π Dynamic Firewall with firewalld
π Summary
Support for dynamic firewall management with a D-Bus interface. The current firewall model with system-config-firewall is static: every change, even a simple one, requires a full firewall restart.
π Owner
- Name: Thomas Woerner
- email: twoerner@redhat.com
π Current status
- Targeted release: Fedora 15
- Last updated: 2010-12-23
- Percentage of completion: 100%
π Detailed Description
The firewalld package contains the proof-of-concept implementation of firewalld as a preview.
π Why A Firewall Daemon
The current firewall model is static and every change requires a complete firewall restart. That restart also unloads the netfilter kernel modules and loads the modules needed for the new configuration. Unloading the modules drops the connection tracking table, which breaks stateful firewalling and established connections.
The firewall daemon, on the other hand, manages the firewall dynamically and applies changes without restarting the whole firewall, so the firewall kernel modules never need to be reloaded. Using a firewall daemon does require that all firewall modifications go through the daemon, so that the state held in the daemon and the rules in the kernel stay in sync: the daemon cannot parse rules added directly with the ip*tables and ebtables command line tools and does not know about them.
The daemon exposes the currently active firewall settings via D-BUS and also accepts changes via D-BUS, authorizing the caller with PolicyKit. SELinux access restrictions are also planned.
π The Daemon
Applications, daemons and the user can request to enable a firewall feature over D-BUS. A feature can be one of the predefined firewall features, such as services, port and protocol combinations, trusted interfaces/hosts/network areas, port/packet forwarding, masquerading, icmp blocking, or even a custom rule. A feature can be enabled for a limited amount of time or disabled again.
New chains for virtualization, network settings, services, ports, masquerading, port forwarding and icmp filtering are added to make the firewall setup more flexible, safe and robust. A rule the daemon adds to one of these chains will most likely not interfere with the rules in the other chains. The order of the chains and how they are used is fixed.
The netfilter connection tracking helpers, used for example by the amanda, ftp, samba and tftp services, are also handled by the daemon as long as they belong to a predefined service. Loading additional helpers is not part of the current interface. Some helpers can only be unloaded after all connections handled by the module are closed, so connection tracking information matters here and needs to be taken into account.
π Static Firewall (system-config-firewall)
The current static firewall model with system-config-firewall will still be available and usable, but not while the daemon is running. The user or admin decides which firewall solution to use.
At install time, at firstboot or on first network usage, a selector will offer the choice of firewall solution. If the firewall daemon is chosen, the ip*tables services are disabled and the disabled option is set for system-config-firewall. The static configuration stays intact, and s-c-fw can be re-enabled simply with "lokkit --enabled".
The firewall daemon is independent of system-config-firewall, but the two should not be used at the same time.
For more information, please have a look at: the FirewallD wiki page on fedoraproject.org
π Benefit to Fedora
The dynamic firewall mode makes it possible to change firewall settings without restarting the firewall, so established connections persist across changes.
This is very useful for services that need to add their own firewall rules; libvirtd is one of them, and openvpn may follow. With the static firewall model these rules are lost whenever the firewall is modified or restarted. The firewall daemon holds the current configuration internally and can modify the firewall without recreating the complete firewall configuration; it can also restore the configuration when the service is restarted or reloaded.
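The design described in "The Daemon" and in the paragraph above (the daemon owns the desired configuration, derives the kernel rules from it, expires timed features on its own, regenerates its chains on reload, and cannot account for rules added behind its back) is modelled in the added example below. This is illustration code written for this page, not firewalld's implementation: the service table, the chain name FWD_services and the in-memory stand-in for a netfilter chain are assumptions made for the example.

```python
"""Toy model of a dynamic firewall daemon (added example, not firewalld code).

The daemon keeps the desired configuration and derives the kernel rule set
from it.  A change only adds or removes the affected rules, a timed feature
expires on its own, and after a daemon reload the rules are regenerated
from the stored state instead of restarting the whole firewall.  Service
definitions and the chain name are assumptions made for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed service table (firewalld ships its own service definitions).
SERVICES = {
    "ssh": [("tcp", 22)],
    "samba": [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)],
    "ipp-client": [("udp", 631)],
}
SERVICE_CHAIN = "FWD_services"  # assumed name of the daemon-owned chain


def service_rules(name: str) -> list[str]:
    """iptables rule specs (without -A/-D) the daemon derives for a service."""
    if name not in SERVICES:
        raise KeyError(f"unknown service {name!r}")
    return [f"{SERVICE_CHAIN} -p {proto} --dport {port} -j ACCEPT"
            for proto, port in SERVICES[name]]


@dataclass
class KernelChain:
    """Stand-in for the netfilter chain; holds rule specs in order."""
    rules: list[str] = field(default_factory=list)
    commands: list[str] = field(default_factory=list)  # iptables invocations issued

    def append(self, spec: str) -> None:
        self.commands.append(f"iptables -A {spec}")
        self.rules.append(spec)

    def delete(self, spec: str) -> None:
        self.commands.append(f"iptables -D {spec}")
        self.rules.remove(spec)

    def flush(self) -> None:
        self.commands.append(f"iptables -F {SERVICE_CHAIN}")
        self.rules.clear()


@dataclass
class FirewallDaemon:
    kernel: KernelChain
    clock: float = 0.0
    # service -> absolute expiry time, None for "until disabled"
    enabled: dict[str, Optional[float]] = field(default_factory=dict)

    def enable_service(self, name: str, timeout: Optional[float] = None) -> None:
        if name in self.enabled:
            raise ValueError(f"{name} already enabled")
        for spec in service_rules(name):
            self.kernel.append(spec)
        self.enabled[name] = None if timeout is None else self.clock + timeout

    def disable_service(self, name: str) -> None:
        if name not in self.enabled:
            raise ValueError(f"{name} not enabled")
        for spec in service_rules(name):
            self.kernel.delete(spec)
        del self.enabled[name]

    def advance(self, seconds: float) -> list[str]:
        """Move the clock; timed features whose timeout passed are disabled."""
        self.clock += seconds
        expired = [n for n, t in self.enabled.items() if t is not None and t <= self.clock]
        for n in expired:
            self.disable_service(n)
        return expired

    def reload(self) -> None:
        """Rebuild only the daemon's own chain from stored state; no module is
        unloaded, so conntrack entries and established connections survive."""
        self.kernel.flush()
        for name in self.enabled:
            for spec in service_rules(name):
                self.kernel.append(spec)


def demo() -> dict:
    """Walk through the page's test sequence, then show the out-of-band caveat."""
    fw = FirewallDaemon(KernelChain())
    fw.enable_service("ssh")
    fw.enable_service("samba", timeout=10)
    fw.enable_service("ipp-client")
    fw.disable_service("ipp-client")
    expired = fw.advance(10)                      # samba's 10 s are up
    # A rule added behind the daemon's back is not in fw.enabled, so the
    # daemon cannot account for it ...
    foreign = f"{SERVICE_CHAIN} -p tcp --dport 8080 -j ACCEPT"
    fw.kernel.rules.append(foreign)
    before = list(fw.kernel.rules)
    fw.reload()                                   # ... and it is gone after a reload
    return {"expired": expired, "before": before, "after": list(fw.kernel.rules),
            "ssh_persisted": service_rules("ssh")[0] in fw.kernel.rules,
            "foreign_lost": foreign not in fw.kernel.rules}


if __name__ == "__main__":
    print(demo())
```

The last part of demo() is the practical caveat from "Why A Firewall Daemon": a rule inserted with the iptables command into a daemon-managed chain is invisible to the daemon, so the first reload regenerates the chain from the daemon's state and silently drops it. Anything that must survive has to be requested through the daemon.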
π Scope
The required change in system-config-firewall is a simple check for an active firewalld. This has already been added to system-config-firewall-1.2.28 in rawhide.
π How To Test
- Install firewalld and firewall-applet
- Start the firewalld service
- Start the tray applet firewall-applet
- Use firewall-cmd to enable a service, for example ssh:
firewall-cmd --enable --service=ssh
- Enable samba for 10 seconds:
firewall-cmd --enable --service=samba --timeout=10
- Enable ipp-client:
firewall-cmd --enable --service=ipp-client
- Disable ipp-client:
firewall-cmd --disable --service=ipp-client
- To restore your static firewall with lokkit again simply use:
lokkit --enabled
You can also use the D-BUS interface directly. This is what libvirt requires (and later on also NetworkManager).
π User Experience
Connections will be persistent even after changing firewall settings using the firewall daemon.
π Dependencies
- system-config-firewall (changes already in place)
- iptables (no changes needed)
π Contingency Plan
The current static firewall will remain the default firewall solution. The firewall daemon service will be optional and neither installed nor activated by default, so adding this feature should not cause any problems.
π Documentation
See https://fedoraproject.org/wiki/FirewallD/
The fedorahosted site is here: https://fedorahosted.org/firewalld/
π Release Notes
Fedora 15 adds support for the optional firewall daemon, which provides dynamic firewall management with a D-Bus interface.