Linux Gets Dynamic Firewalls In Fedora 15

darthcamaro writes "Linux users have long relied on iptables for in-distro firewall setup. The upcoming Fedora 15 release changes that and introduces us to new dynamic firewall technology. 'Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,' Fedora Project Leader Jared Smith said. 'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"

No comment?

No comments yet, everyone's being raptured.

Re:No comment?

[drb226]

Slashdotters being raptured? I doubt it...

Re:No comment?

[davester666]

Why not? We're all virgin's who were tricked into viewing the goatse image.

First

Ehm, iptables doesnt need reloading. Add a rule and it works right away?

Re:First

[icebraining]

Linux still doesn't need reboots; that doesn't mean they don't happen. I don't see where's the contradiction.

Re:First

[WuphonsReach]

How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

You can adjust the Fedora / RHEL / CentOS firewall on the fly with the iptables command. Yes you could just edit the save file and then reload the firewall, but it's always been possible to make firewall changes on-the-fly without doing a reload. It was just tedious, especially for long intricate chains. If you then want to make the changes permanent, you issue the save command.

$ sudo service iptables save

That saves the rules out to the /etc/sysconfig/iptables file (which is what gets loaded when you do "service iptables load").

Frankly, this sounds more like UI changes for interacting with IPTables, and not a core change to how IPTables works.

(Note: I'm speaking from experience with CentOS 5.x and RHEL 5.x, not Fedora.)

Re:First

[gweihir]

Yes, this is a system for those that do not get iptables. Seems, once again, network security is made ready to be given into the hands of the incompetent.

Re:First

[Malnar]

Not true, it takes less than a second to read in a rule file by iptables-restore with over 20k rules. (Generated by iptables-save, not a file of a 20k iptables -A commands). The TCP sessions are not even reset so flows do not get broken. Changing a rule (well, a rule can't be changed, but you can insert a new rule above the current one and delete the old which is what most firewalls do anyways), does not disrupt anything either. The only "issue" is that rule changes are not saved to disk automatically, however it is trivial to write a 3 line bash script that would change a rule and save the whole ruleset (Again a VERY quick, non-disruptive process). This applies to all Linux distro's.

Re:First

[X0563511]

It works even better if you use IP Sets with it. Check it out... it's been around for a while, but seems to be little known.

reloading?

[El_Muerte_TDS]

it's hard to modify on the fly without reloading the entire firewall

It is? Then what have I been doing wrong for all these year?

Re:reloading?

[LordHatrus]

I believe what they're trying to say is that it's more akin to the Windows world of things - "Hey, this apache-thing is trying to bind to port 80... do you want to let it through the firewall?"

Seriously?

[The+O+Rly+Factor]

/sbin/service iptables save
/sbin/service iptables restart

You really CAN'T take the time out of your day to type that?

Re:Seriously?

[fnj]

Oh, honest to God. Do we have to spell it out? So you make a bloody tinkertoy launcher on the desktop that says "restart firewall" and it runs the command line "sudo /sbin/service iptables restart." Takes about one minute to create. That is so simple even a monkey too stupid to learn anything can do it. Then you make more launchers to do other firewall tasks.

Re:Seriously?

[mcavic]

Restarting iptables doesn't even hurt anything. I've done it with VPN users connected and talking over VOIP.

Re:Seriously?

[Runaway1956]

Why should someone even have to know such commands in the first place?

How about an automotive analogy? If you can't parallel park, you can't claim to know how to drive. If you can't change a flat tire, you shouldn't be licensed to drive. If you can't walk around your vehicle to see if all the parts in the correct places, (lights, tires, bumpers, windows - basic shit like that) then you should be charged with reckless driving when the cop pulls you over for driving on a flat tire, and a broken turn signal.

Just because you can have your car - or your computer - do things for you automagically shouldn't relieve you of the responsibility to UNDERSTAND THE SYSTEM!!

Re:Seriously?

[AdamWill]

Try reading the original feature page:

http://fedoraproject.org/wiki/Features/DynamicFirewall

the main benefit of this is not for manual changes, really. See 'Benefit to Fedora'. Hell, just read the whole thing. It makes it quite clear.

Re:Seriously?

[Runaway1956]

Elitest nerd bullshit? No - that is real world, real life, pragmatism. Many of you city folk have never been 100 miles from the nearest town, or garage, or service station. But, I have. Not only can I change a tire - I can, and have, changed a tire on an 18-wheeler. Now - you can do the math, if you like. ASSuming that a cell phone would work, I could have called a mechanic, and waited 2 to 4 hours for him to get there. Then, waited for him to change the tire. Then followed him to his garage where I could telephone the boss so that he could pay for the new tire, plus the repair, plus the service call. OR, I could just change the damned tire, and at the end of half an hour, I could drag my hot sweaty arse behind the wheel, and enjoy the air conditioning as I drove on my way.

Oh - we were talking about computers. Same thing, really. I can pay someone hundreds of dollars (let's say Symantec) to keep my computer and/or network secure. And, I may just become the laughingstock of the world when I get hacked (like Sony, let's say). OR, I can make some attempt to understand how my computer and my network actually WORKS - then secure the damned thing.

Remember - security is NOT a product - it is a PROCESS!!! Not even the most naive and ignorant of the US Marines would draw up a security plan, then call it "good enough". Nor would they "outsource" the job. Instead - the Marines constantly evaluate and reconsider all aspects of their security environment. It's a PROCESS.

Oh - funny thing. I just watched the HNN broadcast. Some company logo in the background claims, "Security begins with trust". FFS - if I TRUST people, then there's no need for security, now is there? And, guess what - I don't trust that company, or any other, that much. I'll handle security for myself, thank you very much.

Re:Seriously?

[MightyMartian]

Save for the very simplest firewalls (like you'll find in your $29.99 Dlink) there are not a lot of ways to make things simpler. Advanced firewalls, whether iptables, Cisco IOS or whatever require knowledge of packets and protocols beyond just "redirect port 80 to my shiny new web server). Look at the Webmin for an example of a web-based config system that is actually more difficult than the command line, because the vast array of options has to be spelled out.

Powerful utilities are by their very nature complex.

Dbus

[vajorie]

The apps can tell the firewall to open up a port for a period of time and then shut it back down.

Woohoo!

Whoa, you can dynamically open ports!

[cras]

The apps can tell the firewall to open up a port for a period of time and then shut it back down.

I mean, it sounds almost like they could listen() a specific port, and once they're done with it, they could close() it! If all applications could always do this automatically, I think we could actually get rid of manual firewall configuration entirely!

Re:Whoa, you can dynamically open ports!

[MikeBabcock]

I filter ports below 1024 because I don't necessarily want them listening to connections from just anyone.

I have several machines with rules like "iptables -I INPUT -i eth0 -p tcp --dport 22 -s 10.14.3.0/24 -m state --state NEW --syn -j ACCEPT" so that SSH isn't even listening to everyone, just the subnet I want it to listen to.

PS for the people who may reply, that usually looks like:

iptables -I INPUT -i eth0 -j INPUT-LAN
iptables -A INPUT-LAN -s 10.14.0.0/16 -j MARK --set-mark 2
iptables -A INPUT-LAN -s 10.14.3.0/24 -j MARK --set-mark 3
iptables -A INPUT-LAN -p tcp -m state --state NEW --syn -j INPUT-LAN-NEW
iptables -A INPUT-LAN-NEW -p tcp --dport 22 -m mark --mark 3 -j ACCEPT
iptables -A INPUT-LAN-NEW -p tcp --dport 80 -m mark --mark 2 -j ACCEPT
iptables -A INPUT-LAN-NEW -p tcp --dport 3128 -m mark --mark 2 -j ACCEPT ... since doing the state check in each line gets unwieldy quickly. Also, MARK is a great way to not have to repeat subnets and other matches, assuming you're not using them differently in mangle for ipsec or something.

OpenBSD

[discore]

"'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changing.'"

What?

http://www.openbsd.org/faq/pf/

pf will always be better than iptables in every way.

Re:OpenBSD

[justsomebody]

no need to get upset. author just worded it really badly. as most already said, iptables already had add/remove/save/restore, although i can see you get bonner every time you mention openbsd

here is how this works
- service/program starts and sends d-bus message "hey, i need xxx port to work (yes, i really meant classic pr0n port;)
- user gets prompted and needs to validate decision trough authentication.
- port is open
- when software stops, it sends another d-bus message "close pr0n port"
- port is closed

this is not scenario which would be usable in any server environment. but for n00b user running something... might just be life saver not to get confused with bunch of for him too advanced howtos.

What's the point?

So an application can say hey I need a port open, please open a pinhole in the firewall.

I don't get that. If you want applications to be free to open ports, why would you filter them in the first place? (and what does it mean to filter ports that are closed anyway?)

I would say controlling such an ability in an application belongs to something that acts on bind(9) calls.

Ignorant and misleading article.

[sydb]

This article is ignorant and misleading. The "new technology" is nothing to do with Linux, iptables rules are already dynamic, it's the Fedora management tooling that no longer wipes the entire set of rules and loads them afresh.

The truth is here: http://fedoraproject.org/wiki/Features/DynamicFirewall

OpenBSD's PF has been adaptive for years

[badger.foo]

The concept isn't very new or radical, but it will be interesting to see how their implementation behaves in real life.

Over in OpenBSD land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see eg these table samples. One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see eg this set of tutorial examples). In addition, the OpenBSD versions of dhcpd and bgpd as well as other applications are routinely set up to interact with your filtering config via tables.

Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy for example) or relayd (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.

My BSDCan slides has more material, as of course does The Book of PF, and never forget The PF docs as the authoritative source.

Re:WTF??

[miknix]

Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall

Can please someone explain me what's wrong with appending and deleting a firewall rule:

$ iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
$ iptables -D INPUT 2

where on earth does this need iptables to be restarted?

if we want to save the firewall state:

$ iptables-save > /root/ipt.state

where /root/ipt.state is just a human readable file

and then load the firewall state:

$ iptables-restre < /root/ipt.state

AFAIK this is not "restarting" iptables, just replacing the entire ruleset in one shot.
Again, WTF?

Re:Playing with dbus

[Lennie]

no, it takes down dbus and it might make some thing on your _desktop_ not work anymore (because I think that is what this is for). iptables is in the kernel, it is not effected.

Ugh... bloatware

[ka9dgx]

I'm one of the token Windows system admins here... and even I know that this stuff is just bloatware.

• dynfw is just a script to do a few things with iptables, its not new functionality.
• OpenSCAP is just some tools to manage code signing, which is an attempt to enumerate goodness, and doesn't actually fix things by improving security.

I thought they were talking about something new and useful... not just some hype... oh well... looks like they care catching up with uSoft in that department.

Re:WinXP

[jd]

IPTables rules can not only be per-application, per-user and per-instance, or per any definable group thereof (intserv), the rules themselves can contain whatever conditions you like (including checks for packet labels, layer 7 checks, etc). The main question I have to ask is why Red Hat still uses IPTables rather than nf-HiPAC or nftables, the two competing replacement stacks. IPTables is long-in-the-tooth and can't compete on performance or flexibility with the alternatives, so extending IPTables' functionality (rather than switching to something that already provides the facility and spending those resources on development) seems pointless and a little naive.

If you're going to spend developer time and dollars on a capability, always always always look 2-5 years ahead rather than 2-5 years behind.

Re:Long in the tooth...

[gweihir]

Professionals do not care about "sexy", they care about "works efficiently and reliably". Amateurs care about "sexy". I guess there are now enough Windows admins administrating (or trying to) Linux systems, that "sexy" becomes a factor...

This is an iptables wrapper, not reimplementation.

[donscarletti]

Bad summery. This just provides a high-level interface for exactly this kind of operation that iptables provides. Problem was, while iptables was dynamic, the high-tools that controlled it were not and tended to just dumbly write to a file then flush iptables current state and reload from that file, wasting iptables abilities. So this is just a new daemon to expose all of iptables functionality to configuration tools and uses an unmodified version of iptables to do all of the heavy lifting. One suspects the author of the summary did not know what iptables was, and assumed it referred to the configuration files that iptables uses.

Security hole?

[dutchwhizzman]

So basically, every application, evil or not, can now request ports to open on the firewall? You may as well run everything as root and turn off SELinux as well. It will not only make it easier for the user to make changes, but also make the local firewall no longer a restriction for evildoers.
Yes, I know, "SELinux access restrictions are also planned." but that is security added as a feature later on, not designed into the main architecture of the daemon. Right now, it's a big leak and I'd disable it first thing after installation. Fedora/RedHat should do that as well, until it has proper security features.

So is this like

[AHuxley]

http://en.wikipedia.org/wiki/Little_Snitch software outgoing firewall for Mac OS X
"If an application or process attempts to establish an outgoing internet connection Little Snitch prevents the connection. A dialog is presented which allows one to deny or permit"?

Re:Modern technology in Linux

[Yfrwlf]

Having drivers come with the kernel so that there is more "plug-n-play" out there is a wonderful feature, but no, these are problems that do affect everyone. There are lots of scenarios I can come up with where this feature would be great to have. One would be being able to use new hardware with an old stable kernel easily. Another would be for users to be able to share drivers easily with each other, instead of having to give noobs instructions on how to compile something. Yet another would be so that anyone could package a driver that works with a piece of hardware that works. Vendors would be able to do this for instance. Vendors could also give Linux support much more easily without having to go through an annoying compilation step.

No matter how you look at it, that *feature* in Linux would be exactly that, it would give you more flexibility, require less upkeep, and make support much easier. Oh, that driver that came in that older kernel is crap? Here's this newer one that works, Grandma, just click on it to install. *That* is a feature, and there's no god damn technical reason why a standardized interface allowing for a more modularized kernel like that cannot be implemented. I'm all for open source drivers, but this isn't an open vs. closed argument, having this feature would help *everyone*, regardless of the license of the driver. Just saving the work of having to recompile all the drivers every time there is a kernel revision would be a nice feature. Save some electricity. Geezus.