From Fedora Project Wiki

Cortafuegos Dinamico con FirewallD

firewalld provee un cortafuegos dinámico administrable con soporte para zonas de redes/cortafuego para definir el nivel de confianza de las redes conectadas o las interfaces. Tiene soporte para configuraciones de cortafuego para IPv4, IPv6 y para puentes de ethernet, posee una separacion de las configuraciones que están en ejecución y las configuraciones permanentes. También posee suporte una interface para servicios o aplicaciones para adicionar reglas directamente.

El modelo del sistema cortafuego anterior con system-config-firewall/lokkit era estatico y cada cambio requería un reinicio completo del cortafuego. Esto incluye descargar los modules de cortafuego del núcleo como netfilter y cargarlos nuevamente para cada nueva configuración. La descarga de los módulos estaba rompiendo el estado del cortafuego y estableciendo las conexiones nuevamente.

Por otro lado el demonio del cortafuego dinámico aplica los cambios sin reiniciar todo el cortafuego. Por ello no es necesario descargar y cargar todos los módulos de cortafuego del núcleo. Pero al usar el demonio del cortafuego requiere que todas las modificaciones del cortafuego se realicen por medio del demonio para asegurarse que el estado del demonio del cortafuego el cortafuego del núcleo estén en sincronía. El demonio del cortafuego no puede interpretar las reglas de cortafuego agregadas por los comandos de ip*tables y ebtables.

El demonio provee información acerca de la configuración actual del cortafuegos via D-BUS de igual forma acepta cambios por medio del D-BUS usando los métodos de autentifica del PolicyKit

El Demonio

Las aplicaciones, demonios y el usuario pueden solicitar establecer funciones del cortafuego por medio de D-BUS. Una función puede ser una de las características predefinidas del cortafuego como servicios, puertos y combinación de protocolos, re envíos de puertos/paquetes, enmascarado o bloqueo de icmp. Las características pueden ser habilitadas por cierta cantidad de tiempo o pueden deshabilitarse nuevamente.

Con la llamada interfaces directa otros servicios (como por ejemplo libvirt) pueden adicionar sus propias reglas usando argumentos y parámetros de iptables.

La ayuda del cortafuego netfilter, que son por ejemplo usadas en los servicios como amanda, ftp, samba y tftp, tambien son manegadas por el demonio siempre y cuando ellas sean parte de un servicio predefinido. Cargar ayudantes adicionales no es parte de la interfaces actual. Para algunos ayudantes la descarga es solo posible luego que todas las conexiones administradas por el modulo han sido cerradas. Por ello el registro de la información de la conexión es importante y se tiene que tomar en confederación.

Cortafuego Estatico (system-config-firewall/lokkit)

El modelo de cortafuego estático actual con system-config-firewall y lokkit se mantendrá disponible y configurable, pero no al mismo tiempo que el demonio. El usuario o el administrador puede decidir cual de las dos soluciones de cortafuego puede usar y habilitara los servicios correspondientes.

Se a planeado agregar una configuración de cortafuego para ser utilizada al momento de la instalación o en el primer inicio. La configuración de la otra solución permanecerá intacta y disponible para ser habilitada al cambiar al otro modelo.

El demonio del cortafuego es independiente de system-config-firewal, pero no debe ser usado al mismo tiempo.

Usando las reglas del cortafuego estático con los servicios de iptables y ip6tables

If you want to use your own static firewall rules with the iptables and ip6tables services, install iptables-services and disable firewalld and enable iptables and ip6tables:

yum install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service

Use /etc/sysconfig/iptables y /etc/sysconfig/ip6tables para las reglas estáticas del cortafuego.

Nota: El paquete iptables y iptables-services no proveen reglas para el uso de los servicios en el cortafuego. Los servicios estab disponibles por compatibilidad y para las personas que desean utilizar sus propias reglas de cortafuego. Usted puede instalar y usar system-config-firewal para crear reglas con los servicios. Para poder usar system-config-firewall usted tiene que detener firewalld.

Luego de crear las reglas para usarlas con los servicios detenga firewalld e inicie los servicios de iptables y ip6tables:

systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service

¿Que es una zona?

Una zona de red define el nivel de confianza de la conexión de red. Esto es una relación de uno a muchos, que significa que la conexión puede ser parte de una zona, pero una zona puede ser usada por muchas conexiones de red.

Servicios Predefinidos

Un servicio es una combinación de una entrada de protocolo y puerto. Opcionalmente el modulo de ayuda netfilter puede ser adicionado y también direcciones de destino IPv4 y IPv6

Puertos y Protocolos

Define los puertos tcp y upp, donde los puertos pueden ser únicos o un rango de puertos.

Bloques de ICMP

Mensajes seleccionados del Internet Control Message Protocol (ICMP). Estos mensajes son solicitudes de información o creados para responder a las solicitudes o condiciones de error.

Enmascarado

Las direciones de una red privada son asignadas y escondidas detrás de una dirección de IP publica. Esta es una forma de traducción de direcciones.

Reenvió de puertos

Un puerto puede ser asignado a otro puerto o a otro huésped.

¿Que zonas están disponibles?

Estas zonas son proveídas por firewalld y arregladas de acuerdo al nivel de confianza predefinido de las zonas de no es de confianza a es de confiaza:

drop

Cualquier paquete de entrada es abandonada, no hay respuesta. Solo conexiones de salida son posibles.

block

Cualquier conexión de entrada es rechazada con un mensaje icmp-host-prohibited para IPv4 y icmp6-adm-prohibited para IPv6. Solo conexiones iniciadas dentro de este sistema son posibles.

public

Para uso en areas publicas. Usted no confía de las otras computadoras en la red que quieran hacer daño a su computador. Solo conexiones seleccionadas son aceptadas.

external

Para el uso de redes externas con el enmascarado habilitado por los ruteadores. Usted no confia en las computadoras en la red pueden hacer daño a su computador. Solo conexiones de entrada seleccionadas son aceptadas.

dmz

Para computadores en una zona des militarizada que son de acceso publico con acceso limitado a su red interna. Solo conexiones seleccionadas son aceptadas.

work

Para el uso en áreas de trabajo. Usted confiá mayormente en que las computadores de la red no hagan daño a su computador. Solo coneciones de entrada seleccionadas son aceptadas.

home

Para uso en el área del hogar. Usted confiá en que las computadores de la red no representan peligro para su computador. Solo conexiones de entrada seleccionadas son aceptadas

internal

Para el uso de redes internas. Usted confiá que las computadores de la red no representa peligro para su computador. Solo conexiones de entrada seleccionadas son aceptadas.

trusted

Todas las conexiones son aceptas.

¿Que zona debo usar?

En una red inalambrica publica por ejemplo usted debe utilizar sin confianza, una red cacera alambrada puede ser de confianza. Seleccione la zona que se ajuste mayormente a la red que esta usando.

¿Como configurar o agregar zonas?

Para configurar o agregar zonas usted puede utilizar alguna de las interfaces de firewalld. Estas son la interfaces de configuración gráfica firewall-config, la herramienta de comandos firewall-cmd or la interface D-BUS. O usted puede crear o copiar el archivo de zona en el directorio de configuraciones. @PREFIX@/lib/firewalld/zones es usado como configuración por defecto y en caso de fallo y /etc/firewalld/zones es usado para las configuraciones creadas por el usuario y los archivos de configuración personalizados.


Como establecer o cambiar a una zona

La zona es almacenada en el ifcfg de la conexion con la opción ZONE=. Si la opción no existe o esta vacia, la zona por defecto es usada en firewalld.

Si la conexión es controlada por NetworkManager, usted tamnien puede utilizar nm-connection-editor para cambiar la zona.

Conexiones administradas por NetworkManager

El cortafuego no puede manejar los nombres de las redes mostraos en el NetworkManager, solo puede manejar las interfaces de red. Por lo tanto NetworkManager le indica a firewalld poner las interfaces de red relacionadas a esas conexiones en las zonas definidas dentro del archivo de configuración (ifcfg) antes que la conexión inicie. Si la zona no es enviada en el archivo de configuración, la interface sera puesta en la zona predeterminada por firewalld. Si la conexión tiene mas de una interface, las ambas sera entregadas al firewalld. También cambia los nombres de las interfaces que serán manejadas por NetworkManager y entregadas a Firewalld.

Para simplificar estas conexiones seran usadas como zonas relacionadas de ahora en adelante.


NetworkManager también le dice a firewalld que remueva las conexiones de las zonas si la conexión se interrumpe.

Si firewalld es iniciado o reiniciado por systemd o un script de init, firewalld notifica al NetworkManager y las conexiones que serán adicionadas en las zonas

Conexiones de red administradas por scripts de red

Para las conexiones de red administradas por scripts de red hay limitaciones: No existe demonio que le pueda indicar a firewalld que agregue conexiones a la zona. Esto solo es realizado por el script ifcfg-post. Por lo tanto los cambios de nombre después de este no pueden ser entregados por firewalld. También iniciar o reiniciar firealld si las conexiones estan activas resulta en perdida de la relación. Hay ideas de como solucionar esto. La mas sencilla es empujar todas las conexiones a la zona por defecto que no sean establecidas de otra manera.

La zona que define las características del cortafuego que están definidas para esta zona son:

Working with firewalld

To enable or disable firewall features for example in zones, you can either use the graphical configuration tool firewall-config or the command line client firewall-cmd

Using firewall-cmd

The command line client firewall-cmd supports all firewall features. For status and query modes, there is no output, but the command returns the state.

Generic use

  • Get the status of firewalld
 firewall-cmd --state

This returns the status of firewalld, there is no output. To get a visual state use:

 firewall-cmd --state && echo "Running" || echo "Not running"

As of Fedora 19, the status seems printed just fine:

 # rpm -qf $( which firewall-cmd )
 firewalld-0.3.3-2.fc19.noarch
 # firewall-cmd --state
 not running
  • Reload the firewall without loosing state information:
 firewall-cmd --reload

If you are using --complete-reload instead, the state information will be lost. This option should only be used in case of severe firewall problems for example if there are state information problems that no connection can be established but the firewall rules are correct.

  • Get a list of all supported zones
 firewall-cmd --get-zones

This command prints a space separated list.

  • Get a list of all supported services
 firewall-cmd --get-services

This command prints a space separated list.

  • Get a list of all supported icmptypes
 firewall-cmd --get-icmptypes

This command prints a space separated list.

  • List all zones with the enabled features.
 firewall-cmd --list-all-zones

The output format is:

 <zone>
   interfaces: <interface1> ..
   services: <service1> ..
   ports: <port1> ..
   forward-ports: <forward port1> ..
   icmp-blocks: <icmp type1> ..
   
   ..
  • Print zone <zone> with the enabled features. If zone is omitted, the default zone will be used.
 firewall-cmd [--zone=<zone>] --list-all
  • Get the default zone set for network connections
 firewall-cmd --get-default-zone
  • Set the default zone
 firewall-cmd --set-default-zone=<zone>

All interfaces that are located in the default zone will be pushed in the new default zone, that defines the limitations for new external initiated connection attempts. Active connections are not affected.

  • Get active zones
 firewall-cmd --get-active-zones

The command prints the interfaces that are set to be part of a zone in this form:

 <zone1>: <interface1> <interface2> ..
 <zone2>: <interface3> ..
  • Get zone related to an interface
 firewall-cmd --get-zone-of-interface=<interface>

This prints the zone name, if the interface is part of a zone

  • Add an interface to a zone
 firewall-cmd [--zone=<zone>] --add-interface=<interface>

Add an interface to a zone, if it was not in a zone before. If the zone options is omitted, the default zone will be used. The interfaces are reapplied after reloads.

  • Change the zone an interface belongs to
 firewall-cmd [--zone=<zone>] --change-interface=<interface>

This is similar to the --add-interface options, but pushes the interface in the new zone even if it was in another zone before.

  • Remove an interface from a zone
 firewall-cmd [--zone=<zone>] --remove-interface=<interface>
  • Query if an interface is in a zone
 firewall-cmd [--zone=<zone>] --query-interface=<interface>

Returns if the interface is in the zone. There is no output.

  • List the enabled services in a zone
 firewall-cmd [ --zone=<zone> ] --list-services
  • Enable panic mode to block all network traffic in case of emergency
 firewall-cmd --panic-on
  • Disable panic mode
 firewall-cmd --panic-off
Panic options changed in 0.3.0
In firewalld versions prior to 0.3.0, the panic options are --enable-panic and --disable-panic.
  • Query panic mode
 firewall-cmd --query-panic

This returns the state of the panic mode, there is no output. To get a visual state use

 firewall-cmd --query-panic && echo "On" || echo "Off"

Runtime zone handling

In the runtime mode the changes to zones are not permanent. The changes will be gone after reload or restart.

  • Enable a service in a zone
 firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]

This enables a service in a zone. If zone is not set, the default zone will be used. If timeout is set, the service will only be enabled for the amount of seconds in the zone. If the service is already active, there will be no warning message.

  • Example: Enable ipp-client service for 60 seconds in the home zone:
 firewall-cmd --zone=home --add-service=ipp-client --timeout=60
  • Example: Enable the http service in the default zone:
 firewall-cmd --add-service=http
  • Disable a service in a zone
 firewall-cmd [--zone=<zone>] --remove-service=<service>

This disables a service in a zone. If zone is not set, the default zone will be used.

  • Example: Disable http service in the home zone:
 firewall-cmd --zone=home --remove-service=http

The service will be disabled in the zone. If the service is not enabled in the zone, there will be an warning message.

  • Query if a service is enabled in a zone
 firewall-cmd [--zone=<zone>] --query-service=<service>

This returns 1 if the service is enabled in the zone, otherwise 0. There is no output.

  • Enable a port and protocol combination in a zone
 firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]

This enables a port and protocol combination. The port can be a single port <port> or a port range <port>-<port>. The protocol can be either tcp or udp.

  • Disable a port and protocol combination in a zone
 firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
  • Query if a port and protocol combination in enabled in a zone
 firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

This command returns if it is enabled, there is no output.

  • Enable masquerading in a zone
 firewall-cmd [--zone=<zone>] --add-masquerade

This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.

  • Disable masquerading in a zone
 firewall-cmd [--zone=<zone>] --remove-masquerade
  • Query masquerading in a zone
 firewall-cmd [--zone=<zone>] --query-masquerade

This command returns if it is enabled, there is no output.

  • Enable ICMP blocks in a zone
 firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>

This enabled the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.

  • Disable ICMP blocks in a zone
 firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
  • Query ICMP blocks in a zone
 firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>

This command returns if it is enabled, there is no output.

  • Example: Block echo-reply messages in the public zone:
 firewall-cmd --zone=public --add-icmp-block=echo-reply
  • Enable port forwarding or port mapping in a zone
 firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

The port is either mapped to the same port on another host or to another port on the same host or to another port on another host. The port can be a singe port <port> or a port range <port>-<port>. The protocol is either tcp or udp. toport is either port <port> or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.

  • Disable port forwarding or port mapping in a zone
 firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
  • Query port forwarding or port mapping in a zone
 firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

This command returns if it is enabled, there is no output.

  • Example: Forward ssh to host 127.0.0.2 in the home zone
 firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Permanent zone handling

The permanent options are not affecting runtime directly. These options are only available after a reload or restart. To have runtime and permanent setting, you need to supply both. The --permanent option needs to be the first option for all permanent calls.

  • Get a list of supported permanent services
 firewall-cmd --permanent --get-services
  • Get a list of supported permanent icmptypes
 firewall-cmd --permanent --get-icmptypes
  • Get a list of supported permanent zones
 firewall-cmd --permanent --get-zones
  • Enable a service in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-service=<service>

This enables the service in the zone permanently. If the zone option is omitted, the default zone is used.

  • Disable a service in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
  • Query if a service is enabled in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-service=<service>

This command returns if it is enabled, there is no output.

  • Example: Enable service ipp-client permanently in the home zone
 firewall-cmd --permanent --zone=home --add-service=ipp-client
  • Enable a port and protocol combination permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
  • Disable a port and protocol combination permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
  • Query if a port and protocol combination is enabled permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

This command returns if it is enabled, there is no output.

  • Example: Enable port 443/tcp for https permanently in the home zone
 firewall-cmd --permanent --zone=home --add-port=443/tcp
  • Enable masquerading permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-masquerade

This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.

  • Disable masquerading permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
  • Query masquerading permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-masquerade

This command returns if it is enabled, there is no output.

  • Enable ICMP blocks permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>

This enabled the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.

  • Disable ICMP blocks permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
  • Query ICMP blocks permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>

This command returns if it is enabled, there is no output.

  • Example: Block echo-reply messages in the public zone:
 firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
  • Enable port forwarding or port mapping permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

The port is either mapped to the same port on another host or to another port on the same host or to another port on another host. The port can be a singe port <port> or a port range <port>-<port>. The protocol is either tcp or udp. toport is either port <port> or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.

  • Disable port forwarding or port mapping permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
  • Query port forwarding or port mapping permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

This command returns if it is enabled, there is no output.

  • Example: Forward ssh to host 127.0.0.2 in the home zone
 firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Direct options

The direct options are mostly for services and applications to be able to add custom rules. The rules are not saved and have to get resubmitted after reload or restart. The arguments <args> of the passthrough option are the same as the corresponding iptables, ip6tables and ebtables arguments.

The --direct option needs to be the first option for all direct options.

  • Pass a command through to the firewall. <args> can be all iptables, ip6tables and ebtables command line arguments
 firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>
  • Add a new chain <chain> to a table <table>.
 firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>
  • Remove a chain with name <chain> from table <table>.
 firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>
  • Query if a chain with name <chain> exists in table <table>. Returns 0 if true, 1 otherwise.
 firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>

This command returns if it is enabled, there is no output.

  • Get all chains added to table <table> as a space separated list.
 firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb } <table>
  • Add a rule with the arguments <args> to chain <chain> in table <table> with priority <priority>.
 firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
  • Remove a rule with the arguments <args> from chain <chain> in table <table>.
 firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
  • Query if a rule with the arguments <args> exists in chain <chain> in table <table>. Returns 0 if true, 1 otherwise.
 firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>

This command returns if it is enabled, there is no output.

  • Get all rules added to chain <chain> in table <table> as a newline separated list of arguments.
 firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>

The current firewalld features

D-BUS Interface

The D-BUS interface gives information about the firewall state and makes it possible to enable, disable and query firewall settings.

Zones

A network or firewall zone defines the trust level of the interface used for a connection. There are several pre-defined zones provided by firewalld. Zone configuration options and generic file information are described in the firewalld.zone(5) man page.

Services

A service can be a list of local ports and destinations and additionally also a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Service configuration options and generic file information are described in the firewalld.service(5) man page.

ICMP types

The Internet Control Message Protocol (ICMP) is used to exchange information and also error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages. ICMP type configuration options and generic file information are described in the firewalld.icmptype(5) man page.

Direct interface

The direct interface is mainly used by services or applications to add specific firewall rules. The rules are not permanent and need to get applied after receiving the start, restart or reload message from firewalld using D-BUS.

Runtime configuration

The runtime configuration is not permanent and will only be restored for a reload. After restart or stop of the service or a system reboot, these options will be gone.

Permanent configuration

The permanent configuration is stored in config files and will be restored with every machine boot or service reload or restart.

Tray Applet

The tray applet firewall-applet visualizes the firewall state and also problems with the firewall for the user. It can also be used to configure settings by calling firewall-config.

Graphical Configuration Tool

The configuration tool firewall-config is the main configuration tool for the firewall daemon. It supports all features of the firewall besides the direct interface, this is handled by the service/application that added the rules.

Command Line client

firewall-cmd provides (most of) the configuration features of the graphical tool for the command line.

Support for ebtables

ebtables support is needed to fulfill all needs of the libvirt daemon and to prevent access problems between ip*tables and ebtables on kernel netfilter level. All these commands are accessing the same structures and therefore they should not be used at the same time.

Default/Fallback configuration in /usr/lib/firewalld

This directory contains the default and fallback configuration provided by firewalld for icmptypes, services and zones. The files provided with the firewalld package should not get changed and the changes are gone with an update of the firewalld package. Additional icmptypes, services and zones can be provided with packages or by creating files.

System configuration settings in /etc/firewalld

The system or user configuration stored here is either created by the system administrator or by customization with the configuration interface of firewalld or by hand. The files will overload the default configuration files.

To manually change settings of pre-defined icmptypes, zones or services, copy the file from the default configuration directory to the corresponding directory in the system configuration directory and change it accordingly.

If you are loading the defaults for a zone that has a default or fallback file, the file in /etc/firewalld will be renamed to <file>.old and the fallback will be used again.

Work in Progress Features

Rich Language

The rich language provides a high level language to be able to have more complex firewall rules for IPv4 and IPv6 without the knowledge of iptables syntax.

Fedora 19 provides milestone 2 of the rich language with D-Bus and command line client support. The milestone 3 will also provide support within firewall-config, the graphical configuration program.

For more information on this, please have a look at: firewalld Rich Language

Lockdown

Lockdown adds a simple configuration setting for firewalld to be able to lock down configuration changes from local applications or services. It is a very light version of application policies.

Fedora 19 provides milestone 2 of the lockdown feature with D-Bus and command line client support. The milestone 3 will also provide support within firewall-config, the graphical configuration program.

For more information on this, please have a look at: firewalld Lockdown

Permanent Direct Rules

This feature is in early state. It provides the ability to permanently save direct rules and chains. Passthorough rules are not part of this. See Direct options for more information on direct rules.

Migration from ip*tables and ebtables services

This feature is in an very early state. It will provide a conversion script that creates direct permanent rules from the iptables, ip6tables and ebtables service configurations as far as possible. A limitation here might be the integration into the direct chains firewalld provides.

This needs lots of tests at best also from more complex firewall configurations.

Planned and Proposed Features

Firewall Abstraction Model

Adding an abstraction layer on top of ip*tables and ebtables firewall rules makes adding rules simple and more intuitive. The abstraction layer needs to be powerful, but also simple, which makes this not an easy task. A firewall language has to gen invented for this. Firewall rules have a fixed position and querying generic information about access state, access policies for ports and other firewall features is possible.

Support for conntrack

Conntrack is needed to be able to terminate established connections for features that get disabled. For some use cases it might not be good to terminate the connection: Enabling of a firewall service for a limited time to establish a persistent external connection.

User interaction mode

This is a special mode of in the firewall the user or admin can enable. All requests of applications to alter the firewall are directed to the user to get notified and granted or denied. It is possible to set a time limit for the acceptance of a connection and to limit it to hosts, networks or connections. It can be saved to behave the same in the future without notification.

An additional feature of this mode is direct external connection attempts on preselected services or ports to the user with the same features as the application initiated requests. The limitation on services and ports will also limit the amount of requests sent to the user.

User policy support

The administrator can define which users are able to use the User Interaction Mode and can also limit the firewall features, that can be used with it.

Port metadata information (proposed by Lennart Poettering)

To have a port independent metadata information would be good to have. The current model with a static assignment of ports and protocols from /etc/services is not a good solution and is not reflecting current use cases. Ports in applications or services are dynamic and therefore the port itself does not describe the use case.

This metadata information could be used to form simple rules for the firewall. Here are some examples:

 allow external access to file sharing applications or services
 allow external access to music sharing applications or services
 allow external access to all sharing applications or services
 allow external access to torrent file sharing applications or services
 allow external access to http web services

The metadata information here could not only be application specific, but also a group of use cases. For example the "all sharing" group or the "file sharing" group could match all sharing or file sharing applications, for example torrent file sharing. These are examples, therefore it might be that they are not useful.

There are two possible solutions to get metadata information in the firewall:

The first is to add it to netfilter (kernel space). This has the advantage, that it can be used by everyone, but also limits the use. To get user or system specific information into account, all these need to be implemented in kernel space also.

The other one would be to add this to a firewall daemon. These abstract rules could be used together with information like the trust level of the network connections, the user decision to share with as specific person/host or the hard rule of the administrator to forbid sharing completely.

The second solution would have the advantage that new metadata groups or changes in incorporation of trust levels, user preferences or administrator rules would not require to push a new kernel. Adding these kind of abstract rules to a firewall daemon would make it much more flexible. Even new security levels would be easy to add without kernel updates.

sysctld

At the moment there are sysctl settings that are not properly applied. This happens if the module providing the setting is not loaded at boot time when rc.sysinit runs or it the module gets reloaded at runtime. Another example is net.ipv4.ip_forward, which is needed for example for specific firewall settings, libvirt and also user/admin changes. If there are two apps or daemons enabling ip_forwarding only if needed, then it could happen that one of them is turning it off again without knowing that there is another one, that still needs it turned on.

The sysctl daemon could solve this by having an internal use count for settings, that will make it possible to turn it off or go to the previous setting again if the requester reverted the request to change it.

Firewall Rules

Netfilter firewalls are always susceptible to rule ordering issues, because a rule does not have a fixed position in a chain. The position can change if other rules are added or removed in a position before that rule.

In the static firewall model a firewall change is recreating a clean and sane firewall setup limited to the features directly supported by system-config-firewall / lokkit. Firewall rules created by other applications are not integrated and s-c-fw / lokkit does not know about them if the customs rules file feature is not in use. Default chains are used and there is no safe way to add and remove rules without interfering with others.

The dynamic model has additional chains for the firewall features. These specific chains are called in a defined ordering and rules added to a chain could not interfere with reject or drop rules in chains that were called before. This makes it possible to have a more sane firewall configuration.

Here are example rules created by the daemon in the filter table with ssh, ipp-client and mdns enabled in the public zone, all other zones have been removed to simplify and shorten the output:

 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :FORWARD_ZONES - [0:0]
 :FORWARD_direct - [0:0]
 :INPUT_ZONES - [0:0]
 :INPUT_direct - [0:0]
 :IN_ZONE_public - [0:0]
 :IN_ZONE_public_allow - [0:0]
 :IN_ZONE_public_deny - [0:0]
 :OUTPUT_direct - [0:0]
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -j INPUT_direct
 -A INPUT -j INPUT_ZONES
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i lo -j ACCEPT
 -A FORWARD -j FORWARD_direct
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD -p icmp -j ACCEPT
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 -A OUTPUT -j OUTPUT_direct
 -A IN_ZONE_public -j IN_ZONE_public_deny
 -A IN_ZONE_public -j IN_ZONE_public_allow
 -A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
 -A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
 -A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT

Used is a deny/allow model to have a clear behaviour and at best no rule interferences. Icmp blocks for example will go to the IN_ZONE_public_deny chain if set for the public zone and will be handled before the rules in the IN_ZONE_public_allow chain.

This model makes it more easy to add or remove rules from a specific block without interfering with accept or drop rules from another block.