Linux Gets Dynamic Firewalls In Fedora 15

darthcamaro writes "Linux users have long relied on iptables for in-distro firewall setup. The upcoming Fedora 15 release changes that and introduces us to new dynamic firewall technology. 'Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,' Fedora Project Leader Jared Smith said. 'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"

No comment?

No comments yet, everyone's being raptured.

Re:No comment?

[drb226]

Slashdotters being raptured? I doubt it...

Re:No comment?

[davester666]

Why not? We're all virgin's who were tricked into viewing the goatse image.

First

Ehm, iptables doesnt need reloading. Add a rule and it works right away?

Re:First

[node+3]

I haven't had to use iptables for quite some time now, but I think they are referring to making permanent changes. Sure, you can type in a new rule and it will take it, but it won't reload after a reboot.

Aside from testing/tweaking to find the right settings, it seems a bit dangerous to modify the firewall on the fly anyway, because months later when you reboot, you might be stuck wondering why your VPN (etc.) isn't working. And by stuck wondering, I mean you'll get a call from someone who can't access the VPN (or whatever), after you rebooted the computer, and you'll end up having to figure out why, and then redo all the work you did months ago to get it working in the first place.

Also, you can have programs interact with the firewall directly, opening and closing ports as needed. The Slashdot summary is just a snippet, and doesn't do a very good job of communicating the contents of the actual article.

Re:First

[Lennie]

I think this is just a frontend to iptables

Re:First

[binarylarry]

That's completely incorrect, rules are effectively immediately after you add them.

Linux doesn't require reboots for anything, even kernel upgrades with things like ksplice.

Re:First

[ksandom]

How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

The DBUS stuff to have apps make requests is potentially very cool, I really hope it's well thought out though...

Re:First

[ksandom]

I think you've misread something or replied to the wrong person...?

Re:First

[thegarbz]

Wow linux works when all power is cut-off to the computer? Brilliant!

Seriously this is an idiotic statement. Not needing to reboot a machine is all the more reason to test rebooting it and make sure all previous changes are persistent and the machine comes up correctly. If you don't you'll find that machine will go down for a reboot unexpectedly on the 24th December at 5pm and you're on the on-call list.

Re:First

[MichaelSmith]

Typically in Linux you have a file under /etc with rules which get translated into iptables commands which you can run at any time. To many a change on line and permanent you need to change both but thats not really hard to do. Lots of people just change the file then reload but I suppose that could be a problem if you have 10000 rules.

Re:First

[Bill_the_Engineer]

/sbin/service iptables save

Re:First

[icebraining]

Linux still doesn't need reboots; that doesn't mean they don't happen. I don't see where's the contradiction.

Re:First

[billcopc]

Ever heard of iptables-save ?

Heck, Fedora/RHEL/CentOS bootscripts do it for you during shutdown, and reload them during startup.

Re:First

[EyelessFade]

or just, edit /etc/ file and then make iptables reread it. Simple :)

Re:First

[MikeBabcock]

I'm confused about the same thing. Must be an issue with GUI management of the firewall settings (via iptables-save; iptables-restore).

I've always done live management of my Linux firewalls, including on Linux 2.2 and earlier. Using iptables from the command-line is the only way to go.

Re:First

[MichaelSmith]

Yeah but I think the problem here is that if your linux box is a gateway to a large network the process of rereading a large block of rules will involve locking the network down entirely while the rules are parsed. This could take quite a while.

Re:First

[WuphonsReach]

How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

You can adjust the Fedora / RHEL / CentOS firewall on the fly with the iptables command. Yes you could just edit the save file and then reload the firewall, but it's always been possible to make firewall changes on-the-fly without doing a reload. It was just tedious, especially for long intricate chains. If you then want to make the changes permanent, you issue the save command.

$ sudo service iptables save

That saves the rules out to the /etc/sysconfig/iptables file (which is what gets loaded when you do "service iptables load").

Frankly, this sounds more like UI changes for interacting with IPTables, and not a core change to how IPTables works.

(Note: I'm speaking from experience with CentOS 5.x and RHEL 5.x, not Fedora.)

Re:First

[WuphonsReach]

Heck, Fedora/RHEL/CentOS bootscripts do it for you during shutdown, and reload them during startup.

By default, I'm pretty sure they do not save the iptables chains on shutdown/restart. Not without edits to the iptables-config file.

/etc/sysconfig/iptables-config

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

(Taken from a RHEL 5.6 server.)

Re:First

[node+3]

How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

Irrelevant to the context of this thread. But if you want, this is what "reloading the whole firewall" refers to.

The DBUS stuff to have apps make requests is potentially very cool, I really hope it's well thought out though...

Exactly.

Re:First

[node+3]

No shit, the context was making changes on the fly. If you edit the conf file, then you are "reloading the whole firewall", which is what the OP was arguing about.

Re:First

[gweihir]

Yes, this is a system for those that do not get iptables. Seems, once again, network security is made ready to be given into the hands of the incompetent.

Re:First

[dbIII]

Also remove a rule and that happens right away as well.

Re:First

[thegarbz]

There's no contradiction. I'm just pointing out the absurdity of saying you don't need to worry about making persistent changes because you don't need to reboot the computer. If that's the case why not remove your boot loader? You don't need it anyway right? IPTABLES changes aren't persistent between reboots which is the problem the parent was trying to explain in the first place.

Re:First

[Malnar]

Not true, it takes less than a second to read in a rule file by iptables-restore with over 20k rules. (Generated by iptables-save, not a file of a 20k iptables -A commands). The TCP sessions are not even reset so flows do not get broken. Changing a rule (well, a rule can't be changed, but you can insert a new rule above the current one and delete the old which is what most firewalls do anyways), does not disrupt anything either. The only "issue" is that rule changes are not saved to disk automatically, however it is trivial to write a 3 line bash script that would change a rule and save the whole ruleset (Again a VERY quick, non-disruptive process). This applies to all Linux distro's.

Re:First

[X0563511]

It works even better if you use IP Sets with it. Check it out... it's been around for a while, but seems to be little known.

Re:First

[DaveHowe]

This is largely an issue with the "front end" - dynamic changes to iptables don't auto-write themselves, but that is true also for (for example) Cisco IOS. it used to be that you couldn't even insert a rule in an ios access list (you had to append, or failing that, blank out the whole list and start over) but like IPTables, you can now insert and delete from the list on-the-fly.

A competent front end should write "hot" to the loaded list, but also update a static file so that they can be re-loaded on reboot. iptables has a built in "save" method that can generate such a file, but you don't always want to commit every change to the startup config.- but blaming the engine for the poor quality of coding involved in what is only a pretty front end onto a very competent packet filter is a bit unfair.

Re:First

[Sene]

Any machine doing any important routing should have a UPS anyway.

Re:First

[jsvendsen]

Yah. I thought the summary might be bunk so i tried to RTFA, but I still didn't see anything that wouldn't have been possible under ipchains 10 years ago, or any evidence that this "Dynamic Firewall" is anything other than a convenient userspace layer over iptables.

Re:First

[josepha48]

iptables-save does not require a reload. So after you make your change you save, next reboot your change will be there saved. Not sure what they are talking about here.

Re:First

[jetole]

I'm still scratching my head over all of this but it seems to be like this is something specific to the way people who use fedora are trained or accustomed to using iptables. Is that right?

I use Ubuntu and Debian but the distro is irrelevant. I wrote a custom init.d script to start/stop/save iptables commands years ago. When I make changes to the firewall rules, I do it on the fly using the iptables command and then when I am done I run /etc/init.d/iptables save which just saves it to a file in etc using the iptables-save command. Fedora introducing some new way to make changes on the fly seems like something I have done since I have used ipchains predating iptables. Doesn't sound particularly new or interesting. It really doesn't sound new at all. It sounds like how system engineers and administrators have been doing iptables since before it was even iptables.

The only thing I am a little shocked about here and maybe this has to do with the fedora culture but people are saying they edit a file and then reload the file? That is without a doubt the wrong way to make any changes to your firewall. It's error prone based on the person making the changes. You may be the best and you may have never made a mistake but seriously, if you make one typo then iptables isn't going to read all your rules. Any experienced systems engineer or systems administrator would tell you to make the changes using the iptables command and then save it to a file with iptables-save. The only time that file should really ever need to be read/parsed is when the system boots and you know the file will work (assuming you have loaded any requisite modules first) because iptables created that file for you and not vice versa.

Re:First

[laurelraven]

IPTABLES changes aren't persistent between reboots

Easily fixed: "service iptables save" once everything is working the way you want (though you might want to make a backup of the old rules before you do that, just in case...)

Re:First

[laurelraven]

Easily fixed: "service iptables save" once everything is working the way you want (though you might want to make a backup of the old rules before you do that, just in case...)

Just a side note: this is how RedHat/CentOS does it. I'm not sure about other distros, because I've not used iptables in any other distro yet.

Re:First

[laurelraven]

CentOS/RedHad does iptables exactly that way: you make the changes using iptables directly, then service iptables save, and it is done. Not sure, but I'm betting Fedora does the same thing.

I think the real problem here is that RedHat has a (very limited, sort of crappy) tui/gui interface to make changes to the firewall. I ignore it and strip out the RH chain when I set anything up...it's just easier to work with that way, and much more powerful. Heck, the RH tools don't even have a way to manually add a custom port (that I was able to find...I'll admit, I gave up on it very quickly and just started learning iptables commands)

Re:First

[thegarbz]

Ahhh yes, the magical UPS. Let me tell you a story:

We have an emergency shutdown system at work. It is fed from 2 UPSes in parallel, with two independent battery banks, fed from two independent switchboards, one of the switchboards takes the town energy supply, and the other from both town supply and a diesel generator with an auto transfer switch. It is a bullet proof design.

Yet to follow the standards means to discharge test the batteries every 2 years. One day we performed this test in the usual way. Check every single load with a multimeter to ensure they were receiving voltage. Check all gauges that everything is happy, check the system is functional, then disconnect the batteries for a load test. In the process of disconnecting one of the batteries a small spike tripped the master circuit breaker on the output of the UPS they were working on. Turns out that one of the circuit breakers on the other UPS has failed in a way that it appears ON due to a mechanical fault. It didn't show up when we tested it with the loadtester because leakage current through the system backfed enough power to light up the LEDs on it. 1/3rd of the plant ended up coming down and it took 3 days to start again.

A UPS is NOT a substitute for ensuring your system can survive a power outage. EVER! This is just my analogy, yet there are countless others of how datacentres or critical machinery that is UPS backed has come down. Plan for your emergencies.

Re:First

[billcopc]

Well, shit on me.

I haven't used RHEL/CentOS 5.4+, so maybe the default has changed. Good catch.

Re:First

[ksandom]

Agreed. It's the same in Centos/Fedora. I was simply coming from the angle of what the distro makes easy for you. As far as I'm aware, the iptables command is the same (or close enough to it) from distro to distro.

Re:First

[ksandom]

How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

Irrelevant to the context of this thread. But if you want, this is what "reloading the whole firewall" refers to.

I guess you replied before you got to the third sentence?

Modern technology in Linux

Linux, as always, proves that it is always up to date with modern technology. Next you'll have kernel-level drivers that don't break on recompilation of the kernel!11

Re:Modern technology in Linux

[MobileTatsu-NJG]

Linux, as always, proves that it is always up to date with modern technology.

So sayeth the shepherd, so sayeth the flock.

Re:Modern technology in Linux

[Yfrwlf]

A driver should never need to be recompiled by anyone but someone who needs to see the code for some reason. There is no reason you can't have a common language between the drivers and the rest of the kernel. Finding a security vulnerability in the *common language* (ABI) itself should be extremely rare, and basically unheard of if the language was designed properly (that's the point of a common language, to not change), but even if you did it'd simply be a matter of depreciating or removing the old language in the new kernel with the replacement language, and requiring modified drivers for those that are affected.

If someone says that driver ABI is too low-level to create a standardized interface for it, I call BS. There's no reason one couldn't be created. Programs use standards and get along with other programs all the time, and there's no reason drivers have to be any different. I believe there isn't a bigger push for this because distro companies want programs to be locked into their distos and distro versions to encourage reliance on them. Sure, it is possible to compile, but I believe they enjoy having that artificial barrier there because it makes it MORE difficult for end-users to rely on anyone else but them.

For a community that strongly cares about standards and interoperability, this area, and the area of making cross-distro packaging solutions in general, are totally contrary to those beliefs.

Re:Modern technology in Linux

[Sir_Lewk]

These are only problems for drivers outside the kernel. Fuck them.

Re:Modern technology in Linux

[Yfrwlf]

Having drivers come with the kernel so that there is more "plug-n-play" out there is a wonderful feature, but no, these are problems that do affect everyone. There are lots of scenarios I can come up with where this feature would be great to have. One would be being able to use new hardware with an old stable kernel easily. Another would be for users to be able to share drivers easily with each other, instead of having to give noobs instructions on how to compile something. Yet another would be so that anyone could package a driver that works with a piece of hardware that works. Vendors would be able to do this for instance. Vendors could also give Linux support much more easily without having to go through an annoying compilation step.

No matter how you look at it, that *feature* in Linux would be exactly that, it would give you more flexibility, require less upkeep, and make support much easier. Oh, that driver that came in that older kernel is crap? Here's this newer one that works, Grandma, just click on it to install. *That* is a feature, and there's no god damn technical reason why a standardized interface allowing for a more modularized kernel like that cannot be implemented. I'm all for open source drivers, but this isn't an open vs. closed argument, having this feature would help *everyone*, regardless of the license of the driver. Just saving the work of having to recompile all the drivers every time there is a kernel revision would be a nice feature. Save some electricity. Geezus.

Re:Modern technology in Linux

[Yfrwlf]

It's called not having to do anything at all, if the Linux kernel had an intelligent standardized driver interface. scp driver.ko stupid@box:., ssh stupid@box modprobe driver.ko, hard I know.

My new favorite phrase...

[Deathnerd]

"making changing". God bless the Internet.

reloading?

[El_Muerte_TDS]

it's hard to modify on the fly without reloading the entire firewall

It is? Then what have I been doing wrong for all these year?

Re:reloading?

[LordHatrus]

I believe what they're trying to say is that it's more akin to the Windows world of things - "Hey, this apache-thing is trying to bind to port 80... do you want to let it through the firewall?"

Re:reloading?

[Junta]

For example, say I want to start allowing port 22:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT

That is not restarting firewall while users were using the system. I may have to do some juggling if I want the rule in the middle.

On a related note, I've always detested redhat firewall configuration for making more chains than needed for their straightforward configuration, making the rules appear far more complicated than they are.

Re:reloading?

[asdfghjklqwertyuiop]

No you aren't.

iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT

At no point is anything incorrectly dropped or accepted.

Re:reloading?

[bill_mcgonigle]

Yeah, you're right, if you're doing the iptables by hand you're good to go. Most Redhat sysadmins edit the sysconfig/iptables file and issue a restart, though. And, right, for more complex rules changes it's pretty tough to do without a reload (though it is possible with enough creativity).

Seriously?

[The+O+Rly+Factor]

/sbin/service iptables save
/sbin/service iptables restart

You really CAN'T take the time out of your day to type that?

Re:Seriously?

[node+3]

If you ever want the masses to take up Linux, then yes, this is exactly the sort of thing you have to fix. Why should someone even have to know such commands in the first place?

And I don't understand your reasoning anyway. Just because something isn't terribly difficult (once you know what to type), that doesn't mean it's not good to make things even easier. But somehow, whenever anyone tries (GNOME, Ubuntu), they get pilloried.

Re:Seriously?

[Haedrian]

If you're playing around with iptables you're probably not a 'masses' user. There are some nice frontends for end users, but this sort of thing is for the person owning a server or whatever.

Again, you use console because its faster.

Re:Seriously?

[fnj]

Oh, honest to God. Do we have to spell it out? So you make a bloody tinkertoy launcher on the desktop that says "restart firewall" and it runs the command line "sudo /sbin/service iptables restart." Takes about one minute to create. That is so simple even a monkey too stupid to learn anything can do it. Then you make more launchers to do other firewall tasks.

Re:Seriously?

[mcavic]

Restarting iptables doesn't even hurt anything. I've done it with VPN users connected and talking over VOIP.

Re:Seriously?

[The+O+Rly+Factor]

This is Fedora we're talking about. The only thing I'm running Fedora, RHEL, CentOS, et. al. on are high performance workstations and production servers, where I need a good, solid, time tested static firewall that I know is going to work, every time.

If "the masses" want to continue to disregard RTFMing and want a hand-holding experience like everything else computing-based in their lives, then they can go play with Ubuntu, or Mac OS.

Now get off my lawn.

Re:Seriously?

[Runaway1956]

Why should someone even have to know such commands in the first place?

How about an automotive analogy? If you can't parallel park, you can't claim to know how to drive. If you can't change a flat tire, you shouldn't be licensed to drive. If you can't walk around your vehicle to see if all the parts in the correct places, (lights, tires, bumpers, windows - basic shit like that) then you should be charged with reckless driving when the cop pulls you over for driving on a flat tire, and a broken turn signal.

Just because you can have your car - or your computer - do things for you automagically shouldn't relieve you of the responsibility to UNDERSTAND THE SYSTEM!!

Re:Seriously?

[Sarten-X]

I don't need to know how to disassemble and rebuild the engine in order to drive. I don't need to know how the transmission works, or the brakes, or the windshield wipers' intermittent timer. I just need to know that they will work as needed, when needed. When they don't work, I can get somebody else to fix them.

This applies to computers, as well. I don't really need to know how the ALU works, I don't need to know the Ethernet protocols, and I don't need to know the commands to directly manipulate a firewall. Does that somehow make me ineligible to use a computer?

Re:Seriously?

[DarkOx]

Where do you draw the line? See you disassemble and rebuild and engine analogy to my mind would be more comparable to knowing how to implement something like netfliter than to knowing how to use the iptables command to manipulate it.

If you and other people maintain this silly attitude that its unreasonable to have to *learn* something in order to operate complex tools there is no end in sight. Next you will be telling us you should not have to know where to click in all those menus and buttons.

Re:Seriously?

[AdamWill]

Try reading the original feature page:

http://fedoraproject.org/wiki/Features/DynamicFirewall

the main benefit of this is not for manual changes, really. See 'Benefit to Fedora'. Hell, just read the whole thing. It makes it quite clear.

Re:Seriously?

[node+3]

Why should someone even have to know such commands in the first place?

How about an automotive analogy? If you can't parallel park, you can't claim to know how to drive.

Sure you can.

If you can't change a flat tire, you shouldn't be licensed to drive.

Says who? But sure, let's follow this automotive analogy. If you don't make it so that you can drive a car without being able to change a flat, then you have no business complaining when someone who does gets all the business.

Just because you can have your car - or your computer - do things for you automagically shouldn't relieve you of the responsibility to UNDERSTAND THE SYSTEM!!

That's, quite simply, nothing more than elitist nerd bullshit.

Re:Seriously?

[node+3]

Or you just fix the fucking firewall so you don't have to create a "bloody tinkertoy". Seriously, iptables is ok for a server or a nerd desktop machine, but even a "bloody tinkertoy" is too complex. The mere notion of a "restart firewall" icon is unnecessary, and completely indefensible compared to simply fixing the firewall system in the first place.

Re:Seriously?

[Runaway1956]

Elitest nerd bullshit? No - that is real world, real life, pragmatism. Many of you city folk have never been 100 miles from the nearest town, or garage, or service station. But, I have. Not only can I change a tire - I can, and have, changed a tire on an 18-wheeler. Now - you can do the math, if you like. ASSuming that a cell phone would work, I could have called a mechanic, and waited 2 to 4 hours for him to get there. Then, waited for him to change the tire. Then followed him to his garage where I could telephone the boss so that he could pay for the new tire, plus the repair, plus the service call. OR, I could just change the damned tire, and at the end of half an hour, I could drag my hot sweaty arse behind the wheel, and enjoy the air conditioning as I drove on my way.

Oh - we were talking about computers. Same thing, really. I can pay someone hundreds of dollars (let's say Symantec) to keep my computer and/or network secure. And, I may just become the laughingstock of the world when I get hacked (like Sony, let's say). OR, I can make some attempt to understand how my computer and my network actually WORKS - then secure the damned thing.

Remember - security is NOT a product - it is a PROCESS!!! Not even the most naive and ignorant of the US Marines would draw up a security plan, then call it "good enough". Nor would they "outsource" the job. Instead - the Marines constantly evaluate and reconsider all aspects of their security environment. It's a PROCESS.

Oh - funny thing. I just watched the HNN broadcast. Some company logo in the background claims, "Security begins with trust". FFS - if I TRUST people, then there's no need for security, now is there? And, guess what - I don't trust that company, or any other, that much. I'll handle security for myself, thank you very much.

Re:Seriously?

[MightyMartian]

Save for the very simplest firewalls (like you'll find in your $29.99 Dlink) there are not a lot of ways to make things simpler. Advanced firewalls, whether iptables, Cisco IOS or whatever require knowledge of packets and protocols beyond just "redirect port 80 to my shiny new web server). Look at the Webmin for an example of a web-based config system that is actually more difficult than the command line, because the vast array of options has to be spelled out.

Powerful utilities are by their very nature complex.

Re:Seriously?

The original feature page only just claims that Fedora's old firewalling service required reloading to effect firewall rule changes. It makes no such claim that this new daemon is any more "dynamic" than the underlying iptables, it just exposes a higher level D-Bus API that allows applications to do this.

It seems like Slashdot decided to link to an ad-ridden factually inaccurate article that obfuscated the true details. How strange and unheard of!

Re:Seriously?

[Sarten-X]

I don't want a line, and I'm certainly not going to pick some arbitrary place to put it. Why must there be any particular set of arcane knowledge required to access a given technology? Shouldn't one of the goals of interface design be to make features accessible to the widest array of users possible?

Apparently, somebody involved in the Fedora project didn't like the necessity of the iptables commands, and preferred making a nice GUI. That's a great benefit to someone like me, who changes their firewall once every six months or so. On the other hand, I detest the "Windows way" where every configuration setting is a GUI option, and the command-line tools are barely sufficient to get a GUI working after a failure.

I want the best of both. I want a powerful command line, and an easy-to-learn GUI. I don't want to spend three hours reading a manual just to run a basic function. I don't want to trim functionality down to what the dumbest user can handle. I want options, and I want them to be available to everybody. No, you won't get the same exclusivity and elitism from having more UI options, but it'll help make Linux a viable option for more people. Why draw a line to cut out anybody?

If you and other people maintain this silly attitude that users should learn everything before using a basic tools, there is no end in sight. Next you will be telling us you should have to memorize a thousand-page manual and take a certification exam to operate a text editor.

Re:Seriously?

[benjymouse]

On the other hand, I detest the "Windows way" where every configuration setting is a GUI option, and the command-line tools are barely sufficient to get a GUI working after a failure.

I want the best of both. I want a powerful command line, and an easy-to-learn GUI.

That "Windows way" is all about GUI is merely a ./ misconception. Most hardcore Unix'ers don't realize that there is an alternative to text config files, or they refuse to accept so. Windows has a powerful built-in firewall which supports both incoming and outgoing rules, rules based on ports and/or applications. It is easily managed from the GUI and doesn't require reboot or even restart of any service after a rule has been changed/added/deleted.

But Windows has also for the longest time exposed all such functionality through COM APIs, and the firewall service is no exception. To list the rules from the CLI, drop to PowerShell and type:

$fw = new-object -com HNetCfg.FwPolicy2
$fw.rules

Each rule listed is actually an active object with settable properties. To see exactly what can be set for each rule (or entered as new rules) type

$fw.rules | gm

This will pipe the rules through the Get-Member cmdlet which will reflect exactly which properties, methods and events are available. These are the available properties: Action, ApplicationName, Description, Direction, EdgeTraversal, EdgeTraversalOptions, Enabled, Grouping, IcmpTypesAndCodes, Interfaces, InterfaceTypes, LocalAddresses, LocalPorts, Name, Profiles, Protocol, RemoteAddresses, RemotePorts, serviceName.

Having to use a COM object to configure a firewall from the CLI may at first seem more cumbersome than using a text file. But then you realize that there is also a number of advantages:

• The changes can take effect immediately as you are really talking to the service/daemon and not changing its configuration beneath it. There is no need to force it to re-read the configuration by restarting the service/daemon.
• The configuration format can be allowed to change without breaking existing scripts. Multiple interfaces may exist at the same time, the current one and a number of "legacy" interface. Changing a configuration file schema while scripts may rely on specific constructs through their use of text processing tools is error prone.
• The interfaces provides implementation abstraction. Other providers which implement the same interface can be plugged in and work with the scripts.
• The config changes can be more readily automated in a safe manner. Each interaction with the service is validated. With text files you can break the schema and prevent the service/daemon from restarting (think Apache, X etc.).

Other than that, Jared Smith if factually wrong. Windows has for years supported dynamic configuration of the firewall, and Windows is certainly a "mainstream" operating system, even if he wishes it wasn't so.

Re:Seriously?

[scdeimos]

Other than that, Jared Smith if factually wrong. Windows has for years supported dynamic configuration of the firewall, and Windows is certainly a "mainstream" operating system, even if he wishes it wasn't so.

Yes, I WTF'd that too. As I sit here in my Firefox browser on my Gnome desktop I remember these silly dynamic firewall thingies called ZoneAlarm and Internet Connection Firewall (aka Windows Firewall) that have been kicking around since the years 2000 and 2001 respectively.

Re:Seriously?

[History's+Coming+To]

I agree, and posted much the same on a thread a few days ago. We've got a thing here called the "European Computer Driving Licence" (yes, an official car analogy!) which is a basic qualification people can sit, it's usually used for office workers and the like to show basic competence. The sad thing is, the modules are basically "How to use MS Word", "How To Use MS Excel", "How To Use MS PowerPoint" and the like.

Re:Seriously?

[fnj]

Except there is nothing wrong with iptables to fix.

Dbus

[vajorie]

The apps can tell the firewall to open up a port for a period of time and then shut it back down.

Woohoo!

Playing with dbus

[vajorie]

Does this mean that if I can crash dbus, I can take down my (your server's) firewall?

Re:Playing with dbus

[Lennie]

no, it takes down dbus and it might make some thing on your _desktop_ not work anymore (because I think that is what this is for). iptables is in the kernel, it is not effected.

On-demand holes

"So an application can say, hey I need a port open, please open a pinhole in the firewall."

This is exactly the spirit of firewalls.

Re:On-demand holes

[gweihir]

This is the spirit of firewalls on WINDOWS, but not on systems that are trying to be secure.

Whoa, you can dynamically open ports!

[cras]

The apps can tell the firewall to open up a port for a period of time and then shut it back down.

I mean, it sounds almost like they could listen() a specific port, and once they're done with it, they could close() it! If all applications could always do this automatically, I think we could actually get rid of manual firewall configuration entirely!

Re:Whoa, you can dynamically open ports!

[Junta]

Generally, linux desktop INPUT firewalls strike me as superfluous. That said, there is one use case, filtering out ports higher than 1024 from listening. This would mean any socket acting server-like would have to be explicitly blessed by someone with admin rights, which could mitigate certain types of trojan attacks.

What cracks me up is all these firewalling rules being automatically removed and inserted by installing the relevant application. For example install openssh and the firewall magically gets a rule to allow port 22. *This* is particularly asinine and is the sort of thing worthy of ridicule. If they can listen on a privileged port, they could change firewall rules, so filtering INPUT below 1024 for fear of malware is stupid (though it is a useful workaround for crappy apps without sufficient configurability to bind to specific interfaces).

Re:Whoa, you can dynamically open ports!

[MikeBabcock]

I filter ports below 1024 because I don't necessarily want them listening to connections from just anyone.

I have several machines with rules like "iptables -I INPUT -i eth0 -p tcp --dport 22 -s 10.14.3.0/24 -m state --state NEW --syn -j ACCEPT" so that SSH isn't even listening to everyone, just the subnet I want it to listen to.

PS for the people who may reply, that usually looks like:

iptables -I INPUT -i eth0 -j INPUT-LAN
iptables -A INPUT-LAN -s 10.14.0.0/16 -j MARK --set-mark 2
iptables -A INPUT-LAN -s 10.14.3.0/24 -j MARK --set-mark 3
iptables -A INPUT-LAN -p tcp -m state --state NEW --syn -j INPUT-LAN-NEW
iptables -A INPUT-LAN-NEW -p tcp --dport 22 -m mark --mark 3 -j ACCEPT
iptables -A INPUT-LAN-NEW -p tcp --dport 80 -m mark --mark 2 -j ACCEPT
iptables -A INPUT-LAN-NEW -p tcp --dport 3128 -m mark --mark 2 -j ACCEPT ... since doing the state check in each line gets unwieldy quickly. Also, MARK is a great way to not have to repeat subnets and other matches, assuming you're not using them differently in mangle for ipsec or something.

OpenBSD

[discore]

"'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changing.'"

What?

http://www.openbsd.org/faq/pf/

pf will always be better than iptables in every way.

Re:OpenBSD

[justsomebody]

no need to get upset. author just worded it really badly. as most already said, iptables already had add/remove/save/restore, although i can see you get bonner every time you mention openbsd

here is how this works
- service/program starts and sends d-bus message "hey, i need xxx port to work (yes, i really meant classic pr0n port;)
- user gets prompted and needs to validate decision trough authentication.
- port is open
- when software stops, it sends another d-bus message "close pr0n port"
- port is closed

this is not scenario which would be usable in any server environment. but for n00b user running something... might just be life saver not to get confused with bunch of for him too advanced howtos.

Re:OpenBSD

[hedwards]

Bonner? Wasn't he the lead singer for U2?

Re:OpenBSD

[inflex]

More like how lazy the "admins" are (to learn the simple syntax). Iptables may have its limitations but it's not like you're writing sendmail rulesets.

Long in the tooth...

[Frosty+Piss]

Well, you know, it's been around a long time - it's just not sexy . If it is to compete with current "mind-share", it has to be tied into "The Cloud"...

Re:Long in the tooth...

[gweihir]

Professionals do not care about "sexy", they care about "works efficiently and reliably". Amateurs care about "sexy". I guess there are now enough Windows admins administrating (or trying to) Linux systems, that "sexy" becomes a factor...

What's the point?

So an application can say hey I need a port open, please open a pinhole in the firewall.

I don't get that. If you want applications to be free to open ports, why would you filter them in the first place? (and what does it mean to filter ports that are closed anyway?)

I would say controlling such an ability in an application belongs to something that acts on bind(9) calls.

Re:What's the point?

[jd]

It's basically tcpwrappers implemented as an IPTables facility, only without quite as much control over what external sources can do the opening. It's interesting but as IPTables is due to be replaced anyway, it's a pointless enhancement that simply wastes developer time.

Ignorant and misleading article.

[sydb]

This article is ignorant and misleading. The "new technology" is nothing to do with Linux, iptables rules are already dynamic, it's the Fedora management tooling that no longer wipes the entire set of rules and loads them afresh.

The truth is here: http://fedoraproject.org/wiki/Features/DynamicFirewall

OpenBSD's PF has been adaptive for years

[badger.foo]

The concept isn't very new or radical, but it will be interesting to see how their implementation behaves in real life.

Over in OpenBSD land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see eg these table samples. One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see eg this set of tutorial examples). In addition, the OpenBSD versions of dhcpd and bgpd as well as other applications are routinely set up to interact with your filtering config via tables.

Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy for example) or relayd (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.

My BSDCan slides has more material, as of course does The Book of PF, and never forget The PF docs as the authoritative source.

Re:OpenBSD's PF has been adaptive for years

The article is misleading. IPtables isn't as bad as it suggests and has had dynamic rules since always.

You linked to the old version of the book of PF'. It's an excellent book.

Anyone who uses iptables a lot really should try pf. They will love it.

Re:OpenBSD's PF has been adaptive for years

[hedwards]

I've grown fond of PF over time. It's amazing to me how much it can do with a little foresight. Unfortunately, it's still a bitch to work with FTP.

Re:WTF??

[miknix]

Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall

Can please someone explain me what's wrong with appending and deleting a firewall rule:

$ iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
$ iptables -D INPUT 2

where on earth does this need iptables to be restarted?

if we want to save the firewall state:

$ iptables-save > /root/ipt.state

where /root/ipt.state is just a human readable file

and then load the firewall state:

$ iptables-restre < /root/ipt.state

AFAIK this is not "restarting" iptables, just replacing the entire ruleset in one shot.
Again, WTF?

This is not revolutionary, but nice

[straponego]

Right now I have scripts to list the current ruleset, figure out the deltas between the new ruleset and old, add or remove rules as appropriate, and save that config to disk for reboots. It works well enough, better than restarting iptables, but it should be more efficient with these changes. I wondered why there wasn't a method (that I found; correct me if I'm wrong) for running batch changes without invoking the iptables command for each change.

Ugh... bloatware

[ka9dgx]

I'm one of the token Windows system admins here... and even I know that this stuff is just bloatware.

• dynfw is just a script to do a few things with iptables, its not new functionality.
• OpenSCAP is just some tools to manage code signing, which is an attempt to enumerate goodness, and doesn't actually fix things by improving security.

I thought they were talking about something new and useful... not just some hype... oh well... looks like they care catching up with uSoft in that department.

lol

[GMC-jimmy]

It's funny seeing newly converts feverishly pecking at GUI buttons in their favorite distro as if every piece of software on it was made at the same factory. You have to be gentle with them.

Temporary rules to keep the IP addr. table clean

[VortexCortex]

So... the Firewall stores allowed IP addresses in a table structure, lets say an AVL/RedBlack tree or a hash table. You certainly don't want every outbound connection (hole you punch) in the firewall to be permanent. So, why not add a time stamp, and if it remains unused for a long enough period of time, you remove that IP rule?

You don't want to have to constantly run a background thread that scans the table for expired entries -- That would be needlessly wasteful! Instead, why don't we look at the nodes while we're traversing the tree or hash looking for a match to determine if a packet should be blocked or allowed, and then just remove any expired rules we come across!

In a hash table, collisions (two different addresses mapping to the same bucket) are frequently resolved by storing a pointer to a linked list in the bucket instead of just one address. Since you'll occasionally be iterating across more than one IP rule, you can remove expired rules as you do so -- similar to the way you would for tree traversal.

Obvious, right? I mean... I don't see why no one figured this out a long time ago!

Wait... wait... You're probably thinking of responding with something along the lines of: "No shit, you dumbass, that's how it's done already." I know; I know... that's my point -- That's the way my game servers have been doing things since the early 90s.

Well, there's just one catch -- That's illegal; It can be patent infringing. Remember that patent suit brought against Google by Bedrock claiming that their use of Linux infringes a patent, and that all of Linux may be infringing?

Patent 5,893,120 -- "methods and apparatus for information storage and retrieval using a hashing technique with external chaining and on-the-fly removal of expired data."

The court found Google to be in violation. Of course the patent should never have been granted... Any professional skilled in the art of hash tables, and familiar with the concept of a stateful firewall will arrive at this solution... (please dissolve the PTO, it's broken, okay?)

So -- I hope Red Hat/Fedora is using a Red-Black tree or AVL tree -- instead of a Hash... I would check, but honestly, I'm a lazy Debian kind of guy.

Re:WTF??

[justsomebody]

Can please someone explain me what's wrong with appending and deleting a firewall rule:

sorry, couldn't resist ;)

$ iptables-restre /root/ipt.state

should be

$ iptables-restore /root/ipt.state

Re:ACL

[inode_buddha]

Linux ACL not enough?

CSF Anyone?

[Taigitsune]

Looks like Fedora will be adding some features that CSF (ConfigServer Firewall) has provided for years. Huzzah! As an aside, am I the only one who thinks it's insane to allow applications to tell the firewall what to do? The firewall is a sanity check to keep applications in line.

Re:CSF Anyone?

[gweihir]

As an aside, am I the only one who thinks it's insane to allow applications to tell the firewall what to do? The firewall is a sanity check to keep applications in line.

I completely agree. One important task of firewalls is to serve as a second line of defense for application bugs. This a is a really terrible idea, one more from the convenience-over-security movement. I wonder why they do not just disable the firewall. Probably because they want "firewall" in the feature list.

Convenience, security, pick one.

Re:WTF??

[miknix]

there is still something missing, isn't there :<P

Re:Temporary rules to keep the IP addr. table clea

[ziesemer]

http://ipset.netfilter.org/

Re:WinXP

[jd]

IPTables rules can not only be per-application, per-user and per-instance, or per any definable group thereof (intserv), the rules themselves can contain whatever conditions you like (including checks for packet labels, layer 7 checks, etc). The main question I have to ask is why Red Hat still uses IPTables rather than nf-HiPAC or nftables, the two competing replacement stacks. IPTables is long-in-the-tooth and can't compete on performance or flexibility with the alternatives, so extending IPTables' functionality (rather than switching to something that already provides the facility and spending those resources on development) seems pointless and a little naive.

If you're going to spend developer time and dollars on a capability, always always always look 2-5 years ahead rather than 2-5 years behind.

Re:WinXP

[justsomebody]

the only way you could get same feature was using zonealarm (except zonealarm didn't close port after application stopped). and before answering, read right documentation, not the blurb this author wrote

Re:Temporary rules to keep the IP addr. table clea

[Sarten-X]

Oh look, it's a troll!

There's a few problems with your post. First, the story is about a management application, which shouldn't know anything about how recently-useful a rule was. Also, self-expiring rules would be a maintenance nightmare for any resource that's accessed only occasionally.

"It's broken, okay?" is not a persuasive argument. Please do continue trolling. I find it entertaining. Next time, though, please be a bit more subtle.

Re:WinXP

[justsomebody]

and yes, you can from early iptables start, which predates any firewall presence in windows.

you can set rulesets in specific tables, you can add/remove them dynamically, save/restore from the very first time of iptables replacing ipchains, which already had that feature too.

Re:WTF??

[MikeBabcock]

Actually, its possible that with an iptables-restore, the dynamic rules (iptables -m state --state RELATED ... ) might no longer function for existing connections. I'm not familiar enough with the internals to know for certain.

In my case though, its not relevant; I always dynamically adjust my settings on the fly and then save my changes with iptables-save. When I'm done a large set of changes, I reboot the machine to make sure my changes load properly and don't negatively affect startup apps.

Re:WTF??

[suutar]

Perhaps "replacing the entire ruleset" is what he meant by "reloading the entire firewall".

Re:WTF??

[miknix]

That's a good point! The connection tracking for the state module is handled by the nf_conntrack iptables module, I'm not sure but I think the module will only flush its "cache" when the module is unloaded.. but don't get this for granted, I would need to recheck..
Also, it is easy to check your point in iptables but do *other* (as in proprietary) firewalls do it?

Re:WTF??

[MikeBabcock]

I'm sure an OpenBSD person could speak for pf on this issue, but all the Cisco PIX people I know insist on reboots when changes are made.

Re:WTF??

[gweihir]

This "advancement" is for the incompetent. Instead of deleting rules, you can also make a new chain while the old one is in place, and then delete the old one and put the new one in its place (some detail missing ;-). I have done this just recently for a setup that does change between two different settings for one interface and cannot have anything open in between. A few hours of scripting at best.

Awesome!

[motang]

This is very cool, don't know why it hasn't been thought of before.

Re:WTF??

[QuietLagoon]

where on earth does this need iptables to be restarted?

It is better PR to say that it is a new feature that "no other mainstream operating system" possesses rather than just saying, oh yeah, Linux and iptables could do this all along.

This announcement was a PR stunt, no more, no less.

And as a person who who likes to use Linux, I was disappointed to see this type of fluff from the people behind Linux.

This is an iptables wrapper, not reimplementation.

[donscarletti]

Bad summery. This just provides a high-level interface for exactly this kind of operation that iptables provides. Problem was, while iptables was dynamic, the high-tools that controlled it were not and tended to just dumbly write to a file then flush iptables current state and reload from that file, wasting iptables abilities. So this is just a new daemon to expose all of iptables functionality to configuration tools and uses an unmodified version of iptables to do all of the heavy lifting. One suspects the author of the summary did not know what iptables was, and assumed it referred to the configuration files that iptables uses.

Re:WinXP

[justsomebody]

As for calling XP's firewall a firewall..

based on lack of features and being inbound only, this car analogy kinda fits it

"BEST CAR IN UNIVERSE!!!!! only missing 3 tires and there is no engine, but do not fear... space where you can put your own engine is intact and perfectly cleaned. also, sits and wheel can be be included with additional purchase, as special feature mirrors were cleaned daily"

Security hole?

[dutchwhizzman]

So basically, every application, evil or not, can now request ports to open on the firewall? You may as well run everything as root and turn off SELinux as well. It will not only make it easier for the user to make changes, but also make the local firewall no longer a restriction for evildoers.
Yes, I know, "SELinux access restrictions are also planned." but that is security added as a feature later on, not designed into the main architecture of the daemon. Right now, it's a big leak and I'd disable it first thing after installation. Fedora/RedHat should do that as well, until it has proper security features.

Bold claims...

[Shaiku]

The first OS to allow dynamic firewall rule changes? I don't think so.

They're still playing catch-up to *BSD's pf and npf.

So is this like

[AHuxley]

http://en.wikipedia.org/wiki/Little_Snitch software outgoing firewall for Mac OS X
"If an application or process attempts to establish an outgoing internet connection Little Snitch prevents the connection. A dialog is presented which allows one to deny or permit"?

Re:WTF??

[Malnar]

Or, just specify via copy/paste the rule you want to delete. Safer and easier if you are not at the console.

Re:WTF??

[Malnar]

Reboot a Cisco on a firewall change? Using firmware v -1? Access list changes are instant.

Re:WTF??

[Issarlk]

The parent probably reffers to the unlikely situation where another admin inserts a rule after your iptables -L command. I think the thing described in the article is a solution looking for a problem.

Re:WTF??

[JAlexoi]

Well... You know.... Slashdot still uses intentionally encrypted source code for their CMS - it's called Perl.

Re:This is an iptables wrapper, not reimplementati

[AmiMoJo]

It isn't the first either, windows firewall GUI has done this since Vista.

um what?

[sgt+scrub]

FTFA "The dynamic firewall is something that individuals or programs can communicate with to handle dynamic changes to whatever networking conditions require," Smith said. "So an application can sa,y hey I need a port open, please open a pinhole in the firewall."

How awesome is that!?! Now applications in Linux can open holes in the network security of a user's machine. Who is the Microsoft employee implementing these stupid fucking changes? All holes start as "pinholes".

iptables -A INPUT -p 22 -j ACCEPT && iptables -A INPUT -p 22 -j ACCEPT && echo "sudo password is 'imyurbitch' enjoy!" > /var/www/index.html

A common iptables misconception.

[jafo]

Many people do not understand that "iptables-restore" is an atomic operation. In fact, the head of the Fedora Infrastructure team didn't realize this until just within the last year (we were having lunch when it came up). I always edit the "iptables-save" output, adding new rules as I need them, and then "iptables-restore" them. Usually this is via editing /etc/sysconfig/iptables and running "service iptables start" on Fedora/CentOS). However, you definitely can add and delete specific rules to running firewalls.