Slashdot Mirror


Linux Gets Dynamic Firewalls In Fedora 15

darthcamaro writes "Linux users have long relied on iptables for in-distro firewall setup. The upcoming Fedora 15 release changes that and introduces us to new dynamic firewall technology. 'Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,' Fedora Project Leader Jared Smith said. 'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"

10 of 176 comments

  1. No comment? by Anonymous Coward · · Score: 4, Funny

    No comments yet, everyone's being raptured.

    1. Re:No comment? by davester666 · · Score: 4, Funny

      Why not? We're all virgins who were tricked into viewing the goatse image.

      --
      Sleep your way to a whiter smile...date a dentist!

  2. First by Anonymous Coward · · Score: 5, Insightful

    Ehm, iptables doesn't need reloading. Add a rule and it works right away?

  3. reloading? by El_Muerte_TDS · · Score: 5, Insightful

    it's hard to modify on the fly without reloading the entire firewall

    It is? Then what have I been doing wrong for all these years?

  4. What's the point? by Anonymous Coward · · Score: 3, Insightful

    So an application can say hey I need a port open, please open a pinhole in the firewall.

    I don't get that. If you want applications to be free to open ports, why would you filter them in the first place? (and what does it mean to filter ports that are closed anyway?)

    I would say controlling such an ability in an application belongs to something that acts on bind(9) calls.

  5. Ignorant and misleading article. by sydb · · Score: 5, Informative

    This article is ignorant and misleading. The "new technology" is nothing to do with Linux, iptables rules are already dynamic, it's the Fedora management tooling that no longer wipes the entire set of rules and loads them afresh.

    The truth is here: http://fedoraproject.org/wiki/Features/DynamicFirewall

    --
    Yours Sincerely, Michael.

  6. OpenBSD's PF has been adaptive for years by badger.foo · · Score: 4, Informative

    The concept isn't very new or radical, but it will be interesting to see how their implementation behaves in real life.

    Over in OpenBSD land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see eg these table samples). One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see eg this set of tutorial examples). In addition, the OpenBSD versions of dhcpd and bgpd as well as other applications are routinely set up to interact with your filtering config via tables.

    Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy for example) or relayd (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.

    My BSDCan slides have more material, as of course does The Book of PF, and never forget The PF docs as the authoritative source.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/

  7. Re:WTF?? by miknix · · Score: 5, Interesting

    Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall

    Can someone please explain to me what's wrong with appending and deleting a firewall rule:

    $ iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
    $ iptables -D INPUT 2

    where on earth does this need iptables to be restarted?

    if we want to save the firewall state:

    $ iptables-save > /root/ipt.state

    where /root/ipt.state is just a human readable file

    and then load the firewall state:

    $ iptables-restore < /root/ipt.state

    AFAIK this is not "restarting" iptables, just replacing the entire ruleset in one shot.
    Again, WTF?
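
An added example in Python (not code from the thread): it parses the plain-text iptables-save format the comment above refers to, diffs two constructed snapshots, and simulates the comment's `iptables -D INPUT 2` on the parsed state, so you can see that the -A/-D calls touch one rule while the rest of the ruleset stays as it was. The dumps are constructed samples.

```python
from typing import Dict, List, Tuple

Ruleset = Dict[str, Dict[str, List[str]]]   # table -> chain -> rules

def parse_iptables_save(text: str) -> Ruleset:
    """Parse iptables-save output into {table: {chain: [rule, ...]}}."""
    tables: Ruleset = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                           # comment lines such as the generated-by header
        if line.startswith("*"):               # table header, e.g. "*filter"
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):             # chain declaration with default policy
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):           # one appended rule, kept verbatim
            tables[table].setdefault(line.split()[1], []).append(line)
        elif line == "COMMIT":
            table = None
    return tables

def delete_rule(rs: Ruleset, table: str, chain: str, num: int) -> Ruleset:
    """Simulate `iptables -t <table> -D <chain> <num>` (1-based) on a parsed ruleset."""
    out = {t: {c: list(r) for c, r in chains.items()} for t, chains in rs.items()}
    del out[table][chain][num - 1]
    return out

def diff_rulesets(before: Ruleset, after: Ruleset) -> Tuple[list, list]:
    """Return (added, removed) as sorted lists of (table, chain, rule) tuples."""
    def flat(rs):
        return {(t, c, r) for t, ch in rs.items() for c, rules in ch.items() for r in rules}
    b, a = flat(before), flat(after)
    return sorted(a - b), sorted(b - a)

# Constructed sample dump, in the format iptables-save writes.
BEFORE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed state after the comment's `iptables -A INPUT -p tcp --dport 80 ... -j ACCEPT`.
AFTER = BEFORE.replace("COMMIT", "-A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT\nCOMMIT")

if __name__ == "__main__":
    print(diff_rulesets(parse_iptables_save(BEFORE), parse_iptables_save(AFTER)))
```

The same diff run against two real `iptables-save` snapshots taken before and after a change is a cheap way to record exactly which rules an application or tool added or removed.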

  8. Re:OpenBSD by justsomebody · · Score: 4, Informative

    no need to get upset. author just worded it really badly. as most already said, iptables already had add/remove/save/restore, although i can see you get a boner every time you mention openbsd

    here is how this works
    - service/program starts and sends d-bus message "hey, i need xxx port to work (yes, i really meant classic pr0n port;)
    - user gets prompted and needs to validate the decision through authentication.
    - port is open
    - when software stops, it sends another d-bus message "close pr0n port"
    - port is closed

    this is not a scenario which would be usable in any server environment. but for a n00b user running something... it might just be a life saver not to get confused by a bunch of howtos that are too advanced for him.

    --
    Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition

  9. Re:Seriously? by AdamWill · · Score: 4, Informative

    Try reading the original feature page:

    http://fedoraproject.org/wiki/Features/DynamicFirewall

    the main benefit of this is not for manual changes, really. See 'Benefit to Fedora'. Hell, just read the whole thing. It makes it quite clear.