system-config-firewall
What is system-config-firewall?
system-config-firewall is a graphical user interface for setting basic firewall rules.
Current firewall model
The current firewall model is static. The standard firewall configuration for IPv4 and IPv6 is created by lokkit. The initial firewall configuration is created at install time by anaconda and can be altered later by the user with system-config-firewall, system-config-firewall-tui or the command line tool lokkit.
The configuration files are:
/etc/sysconfig/iptables
/etc/sysconfig/iptables-config
/etc/sysconfig/ip6tables
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables is the iptables configuration file and contains the IPv4 rules in iptables-save format. /etc/sysconfig/ip6tables is the analogous file for IPv6 and ip6tables.
The -config files contain the configuration of the iptables and ip6tables services themselves, not firewall rules.
system-config-firewall and lokkit create the /etc/sysconfig/ip*tables files, which contain the full firewall configuration. These files are applied by the iptables and ip6tables services; system-config-firewall controls these services to apply a new firewall or firewall changes.
Advantages / Disadvantages
+ One source for the rules.
+ A user can easily see which rules are applied and which rules should be applied by comparing /etc/sysconfig/ip*tables with the output of ip*tables-save.
- The model is static, the firewall has to be restarted to apply changes.
- The /etc/sysconfig/ip*tables files are recreated for all changes.
- Active connections could be terminated because of restarting the firewall even for small changes.
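The comparison mentioned in the second advantage above, as an added example that is not part of system-config-firewall or lokkit: a small shell script that normalizes a saved /etc/sysconfig/iptables and an iptables-save dump and diffs them. Both sample rulesets are constructed for this example (the saved one follows the layout lokkit writes, the live one is what iptables-save -c prints after a rule was added by hand); the script assumes only sed, diff and mktemp. Comment lines, the [packets:bytes] counters and the position of -p (which iptables-save prints directly after the chain name, regardless of where the saved file has it) are removed before comparing, since those differ between the two sources without being a real change.

```shell
#!/bin/sh
# Added example (not system-config-firewall code): compare a saved
# /etc/sysconfig/iptables with the live ruleset as printed by iptables-save.
# The sample rulesets below are constructed for this example.

# Representative saved configuration in the layout lokkit writes: ssh open,
# everything else rejected. Constructed sample, not copied from a system.
SAVED_RULES='# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed "iptables-save -c" output for the same host after someone ran
# "iptables -I INPUT 4 -p tcp --dport 80 -j ACCEPT" by hand and never saved:
# counters are present, -p is printed before the match modules, and the
# port 80 rule is not in the saved file.
LIVE_RULES='# Generated by iptables-save v1.4.5 on Mon Nov  9 10:00:00 2009
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2000:100000]
[1000:500000] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[10:800] -A INPUT -p icmp -j ACCEPT
[50:4000] -A INPUT -i lo -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[5:300] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[20:1200] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov  9 10:00:00 2009'

# normalize_rules FILE
# Print the rules of an iptables-save format file with everything removed
# that legitimately differs between a saved file and a live dump: comment
# lines, trailing whitespace, [packets:bytes] counters on chain lines and on
# rules saved with -c, and the position of -p, which is moved directly after
# the chain name, where iptables-save prints it.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/[[:space:]]*$//' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/^\(-A [^ ]*\) \(.*\) -p \([^ ]*\)\(.*\)$/\1 -p \3 \2\4/' \
        "$1"
}

# compare_rulesets SAVED_FILE LIVE_FILE
# Prints a unified diff of the normalized rules: lines starting with "-" are
# only in the saved file, lines starting with "+" only in the live ruleset.
# Returns 0 when the rulesets match, 1 when they differ, 2 on a setup error.
compare_rulesets() {
    saved_tmp=$(mktemp) || return 2
    live_tmp=$(mktemp) || { rm -f "$saved_tmp"; return 2; }
    normalize_rules "$1" > "$saved_tmp"
    normalize_rules "$2" > "$live_tmp"
    if diff -u "$saved_tmp" "$live_tmp"; then rc=0; else rc=1; fi
    rm -f "$saved_tmp" "$live_tmp"
    return $rc
}

# Demo on the constructed samples. On a real host run, as root:
#   iptables-save > /tmp/live && compare_rulesets /etc/sysconfig/iptables /tmp/live
demo_dir=$(mktemp -d)
printf '%s\n' "$SAVED_RULES" > "$demo_dir/iptables"
printf '%s\n' "$LIVE_RULES" > "$demo_dir/live"
if compare_rulesets "$demo_dir/iptables" "$demo_dir/live"; then
    echo "live ruleset matches the saved configuration"
else
    echo "live ruleset has drifted from the saved configuration (see diff above)"
fi
rm -rf "$demo_dir"
```

On the samples the diff shows exactly one line, the hand-added port 80 rule as a "+" line; the reordered ssh rule and the counters do not show up. The same check works for /etc/sysconfig/ip6tables against ip6tables-save. If the live dump contains further tables (a *nat or *mangle section) that the saved file lacks, they appear as added lines, which is the intended signal: the running firewall then contains rules the static configuration will not restore.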
Planned features
- Dynamic firewall (F-12)
- Full DBus interface (F-12)
- User interaction mode (maybe F-12)
- Network class support (F-13+, requires to add the ability to classify network connections (network profiles) in NetworkManager)
- User policy support (F-13+)
The old firewall behaviour will still be usable if the firewall is set to static mode. This makes it backward compatible.
Dynamic firewall
The new firewall model will be dynamic. This means that /etc/sysconfig/ip*tables will no longer be used for the firewall configuration and will not be written when the firewall changes; many firewall changes will also be applied without restarting the firewall. The firewall will be created and managed by lokkit. If /etc/sysconfig/ip*tables files are present, they are used only when the firewall is configured to be in static mode.
There will be new chains for services, ports, trusted interfaces, masquerading, port forwarding, ICMP filtering and also for services like libvirt. This will make customisation easier than before. Because rules are added to and removed from fixed chains in the firewall structure, these operations should not lead to unexpected behaviour.
DBus interface
system-config-firewall will provide a DBus interface to easily configure the firewall. This will provide the ability to enable and disable services, to open or close ports, to mark and unmark interfaces as trusted or for masquerading, and to add and remove port forwarding. Adding or removing custom rules will also be possible, but this will most likely require a firewall restart.
User interaction mode
This mode will make it possible for the user to allow connections to the machine for predefined services. These will be defined by the administrator. This feature
Network class support
Network classes will make it possible, for example, to open services or to share printers or files only for a particular connection class or network area. A connection or network area can be classified by NetworkManager. A connection should default to untrusted or public and can be changed by the user to a class like home, work or trusted, or to a user-defined class.
User policy support
The administrator will have the ability to define which users can use the user interaction mode.
Other firewall configuration options
Another way to configure the firewall is either by hand or with other firewall configuration tools in the repository. It is important to disable the firewall of system-config-firewall in that case, since otherwise both would manage the same iptables rule set and system-config-firewall would keep overwriting the /etc/sysconfig/ip*tables files on every change.
Download
Grab the latest source from GIT
You can get the current source using the following commands:
$ git clone git://git.fedorahosted.org/git/system-config-firewall