Linux Gets Dynamic Firewalls In Fedora 15
darthcamaro writes "Linux users have long relied on iptables for in-distro firewall setup. The upcoming Fedora 15 release changes that and introduces us to new dynamic firewall technology. 'Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,' Fedora Project Leader Jared Smith said. 'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"
No comments yet, everyone's being raptured.
Ehm, iptables doesn't need reloading. Add a rule and it works right away?
Linux, as always, proves that it is always up to date with modern technology. Next you'll have kernel-level drivers that don't break on recompilation of the kernel!11
"making changing". God bless the Internet.
It is? Then what have I been doing wrong for all these years?
/sbin/service iptables save
/sbin/service iptables restart
You really CAN'T take the time out of your day to type that?
Woohoo!
Does this mean that if I can crash dbus, I can take down my (your server's) firewall?
I wish we had Cisco-style Access Lists on linux
"So an application can say, hey I need a port open, please open a pinhole in the firewall."
This is exactly the spirit of firewalls.
The apps can tell the firewall to open up a port for a period of time and then shut it back down.
I mean, it sounds almost like they could listen() a specific port, and once they're done with it, they could close() it! If all applications could always do this automatically, I think we could actually get rid of manual firewall configuration entirely!
"'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changing.'"
What?
http://www.openbsd.org/faq/pf/
pf will always be better than iptables in every way.
Well, you know, it's been around a long time - it's just not sexy . If it is to compete with current "mind-share", it has to be tied into "The Cloud"...
If you want news from today, you have to come back tomorrow.
So an application can say hey I need a port open, please open a pinhole in the firewall.
I don't get that. If you want applications to be free to open ports, why would you filter them in the first place? (and what does it mean to filter ports that are closed anyway?)
I would say controlling such an ability in an application belongs to something that acts on bind(9) calls.
This article is ignorant and misleading. The "new technology" is nothing to do with Linux, iptables rules are already dynamic, it's the Fedora management tooling that no longer wipes the entire set of rules and loads them afresh.
The truth is here: http://fedoraproject.org/wiki/Features/DynamicFirewall
Yours Sincerely, Michael.
Over in OpenBSD land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see e.g. these table samples). One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see e.g. this set of tutorial examples). In addition, the OpenBSD versions of dhcpd and bgpd as well as other applications are routinely set up to interact with your filtering config via tables.
Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy for example) or relayd (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.
My BSDCan slides have more material, as of course does The Book of PF, and never forget The PF docs as the authoritative source.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall
Can someone please explain to me what's wrong with appending and deleting a firewall rule:
$ iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
$ iptables -D INPUT 2
where on earth does this need iptables to be restarted?
if we want to save the firewall state:
$ iptables-save > /root/ipt.state
where /root/ipt.state is just a human readable file
and then load the firewall state:
$ iptables-restre < /root/ipt.state
AFAIK this is not "restarting" iptables, just replacing the entire ruleset in one shot.
Again, WTF?
Right now I have scripts to list the current ruleset, figure out the deltas between the new ruleset and old, add or remove rules as appropriate, and save that config to disk for reboots. It works well enough, better than restarting iptables, but it should be more efficient with these changes. I wondered why there wasn't a method (that I found; correct me if I'm wrong) for running batch changes without invoking the iptables command for each change.
I'm one of the token Windows system admins here... and even I know that this stuff is just bloatware.
I thought they were talking about something new and useful... not just some hype... oh well... looks like they are catching up with uSoft in that department.
It's funny seeing new converts feverishly pecking at GUI buttons in their favorite distro as if every piece of software on it was made at the same factory. You have to be gentle with them.
So... the Firewall stores allowed IP addresses in a table structure, lets say an AVL/RedBlack tree or a hash table. You certainly don't want every outbound connection (hole you punch) in the firewall to be permanent. So, why not add a time stamp, and if it remains unused for a long enough period of time, you remove that IP rule?
You don't want to have to constantly run a background thread that scans the table for expired entries -- That would be needlessly wasteful! Instead, why don't we look at the nodes while we're traversing the tree or hash looking for a match to determine if a packet should be blocked or allowed, and then just remove any expired rules we come across!
In a hash table, collisions (two different addresses mapping to the same bucket) are frequently resolved by storing a pointer to a linked list in the bucket instead of just one address. Since you'll occasionally be iterating across more than one IP rule, you can remove expired rules as you do so -- similar to the way you would for tree traversal.
Obvious, right? I mean... I don't see why no one figured this out a long time ago!
Wait... wait... You're probably thinking of responding with something along the lines of: "No shit, you dumbass, that's how it's done already." I know; I know... that's my point -- That's the way my game servers have been doing things since the early 90s.
Well, there's just one catch -- that's illegal; it can be patent-infringing. Remember that patent suit brought against Google by Bedrock claiming that their use of Linux infringes a patent, and that all of Linux may be infringing?
Patent 5,893,120 -- "methods and apparatus for information storage and retrieval using a hashing technique with external chaining and on-the-fly removal of expired data."
The court found Google to be in violation. Of course the patent should never have been granted... Any professional skilled in the art of hash tables, and familiar with the concept of a stateful firewall will arrive at this solution... (please dissolve the PTO, it's broken, okay?)
So -- I hope Red Hat/Fedora is using a Red-Black tree or AVL tree -- instead of a Hash... I would check, but honestly, I'm a lazy Debian kind of guy.
Windows XP's firewall is dynamic, too. Add and remove rules without rebooting. Rules can even be per-application.. is this even possible with iptables?
This feature has been mainstream for more than a decade in the market-leading OS.
But no, I guess Fedora got it first. Yet another Linux innovation! When will Microsoft catch up!??!?!
Can someone please explain to me what's wrong with appending and deleting a firewall rule:
sorry, couldn't resist ;)
$ iptables-restre /root/ipt.state
should be
$ iptables-restore /root/ipt.state
Looks like Fedora will be adding some features that CSF (ConfigServer Firewall) has provided for years. Huzzah! As an aside, am I the only one who thinks it's insane to allow applications to tell the firewall what to do? The firewall is a sanity check to keep applications in line.
there is still something missing, isn't there :<P
http://ipset.netfilter.org/
"iptables -D INPUT 2"
That "2" is what's wrong -- you can't assume no one has inserted other rules, and that the 2 still refers to the rule you think it refers to. The latest kernel adds ipsets, which are simple lists of IPs, for instance. Presumably with these you can simply remove the entry by value, or replace the set, while guaranteeing that the IPTables are still referring to the set in a general way.
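The point above, that a rule should be removed by its specification rather than by its position, together with the ruleset-diffing scripts described earlier in the thread, as an added example that is not code from this thread, from Fedora or from the netfilter project: a POSIX shell script that compares two iptables-save dumps and prints the iptables commands that move the running firewall from the old ruleset to the new one, one rule at a time, without flushing. Both sample rulesets, the table and chain names, and the mktemp scratch files are constructed for the example; the script only prints commands, so it can be reviewed before being piped to sh on a real host.

```shell
#!/bin/sh
# Turn ruleset OLD into ruleset NEW without flushing the running firewall:
# delete the rules that only OLD has, append the rules that only NEW has,
# and address every rule by its full specification, never by its index.
# Inputs are in iptables-save format. Within a chain the diff treats the
# rules as a set, so rules whose relative order matters (a DROP that must
# stay below its ACCEPT exceptions) still need a hand-picked position.

ipt_normalize() {
    # Keep only "-A CHAIN spec" lines, tag each with its table, and sort
    # so that comm(1) can compare the two rulesets.
    awk '
        /^[*]/ { table = substr($0, 2); next }   # "*filter" -> "filter"
        /^-A / { print table "\t" $0 }
    ' "$1" | LC_ALL=C sort
}

ipt_delta() {
    old_n=$(mktemp); new_n=$(mktemp)
    ipt_normalize "$1" > "$old_n"
    ipt_normalize "$2" > "$new_n"
    # Rules present only in OLD: delete by spec (-D with the same match).
    LC_ALL=C comm -23 "$old_n" "$new_n" |
        awk -F '\t' '{ sub(/^-A /, "-D ", $2); print "iptables -t " $1 " " $2 }'
    # Rules present only in NEW: append by spec.
    LC_ALL=C comm -13 "$old_n" "$new_n" |
        awk -F '\t' '{ print "iptables -t " $1 " " $2 }'
    rm -f "$old_n" "$new_n"
}

# Constructed sample: the old ruleset opens 22 and 80, the new one swaps
# 80 for 443 and leaves the nat table untouched.
ipt_demo() {
    old=$(mktemp); new=$(mktemp)
    cat > "$old" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
EOF
    cat > "$new" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
EOF
    ipt_delta "$old" "$new"
    rm -f "$old" "$new"
}

ipt_demo
```

Deletions are printed before additions so that a rule being replaced is never present twice; because each -D carries the full match, the command is unaffected by whatever else another admin inserted into the chain in the meantime.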
Oh look, it's a troll!
There's a few problems with your post. First, the story is about a management application, which shouldn't know anything about how recently-useful a rule was. Also, self-expiring rules would be a maintenance nightmare for any resource that's accessed only occasionally.
"It's broken, okay?" is not a persuasive argument. Please do continue trolling. I find it entertaining. Next time, though, please be a bit more subtle.
You do not have a moral or legal right to do absolutely anything you want.
Actually, it's possible that with an iptables-restore, the dynamic rules (iptables -m state --state RELATED ... ) might no longer function for existing connections. I'm not familiar enough with the internals to know for certain.
In my case though, it's not relevant; I always dynamically adjust my settings on the fly and then save my changes with iptables-save. When I'm done with a large set of changes, I reboot the machine to make sure my changes load properly and don't negatively affect startup apps.
- Michael T. Babcock (Yes, I blog)
Perhaps "replacing the entire ruleset" is what he meant by "reloading the entire firewall".
That's a good point! The connection tracking for the state module is handled by the nf_conntrack iptables module; I'm not sure, but I think the module will only flush its "cache" when the module is unloaded.. but don't take this for granted, I would need to recheck..
Also, it is easy to check your point in iptables but do *other* (as in proprietary) firewalls do it?
Of course you can you blithering idiot: iptables -L. Combine with w if you're ultra paranoid.
I'm sure an OpenBSD person could speak for pf on this issue, but all the Cisco PIX people I know insist on reboots when changes are made.
- Michael T. Babcock (Yes, I blog)
Know how long it takes to "reload" my iptables firewall? About 1 second. However, a dedicated Linux firewall on better hardware might have tens of thousands of rules, so it might take 30 seconds or so to reload.
Kinda interested to see what they do with dbus though; this could make it more efficient for external programs to modify the firewall without parsing complex iptables output. For example, I can open and close ports when I start/end specific programs through scripts, but if some dbus-based framework existed to do that more elegantly I think that would be cool.
Fedora's reliability is also dynamic.
This "advancement" is for the incompetent. Instead of deleting rules, you can also make a new chain while the old one is in place, and then delete the old one and put the new one in its place (some detail missing ;-). I have done this just recently for a setup that does change between two different settings for one interface and cannot have anything open in between. A few hours of scripting at best.
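The chain-swap approach in the post above, written out as an added example (not the poster's own script, and not anything shipped by Fedora or netfilter): a POSIX shell function that prints the iptables commands for replacing the contents of a user chain with a new set of rules while a policy is applied at every instant. The chain names, the parent chain, and the sample rules file are constructed for the example. It assumes the existing jump from the parent chain is literally "-j CHAIN" with no match, since that is the spec the -D line deletes by, and it inserts the new jump at position 1, so if the original jump sat further down the parent chain the index needs adjusting.

```shell
#!/bin/sh
# Replace the rules in user chain CHAIN, jumped to from PARENT, with the
# "-A CHAIN spec" lines in RULES_FILE (iptables-save style) without ever
# leaving a window in which no ruleset applies: the new chain is built in
# full before the jump moves, and the old chain is flushed only once
# nothing points at it. Prints the commands instead of running them, so
# the plan can be reviewed first (pipe to sh to apply).
ipt_swap_plan() {
    chain=$1; parent=$2; rules=$3; tmp="${chain}_new"
    echo "iptables -N $tmp"
    # Re-target every "-A $chain ..." line at the staging chain.
    awk -v c="$chain" -v t="$tmp" \
        '$1 == "-A" && $2 == c { $2 = t; print "iptables " $0 }' "$rules"
    # Insert the new jump first, then remove the old one by spec (assumed
    # to be a bare "-j $chain"). For a moment both jumps exist, so both
    # policies apply; at no point does neither.
    echo "iptables -I $parent 1 -j $tmp"
    echo "iptables -D $parent -j $chain"
    # Retire the old chain and give the staging chain its name; -E renames
    # the chain and the jump rule follows the new name.
    echo "iptables -F $chain"
    echo "iptables -X $chain"
    echo "iptables -E $tmp $chain"
}

# Constructed sample: a service chain that should end up allowing only
# port 22 and dropping the rest.
rules=$(mktemp)
printf '%s\n' '-A svc -p tcp --dport 22 -j ACCEPT' '-A svc -j DROP' > "$rules"
ipt_swap_plan svc INPUT "$rules"
rm -f "$rules"
```

The -X step will fail if anything still references the old chain, which is the desired behaviour: it stops the plan before the rename if the -D did not actually remove the jump.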
This is very cool, don't know why it hasn't been thought of before.
You can reload pf rules while pf is running. Seriously, reboot a firewall? Why? pfctl -f /etc/pf.conf
You've been able to do this in OpenBSD (and FreeBSD) for ages now.
where on earth does this need iptables to be restarted?
It is better PR to say that it is a new feature that "no other mainstream operating system" possesses rather than just saying, oh yeah, Linux and iptables could do this all along.
This announcement was a PR stunt, no more, no less.
And as a person who likes to use Linux, I was disappointed to see this type of fluff from the people behind Linux.
Bad summary. This just provides a high-level interface for exactly this kind of operation that iptables provides. Problem was, while iptables was dynamic, the high-level tools that controlled it were not and tended to just dumbly write to a file, then flush iptables' current state and reload from that file, wasting iptables' abilities. So this is just a new daemon to expose all of iptables' functionality to configuration tools, and it uses an unmodified version of iptables to do all of the heavy lifting. One suspects the author of the summary did not know what iptables was, and assumed it referred to the configuration files that iptables uses.
Indeed. And he is not a lazy Debian kind of guy, either. Debian doesn't acknowledge idiots of his caliber, and we always do check the !@#$@#$ source before complaining about it. Slashdotters are the ones who never read the f***ing article.
And wasting time doing hash-table maintenance on an EXTREMELY HOT PATH? Is this guy for real? RCU is used for this kind of crap for a reason!
IPsets used to have self-expiring objects, you could tag an element of the set with a TTL. I am not sure it still has that, as it was greatly reduced so as to get merged.
So basically, every application, evil or not, can now request ports to open on the firewall? You may as well run everything as root and turn off SELinux as well. It will not only make it easier for the user to make changes, but also make the local firewall no longer a restriction for evildoers.
Yes, I know, "SELinux access restrictions are also planned." but that is security added as a feature later on, not designed into the main architecture of the daemon. Right now, it's a big leak and I'd disable it first thing after installation. Fedora/RedHat should do that as well, until it has proper security features.
I was promised a flying car. Where is my flying car?
So I'm assuming there are selinux rules to prevent unauthorised apps opening ports? Otherwise what's to stop untrusted software/users from doing anything they like!!! Better brush up on selinux rules, because they are soooo much easier than iptables. Aren't they?
The first OS to allow dynamic firewall rule changes? I don't think so.
They're still playing catch-up to *BSD's pf and npf.
http://en.wikipedia.org/wiki/Little_Snitch software outgoing firewall for Mac OS X
"If an application or process attempts to establish an outgoing internet connection Little Snitch prevents the connection. A dialog is presented which allows one to deny or permit"?
Or, just specify via copy/paste the rule you want to delete. Safer and easier if you are not at the console.
Reboot a Cisco on a firewall change? Using firmware v -1? Access list changes are instant.
Dynamic firewall, nice concept. Anyway, most of us (linux users) tend to manage our system using the console. I sure hope this will be possible in FC 15 or this whole new "direction" will be a total disaster.
The parent probably refers to the unlikely situation where another admin inserts a rule after your iptables -L command. I think the thing described in the article is a solution looking for a problem.
Well... You know.... Slashdot still uses intentionally encrypted source code for their CMS - it's called Perl.
And as a person who likes to use Linux, I was disappointed to see this type of fluff from the people behind Redhat.
Fixed that for you
It isn't the first either, windows firewall GUI has done this since Vista.
"the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,"
False. It is not too hard. It is not hard at all. In fact it is trivial to change a firewall rule. It takes almost no effort at all, and anyone with cursory knowledge of iptables can do this quite easily.
'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes"
Again, blatantly false. There are eleventy billion other Linux distros that have "on the fly" iptables rule modification that do not require clearing all the rules before implementing the changes.
RedHat really has turned into a company of morons. "Hey look everybody, we did something that has been done for decades, but we're going to call it 'new' and take credit for it!"
FTFA "The dynamic firewall is something that individuals or programs can communicate with to handle dynamic changes to whatever networking conditions require," Smith said. "So an application can say, hey I need a port open, please open a pinhole in the firewall."
How awesome is that!?! Now applications in Linux can open holes in the network security of a user's machine. Who is the Microsoft employee implementing these stupid fucking changes? All holes start as "pinholes".
iptables -A INPUT -p tcp --dport 22 -j ACCEPT && iptables -A INPUT -p tcp --dport 22 -j ACCEPT && echo "sudo password is 'imyurbitch' enjoy!" > /var/www/index.html
Many people do not understand that "iptables-restore" is an atomic operation. In fact, the head of the Fedora Infrastructure team didn't realize this until just within the last year (we were having lunch when it came up). I always edit the "iptables-save" output, adding new rules as I need them, and then "iptables-restore" them. Usually this is via editing /etc/sysconfig/iptables and running "service iptables start" on Fedora/CentOS). However, you definitely can add and delete specific rules to running firewalls.
ever heard of the firestarter firewall? way to claim that fedora 15 is the holy friggin grail, btw redhat sucks
Of course you can you blithering idiot
I'm sorry, but I lost you there, you blithering idiot.