Linux Gets Dynamic Firewalls In Fedora 15
darthcamaro writes "Linux users have long relied on iptables for in-distro firewall setup. The upcoming Fedora 15 release changes that and introduces us to new dynamic firewall technology. 'Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,' Fedora Project Leader Jared Smith said. 'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"
No comment? (Score:4, Funny)
Re: (Score:3)
Re:No comment? (Score:4, Funny)
Why not? We're all virgins who were tricked into viewing the goatse image.
First (Score:5, Insightful)
Ehm, iptables doesn't need reloading. Add a rule and it works right away?
Re: (Score:2)
I haven't had to use iptables for quite some time now, but I think they are referring to making permanent changes. Sure, you can type in a new rule and it will take it, but it won't reload after a reboot.
Aside from testing/tweaking to find the right settings, it seems a bit dangerous to modify the firewall on the fly anyway, because months later when you reboot, you might be stuck wondering why your VPN (etc.) isn't working. And by stuck wondering, I mean you'll get a call from someone who can't access the
Re: (Score:2)
How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.
The DBUS stuff to have apps make requests is potentially very cool, I really hope it's well thought out though...
Re: (Score:3)
You can adjust the Fedora / RHEL / CentOS firewall on the fly with the iptables command. Yes you could just edit the save file and then reload the firewall, but it's always been possible to make
Re: (Score:2)
Re: (Score:2)
How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.
Irrelevant to the context of this thread. But if you want, this is what "reloading the whole firewall" refers to.
The DBUS stuff to have apps make requests is potentially very cool, I really hope it's well thought out though...
Exactly.
Re: (Score:2)
Typically in Linux you have a file under /etc with rules which get translated into iptables commands which you can run at any time. To make a change online and permanent you need to change both, but that's not really hard to do. Lots of people just change the file then reload, but I suppose that could be a problem if you have 10000 rules.
Re: (Score:2)
Re: (Score:2)
Yeah but I think the problem here is that if your linux box is a gateway to a large network the process of rereading a large block of rules will involve locking the network down entirely while the rules are parsed. This could take quite a while.
Re: (Score:2)
Not true, it takes less than a second to read in a rule file by iptables-restore with over 20k rules. (Generated by iptables-save, not a file of a 20k iptables -A commands). The TCP sessions are not even reset so flows do not get broken. Changing a rule (well, a rule can't be changed, but you can insert a new rule above the current one and delete the old which is what most firewalls do anyways), does not disrupt anything either. The only "issue" is that rule changes are not saved to disk automatically, howe
Re: (Score:2)
No shit, the context was making changes on the fly. If you edit the conf file, then you are "reloading the whole firewall", which is what the OP was arguing about.
Re: (Score:2)
Re: (Score:2)
Ever heard of iptables-save ?
Heck, Fedora/RHEL/CentOS bootscripts do it for you during shutdown, and reload them during startup.
Re: (Score:2)
By default, I'm pretty sure they do not save the iptables chains on shutdown/restart. Not without edits to the iptables-config file.
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on res
Re: (Score:2)
Well, shit on me.
I haven't used RHEL/CentOS 5.4+, so maybe the default has changed. Good catch.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Insightful)
Wow linux works when all power is cut-off to the computer? Brilliant!
Seriously this is an idiotic statement. Not needing to reboot a machine is all the more reason to test rebooting it and make sure all previous changes are persistent and the machine comes up correctly. If you don't you'll find that machine will go down for a reboot unexpectedly on the 24th December at 5pm and you're on the on-call list.
Re: (Score:3)
Linux still doesn't need reboots; that doesn't mean they don't happen. I don't see where the contradiction is.
Re: (Score:2)
There's no contradiction. I'm just pointing out the absurdity of saying you don't need to worry about making persistent changes because you don't need to reboot the computer. If that's the case why not remove your boot loader? You don't need it anyway right? IPTABLES changes aren't persistent between reboots which is the problem the parent was trying to explain in the first place.
Re: (Score:2)
Ahhh yes, the magical UPS. Let me tell you a story:
We have an emergency shutdown system at work. It is fed from 2 UPSes in parallel, with two independent battery banks, fed from two independent switchboards, one of the switchboards takes the town energy supply, and the other from both town supply and a diesel generator with an auto transfer switch. It is a bullet proof design.
Yet to follow the standards means to discharge test the batteries every 2 years. One day we performed this test in the usual way. Che
Re: (Score:2)
I think this is just a frontend to iptables
Re:WTF?? (Score:5, Interesting)
Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall
Can someone please explain to me what's wrong with appending and deleting a firewall rule:
$ iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
$ iptables -D INPUT 2
where on earth does this need iptables to be restarted?
if we want to save the firewall state:
$ iptables-save > /root/ipt.state
where /root/ipt.state is just a human readable file
and then load the firewall state:
$ iptables-restre < /root/ipt.state
AFAIK this is not "restarting" iptables, just replacing the entire ruleset in one shot.
Again, WTF?
Re: (Score:2, Informative)
Can someone please explain to me what's wrong with appending and deleting a firewall rule:
sorry, couldn't resist ;)
$ iptables-restre /root/ipt.state
should be
$ iptables-restore /root/ipt.state
Re: (Score:2)
there is still something missing, isn't there :<P
Re: (Score:2)
Re: (Score:2)
Actually, it's possible that with an iptables-restore, the dynamic rules (iptables -m state --state RELATED ... ) might no longer function for existing connections. I'm not familiar enough with the internals to know for certain.
In my case though, it's not relevant; I always dynamically adjust my settings on the fly and then save my changes with iptables-save. When I've done a large set of changes, I reboot the machine to make sure my changes load properly and don't negatively affect startup apps.
Re: (Score:2)
That's a good point! The connection tracking for the state module is handled by the nf_conntrack iptables module. I'm not sure, but I think the module will only flush its "cache" when the module is unloaded.. but don't take this for granted, I would need to recheck..
Also, it is easy to check your point in iptables but do *other* (as in proprietary) firewalls do it?
Re: (Score:2)
I'm sure an OpenBSD person could speak for pf on this issue, but all the Cisco PIX people I know insist on reboots when changes are made.
Re: (Score:2)
This "advancement" is for the incompetent. Instead of deleting rules, you can also make a new chain while the old one is in place, and then delete the old one and put the new one in its place (some detail missing ;-). I have done this just recently for a setup that does change between two different settings for one interface and cannot have anything open in between. A few hours of scripting at best.
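The chain-swap technique the post above sketches (build a new chain while the old one is in place, then put it where the old one was) is shown here as an added example; it is not code from the thread, from Fedora or from the netfilter project, and it also covers the plain -A/-D/-I edits quoted earlier in the thread. The parent chain keeps one jump into a named chain; the replacement is built in full beside it, the jump is flipped with a single -R (replace), and only then is the retired chain flushed and deleted, so the parent is never left without rules and existing flows keep their conntrack state. Assumptions that are mine, not the thread's: the parent's jump sits at rule position 1 unless told otherwise, rule specs arrive one per line on stdin, and setting IPT=trace prints the commands instead of applying them (no root needed).

```shell
#!/bin/sh
# Added example (not from the thread): replace a live iptables chain without a
# window in which no rules apply.
# IPT=trace dry-runs; the default applies the rules with iptables.

IPT="${IPT:-iptables}"
trace() { printf '%s\n' "$*"; }

# build_chain NAME: create NAME and fill it from stdin, one rule spec per line
# (the part after "-A NAME"); blank lines and # comments are skipped.
# The chain ends in an explicit DROP so nothing falls through by accident.
build_chain() {
    name="$1"
    $IPT -N "$name" || return 1
    while IFS= read -r spec; do
        case "$spec" in ''|'#'*) continue ;; esac
        # $spec is intentionally unquoted: it is several iptables arguments
        $IPT -A "$name" $spec || return 1
    done
    $IPT -A "$name" -j DROP
}

# swap_chain PARENT LIVE STAGED [POS [MATCH...]]: replace PARENT's jump (rule
# POS, default 1) so it targets STAGED, retire LIVE, then rename STAGED to LIVE
# so the next rebuild can reuse the same names. MATCH is whatever the jump
# rule itself matches on (for example -i eth0); -R rewrites the whole rule.
swap_chain() {
    parent="$1"; live="$2"; staged="$3"; pos="${4:-1}"
    [ $# -ge 4 ] && shift 4 || shift 3
    $IPT -R "$parent" "$pos" "$@" -j "$staged" || return 1
    $IPT -F "$live" || return 1
    $IPT -X "$live" || return 1
    $IPT -E "$staged" "$live"
}

# Typical cut-over for a LAN-facing chain; lan.rules is a constructed file name
# holding lines such as "-p tcp --dport 22 -s 10.14.3.0/24 -j ACCEPT":
#   build_chain INPUT-LAN-staged < lan.rules \
#     && swap_chain INPUT INPUT-LAN INPUT-LAN-staged 1 -i eth0
```

Because -D and -R both need the exact rule text, keeping the per-host policy in its own chain and touching the parent only through one jump is what makes the cut-over a single kernel operation; the same layout is why a later iptables-save/iptables-restore cycle reproduces the chains faithfully.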
Re: (Score:2)
where on earth does this need iptables to be restarted?
It is better PR to say that it is a new feature that "no other mainstream operating system" possesses rather than just saying, oh yeah, Linux and iptables could do this all along.
This announcement was a PR stunt, no more, no less.
And as a person who likes to use Linux, I was disappointed to see this type of fluff from the people behind Linux.
This is an iptables wrapper, not reimplementation. (Score:3)
Re: (Score:2)
It isn't the first either, windows firewall GUI has done this since Vista.
Re: (Score:2)
Re: (Score:2)
I'm confused about the same thing. Must be an issue with GUI management of the firewall settings (via iptables-save; iptables-restore).
I've always done live management of my Linux firewalls, including on Linux 2.2 and earlier. Using iptables from the command-line is the only way to go.
Re: (Score:3)
Yes, this is a system for those that do not get iptables. Seems, once again, network security is made ready to be given into the hands of the incompetent.
Re: (Score:2)
Re: (Score:3)
It works even better if you use IP Sets [netfilter.org] with it. Check it out... it's been around for a while, but seems to be little known.
reloading? (Score:5, Insightful)
It is? Then what have I been doing wrong for all these years?
Re: (Score:2, Interesting)
Re: (Score:2)
For example, say I want to start allowing port 22:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
That is not restarting firewall while users were using the system. I may have to do some juggling if I want the rule in the middle.
On a related note, I've always detested redhat firewall configuration for making more chains than needed for their straightforward configuration, making the rules appear far more complicated than they are.
Re: (Score:2)
Yeah, you're right, if you're doing the iptables by hand you're good to go. Most Redhat sysadmins edit the sysconfig/iptables file and issue a restart, though. And, right, for more complex rules changes it's pretty tough to do without a reload (though it is possible with enough creativity).
Re: (Score:2)
No you aren't.
iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT
At no point is anything incorrectly dropped or accepted.
Re: (Score:3)
Professionals do not care about "sexy", they care about "works efficiently and reliably". Amateurs care about "sexy". I guess there are now enough Windows admins administering (or trying to) Linux systems, that "sexy" becomes a factor...
Seriously? (Score:3, Interesting)
You really CAN'T take the time out of your day to type that?
Re:Seriously? (Score:5, Informative)
Try reading the original feature page:
http://fedoraproject.org/wiki/Features/DynamicFirewall [fedoraproject.org]
the main benefit of this is not for manual changes, really. See 'Benefit to Fedora'. Hell, just read the whole thing. It makes it quite clear.
Re: (Score:2)
If you're playing around with iptables you're probably not a 'masses' user. There are some nice frontends for end users, but this sort of thing is for the person owning a server or whatever.
Again, you use the console because it's faster.
Re: (Score:3)
Oh, honest to God. Do we have to spell it out? So you make a bloody tinkertoy launcher on the desktop that says "restart firewall" and it runs the command line "sudo /sbin/service iptables restart." Takes about one minute to create. That is so simple even a monkey too stupid to learn anything can do it. Then you make more launchers to do other firewall tasks.
Re: (Score:2)
Re: (Score:2)
Or you just fix the fucking firewall so you don't have to create a "bloody tinkertoy". Seriously, iptables is ok for a server or a nerd desktop machine, but even a "bloody tinkertoy" is too complex. The mere notion of a "restart firewall" icon is unnecessary, and completely indefensible compared to simply fixing the firewall system in the first place.
Re: (Score:2)
Except there is nothing wrong with iptables to fix.
Re: (Score:2)
If "the masses" want to continue to disregard RTFMing and want a hand-holding experience like everything else computing-based in their lives, then they can go play with Ubuntu, or Mac OS.
Now get off my lawn.
Re: (Score:3)
Why should someone even have to know such commands in the first place?
How about an automotive analogy? If you can't parallel park, you can't claim to know how to drive. If you can't change a flat tire, you shouldn't be licensed to drive. If you can't walk around your vehicle to see if all the parts are in the correct places (lights, tires, bumpers, windows - basic shit like that), then you should be charged with reckless driving when the cop pulls you over for driving on a flat tire and a broken turn signal.
Just because you can have your car - or your computer - do things for
Re: (Score:2)
I don't need to know how to disassemble and rebuild the engine in order to drive. I don't need to know how the transmission works, or the brakes, or the windshield wipers' intermittent timer. I just need to know that they will work as needed, when needed. When they don't work, I can get somebody else to fix them.
This applies to computers, as well. I don't really need to know how the ALU works, I don't need to know the Ethernet protocols, and I don't need to know the commands to directly manipulate a firewal
Re: (Score:2)
Where do you draw the line? See, your disassemble-and-rebuild-an-engine analogy to my mind would be more comparable to knowing how to implement something like netfilter than to knowing how to use the iptables command to manipulate it.
If you and other people maintain this silly attitude that it's unreasonable to have to *learn* something in order to operate complex tools, there is no end in sight. Next you will be telling us you should not have to know where to click in all those menus and buttons.
Re: (Score:2)
I don't want a line, and I'm certainly not going to pick some arbitrary place to put it. Why must there be any particular set of arcane knowledge required to access a given technology? Shouldn't one of the goals of interface design be to make features accessible to the widest array of users possible?
Apparently, somebody involved in the Fedora project didn't like the necessity of the iptables commands, and preferred making a nice GUI. That's a great benefit to someone like me, who changes their firewall once
Re: (Score:2)
On the other hand, I detest the "Windows way" where every configuration setting is a GUI option, and the command-line tools are barely sufficient to get a GUI working after a failure.
I want the best of both. I want a powerful command line, and an easy-to-learn GUI.
That the "Windows way" is all about GUI is merely a ./ misconception. Most hardcore Unix'ers don't realize that there is an alternative to text config files, or they refuse to accept so. Windows has a powerful built-in firewall which supports both incoming and outgoing rules, rules based on ports and/or applications. It is easily managed from the GUI and doesn't require a reboot or even a restart of any service after a rule has been changed/added/deleted.
But Windows has also for the longest time exposed all such fu
Re: (Score:2)
Other than that, Jared Smith is factually wrong. Windows has for years supported dynamic configuration of the firewall, and Windows is certainly a "mainstream" operating system, even if he wishes it wasn't so.
Yes, I WTF'd that too. As I sit here in my Firefox browser on my Gnome desktop I remember these silly dynamic firewall thingies called ZoneAlarm and Internet Connection Firewall (aka Windows Firewall) that have been kicking around since the years 2000 and 2001 respectively.
Re: (Score:2)
Why should someone even have to know such commands in the first place?
How about an automotive analogy? If you can't parallel park, you can't claim to know how to drive.
Sure you can.
If you can't change a flat tire, you shouldn't be licensed to drive.
Says who? But sure, let's follow this automotive analogy. If you don't make it so that you can drive a car without being able to change a flat, then you have no business complaining when someone who does gets all the business.
Just because you can have your car - or your computer - do things for you automagically shouldn't relieve you of the responsibility to UNDERSTAND THE SYSTEM!!
That's, quite simply, nothing more than elitist nerd bullshit.
Re: (Score:3)
Elitist nerd bullshit? No - that is real world, real life, pragmatism. Many of you city folk have never been 100 miles from the nearest town, or garage, or service station. But, I have. Not only can I change a tire - I can, and have, changed a tire on an 18-wheeler. Now - you can do the math, if you like. ASSuming that a cell phone would work, I could have called a mechanic, and waited 2 to 4 hours for him to get there. Then, waited for him to change the tire. Then followed him to his garage where I
Re: (Score:2)
Re: (Score:3)
Save for the very simplest firewalls (like you'll find in your $29.99 Dlink) there are not a lot of ways to make things simpler. Advanced firewalls, whether iptables, Cisco IOS or whatever, require knowledge of packets and protocols beyond just "redirect port 80 to my shiny new web server". Look at Webmin for an example of a web-based config system that is actually more difficult than the command line, because the vast array of options has to be spelled out.
Powerful utilities are by their very nature co
Dbus (Score:2)
Woohoo!
Whoa, you can dynamically open ports! (Score:3)
The apps can tell the firewall to open up a port for a period of time and then shut it back down.
I mean, it sounds almost like they could listen() a specific port, and once they're done with it, they could close() it! If all applications could always do this automatically, I think we could actually get rid of manual firewall configuration entirely!
Re: (Score:2)
Generally, linux desktop INPUT firewalls strike me as superfluous. That said, there is one use case, filtering out ports higher than 1024 from listening. This would mean any socket acting server-like would have to be explicitly blessed by someone with admin rights, which could mitigate certain types of trojan attacks.
What cracks me up is all these firewalling rules being automatically removed and inserted by installing the relevant application. For example install openssh and the firewall magically gets
Re: (Score:3)
I filter ports below 1024 because I don't necessarily want them listening to connections from just anyone.
I have several machines with rules like "iptables -I INPUT -i eth0 -p tcp --dport 22 -s 10.14.3.0/24 -m state --state NEW --syn -j ACCEPT" so that SSH isn't even listening to everyone, just the subnet I want it to listen to.
PS for the people who may reply, that usually looks like:
iptables -I INPUT -i eth0 -j INPUT-LAN
iptables -A INPUT-LAN -s 10.14.0.0/16 -j MARK --set-mark 2
iptables -A INPUT-LAN -s 10.1
OpenBSD (Score:3, Informative)
"'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"
What?
http://www.openbsd.org/faq/pf/
pf will always be better than iptables in every way.
Re:OpenBSD (Score:5, Informative)
no need to get upset. author just worded it really badly. as most already said, iptables already had add/remove/save/restore, although i can see you get bonner every time you mention openbsd
here is how this works
- service/program starts and sends d-bus message "hey, i need xxx port to work (yes, i really meant classic pr0n port;)
- user gets prompted and needs to validate the decision through authentication.
- port is open
- when software stops, it sends another d-bus message "close pr0n port"
- port is closed
this is not a scenario which would be usable in any server environment. but for a n00b user running something... it might just be a life saver not to get confused with a bunch of howtos that are too advanced for him.
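The sequence in the post above (program asks for a port, the port is opened, and it is closed again when the program stops), and the "just listen() and close()" remark made earlier in the thread, can be reproduced on any iptables box with a shell trap instead of D-Bus messages. This is an added example, not code from the thread or from Fedora's firewall daemon. The rule is inserted at the top of INPUT, the command runs, and the identical rule is deleted afterwards, including on Ctrl-C or kill, so the hole lives exactly as long as the program does. Assumptions that are mine: IPv4, inbound filtering happens in INPUT, a source prefix is mandatory so a pinhole is never world-open by accident, and IPT=trace prints the commands instead of applying them (no root needed).

```shell
#!/bin/sh
# Added example (not from the thread): open a pinhole for the lifetime of one
# program and remove it on every exit path.
# IPT=trace dry-runs; the default applies the rules with iptables.

IPT="${IPT:-iptables}"
trace() { printf '%s\n' "$*"; }

# pinhole_rule PROTO PORT SOURCE: the match-and-verdict part of the rule, built
# in one place so that -I and -D use exactly the same words (-D only deletes
# a rule that matches word for word).
pinhole_rule() {
    printf '%s' "-s $3 -p $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# with_pinhole PROTO PORT SOURCE -- COMMAND [ARGS...]
# Opens the hole, runs COMMAND, closes the hole, and returns COMMAND's own
# exit status so callers can still see whether the program failed.
with_pinhole() {
    proto="$1"; port="$2"; src="$3"; shift 3
    [ "$1" = "--" ] && shift
    rule=$(pinhole_rule "$proto" "$port" "$src")
    # $rule is intentionally unquoted: it is several iptables arguments
    $IPT -I INPUT 1 $rule || return 1
    (
        # cleanup is idempotent: the rule is deleted at most once even though
        # both the signal traps and the EXIT trap may run it
        cleanup() { [ -n "$rule" ] && $IPT -D INPUT $rule; rule=; }
        trap cleanup EXIT
        trap 'cleanup; exit 130' INT
        trap 'cleanup; exit 143' TERM
        "$@"
        rc=$?
        cleanup
        exit $rc
    )
}

# Example: let hosts on 10.14.3.0/24 reach a one-off HTTP listener for as long
# as it runs (python3's http.server is just a stand-in for any listening program):
#   with_pinhole tcp 8000 10.14.3.0/24 -- python3 -m http.server 8000
```

Scoping the rule to NEW connections from one prefix is what keeps this closer to "a firewall that applications can ask for a port" than to "applications disable the firewall": the program still cannot widen the match, and the hole disappears with the process rather than lingering until someone remembers it.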
Re: (Score:2)
Bonner? Wasn't he the lead singer for U2?
Re: (Score:3)
IPTables rules can not only be per-application, per-user and per-instance, or per any definable group thereof (intserv), the rules themselves can contain whatever conditions you like (including checks for packet labels, layer 7 checks, etc). The main question I have to ask is why Red Hat still uses IPTables rather than nf-HiPAC or nftables, the two competing replacement stacks. IPTables is long-in-the-tooth and can't compete on performance or flexibility with the alternatives, so extending IPTables' functio
Re: (Score:2)
the only way you could get the same feature was using zonealarm (except zonealarm didn't close the port after the application stopped). and before answering, read the right documentation, not the blurb this author wrote
Re: (Score:2)
and yes, you can from early iptables start, which predates any firewall presence in windows.
you can set rulesets in specific tables, you can add/remove them dynamically, save/restore from the very first time of iptables replacing ipchains, which already had that feature too.
Re: (Score:2)
As for calling XP's firewall a firewall..
based on lack of features and being inbound only, this car analogy kinda fits it
"BEST CAR IN UNIVERSE!!!!! only missing 3 tires and there is no engine, but do not fear... space where you can put your own engine is intact and perfectly cleaned. also, seats and wheel can be included with additional purchase, as a special feature mirrors were cleaned daily"
Re: (Score:2)
More like how lazy the "admins" are (to learn the simple syntax). Iptables may have its limitations but it's not like you're writing sendmail rulesets.
What's the point? (Score:3, Insightful)
So an application can say hey I need a port open, please open a pinhole in the firewall.
I don't get that. If you want applications to be free to open ports, why would you filter them in the first place? (and what does it mean to filter ports that are closed anyway?)
I would say controlling such an ability in an application belongs to something that acts on bind(9) calls.
Re: (Score:2)
It's basically tcpwrappers implemented as an IPTables facility, only without quite as much control over what external sources can do the opening. It's interesting but as IPTables is due to be replaced anyway, it's a pointless enhancement that simply wastes developer time.
Ignorant and misleading article. (Score:5, Informative)
This article is ignorant and misleading. The "new technology" is nothing to do with Linux, iptables rules are already dynamic, it's the Fedora management tooling that no longer wipes the entire set of rules and loads them afresh.
The truth is here: http://fedoraproject.org/wiki/Features/DynamicFirewall [fedoraproject.org]
OpenBSD's PF has been adaptive for years (Score:5, Informative)
Over in OpenBSD [openbsd.org] land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see eg these table samples [home.nuug.no]). One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see eg this set of tutorial examples [home.nuug.no]). In addition, the OpenBSD versions of dhcpd [openbsd.org] and bgpd [openbsd.org] as well as other applications are routinely set up to interact with your filtering config via tables.
Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy [openbsd.org] for example) or relayd [openbsd.org] (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.
My BSDCan slides [home.nuug.no] have more material, as of course does The Book of PF [nostarch.com], and never forget The PF docs [openbsd.org] as the authoritative source.
Re: (Score:2)
I've grown fond of PF over time. It's amazing to me how much it can do with a little foresight. Unfortunately, it's still a bitch to work with FTP.
This is not revolutionary, but nice (Score:2)
Ugh... bloatware (Score:3)
I'm one of the token Windows system admins here... and even I know that this stuff is just bloatware.
I thought they were talking about something new and useful... not just some hype... oh well... looks like they are catching up with uSoft in that department.
lol (Score:2)
It's funny seeing new converts feverishly pecking at GUI buttons in their favorite distro as if every piece of software on it was made at the same factory. You have to be gentle with them.
Temporary rules to keep the IP addr. table clean (Score:2)
So... the Firewall stores allowed IP addresses in a table structure, let's say an AVL/RedBlack tree or a hash table. You certainly don't want every outbound connection (hole you punch) in the firewall to be permanent. So, why not add a time stamp, and if it remains unused for a long enough period of time, you remove that IP rule?
You don't want to have to constantly run a background thread that scans the table for expired entries -- That would be needlessly wasteful! Instead, why don't we look at the no
Re: (Score:2)
Oh look, it's a troll!
There's a few problems with your post. First, the story is about a management application, which shouldn't know anything about how recently-useful a rule was. Also, self-expiring rules would be a maintenance nightmare for any resource that's accessed only occasionally.
"It's broken, okay?" is not a persuasive argument. Please do continue trolling. I find it entertaining. Next time, though, please be a bit more subtle.
Awesome! (Score:2)
Security hole? (Score:2)
Yes, I know, "SELinux access restrictions are also planned." but that is security added as a feature later on, not designed into the main architecture of the daemon. Right now, it's a big leak and I'd disable it first
So is this like (Score:3)
"If an application or process attempts to establish an outgoing internet connection Little Snitch prevents the connection. A dialog is presented which allows one to deny or permit"?
um what? (Score:2)
FTFA "The dynamic firewall is something that individuals or programs can communicate with to handle dynamic changes to whatever networking conditions require," Smith said. "So an application can say, hey I need a port open, please open a pinhole in the firewall."
How awesome is that!?! Now applications in Linux can open holes in the network security of a user's machine. Who is the Microsoft employee implementing these stupid fucking changes? All holes start as "pinholes".
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
A common iptables misconception. (Score:2)
Re: (Score:3)
no, it takes down dbus and it might make something on your _desktop_ not work anymore (because I think that is what this is for). iptables is in the kernel, it is not affected.
Re: (Score:2)
Linux, as always, proves that it is always up to date with modern technology.
So sayeth the shepherd, so sayeth the flock.
Re: (Score:2)
Re: (Score:2)
These are only problems for drivers outside the kernel. Fuck them.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
This is the spirit of firewalls on WINDOWS, but not on systems that are trying to be secure.
Re: (Score:2)
As an aside, am I the only one who thinks it's insane to allow applications to tell the firewall what to do? The firewall is a sanity check to keep applications in line.
I completely agree. One important task of firewalls is to serve as a second line of defense for application bugs. This is a really terrible idea, one more from the convenience-over-security movement. I wonder why they do not just disable the firewall. Probably because they want "firewall" in the feature list.
Convenience, security, pick one.