firewalld - A firewall daemon with D-BUS interface providing a dynamic firewall (test version)

Thomas Woerner twoerner at redhat.com
Sun Jan 2 11:14:22 UTC 2011


On 12/27/2010 08:06 PM, nodata wrote:
> On 23/12/10 17:03, Thomas Woerner wrote:
>> Hello,
>>
>> as discussed some time ago, I worked on the proof of concept
>> implementation of firewalld. FirewallD is a service daemon with a D-BUS
>> interface that provides a dynamic managed firewall.
>>
>> For more information on firewalld, please have a look at:
>> 	https://fedoraproject.org/wiki/FirewallD/
>>
>> About this version:
>>
>> This is mostly the proof of concept implementation with some changes and
>> is feature complete for F-15 as a firewalld preview version. It will not
>> be enabled per default and will also not get installed per default. The
>> system-config-firewall with static firewall model will still be the
>> default firewall solution for Fedora 15.
>>
>> What this firewalld version can do:
>>
>> - It supports most of the firewall features system-config-firewall had,
>>      but there are three limitations:
>>
>>      1) custom firewall rule files (iptables save format) are not
>>         supported and most likely will never be, but there is support for
>>         custom rules (limited functionality).
>>
>>      2) sysctl changes for ip_forward are not done, yet.
>>
>>      3) There are no permanent firewall settings, this means that all
>>         settings are lost after a service restart or reboot. Permanent
>>         firewall settings will be added later on.
>>
>> - The firewall daemon manages the firewall dynamically. This means that
>>      changes are done without recreating the whole firewall. Also there is
>>      no need to reload all firewall modules anymore. Firewall helpers are
>>      loaded and unloaded if needed.
>>
>> - A simple tray applet (firewall-applet) shows the status of the public
>>      firewall and makes it simple to enable and disable firewall
>>      services. The applet does not show firewall configuration settings
>>      done with the libvirt interface.
>>
>> - firewall-cmd is the command line client that makes it possible to
>>      enable, disable, query and list firewall features. firewall-cmd is
>>      also not able to show firewall settings of the libvirt interface.
>>
>> - There is a rule and chain interface for libvirt, but the PolicyKit
>>      policy is not in place, yet.
>>
>> What this version can not do (future features):
>>
>> - firewall-config, the firewall configuration utility, is not functional
>> - System vs. User/Session configuration
>> - Zone support
>> - NetworkManager firewall rule support
>>
>>
>> firewalld made it into a fedorahosted repo at:
>>
>> 	git://git.fedorahosted.org/git/firewalld.git
>>
>> The fedoraproject wiki page at
>> 	https://fedoraproject.org/wiki/FirewallD/
>> exists and will get more updates soon. The feature request page for
>> Fedora 15 is also up to date:
>> 	https://fedoraproject.org/wiki/Features/DynamicFirewall#How_To_Test
>>
>> For test packages, please have a look at
>> 	http://twoerner.fedorapeople.org/firewalld/
>>
>> firewalld has a requirement for system-config-firewall-1.2.28. This
>> version has checks for an active firewalld in the tools.
>>
>> Please have a look at
>> 	http://koji.fedoraproject.org/koji/buildinfo?buildID=211013
>> for the Fedora 15 packages of this version. It is usable on fedora
>> versions < 15.
>>
>> How To Test
>> - Install firewalld and firewall-applet
>> - Start the firewalld service
>> - Start the tray applet firewall-applet
>> - Use firewall-cmd to enable for example ssh:
>> 	firewall-cmd --enable --service=ssh
>> - Enable samba for 10 seconds:
>> 	firewall-cmd --enable --service=samba --timeout=10
>> - Enable ipp-client:
>> 	firewall-cmd --enable --service=ipp-client
>> - Disable ipp-client:
>> 	firewall-cmd --disable --service=ipp-client
>> - To restore your static firewall with lokkit again simply use:
>> 	lokkit --enabled
>>
>> You can also use the D-BUS interface directly. This is required for
>> libvirt (and later on also NetworkManager). The D-BUS interface
>> documentation is work in progress and will be added later on.
>>
>>
>>
>> Comments and additional information are highly welcome.
>>
>> Thanks in advance,
>> Thomas
>>
>
> Hi,
>
> First of all thanks for making this work on the command line first and
> gui second.
>
> Can I ask a stupid question? Does dbus have the kind of performance
> necessary to support this type of application?
>
> Thanks.

I have done tests here and the performance of D-BUS is good. The biggest 
amount of time was used to add or remove rules or to load or unload 
netfilter kernel helpers.

D-BUS is used to submit requests to firewalld. If there are so many 
requests that they cannot be handled by D-BUS in a reasonable time, 
then this could be bad usage of firewalld. Firewall changes should not 
happen all day long.

Thanks,
Thomas
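A way to drive the "How To Test" steps quoted above and verify each change against the live netfilter ruleset rather than only against the D-BUS reply, as an added example that is not part of this message and not firewalld's own code. It assumes the firewall-cmd flags shown in the announcement (`--enable`/`--disable`, `--service=NAME`, `--timeout=SECONDS`), that the ssh service opens tcp/22, that `iptables -S` is available, and that the script is run as root on a host with firewalld running; the timeout step applies the announcement's `--timeout=10` to ssh instead of samba so the same port check can be reused.

```shell
#!/bin/sh
# Added example (not from the original announcement, not part of firewalld):
# run the announced test sequence for the ssh service and, after every
# firewall-cmd call, read back the running ruleset with `iptables -S`.
# Assumptions: firewall-cmd flags as shown in the announcement; ssh = tcp/22;
# run as root with firewalld active. The ruleset check works on the dumped
# text only, so it does not depend on firewalld's internal chain names.

# ssh_rule_present RULESET: exit 0 if RULESET (the text of `iptables -S`)
# contains an ACCEPT rule for tcp destination port 22, 1 otherwise.
ssh_rule_present() {
    printf '%s\n' "$1" \
        | grep -E -- '-p tcp .*--dport 22( |$)' \
        | grep -q -- '-j ACCEPT'
}

# expect STATE: dump the live ruleset and compare it with the state the
# preceding firewall-cmd call should have produced ("open" or "closed").
expect() {
    ruleset=$(iptables -S)
    if ssh_rule_present "$ruleset"; then have=open; else have=closed; fi
    if [ "$have" != "$1" ]; then
        echo "FAIL: expected ssh $1, ruleset says $have" >&2
        return 1
    fi
    echo "ok: ssh is $1"
}

run_test_sequence() {
    # Step from the announcement: firewall-cmd --enable --service=ssh
    firewall-cmd --enable --service=ssh
    expect open || return 1

    # Counterpart of the announcement's --disable step
    firewall-cmd --disable --service=ssh
    expect closed || return 1

    # Timeout step (--timeout=10 from the announcement, applied to ssh here):
    # the rule must be present right away and gone after the timeout expires.
    firewall-cmd --enable --service=ssh --timeout=10
    expect open || return 1
    sleep 12
    expect closed || return 1
}

# Only touch a real system when explicitly asked: `sh this_script.sh run`
case "${1:-}" in
    run) run_test_sequence ;;
esac
```

The check deliberately inspects `iptables -S` text instead of asking firewalld, so a successful D-BUS call that did not reach the kernel (or a timeout that did not fire) shows up as a mismatch.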
