About F19 Firewall

Thomas Woerner twoerner at redhat.com
Tue Sep 24 12:54:03 UTC 2013


On 09/20/2013 09:05 PM, P J P wrote:
>     Hi,
>
> ----- Original Message -----
>> From: Thomas Woerner <twoerner at redhat.com>
>> Subject: Re: About F19 Firewall
>> 1) Separate zones.
>> NM connections, interfaces and source addresses or ranges can be bound
>> to zones. The initial default zone is public and all connections will be
>> bound to this zone. The user or administrator can bind connections to
>> other zones by either doing this in the NM connection editor or within
>> the ifcfg file.
>
>
>     Yeah, Mateusz explained that earlier.  I don't use NM either.
>
You can use ZONE=<zone> in the ifcfg file of the interface to set the 
zone also if it is not managed by NM.
If it is missing or unset, the default zone will be used.

>
>> 2) Make sure that a newly added rule will have the desired effect.
>>
>> If you are mixing deny and allow rules, you can not say which effect it
>> will have. Either there are unwanted accepts or rejects or drops. A
>> simple and straight forward solution is to have separate chains for deny
>> and allow rules. The same applies also for logging rules.
>
>
>     iptables(8) takes action (jumps to target) at the first rule that matches or continues further till it finds a match and falls back to the chain policy if no rule is matched. From the manual:
>
> ---TARGETS
>
>         A  firewall  rule specifies criteria for a packet and a target.  If the
>         packet does not match, the next rule in the chain is the  examined;  if
>         it does match, then the next rule is specified by the value of the tar‐
>         get, which can be the name of a user-defined chain or one of  the  spe‐
>         cial values ACCEPT, DROP, QUEUE or RETURN.
>         ...
>         If the end of a built-in chain is reached or  a  rule
>         in a built-in chain with target RETURN is matched, the target specified
>         by the chain policy determines the fate of the packet.
> ---
>
You have to make sure where you are adding new rules. Here is a simple 
example where you want to drop everything from 192.168.1.18:

If you do it wrong it could end up like this (output of iptables -S):

-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.1.18 -j DROP
-A INPUT -j REJECT

All from 192.168.1.0/24 is accepted, the following rule does not have 
any effect. It is not used at all. But if you add the rule to be the 
first, you will drop packets from 192.168.1.18 and will accept all the 
others from 192.168.1.0/24.

>
>> You do not need to change it, but you can if you want to. If for example
>> you are using wifi connections at home, work, .. you can bind these to
>> the (for you) appropriate zone. For example work for your work wifi
>> connection. It will be used only if you are connecting to your work wifi
>> connection (it is bound to the SSID).
>>
>> The default zone (initially public) is used for all connections and
>> interfaces where the zone has not been set to another value.
>>
>> You can customize the zones and services according to your needs.
>
>
>     Yes, I understand the functionality, but I doubt if it'll be used at all. It's not desktop background that people would want to change everyday.
>
firewalld is not a desktop firewall in the first place.

>
> ---
> Regards
>     -Prasad
> http://feedmug.com
>

Regards,
Thomas
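The first-match traversal quoted from iptables(8) above, and the two rule orderings from Thomas's example, can be checked without touching a live firewall. The following is an added example, not code from the thread or from firewalld: a small Python model of chain traversal that parses the `-P`/`-N`/`-A` subset of `iptables -S` output, applies rules in order, follows jumps into user-defined chains (RETURN or running off the end resumes in the caller, as the manual describes), and falls back to the chain policy. It also includes a simple "shadowed rule" check that reports a terminal rule whose source range is already fully covered by an earlier terminal rule in the same chain, which is exactly why the DROP in the wrong ordering never fires. The `INPUT_deny`/`INPUT_allow` chain names are an assumption that illustrates the separate deny/allow chains Thomas recommends; the rule lines are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end traversal


@dataclass
class Rule:
    src: Optional[str]  # -s argument (address or CIDR); None matches any source
    target: Optional[str]  # -j argument: ACCEPT/DROP/REJECT/RETURN or a user chain


def parse_iptables_s(lines: List[str]) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Parse the subset of `iptables -S` output used here: -P, -N, and -A with -s/-j."""
    chains: Dict[str, List[Rule]] = {}
    policies: Dict[str, str] = {}
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "-P":  # built-in chain policy
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":  # user-defined chain
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":  # append a rule to a chain
            src = target = None
            i = 2
            while i + 1 < len(tok):  # option/value pairs only in this subset
                if tok[i] == "-s":
                    src = tok[i + 1]
                elif tok[i] == "-j":
                    target = tok[i + 1]
                i += 2
            chains.setdefault(tok[1], []).append(Rule(src, target))
    return chains, policies


def _net(src: Optional[str]) -> ipaddress.IPv4Network:
    # A missing -s means "any source"; a bare address becomes a /32.
    return ipaddress.ip_network(src if src is not None else "0.0.0.0/0", strict=False)


def _matches(rule: Rule, src_ip: str) -> bool:
    return rule.src is None or ipaddress.ip_address(src_ip) in _net(rule.src)


def _walk(chains: Dict[str, List[Rule]], chain: str, src_ip: str) -> Optional[str]:
    """Traverse one chain; return a terminal verdict, or None if the chain was
    exhausted or a RETURN matched (control goes back to the calling chain)."""
    for rule in chains.get(chain, []):
        if not _matches(rule, src_ip) or rule.target is None:
            continue  # no match, or a counting-only rule: keep going
        if rule.target in TERMINAL:
            return rule.target  # first matching terminal rule decides
        if rule.target == "RETURN":
            return None
        verdict = _walk(chains, rule.target, src_ip)  # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def evaluate(chains: Dict[str, List[Rule]], builtin: str, src_ip: str,
             policy: str = "ACCEPT") -> str:
    """Fate of a packet from src_ip entering a built-in chain with the given policy."""
    verdict = _walk(chains, builtin, src_ip)
    return verdict if verdict is not None else policy


def shadowed_rules(chains: Dict[str, List[Rule]]) -> List[Tuple[str, int]]:
    """Terminal rules that can never match: an earlier terminal rule in the same
    chain already covers every source address they cover."""
    found = []
    for chain, rules in chains.items():
        for i, rule in enumerate(rules):
            if rule.target not in TERMINAL:
                continue
            for earlier in rules[:i]:
                if earlier.target in TERMINAL and _net(rule.src).subnet_of(_net(earlier.src)):
                    found.append((chain, i))
                    break
    return found


# Constructed sample rulesets. The first two are the orderings from the mail.
WRONG_ORDER = [
    "-P INPUT ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -j ACCEPT",
    "-A INPUT -s 192.168.1.18 -j DROP",
    "-A INPUT -j REJECT",
]
RIGHT_ORDER = [
    "-P INPUT ACCEPT",
    "-A INPUT -s 192.168.1.18 -j DROP",
    "-A INPUT -s 192.168.1.0/24 -j ACCEPT",
    "-A INPUT -j REJECT",
]
# Separate deny and allow chains (chain names are assumed for illustration):
# a deny rule appended to INPUT_deny takes effect regardless of its position.
SEPARATE_CHAINS = [
    "-P INPUT ACCEPT",
    "-N INPUT_deny",
    "-N INPUT_allow",
    "-A INPUT -j INPUT_deny",
    "-A INPUT -j INPUT_allow",
    "-A INPUT -j REJECT",
    "-A INPUT_deny -s 192.168.1.18 -j DROP",
    "-A INPUT_allow -s 192.168.1.0/24 -j ACCEPT",
]


def verdicts(ruleset: List[str], sources: List[str]) -> Dict[str, str]:
    chains, policies = parse_iptables_s(ruleset)
    return {ip: evaluate(chains, "INPUT", ip, policies.get("INPUT", "ACCEPT"))
            for ip in sources}


if __name__ == "__main__":
    probes = ["192.168.1.18", "192.168.1.5", "10.0.0.1"]
    for name, ruleset in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER),
                          ("separate", SEPARATE_CHAINS)):
        print(name, verdicts(ruleset, probes),
              "shadowed:", shadowed_rules(parse_iptables_s(ruleset)[0]))
```

Running it shows the wrong ordering accepting 192.168.1.18 and flags rule index 1 of INPUT as shadowed, while both the reordered ruleset and the separate-chain layout drop that host and still accept the rest of 192.168.1.0/24. The shadow check is deliberately conservative: it only looks at source ranges, so a real ruleset with port or state matches needs the same reasoning applied to every match criterion.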

