From Fedora Project Wiki
No edit summary
No edit summary
Line 40: Line 40:
* Network class support (F-13+, requires to add the ability to classify network connections (network profiles) in NetworkManager)
* Network class support (F-13+, requires to add the ability to classify network connections (network profiles) in NetworkManager)
* User policy support (F-13+)
* User policy support (F-13+)
The old firewall behaviour will still be usable if the firewall is set to static mode. This makes it backward compatible.


=== Dynamic firewall ===
=== Dynamic firewall ===

Revision as of 17:06, 22 December 2009

system-config-firewall

What is system-config-firewall?

system-config-firewall is a graphical user interface for setting basic firewall rules.

Current firewall model

The current firewall model is static. The standard firewall configuration for IPv4 and IPv6 are created by lokkit. The initial firewall configuration is created at install time by anaconda and can be altered later on by the user with system-config-firewall, system-config-firewall-tui or the command line tool lokkit.

The configuration files are:

   /etc/sysconfig/iptables
   /etc/sysconfig/iptables-config
   /etc/sysconfig/ip6tables
   /etc/sysconfig/ip6tables-config

/etc/sysconfig/iptables is the iptables configuration file and contains the rules in iptables-save format for IPv4. Analog for /etc/sysconfig/ip6tables and ip6tables for IPv6.

The -config files contain the service configuration for the services iptables and ip6tables.

system-config-firewall and lokkit are creating the /etc/sysconfig/ip*tables files. The files contain the full firewall configuration. These files are applied with the iptables and ip6tables services. system-config-firewall is handling these services to apply new firewalls or firewall changes.

Advantages / Disadvantages

+ One source for the rules.

+ A user can easily see which rules are applied and which rules should be applied by comparing /etc/sysconfig/ip*tables with the output of ip*tables-save.

- The model is static, the firewall has to be restarted to apply changes.

- The /etc/sysconfig/ip*tables files are recreated for all changes.

- Active connections could be terminated because of restarting the firewall even for small changes.

Planned features

  • Dynamic firewall (F-12)
  • Full DBus interface (F-12)
  • User interaction mode (maybe F-12)
  • Network class support (F-13+, requires to add the ability to classify network connections (network profiles) in NetworkManager)
  • User policy support (F-13+)

The old firewall behaviour will still be usable if the firewall is set to static mode. This makes it backward compatible.

Dynamic firewall

The new firewall model will be dynamic. This means that /etc/sysconfig/ip*tables are not used for firewall configuration and will not be written for firewall changes. Also a lot of firewall changes are done without restarting the firewall. The firewall will be created and managed by lokkit. If /etc/sysconfig/ip*tables files are available, these will be used if the firewall is configured to be in static mode.

There will be new chains for services, ports, trusted interfaces, masquerading, port forwarding, icmp filtering and also services like libvirt. This will make custonmisation easier than before. Because of adding and removing rules to and from fixed chains in the firewall structure, these actions could not result in unexpected behaviour.

DBus interface

system-config-firewall will provide a dbus interface to easily configure the firewall. This will provide the ability to enable and disable services and to open or close ports, to mark and unmark interfaces as trusted or for masquerading, to add and remove port forwarding. Also adding or removing custom rules; but this will most likely require a firewall restart.

User intercation mode

This mode will make is possible for the user to allow connections to the machines for predefined services. These will be defined by the administrator. This feature

Network class support

To have network classes will make it possible for example to open services or to share printers or files only to a connection class or network area. A connection or network area can be classified by NetworkManager. A connection should default to untrusted or public and can be altered by the user to classes like home, work, trusted or also user-defined classes.

User policy support

The administrator will have the ability to define which users can use the user interaction mode.

Other firewall configuration options

Another way to configure the firewall it either by hand or with other firewall configuration tools in the repo. It is important to disable the firewall of system-config-firewall here.

Download

Grab the latest source from GIT

You can get the current source using the following commands:

$ git clone git://git.fedorahosted.org/git/system-config-firewall