firewalld Rich Language

Summary

This feature adds a rich (high level) language to firewalld, that allows to easily create complex firewall rules without the knowledge of iptables syntax.

Owner

• Name: Thomas Woerner
• Email: twoerner@redhat.com

Current status

• Targeted release: Fedora 19
• Last updated: 2013-03-20
• Percentage of completion: 80%
• The feature is limited to milestone 1 (base): configuration with files, no cli and no D-Bus interface
• Firewalld milestones for rich language and lockdown features, the milestones 1 and 2 (base and cli) a planned for F-19. Milestone 3 (gui) is planned for F-20.
  • Milestone 1: Rich config language via config files; minimal lockdown ~ end of March
  • Milestone 2: New config language via D-BUS interfaces with command line client ~ end of May
  • Milestone 3: GUI early to mid July

Detailed Description

Currently, complex firewall rules can only be added using the direct interface of firewalld. But this requires to know the syntax of iptables and the rules are not permanent.

With the rich language more complex firewall rules can be created in an easy to understand way. The language will use keywords with (sometimes multiple) values and will be an abstract representation of ip*tables and ebtables rules. Services and zones can be configured using this language, the current configuration will still be supported.

A mixture of the old and new configuration of services and zones might be possible, but this needs to be verified. With the possibility to use the rich language in services and zones, the configuration will also be permanent.

The configuration with files will be available for Fedora 19. The D-BUS interface with the command line client should be finished, but this depends on Fedora 19 schedule. UI work will most likely be available later (depends on Fedora 19 schedule also).

Benefit to Fedora

More powerful and easier firewall configuration.

Scope

Only needs changes in firewalld and it's components.

How To Test

Create firewall rules using the rich language in services and zones. More to come.

User Experience

Users will be able to easily create more powerful and also permanent firewall configurations.

Dependencies

None.

Contingency Plan

Disabling or reverting of the feature should be easy as it will be created as an addition to the current configuration. Only users of the new language will be affected.

Documentation

The rich language extends the currect zone elements (service, port, icmp-block, masquerade and forward-port) with additional source and destination addresses, logging, actions and limits for logs and actions.

The use of destination addresses is not possible with all elements. This depends on the use of destination addresses for example in services.

Logging can be done with with the LOG and also with the AUDIT target. A new chain is added to all zones: <zone>_log. This will be jumped into before the deny chain to be able to have a proper ordering.

The rules or part of the are placed in separate chains according to the action of the rule:

 <zone>_log
 <zone>_deny
 <zone>_allow

The all logging rules will be placed in the <zone>_log chain, which will be walked first. All reject and drop rules will be placed in the <zone>_deny chain, which will be walked after the log chain. All accept rules ill be placed in the <zone>_allow chain, which will be walked after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains.

There are elements that can be used in a rule, that do not allow to have a separate action like accept, reject or drop. These are: icmp-block, forward-port and masquerade.

Example 1: Enable new IPv4 and IPv6 connections for protocol 'ah'

<rule>
  <protocol value="ah"/>
  <accept/>
</rule>

Example 2: Allow new IPv4 and IPv6 connections for service ftp and log 1 per minute using audit

<rule>
  <service name="ftp"/>
  <audit type="ACCEPT">
    <limit value="1/m"/>
  </audit>
  <accept/>
</rule>

Example 3: Allow new IPv4 connections from address 192.168.0.0/24 for service tftp and log 1 per minutes using syslog

<rule family="ipv4">
  <source address="192.168.0.0/24"/>
  <service name="tftp"/>
  <log prefix="tftp" level="info">
    <limit value="1/m"/>
  </log>
  <accept/>
</rule>

Example 4: New IPv6 connections from 1:2:3:4:6:: to service radius are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted.

<rule family="ipv6">
  <source address="1:2:3:4:6::"/>
  <service name="radius"/>
  <log prefix="dns" level="info">
    <limit value="3/m"/>
  </log>
  <reject/>
</rule>
<rule family="ipv6">
  <service name="radius"/>
  <accept/>
</rule>

Example 5: Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012

<rule family="ipv6">
  <source address="1:2:3:4:6::"/>
  <forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"/>
</rule>

Release Notes

Fedora 19 includes the latest firewalld version that supports a rich language to be able to create more complex firewalls in a easy way.

Comments and Discussion

• See Talk:Features/FirewalldRichLanguage