F19 Firewall

Eric H. Christensen sparks at fedoraproject.org
Tue Sep 24 16:57:29 UTC 2013


On Tue, Sep 24, 2013 at 11:53:29PM +0800, P J P wrote:
> A long thread about firewall & Firewalld application+daemon is running on fedora-devel list.
> 
>    About F19 Firewall -> https://lists.fedoraproject.org/pipermail/devel/2013-September/189272.html

Yeah, I've been reading that conversation but I never made any replies to it.  I haven't investigated firewalld that much but here's my shoot-from-the-hip thought on the subject:

I wrote a paper on using iptables at the end of one of my college courses on security.  iptables (and its variant ip6tables) is a very powerful tool that allows people to do all kinds of things to incoming and outgoing packets.  Here's the problem as I see it.  iptables *can* be confusing to implement, and software that needs a port opened hasn't really been able to interface with iptables very well in the past.  Supposedly firewalld fixed the problem with iptables not being very dynamic.  This would mean that if you stopped your SSH daemon, TCP port 22 should also close as well (I haven't tested this and I won't comment on whether this actually works).

firewalld also provides a nice GUI for people to use so they can set up complex rules based on what network they are connected to.  Creating zones in iptables was always possible, but it just sucked when you tried to manage it.  This GUI, however, means that iptables rules now look horrible when you query them directly.  Does this mean it has been done incorrectly?  Nope.  It just means that when you decide to use complex rules you get complex rules.

System administrators should figure out if firewalld is a problem or an asset.  firewalld does things like make sure that rules are echoed across iptables and ip6tables which further reduces the complexity of setting up rules.

In my opinion, firewalld works very well when used on desktop (user) machines and not so much on servers and the like.  This would not be the first tool that falls into this category.  I suspect that when the F21 releases come out (different desktop and server images) we'll see a more specialized set of tools on each so that each group is happier (maybe).

Does firewalld make systems more vulnerable?  No, not any more than iptables did.  

Does it make the iptables ruleset look horrible?  Why are you configuring iptables using a GUI tool and then looking at the raw rules anyway?

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project

sparks at fedoraproject.org - sparks at redhat.com
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
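The zone model and the IPv4/IPv6 mirroring described in the message above, as an added example written for this page (it is not firewalld's code and not the author's): a POSIX shell dry run that prints, without applying, the iptables and ip6tables rules a small zone definition expands to. The service table, chain names and default-reject layout are assumptions made for illustration; real firewalld reads its service definitions from XML files and, since version 0.6.0, drives nftables by default rather than iptables.

```shell
#!/bin/sh
# Dry-run expansion of a firewalld-style zone into iptables AND ip6tables
# rules. Added example for this thread, not firewalld's own code; the
# service table and chain layout below are constructed for illustration.

# Constructed service table: name -> proto/port. firewalld keeps these in
# per-service XML files; this subset is an assumption.
svc_port() {
  case "$1" in
    ssh)   echo "tcp/22"  ;;
    http)  echo "tcp/80"  ;;
    https) echo "tcp/443" ;;
    dns)   echo "udp/53"  ;;
    *)     return 1 ;;
  esac
}

# Print (do not apply) the rules for one zone bound to one interface,
# once for each address family.
# usage: zone_rules ZONE IFACE SERVICE...
zone_rules() {
  zone=$1
  iface=$2
  shift 2
  for fw in iptables ip6tables; do
    # The reject type is family-specific: a hand-copied IPv4 rule is
    # invalid under ip6tables, one reason to generate both from one source.
    if [ "$fw" = iptables ]; then
      reject=icmp-port-unreachable
    else
      reject=icmp6-port-unreachable
    fi
    echo "$fw -N IN_$zone"
    echo "$fw -A INPUT -i $iface -j IN_$zone"
    for svc in "$@"; do
      pp=$(svc_port "$svc") || { echo "unknown service: $svc" >&2; return 1; }
      proto=${pp%/*}
      port=${pp#*/}
      echo "$fw -A IN_$zone -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Default deny for the zone: anything not explicitly allowed is rejected.
    echo "$fw -A IN_$zone -j REJECT --reject-with $reject"
  done
}

# Count the emitted rules for one family, e.g.:
#   rule_count ip6tables public eth0 ssh http
rule_count() {
  fam=$1
  shift
  zone_rules "$@" | grep -c "^$fam "
}

# Stand-alone usage: ./fw_emit.sh ZONE IFACE SERVICE...  (defaults below)
if [ $# -gt 0 ]; then
  zone_rules "$@"
else
  zone_rules public eth0 ssh http
fi
```

Running it as `zone_rules public eth0 ssh http` prints ten rules, five per family, and the only difference between the two sets is the ICMP reject type, exactly the sort of detail that hand-mirrored rulesets get wrong. Nothing in this dry run watches daemons: a service's port stays listed until its rule is removed, so check the running ruleset rather than the daemon's state when auditing what is actually open.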

