From Fedora Project Wiki
No edit summary
m (trying to add other language)
 
(52 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{autolang|base=yes}}
= firewalld - default firewall solution =
= firewalld - default firewall solution =


== Summary ==
== Summary ==


With Fedora 15 the dynamic firewall with firewalld was introduced with the proof of concept implementation in Python as an optional component.
The purpose of this feature request is to make firewalld the default firewall solution for Fedora 18 and therefore enabled by default.


The purpose of this feature request is to make firewalld the default firewall solution for Fedora 16.
== Owner ==


Please also have a look at these additional features:
* Name: [[User:twoerner| Thomas Woerner]]
* email: twoerner@redhat.com


* [https://fedoraproject.org/wiki/Features/firewalld-rewrite https://fedoraproject.org/wiki/Features/firewalld-rewrite]
== Current status ==
* [https://fedoraproject.org/wiki/Features/network-zones https://fedoraproject.org/wiki/Features/network-zones]


* Targeted release: [[Releases/18|Fedora 18]]
* Last updated: 2012-10-16
* Percentage of completion: 100%


== Owner ==
State:


* Name: [[User:twoerner| Thomas Woerner]]
* iptables (DONE)
* email: twoerner@redhat.com
* libvirtd (DONE, part of libvirt-0.10.1-1.fc18)
* system-config-printer (patch available, not released), system-config-printer has been partly replaced by gnome printer setup
* gnome printer setup in gnome-control-center (DONE, part of Fedora 3.4.0-2+ package)
* wireshark (not DONE)
* NetworkManager (DONE)
* initscripts (ifup-post, ifdown-post) (DONE)
* firewall-applet (DONE)
* firewall-cmd (DONE)
* firewall-config (DONE)
* man-pages firewall-cmd(1), firewalld(1), firewalld.conf(5), firewalld.icmptype(5), firewalld.service(5), firewalld.zone(5): DONE
* firewalld config DBUS interface (DONE)
* network-manager-applet zone changes - patch available
* kde-plasma-networkmanagement zone changes (DONE, part of 0.9.0.4+)
* shields-up changes for applet (DONE)


== Current status ==
== FirewallD Features for F-18 ==


* Targeted release: [[Releases/16|Fedora 16]]
* migration of system-config-firewall settings into the default zone for an update (without custom rules) (DONE)
* Last updated: 2011-06-27
* firewalld config DBUS interface for persistent firewall configuration (DONE)
* Percentage of completion: 10%
* firewall-config application to configure firewall settings (DONE)
* shields-up/shields-down switch in the applet to change the default zone (DONE)
* firewall-cmd extension for persistent zone configuration (DONE)
* firewall-cmd option cleanup (DONE)
* OPTIONAL: direct interface enhancements for libvirt (ongoing)
* OPTIONAL: migrate custom rules into direct interface


== Detailed Description ==
== Detailed Description ==


Making firewalld the default firewall solution for Fedora 16. The services iptables, iptables-ipv6 and ebtables will be replaces by firewalld. system-config-firewall in it's current form will also be replaced.
Making firewalld the default firewall solution for Fedora 18. The services iptables, iptables-ipv6 and ebtables will be replaced by firewalld. system-config-firewall in it's current form will also be replaced.


=== Why A Firewall Daemon ===
=== Why A Firewall Daemon ===
Line 38: Line 60:
=== The Daemon ===
=== The Daemon ===


Applications, daemons and the user can request to enable a firewall feature over D-BUS. A feature could either be one of the predefined firewall features like services, port and protocol combinations, trusted interfaces/hosts/network areas, port/packet forwarding, masquerading, icmp blocking or even a custom rule. The feature can be enabled for a certain amount of time or can be disabled by again.
Applications, daemons and the user can request to enable a firewall feature over D-BUS. A feature could either be one of the predefined firewall features like services, port and protocol combinations, trusted interfaces/hosts/network areas, port/packet forwarding, masquerading and icmp blocking. The feature can be enabled for a certain amount of time or till it gets disabled again.


New chains for virtualization, network settings, services, ports, masquerading, port forwarding, icmp filtering and virtualization are added to make the firewall setup more flexible, safe and robust. Adding a rule with the firewall daemon to one of these chains will most likely not interefere with rules of other chains. The order of the chains and how they are used is fixed.
New chains for applications, zones a deny and allow model are added to make the firewall setup more flexible, safe and robust. The deny and allow model reduces the risk of intereference of rules. The order of the chains and how they are used is fixed.  


The netfilter firewall helpers, that are for example used for amanda, ftp, samba and tftp services, are also handled by the daemon as long as they are part of a predefined service. Loading of additional helpers is not part of the current interface. For some of the helpers onloading is only possible after all connections that are handled by the module are closed. Therefore connection tracking information is important here and needs to get into account.
The netfilter firewall helpers, that are for example used for amanda, ftp, samba and tftp services, are also handled by the daemon as long as they are part of a predefined service. Loading of additional helpers is not part of the current interface. For some of the helpers onloading is only possible after all connections that are handled by the module are closed. Connection tracking information is important here and needs to get into account for a future helper interface.  


== Benefit to Fedora ==
== Benefit to Fedora ==
Line 50: Line 72:
This is for example very useful for services, that need to add additional firewall rules. libvirtd is one of them and also openvpn in the future. With the static firewall model these rules are lost if the firewall gets modified or restarted. The firewall daemon holds the current configuration internally and is able to modify the firewall without the need to recreate the complete firewall configuration; it is also able to restore the configuration in a service restart and reload case.
This is for example very useful for services, that need to add additional firewall rules. libvirtd is one of them and also openvpn in the future. With the static firewall model these rules are lost if the firewall gets modified or restarted. The firewall daemon holds the current configuration internally and is able to modify the firewall without the need to recreate the complete firewall configuration; it is also able to restore the configuration in a service restart and reload case.


Another use case for the dynamic firewall mode is printer discovery. For this the discovery program will be started locally that sends out a broadcast message. It will most likely get an answer from an unknown address (the new printer). This answer will be filtered by the firewall, because the answer is not related to the broadcast and the port of the program that was sending out the message is dynamic and therefore a fixed rule can not be created for this. With the dynamic firewall mode a time limited rule could be requested by the discovery program to allow the receival of the answer.
Another use case for the dynamic firewall mode is printer discovery. For this the discovery program will be started locally that sends out a broadcast message. It will most likely get an answer from an unknown address (the new printer). This answer will be filtered by the firewall, because the answer is not related to the broadcast and the port of the program that was sending out the message is dynamic and therefore a fixed rule can not be created for this. With the dynamic firewall mode a time limited rule could be requested by the discovery program to allow the receipt of the answer.


== Scope ==
== Scope ==
Line 58: Line 80:
system-config-firewall will not be installed by default anymore, but firewalld with the user land tools will be installed by default. The needed changes in comps are simple.
system-config-firewall will not be installed by default anymore, but firewalld with the user land tools will be installed by default. The needed changes in comps are simple.


Services which are adding firewall rules directly with iptables commands need to be changed. These are: libvirtd
Services which are adding firewall rules directly with iptables commands need to be changed to benefit from firewalld. These are: libvirtd, NetworkManager, system-config-printer, gnome printer settings
 
An explicit transition is planned after Fedora 19 with dropping support for the static firewall with system-config-firewal/lokkit. A migration from the static firewall model will be needed then.


== How To Test ==
== How To Test ==
Line 66: Line 90:
* Start the tray applet firewall-applet
* Start the tray applet firewall-applet
* Use firewall-cmd to enable for example ssh:
* Use firewall-cmd to enable for example ssh:
   firewall-cmd --enable --service=ssh
   firewall-cmd --add-service=ssh
* Enable samba for 10 seconds:  
* Enable samba for 10 seconds:  
   firewall-cmd --enable --service=samba --timeout=10
   firewall-cmd --add-service=samba --timeout=10
* Enable ipp-client:
* Enable ipp-client:
   firewall-cmd --enable --service=ipp-client
   firewall-cmd --add-service=ipp-client
* Disable ipp-client:
* Disable ipp-client:
   firewall-cmd --disable --service=ipp-client
   firewall-cmd --remove-service=ipp-client
* To restore your static firewall with lokkit again simply use:  
* To restore the static firewall with lokkit again simply use:  
   lokkit --enabled
   lokkit --enabled


You can also use the D-BUS interface directly. This is required for libvirt (and later on also NetworkManager).
The D-BUS interface can also be used directly.


== User Experience ==
== User Experience ==
Line 87: Line 111:
* iptables (simple changes needed)
* iptables (simple changes needed)
* libvirtd (some changes might be needed)
* libvirtd (some changes might be needed)
* system-config-printer
* gnome printer setup
* wireshark
maybe others
'''Migration plan for dependant packages:'''
Migration of most ip*tables and ebtables dependent packages in F-18 alpha state. Planned is to have a soft migration, that either original firewall code or firewalld can be used.


== Contingency Plan ==
== Contingency Plan ==
Line 94: Line 126:
== Documentation ==
== Documentation ==


See [https://fedoraproject.org/wiki/FirewallD/ https://fedoraproject.org/wiki/FirewallD/]
See [[FirewallD]]


The fedorahosted site is here: [https://fedorahosted.org/firewalld/ https://fedorahosted.org/firewalld/]
The fedorahosted site is here: [https://fedorahosted.org/firewalld/ https://fedorahosted.org/firewalld/]
Line 100: Line 132:
== Release Notes ==
== Release Notes ==


Fedora 16 adds support for firewalld daemon, that provides a dynamic firewall management with a D-Bus interface.
Fedora 18 adds support for firewalld daemon, that provides dynamic firewall management with a D-Bus interface.


[[Category:FeatureReadyForWrangler]]
[[Category:FeatureAcceptedF18]]

Latest revision as of 11:35, 23 August 2013

firewalld - default firewall solution

Summary

The purpose of this feature request is to make firewalld the default firewall solution for Fedora 18 and therefore enabled by default.

Owner

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-10-16
  • Percentage of completion: 100%

State:

  • iptables (DONE)
  • libvirtd (DONE, part of libvirt-0.10.1-1.fc18)
  • system-config-printer (patch available, not released), system-config-printer has been partly replaced by gnome printer setup
  • gnome printer setup in gnome-control-center (DONE, part of Fedora 3.4.0-2+ package)
  • wireshark (not DONE)
  • NetworkManager (DONE)
  • initscripts (ifup-post, ifdown-post) (DONE)
  • firewall-applet (DONE)
  • firewall-cmd (DONE)
  • firewall-config (DONE)
  • man-pages firewall-cmd(1), firewalld(1), firewalld.conf(5), firewalld.icmptype(5), firewalld.service(5), firewalld.zone(5): DONE
  • firewalld config DBUS interface (DONE)
  • network-manager-applet zone changes - patch available
  • kde-plasma-networkmanagement zone changes (DONE, part of 0.9.0.4+)
  • shields-up changes for applet (DONE)

FirewallD Features for F-18

  • migration of system-config-firewall settings into the default zone for an update (without custom rules) (DONE)
  • firewalld config DBUS interface for persistent firewall configuration (DONE)
  • firewall-config application to configure firewall settings (DONE)
  • shields-up/shields-down switch in the applet to change the default zone (DONE)
  • firewall-cmd extension for persistent zone configuration (DONE)
  • firewall-cmd option cleanup (DONE)
  • OPTIONAL: direct interface enhancements for libvirt (ongoing)
  • OPTIONAL: migrate custom rules into direct interface

Detailed Description

Making firewalld the default firewall solution for Fedora 18. The services iptables, iptables-ipv6 and ebtables will be replaced by firewalld. system-config-firewall in it's current form will also be replaced.

Why A Firewall Daemon

The current firewall model is static and every change requires a complete firewall restart. This includes also to unload the firewall netfilter kernel modules and to load the modules that are needed for the new configuration. The unload of the modules is breaking stateful firewalling and established connections.

The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall rules added by the ip*tables and ebtables command line tools.

The daemon provides information about the current active firewall settings via D-BUS and also accepts changes via D-BUS using PolicyKit authentication methods. SELinux access restrictions are also planned.

The Daemon

Applications, daemons and the user can request to enable a firewall feature over D-BUS. A feature could either be one of the predefined firewall features like services, port and protocol combinations, trusted interfaces/hosts/network areas, port/packet forwarding, masquerading and icmp blocking. The feature can be enabled for a certain amount of time or till it gets disabled again.

New chains for applications, zones a deny and allow model are added to make the firewall setup more flexible, safe and robust. The deny and allow model reduces the risk of intereference of rules. The order of the chains and how they are used is fixed.

The netfilter firewall helpers, that are for example used for amanda, ftp, samba and tftp services, are also handled by the daemon as long as they are part of a predefined service. Loading of additional helpers is not part of the current interface. For some of the helpers onloading is only possible after all connections that are handled by the module are closed. Connection tracking information is important here and needs to get into account for a future helper interface.

Benefit to Fedora

The dynamic firewall mode with firewalld will make it possible to change firewall settings without the need to restart the firewall and will make persistent connections possible.

This is for example very useful for services, that need to add additional firewall rules. libvirtd is one of them and also openvpn in the future. With the static firewall model these rules are lost if the firewall gets modified or restarted. The firewall daemon holds the current configuration internally and is able to modify the firewall without the need to recreate the complete firewall configuration; it is also able to restore the configuration in a service restart and reload case.

Another use case for the dynamic firewall mode is printer discovery. For this the discovery program will be started locally that sends out a broadcast message. It will most likely get an answer from an unknown address (the new printer). This answer will be filtered by the firewall, because the answer is not related to the broadcast and the port of the program that was sending out the message is dynamic and therefore a fixed rule can not be created for this. With the dynamic firewall mode a time limited rule could be requested by the discovery program to allow the receipt of the answer.

Scope

The iptables and ip6tables services will not be enabled by default anymore. The required changes in the init scripts are simple.

system-config-firewall will not be installed by default anymore, but firewalld with the user land tools will be installed by default. The needed changes in comps are simple.

Services which are adding firewall rules directly with iptables commands need to be changed to benefit from firewalld. These are: libvirtd, NetworkManager, system-config-printer, gnome printer settings

An explicit transition is planned after Fedora 19 with dropping support for the static firewall with system-config-firewal/lokkit. A migration from the static firewall model will be needed then.

How To Test

  • Install firewalld and firewall-applet
  • Start the firewalld service
  • Start the tray applet firewall-applet
  • Use firewall-cmd to enable for example ssh:
 firewall-cmd --add-service=ssh
  • Enable samba for 10 seconds:
 firewall-cmd --add-service=samba --timeout=10
  • Enable ipp-client:
 firewall-cmd --add-service=ipp-client
  • Disable ipp-client:
 firewall-cmd --remove-service=ipp-client
  • To restore the static firewall with lokkit again simply use:
 lokkit --enabled

The D-BUS interface can also be used directly.

User Experience

Connections will be persistent even after changing firewall settings using the firewall daemon.

Dependencies

  • system-config-firewall (no changes needed)
  • iptables (simple changes needed)
  • libvirtd (some changes might be needed)
  • system-config-printer
  • gnome printer setup
  • wireshark

maybe others

Migration plan for dependant packages:

Migration of most ip*tables and ebtables dependent packages in F-18 alpha state. Planned is to have a soft migration, that either original firewall code or firewalld can be used.

Contingency Plan

The current static firewall will still be available as a fallback firewall solution.

Documentation

See FirewallD

The fedorahosted site is here: https://fedorahosted.org/firewalld/

Release Notes

Fedora 18 adds support for firewalld daemon, that provides dynamic firewall management with a D-Bus interface.