[release-notes] Add firewalld to security section.

FORLOT Romain rforlot at fedoraproject.org
Wed Mar 21 19:11:40 UTC 2012


commit 32f5ebf65adfd2163fa40d734c493ddcf41958fe
Author: Forlot Romain <rforlot at yahoo.com>
Date:   Wed Mar 21 20:11:23 2012 +0100

    Add firewalld to security section.

 en-US/Security.xml |   84 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 84 insertions(+), 0 deletions(-)
---
diff --git a/en-US/Security.xml b/en-US/Security.xml
index e2efb24..4357010 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -30,6 +30,90 @@
 	provided.</para>
       </section>
       <section>
+
+      <title>Firewalld : default firewalld solution</title>
+      <para>
+          With Fedora 15 the dynamic firewall with 
+          <application>firewalld</application> was introduced with the 
+          proof of concept implementation in Python as an optional 
+          component. The purpose of this feature request is to make 
+          <application>firewalld</application> the default firewall 
+          solution for Fedora 17.
+      </para>
+      <para>
+          The dynamic firewall mode with 
+          <application>firewalld</application> will make it possible to
+           change firewall settings without the need to restart the
+           firewall and will make persistent connections possible. This 
+           is for example very useful for services, that need to add 
+           additional firewall rules. <application>libvirtd</application> 
+           is one of them and also <application>openvpn</application> in 
+           the future. With the static firewall model these rules are lost 
+           if the firewall gets modified or restarted. The firewall daemon 
+           holds the current configuration internally and is able to 
+           modify the firewall without the need to recreate the complete 
+           firewall configuration; it is also able to restore the 
+           configuration in a service restart and reload case. Another use
+           case for the dynamic firewall mode is printer discovery. For this 
+           the discovery program will be started locally that sends out a 
+           broadcast message. It will most likely get an answer from an 
+           unknown address (the new printer). This answer will be filtered 
+           by the firewall, because the answer is not related to the 
+           broadcast and the port of the program that was sending out the 
+           message is dynamic and therefore a fixed rule can not be created 
+           for this. With the dynamic firewall mode a time limited rule 
+           could be requested by the discovery program to allow the receival
+           of the answer. 
+     </para>
+     <para>
+         The <application>iptables</application> and 
+         <application>ip6tables</application> services will not be enabled 
+         by default anymore. The required changes in the init scripts are 
+         simple. system-config-firewall will not be installed by default 
+         anymore, but <application>firewalld</application> with the user land tools will be installed 
+         by default. The needed changes in comps are simple. 
+     </para>
+     <para>
+         Services which are adding firewall rules directly with iptables 
+         commands need to be changed to benefit from <application>firewalld</application>. 
+         These are: libvirtd, <application>NetworkManager</application>, 
+         <application>system-config-printer</application>, 
+         <application>gnome printer settings</application>. 
+     </para>
+     <para>
+         An explicit transition is planned after Fedora 18 with dropping
+         support for the static firewall with system-config-firewal/lokkit.
+         A migration from the static firewall model will be needed then.
+     </para>
+    <para>
+        Install <application>firewalld</application> and firewall-applet 
+        Start the <application>firewalld</application> service 
+        Start the tray applet <application>firewall-applet</application>
+        Use firewall-cmd to enable for example ssh: 
+        <screen>
+            firewall-cmd --add --service=ssh
+        </screen>
+        Enable <application>samba</application> for 10 seconds: 
+        <screen>
+            firewall-cmd --add --service=samba --timeout=10
+        </screen>
+        Enable <application>ipp-client</application>: 
+        <screen>
+            firewall-cmd --add --service=ipp-client
+        </screen>
+        Disable <application>ipp-client</application>: 
+        <screen>
+            firewall-cmd --remove --service=ipp-client
+        </screen>
+        To restore the static firewall with <application>lokkit</application> again simply use: 
+        <screen>
+            lokkit --enabled
+        </screen>
+
+        The D-BUS interface can also be used directly.
+        </para>
+      </section>
+      <section>
 	
 	<title>SELinux Deny Ptrace</title>
 	
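Review bot: The `<para>` at the end of the new section ("Install firewalld and firewall-applet ... Start the firewalld service ... Use firewall-cmd to enable for example ssh:") is a sequence of steps written as one paragraph with no list markup, so it will render as a single run-on sentence with the `<screen>` blocks embedded in it; wrap it in a `<procedure>` with one `<step>` per action (install, start the service, start the applet, then each `firewall-cmd` example) so the rendered notes read as a numbered how-to. Smaller points in the same hunk: the title "Firewalld : default firewalld solution" has a stray space before the colon and presumably means "default firewall solution"; "system-config-firewal/lokkit" is missing an "l"; "receival" should be "receipt"; "The purpose of this feature request is to make firewalld the default" is wiki feature-page wording and should be restated as a fact for release notes ("firewalld is the default firewall solution in Fedora 17"). It would also help readers to say explicitly whether rules added with `firewall-cmd --add --service=...` survive a reboot, since the earlier paragraph only says the daemon restores its configuration on service restart and reload, and the `--timeout=10` example shows that some rules are deliberately transient. Finally, the `<para>` indentation is inconsistent across the block (six, five and four spaces); aligning it with the surrounding section would keep the file tidy.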

