About F19 Firewall

P J P pj.pandit at yahoo.co.in
Fri Sep 20 19:05:28 UTC 2013


----- Original Message -----
> From: Thomas Woerner <twoerner at redhat.com>
> Subject: Re: About F19 Firewall
> 1) Separate zones. 
> NM connections, interfaces and source addresses or ranges can be bound 
> to zones. The initial default zone is public and all connections will be 
> bound to this zone. The user or administrator can bind connections to 
> other zones by either doing this in the NM connection editor or within 
> the ifcfg file.

   Yeah, Mateusz explained that earlier.  I don't use NM either.

> 2) Make sure that a newly added rule will have the desired effect.
> If you are mixing deny and allow rules, you can not say which effect it 
> will have. Either there are unwanted accepts or rejects or drops. A 
> simple and straight forward solution is to have separate chains for deny 
> and allow rules. The same applies also for logging rules.

   iptables(8) takes action (jumps to target) at the first rule that matches or continues further till it finds a match and falls back to the chain policy if no rule is matched. From the manual:


       A firewall rule specifies criteria for a packet and a target. If the
       packet does not match, the next rule in the chain is the examined; if
       it does match, then the next rule is specified by the value of the
       target, which can be the name of a user-defined chain or one of the
       special values ACCEPT, DROP, QUEUE or RETURN.
       If the end of a built-in chain is reached or a rule
       in a built-in chain with target RETURN is matched, the target specified
       by the chain policy determines the fate of the packet.

> You do not need to change it, but you can if you want to. If for example 
> you are using wifi connections at home, work, .. you can bind these to 
> the (for you) appropriate zone. For example work for your work wifi 
> connection. It will be used only if you are connecting to your work wifi 
> connection (it is bound to the SSID).
> The default zone (initially public) is used for all connections and 
> interfaces where the zone has not been set to another value.
> You can customize the zones and services according to your needs.

   Yes, I understand the functionality, but I doubt if it'll be used at all. It's not a desktop background that people would want to change every day.
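As an added illustration of the first-match semantics quoted from iptables(8) above and of the separate deny/allow chains Thomas recommends (example code written for this page, not from the original thread, firewalld or iptables), here is a small Python model of chain evaluation; the rule sets, chain names, ports and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end evaluation


@dataclass
class Rule:
    target: str                   # ACCEPT/DROP/REJECT/RETURN or a user-defined chain
    src: Optional[str] = None     # source CIDR to match; None matches any source
    dport: Optional[int] = None   # destination port to match; None matches any port

    def matches(self, pkt: dict) -> bool:
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        return self.dport is None or pkt["dport"] == self.dport


def walk(chains: Dict[str, List[Rule]], name: str, pkt: dict) -> Optional[str]:
    """First matching rule decides; a user chain that runs out of rules or hits
    RETURN hands control back to the caller, which continues with its next rule."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def filter_packet(chains: Dict[str, List[Rule]], policy: str, pkt: dict) -> str:
    """Built-in INPUT chain: no terminal verdict means the chain policy applies."""
    return walk(chains, "INPUT", pkt) or policy


# Constructed rule sets. Mixed: the broad ACCEPT shadows the later, more specific DROP.
MIXED = {"INPUT": [Rule("ACCEPT", dport=22),
                   Rule("DROP", src="203.0.113.0/24", dport=22)]}
# Separate chains: every deny rule is evaluated before any allow rule, so the
# position of a newly added rule inside its chain no longer changes the outcome.
SEPARATE = {
    "INPUT": [Rule("DENY_RULES"), Rule("ALLOW_RULES")],
    "DENY_RULES": [Rule("DROP", src="203.0.113.0/24", dport=22)],
    "ALLOW_RULES": [Rule("ACCEPT", dport=22), Rule("ACCEPT", dport=80)],
}
BAD_SSH = {"src": "203.0.113.7", "dport": 22}   # constructed sample packets
OK_SSH = {"src": "198.51.100.9", "dport": 22}
```

With the mixed chain the DROP for 203.0.113.0/24 is dead code because the earlier ACCEPT already matched; with the split chains the same rules give the intended result regardless of insertion order.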
