firewalld - A firewall daemon with D-BUS interface providing a dynamic firewall (test version)

nodata lsof at nodata.co.uk
Mon Dec 27 19:06:05 UTC 2010


On 23/12/10 17:03, Thomas Woerner wrote:
> Hello,
>
> as discussed some time ago, I worked on the proof of concept
> implementation of firewalld. FirewallD is a service daemon with a D-BUS
> interface that provides a dynamic managed firewall.
>
> For more information on firewalld, please have a look at:
> 	https://fedoraproject.org/wiki/FirewallD/
>
> About this version:
>
> This is mostly the proof of concept implementation with some changes and
> is feature complete for F-15 as a firewalld preview version. It will not
> be enabled per default and will also not get installed per default. The
> system-config-firewall with static firewall model will still be the
> default firewall solution for Fedora 15.
>
> What this firewalld version can do:
>
> - It supports most of the firewall features system-config-firewall had,
>     but there are three limitations:
>
>     1) custom firewall rule files (iptables save format) are not
>        supported and most likely will never be, but there is support for
>        custom rules (limited functionality).
>
>     2) sysctl changes for ip_forward are not done, yet.
>
>     3) There are no permanent firewall settings; this means that all
>        settings are lost after a service restart or reboot. Permanent
>        firewall settings will be added later on.
>
> - The firewall daemon manages the firewall dynamically. This means that
>     changes are done without recreating the whole firewall. Also there is
>     no need to reload all firewall modules anymore. Firewall helpers are
>     loaded and unloaded if needed.
>
> - A simple tray applet (firewall-applet) shows the status of the public
>     firewall and makes it simple to enable and disable firewall
>     services. The applet does not show firewall configuration settings
>     done with the libvirt interface.
>
> - firewall-cmd is the command line client that makes it possible to
>     enable, disable, query and list firewall features. firewall-cmd is
>     also not able to show firewall settings of the libvirt interface.
>
> - There is a rule and chain interface for libvirt, but the PolicyKit
>     policy is not in place, yet.
>
> What this version cannot do (future features):
>
> - firewall-config, the firewall configuration utility, is not functional
> - System vs. User/Session configuration
> - Zone support
> - NetworkManager firewall rule support
>
>
> firewalld made it into a fedorahosted repo at:
>
> 	git://git.fedorahosted.org/git/firewalld.git
>
> The fedoraproject wiki page at
> 	https://fedoraproject.org/wiki/FirewallD/
> exists and will get more updates soon. The feature request page for
> Fedora 15 is also up to date:
> 	https://fedoraproject.org/wiki/Features/DynamicFirewall#How_To_Test
>
> For test packages, please have a look at
> 	http://twoerner.fedorapeople.org/firewalld/
>
> firewalld has a requirement for system-config-firewall-1.2.28. This
> version has checks for an active firewalld in the tools.
>
> Please have a look at
> 	http://koji.fedoraproject.org/koji/buildinfo?buildID=211013
> for the Fedora 15 packages of this version. It is usable on fedora
> versions < 15.
>
> How To Test
> - Install firewalld and firewall-applet
> - Start the firewalld service
> - Start the tray applet firewall-applet
> - Use firewall-cmd to enable for example ssh:
> 	firewall-cmd --enable --service=ssh
> - Enable samba for 10 seconds:
> 	firewall-cmd --enable --service=samba --timeout=10
> - Enable ipp-client:
> 	firewall-cmd --enable --service=ipp-client
> - Disable ipp-client:
> 	firewall-cmd --disable --service=ipp-client
> - To restore your static firewall with lokkit again simply use:
> 	lokkit --enabled
>
> You can also use the D-BUS interface directly. This is required for
> libvirt (and later on also NetworkManager). The D-BUS interface
> documentation is work in progress and will be added later on.
>
>
>
> Comments and additional information are highly welcome.
>
> Thanks in advance,
> Thomas
>

Hi,

First of all thanks for making this work on the command line first and 
gui second.

Can I ask a stupid question? Does dbus have the kind of performance 
necessary to support this type of application?

Thanks.
