firewall configuring

lee lee at yun.yagibdah.de
Wed Nov 14 11:24:10 UTC 2012


Tim <ignored_mailbox at yahoo.com.au> writes:

> Allegedly, on or about 13 November 2012, lee sent:
>> Great, that is going to conflict with my shorewall configuration when I
>> update.  And running another daemon process all the time for something
>> that rarely ever changes once it's set up?  Adding even more
>> dependencies with networkmanager?  Involving d-bus which is something
>> nobody understands?  That just sucks.
>
> I tend to agree.
>
> However, I can see one need for a daemon, though wonder whether it does
> anything about it:  Things that actually require dynamic firewall
> configuration, such as the random port used by FTP, UPnP thingoes, et
> cetera.  If it doesn't actually provide a solution to problems like
> them, then what's the point?

They are saying on the web page that it has the advantages of not
unloading the modules and being able to change FW configuration without
interrupting connections and while keeping the firewall up.  I've never
had problems with that on Debian --- they are right though in that
restarting shorewall would take the firewall down during the restart.
I've never had issues with interrupted connections because of that.

These are particularities of the implementation, though.  There's no
need to unload the modules, so something on Fedora must be intentionally
unloading them.  That the firewall is taken down rather than actually
modified when shorewall is stopped is shorewall's implementation.

A constantly running daemon that can quietly modify firewall rules looks
like a nice tool for creating security problems.

I'd vote for making shorewall the default firewall in Fedora instead.
Where can we make suggestions like that?


FTP isn't using random ports.  It's using two ports, and firewalls need
to be set up correctly to deal with that.  There's a kernel module for
this very purpose.

When starting shorewall, I'm getting messages like 'xt_CT: No such
helper "ftp-0"' in /var/log/messages.  I haven't looked into that yet
--- any idea what they are supposed to tell me and what to do about it?


-- 
Fedora 17
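As an added example, not part of the thread: the xt_CT message quoted above is what the CT target logs when the helper named in a rule is not registered with conntrack, so the first thing to check is whether the helper's module (nf_conntrack_ftp for FTP) is loaded. The script below pulls such messages out of a log and compares them with lsmod output; the helper-to-module table, the sample log and lsmod lines are constructed, and treating a trailing '-<number>' as a per-port instance of the same helper is an assumption.

```python
import re

# Well-known conntrack helpers and the kernel module that registers each one.
HELPER_MODULES = {"ftp": "nf_conntrack_ftp", "tftp": "nf_conntrack_tftp",
                  "irc": "nf_conntrack_irc", "sip": "nf_conntrack_sip"}

# The message xt_CT logs when the helper named in a CT rule cannot be found.
XT_CT_RE = re.compile(r'xt_CT: No such helper "(?P<helper>[^"]+)"')


def helper_module(helper_name):
    """Module behind a helper name. Assumption: a trailing '-<number>'
    (ftp-0, ftp-2121) is a per-port instance, so the base name selects it."""
    return HELPER_MODULES.get(re.sub(r"-\d+$", "", helper_name))


def loaded_modules(lsmod_text):
    """Module names from lsmod output, skipping the header line."""
    return {f[0] for f in map(str.split, lsmod_text.splitlines())
            if f and f[0] != "Module"}


def diagnose(log_text, lsmod_text):
    """{helper: (module, loaded)} for each distinct xt_CT complaint in the log.
    Module not loaded: the helper cannot be registered yet.
    Module loaded but still rejected: the helper *name* in the rule is wrong."""
    loaded = loaded_modules(lsmod_text)
    result = {}
    for m in XT_CT_RE.finditer(log_text):
        module = helper_module(m.group("helper"))
        result[m.group("helper")] = (module, module in loaded)
    return result


# Constructed sample input, not real system output.
SAMPLE_LOG = """\
Nov 14 10:02:11 host kernel: [  123.456789] xt_CT: No such helper "ftp-0"
Nov 14 10:02:11 host kernel: [  123.456790] xt_CT: No such helper "ftp-0"
Nov 14 10:02:12 host kernel: [  123.999999] xt_CT: No such helper "tftp-0"
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
nf_conntrack_tftp      12797  0
xt_CT                  12814  4
nf_conntrack           79995  2 xt_CT,nf_conntrack_tftp
"""

if __name__ == "__main__":
    for helper, (module, is_loaded) in diagnose(SAMPLE_LOG, SAMPLE_LSMOD).items():
        state = "unknown helper" if module is None else (
            f"{module} loaded, check helper name in rule" if is_loaded
            else f"{module} not loaded, modprobe it before adding the rule")
        print(f"{helper}: {state}")
```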

