall [fedoraproject.org]
the main benefit of this is not for manual changes, really. See 'Benefit to Fedora'. Hell, just read the whole thing. It makes it quite clear.