About F19 Firewall
twoerner at redhat.com
Fri Sep 20 14:41:16 UTC 2013
On 09/18/2013 08:16 AM, P J P wrote:
> ----- Original Message -----
>> From: Mateusz Marzantowicz <mmarzantowicz at osdf.com.pl>
>> Subject: Re: About F19 Firewall
>> Maybe, true but I doubt that simpler set of rules, that never get
>> audited, written by inexperienced users are more secure than "complex"
>> rules in FirewallD which at last had chance to be checked.
> It's not that simpler rules are more secure, but they come handy if one is to audit them or modify them for his/her set-up. Such modifications could be merged back as user contributions, which only helps to strengthen the tool or set of rules. The thing with complexity is, it keeps, even the able people, away from fiddling with things which I feel sort of beats the whole purpose. As in, if amongst all the available zones, a user is always going to use just one everywhere, it beats the purpose of other zones and the promise of security too, no? Worse is, people would just turn it(Firewalld) off because they can not understand it or make it work for them.
The zones are all created to be able to change into another zone easily
and also without the need to created the new zone at that moment.
>> BTW, there is not that much magic in rules applied by FirewallD and
>> other firewall solutions for Linux have similar level of rule complexity
>> (ufw, shorewall, etc.)
> True. We can not avoid complexity. There are complex set-ups & networks, which need complex rules. Firewalld as a tool would be right having features to enable a user who wish to create such complexity and define rules for the same. But providing it by default for individual Fedora users, who don't need it, doesn't feel right.
The complexity is needed to make sure that it behaves correctly. I think
you already had fun with iptables rule ordering if you have been working
with firewall configurations. It is very easy to add a rule at the wrong
position to get unexpected behaviour.
More information about the devel