firewalld Lockdown

Summary

This feature adds a simple configuration setting for firewalld to be able to lock down configuration changes from local applications.

Owner

• Name: Thomas Woerner
• Email: twoerner@redhat.com

Current status

• Targeted release: Fedora 19
• Last updated: 2013-01-28
• Percentage of completion: 0%

Detailed Description

Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt). With this feature the administator can lock the firewall configuration so that none or only restricted applications are able to request firewall changes.

The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default. Comprehensive user and application policies will be added later on.

Benefit to Fedora

An easy way to lock the firewall configuration for local applications.

Scope

Only needs changes in firewalld and it's components.

How To Test

Set the lock and use system-config-printer - it will try to open some ports.

User Experience

The lock down settings defaults to disabled. If enabling the user can be sure that there are no configuration changes for the firewalld from local applications.

Dependencies

None.

Contingency Plan

This is a simple firewalld setting, which can be enabled or dropped easily.

Documentation

TBD

Release Notes

Fedora 19 includes the latest firewalld version that supports the firewalld lockdown feature to be able to lock the firewall configuration for local applications.

Comments and Discussion

• See Talk:Features/FirewalldLockdown