
Linux Gets Dynamic Firewalls In Fedora 15

Soulskill posted more than 3 years ago | from the changing-on-the-fly dept.

Red Hat Software 176

darthcamaro writes "Linux users have long relied on iptables for in-distro firewall setup. The upcoming Fedora 15 release changes that and introduces us to new dynamic firewall technology. 'Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall,' Fedora Project Leader Jared Smith said. 'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changes.'"


176 comments


No comment? (4, Funny)

Anonymous Coward | more than 3 years ago | (#36204532)

No comments yet, everyone's being raptured.

Re:No comment? (0)

Anonymous Coward | more than 3 years ago | (#36204698)

No wifi.
No whisky.

I'd rather stay!

Re:No comment? (-1)

Anonymous Coward | more than 3 years ago | (#36204912)

Earlier my balls were tingling and I assumed it was jesus H christ rapturing my balls, but it wasn't. It was the wine I drank earlier.

Re:No comment? (2)

drb226 (1938360) | more than 3 years ago | (#36205276)

Slashdotters being raptured? I doubt it...

Re:No comment? (4, Funny)

davester666 (731373) | more than 3 years ago | (#36205474)

Why not? We're all virgin's who were tricked into viewing the goatse image.

Re:No comment? (0)

Anonymous Coward | more than 3 years ago | (#36205676)

Revelation 14:4 These are they which were not defiled with women; for they are virgins. These are they which follow the Lamb whithersoever he goeth. These were redeemed from among men, being the firstfruits unto God and to the Lamb.

First (5, Insightful)

Anonymous Coward | more than 3 years ago | (#36204534)

Ehm, iptables doesn't need reloading. Add a rule and it works right away?

Re:First (0)

Anonymous Coward | more than 3 years ago | (#36204554)

I'm scratching my head on that too. If anything, perhaps iptables needs a 'commit/rollback' type deal? "load this ruleset, then commit, and the new rules start working instantly"

This looks more like another system service piled onto dbus. Mebby this should even be in systemd, if it's not already ..?

Re:First (1)

node 3 (115640) | more than 3 years ago | (#36204700)

I haven't had to use iptables for quite some time now, but I think they are referring to making permanent changes. Sure, you can type in a new rule and it will take it, but it won't reload after a reboot.

Aside from testing/tweaking to find the right settings, it seems a bit dangerous to modify the firewall on the fly anyway, because months later when you reboot, you might be stuck wondering why your VPN (etc.) isn't working. And by stuck wondering, I mean you'll get a call from someone who can't access the VPN (or whatever), after you rebooted the computer, and you'll end up having to figure out why, and then redo all the work you did months ago to get it working in the first place.

Also, you can have programs interact with the firewall directly, opening and closing ports as needed. The Slashdot summary is just a snippet, and doesn't do a very good job of communicating the contents of the actual article.

Re:First (1)

binarylarry (1338699) | more than 3 years ago | (#36204792)

That's completely incorrect, rules are effective immediately after you add them.

Linux doesn't require reboots for anything, even kernel upgrades with things like ksplice.

Re:First (1)

ksandom (718283) | more than 3 years ago | (#36204854)

I think you've misread something or replied to the wrong person...?

Re:First (1, Insightful)

thegarbz (1787294) | more than 3 years ago | (#36204964)

Wow linux works when all power is cut-off to the computer? Brilliant!

Seriously this is an idiotic statement. Not needing to reboot a machine is all the more reason to test rebooting it and make sure all previous changes are persistent and the machine comes up correctly. If you don't you'll find that machine will go down for a reboot unexpectedly on the 24th December at 5pm and you're on the on-call list.

Re:First (2)

icebraining (1313345) | more than 3 years ago | (#36205108)

Linux still doesn't need reboots; that doesn't mean they don't happen. I don't see where's the contradiction.

Re:First (1)

ksandom (718283) | more than 3 years ago | (#36204842)

How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

The DBUS stuff to have apps make requests is potentially very cool, I really hope it's well thought out though...

Re:First (2)

WuphonsReach (684551) | more than 3 years ago | (#36205626)

How they are saved depends on the distro. If you use something like Fedora before this, then whether using a gui or command line, you are effectively editing a file and then reload that file by restarting a sudo service. If you use something like gentoo, then it saves your firewall on shutdown or at your request.

You can adjust the Fedora / RHEL / CentOS firewall on the fly with the iptables command. Yes you could just edit the save file and then reload the firewall, but it's always been possible to make firewall changes on-the-fly without doing a reload. It was just tedious, especially for long intricate chains. If you then want to make the changes permanent, you issue the save command.

$ sudo service iptables save

That saves the rules out to the /etc/sysconfig/iptables file (which is what gets loaded when you do "service iptables load").

Frankly, this sounds more like UI changes for interacting with IPTables, and not a core change to how IPTables works.

(Note: I'm speaking from experience with CentOS 5.x and RHEL 5.x, not Fedora.)

Re:First (1)

MichaelSmith (789609) | more than 3 years ago | (#36204972)

Typically in Linux you have a file under /etc with rules which get translated into iptables commands which you can run at any time. To make a change online and permanent you need to change both, but that's not really hard to do. Lots of people just change the file then reload, but I suppose that could be a problem if you have 10000 rules.

Re:First (1)

EyelessFade (618151) | more than 3 years ago | (#36205358)

or just, edit /etc/ file and then make iptables reread it. Simple :)

Re:First (1)

MichaelSmith (789609) | more than 3 years ago | (#36205614)

Yeah but I think the problem here is that if your linux box is a gateway to a large network the process of rereading a large block of rules will involve locking the network down entirely while the rules are parsed. This could take quite a while.

Re:First (1)

Bill_the_Engineer (772575) | more than 3 years ago | (#36205032)

/sbin/service iptables save

Re:First (1)

billcopc (196330) | more than 3 years ago | (#36205120)

Ever heard of iptables-save ?

Heck, Fedora/RHEL/CentOS bootscripts do it for you during shutdown, and reload them during startup.

Re:First (1)

WuphonsReach (684551) | more than 3 years ago | (#36205640)

Heck, Fedora/RHEL/CentOS bootscripts do it for you during shutdown, and reload them during startup.

By default, I'm pretty sure they do not save the iptables chains on shutdown/restart. Not without edits to the iptables-config file.

/etc/sysconfig/iptables-config

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

(Taken from a RHEL 5.6 server.)

Re:First (1)

Lennie (16154) | more than 3 years ago | (#36204744)

I think this is just a frontend to iptables

Re:WTF?? (5, Interesting)

miknix (1047580) | more than 3 years ago | (#36204746)

Most Linux systems use IP tables type firewalls and the problem is that if you want to make a change to the firewall, it's hard to modify on the fly without reloading the entire firewall

Can someone please explain to me what's wrong with appending and deleting a firewall rule:

$ iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
$ iptables -D INPUT 2

where on earth does this need iptables to be restarted?

if we want to save the firewall state:

$ iptables-save > /root/ipt.state

where /root/ipt.state is just a human readable file

and then load the firewall state:

$ iptables-restre < /root/ipt.state

AFAIK this is not "restarting" iptables, just replacing the entire ruleset in one shot.
Again, WTF?

Re:WTF?? (1, Informative)

justsomebody (525308) | more than 3 years ago | (#36205118)

Can someone please explain to me what's wrong with appending and deleting a firewall rule:

sorry, couldn't resist ;)

$ iptables-restre /root/ipt.state

should be

$ iptables-restore /root/ipt.state

Re:WTF?? (1)

miknix (1047580) | more than 3 years ago | (#36205154)

there is still something missing, isn't there :<P

Re:WTF?? (0)

Anonymous Coward | more than 3 years ago | (#36205188)

"iptables -D INPUT 2"

That "2" is what's wrong -- you can't assume no one has inserted other rules, and that the 2 still refers to the rule you think it refers to. The latest kernel adds ipsets, which are simple lists of IPs, for instance. Presumably with these you can simply remove the entry by value, or replace the set, while guaranteeing that the IPTables are still referring to the set in a general way.
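Two things in this thread that a defender would actually script, the saved-versus-running question raised earlier (`service iptables save`, `iptables-save`) and the point just above that a remembered rule number may no longer be the rule you think: an added example, not code from the article, from Fedora or from any commenter. It parses two constructed iptables-save dumps embedded inline (on a real host they would come from `iptables-save` and /etc/sysconfig/iptables), reports what a reboot would silently change, and looks rules up by their full spec rather than by position.

```python
"""Compare a running iptables ruleset with its saved copy and locate rules by
exact specification instead of by a remembered chain position. Added example
for this thread (not from the article, Fedora or any commenter); constructed dumps."""
import shlex
from collections import Counter

RUNNING_DUMP = """\
# Generated by iptables-save (constructed sample: live ruleset)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.14.3.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

SAVED_DUMP = """\
# Generated by iptables-save (constructed sample: /etc/sysconfig/iptables)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_dump(text: str) -> dict:
    """Parse iptables-save text into {table: {"policy": {chain: pol}, "rules": {chain: [tokens]}}}."""
    tables: dict = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # start of a table block
            table = line[1:]
            tables[table] = {"policy": {}, "rules": {}}
        elif line == "COMMIT":                        # end of the table block
            table = None
        elif table is None:
            raise ValueError(f"line outside a table block: {line}")
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy, _counters = line[1:].split(None, 2)
            tables[table]["policy"][chain] = policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):                  # -A CHAIN <rule body>
            tokens = shlex.split(line)                # shlex keeps quoted args intact
            tables[table]["rules"].setdefault(tokens[1], []).append(tuple(tokens[2:]))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return tables


def drift(running: dict, saved: dict) -> dict:
    """Report what a reboot would change: rules only in the live set ("unsaved"),
    rules only on disk ("stale"), and chain policies that differ."""
    report = {"unsaved": [], "stale": [], "policy": []}
    empty = {"policy": {}, "rules": {}}
    for table in sorted(set(running) | set(saved)):
        run_t, sav_t = running.get(table, empty), saved.get(table, empty)
        for chain in sorted(set(run_t["rules"]) | set(sav_t["rules"])):
            run_c = Counter(run_t["rules"].get(chain, []))
            sav_c = Counter(sav_t["rules"].get(chain, []))
            # Counter subtraction keeps multiplicity: a rule present twice live but
            # once on disk is reported as one unsaved copy.
            for rule, n in (run_c - sav_c).items():
                report["unsaved"] += [f"{table}/{chain}: {' '.join(rule)}"] * n
            for rule, n in (sav_c - run_c).items():
                report["stale"] += [f"{table}/{chain}: {' '.join(rule)}"] * n
            run_p, sav_p = run_t["policy"].get(chain), sav_t["policy"].get(chain)
            if run_p != sav_p:
                report["policy"].append(f"{table}/{chain}: running={run_p} saved={sav_p}")
    return report


def rule_positions(ruleset: dict, table: str, chain: str, spec: str) -> list:
    """Return 1-based positions in `chain` of every rule equal to `spec` (the body as
    given to `iptables -A chain ...`). Positions are valid only for the dump they came
    from: re-dump right before `iptables -D chain N`, or delete by the full spec."""
    wanted = tuple(shlex.split(spec))
    rules = ruleset.get(table, {}).get("rules", {}).get(chain, [])
    return [i for i, rule in enumerate(rules, start=1) if rule == wanted]


if __name__ == "__main__":
    for kind, entries in drift(parse_dump(RUNNING_DUMP), parse_dump(SAVED_DUMP)).items():
        for entry in entries:
            print(f"{kind:8} {entry}")
```

An empty report means the on-disk ruleset and the live one agree, which is the check worth running before any planned reboot.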

Re:WTF?? (0)

Anonymous Coward | more than 3 years ago | (#36205572)

you can't assume no one has inserted other rules, and that the 2 still refers to the rule you think it refers to

Of course you can you blithering idiot: iptables -L. Combine with w if you're ultra paranoid.

Re:WTF?? (1)

MikeBabcock (65886) | more than 3 years ago | (#36205456)

Actually, it's possible that with an iptables-restore, the dynamic rules (iptables -m state --state RELATED ... ) might no longer function for existing connections. I'm not familiar enough with the internals to know for certain.

In my case though, it's not relevant; I always dynamically adjust my settings on the fly and then save my changes with iptables-save. When I'm done with a large set of changes, I reboot the machine to make sure my changes load properly and don't negatively affect startup apps.

Re:WTF?? (1)

miknix (1047580) | more than 3 years ago | (#36205554)

That's a good point! The connection tracking for the state module is handled by the nf_conntrack iptables module, I'm not sure but I think the module will only flush its "cache" when the module is unloaded.. but don't take this for granted, I would need to recheck..
Also, it is easy to check your point in iptables but do *other* (as in proprietary) firewalls do it?

Re:WTF?? (1)

MikeBabcock (65886) | more than 3 years ago | (#36205588)

I'm sure an OpenBSD person could speak for pf on this issue, but all the Cisco PIX people I know insist on reboots when changes are made.

Re:WTF?? (1)

suutar (1860506) | more than 3 years ago | (#36205462)

Perhaps "replacing the entire ruleset" is what he meant by "reloading the entire firewall".

Re:First (1)

MikeBabcock (65886) | more than 3 years ago | (#36205412)

I'm confused about the same thing. Must be an issue with GUI management of the firewall settings (via iptables-save; iptables-restore).

I've always done live management of my Linux firewalls, including on Linux 2.2 and earlier. Using iptables from the command-line is the only way to go.

Re:First (0)

Anonymous Coward | more than 3 years ago | (#36205752)

Not even sure why reloading is a problem. I have a script that does a firewall flush in the first line, then applies all the rules... and I just make changes and run the script.... reloading it takes a fraction of a second. I'm unsure why this is an issue. Maybe for obscenely long firewall rules???

-Restil

Modern technology in Linux (1, Insightful)

Anonymous Coward | more than 3 years ago | (#36204552)

Linux, as always, proves that it is always up to date with modern technology. Next you'll have kernel-level drivers that don't break on recompilation of the kernel!11

My new favorite phrase... (1)

Deathnerd (1734374) | more than 3 years ago | (#36204558)

"making changing". God bless the Internet.

reloading? (5, Insightful)

El_Muerte_TDS (592157) | more than 3 years ago | (#36204560)

it's hard to modify on the fly without reloading the entire firewall

It is? Then what have I been doing wrong for all these years?

Re:reloading? (2, Interesting)

LordHatrus (763508) | more than 3 years ago | (#36204592)

I believe what they're trying to say is that it's more akin to the Windows world of things - "Hey, this apache-thing is trying to bind to port 80... do you want to let it through the firewall?"

Re:reloading? (0)

Anonymous Coward | more than 3 years ago | (#36204612)

Well, you're either allowing everything for a short time period, or dropping any new requests for the same time period. TCP/IP is pretty resilient so it's not such a big deal, but hey it's another buzzword that linux is compliant with. Time to celebrate.

Re:reloading? (1)

asdfghjklqwertyuiop (649296) | more than 3 years ago | (#36205340)

No you aren't.

iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT

At no point is anything incorrectly dropped or accepted.

Long in the tooth... (1)

Frosty Piss (770223) | more than 3 years ago | (#36204714)

Well, you know, it's been around a long time - it's just not sexy . If it is to compete with current "mind-share", it has to be tied into "The Cloud"...

Re:reloading? (0)

bill_mcgonigle (4333) | more than 3 years ago | (#36204890)

It is? Then what have I been doing wrong for all these years?

Not modifying the firewall on the fly. Perhaps you've been restarting the firewall while your users were using the system. Different thing.

Re:reloading? (0)

Anonymous Coward | more than 3 years ago | (#36204904)

No.

Re:reloading? (1)

Junta (36770) | more than 3 years ago | (#36205248)

For example, say I want to start allowing port 22:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT

That is not restarting firewall while users were using the system. I may have to do some juggling if I want the rule in the middle.

On a related note, I've always detested redhat firewall configuration for making more chains than needed for their straightforward configuration, making the rules appear far more complicated than they are.

Bull. Iptables allow this already. (-1)

Anonymous Coward | more than 3 years ago | (#36204568)

Bull. iptables DO allow modifying the rules, adding, deleting. Or the main article is too shortened to explain what actually is so ground breaking.

Seriously? (2, Interesting)

The O Rly Factor (1977536) | more than 3 years ago | (#36204606)

/sbin/service iptables save
/sbin/service iptables restart

You really CAN'T take the time out of your day to type that?

Re:Seriously? (1, Offtopic)

node 3 (115640) | more than 3 years ago | (#36204652)

If you ever want the masses to take up Linux, then yes, this is exactly the sort of thing you have to fix. Why should someone even have to know such commands in the first place?

And I don't understand your reasoning anyway. Just because something isn't terribly difficult (once you know what to type), that doesn't mean it's not good to make things even easier. But somehow, whenever anyone tries (GNOME, Ubuntu), they get pilloried.

Re:Seriously? (1)

Haedrian (1676506) | more than 3 years ago | (#36204788)

If you're playing around with iptables you're probably not a 'masses' user. There are some nice frontends for end users, but this sort of thing is for the person owning a server or whatever.

Again, you use the console because it's faster.

Re:Seriously? (2)

fnj (64210) | more than 3 years ago | (#36204810)

Oh, honest to God. Do we have to spell it out? So you make a bloody tinkertoy launcher on the desktop that says "restart firewall" and it runs the command line "sudo /sbin/service iptables restart." Takes about one minute to create. That is so simple even a monkey too stupid to learn anything can do it. Then you make more launchers to do other firewall tasks.

Re:Seriously? (2)

mcavic (2007672) | more than 3 years ago | (#36204874)

Restarting iptables doesn't even hurt anything. I've done it with VPN users connected and talking over VOIP.

Re:Seriously? (1)

node 3 (115640) | more than 3 years ago | (#36205748)

Or you just fix the fucking firewall so you don't have to create a "bloody tinkertoy". Seriously, iptables is ok for a server or a nerd desktop machine, but even a "bloody tinkertoy" is too complex. The mere notion of a "restart firewall" icon is unnecessary, and completely indefensible compared to simply fixing the firewall system in the first place.

Re:Seriously? (1)

The O Rly Factor (1977536) | more than 3 years ago | (#36204930)

This is Fedora we're talking about. The only thing I'm running Fedora, RHEL, CentOS, et. al. on are high performance workstations and production servers, where I need a good, solid, time tested static firewall that I know is going to work, every time.

If "the masses" want to continue to disregard RTFMing and want a hand-holding experience like everything else computing-based in their lives, then they can go play with Ubuntu, or Mac OS.

Now get off my lawn.

Re:Seriously? (2)

Runaway1956 (1322357) | more than 3 years ago | (#36205060)

Why should someone even have to know such commands in the first place?

How about an automotive analogy? If you can't parallel park, you can't claim to know how to drive. If you can't change a flat tire, you shouldn't be licensed to drive. If you can't walk around your vehicle to see if all the parts are in the correct places, (lights, tires, bumpers, windows - basic shit like that) then you should be charged with reckless driving when the cop pulls you over for driving on a flat tire, and a broken turn signal.

Just because you can have your car - or your computer - do things for you automagically shouldn't relieve you of the responsibility to UNDERSTAND THE SYSTEM!!

Re:Seriously? (1)

Sarten-X (1102295) | more than 3 years ago | (#36205176)

I don't need to know how to disassemble and rebuild the engine in order to drive. I don't need to know how the transmission works, or the brakes, or the windshield wipers' intermittent timer. I just need to know that they will work as needed, when needed. When they don't work, I can get somebody else to fix them.

This applies to computers, as well. I don't really need to know how the ALU works, I don't need to know the Ethernet protocols, and I don't need to know the commands to directly manipulate a firewall. Does that somehow make me ineligible to use a computer?

Re:Seriously? (1)

DarkOx (621550) | more than 3 years ago | (#36205420)

Where do you draw the line? See, your disassemble-and-rebuild-an-engine analogy, to my mind, would be more comparable to knowing how to implement something like netfilter than to knowing how to use the iptables command to manipulate it.

If you and other people maintain this silly attitude that it's unreasonable to have to *learn* something in order to operate complex tools there is no end in sight. Next you will be telling us you should not have to know where to click in all those menus and buttons.

Re:Seriously? (1)

node 3 (115640) | more than 3 years ago | (#36205734)

Why should someone even have to know such commands in the first place?

How about an automotive analogy? If you can't parallel park, you can't claim to know how to drive.

Sure you can.

If you can't change a flat tire, you shouldn't be licensed to drive.

Says who? But sure, let's follow this automotive analogy. If you don't make it so that you can drive a car without being able to change a flat, then you have no business complaining when someone who does gets all the business.

Just because you can have your car - or your computer - do things for you automagically shouldn't relieve you of the responsibility to UNDERSTAND THE SYSTEM!!

That's, quite simply, nothing more than elitist nerd bullshit.

Re:Seriously? (0)

Anonymous Coward | more than 3 years ago | (#36204876)

That isn't without reloading...

Re:Seriously? (0)

Anonymous Coward | more than 3 years ago | (#36205104)

I guess they made a /sbin/service iptables save-restart

Re:Seriously? (4, Informative)

AdamWill (604569) | more than 3 years ago | (#36205534)

Try reading the original feature page:

http://fedoraproject.org/wiki/Features/DynamicFirewall [fedoraproject.org]

the main benefit of this is not for manual changes, really. See 'Benefit to Fedora'. Hell, just read the whole thing. It makes it quite clear.

Dbus (2)

vajorie (1307049) | more than 3 years ago | (#36204622)

The apps can tell the firewall to open up a port for a period of time and then shut it back down.

Woohoo!

Playing with dbus (1)

vajorie (1307049) | more than 3 years ago | (#36204634)

Does this mean that if I can crash dbus, I can take down my (your server's) firewall?

Re:Playing with dbus (2)

Lennie (16154) | more than 3 years ago | (#36204764)

no, it takes down dbus and it might make something on your _desktop_ not work anymore (because I think that is what this is for). iptables is in the kernel, it is not affected.

ACL (0)

Anonymous Coward | more than 3 years ago | (#36204640)

I wish we had Cisco-style Access Lists on linux

Re:ACL (1)

inode_buddha (576844) | more than 3 years ago | (#36205132)

Linux ACL not enough?

On-demand holes (1)

Anonymous Coward | more than 3 years ago | (#36204680)

"So an application can say, hey I need a port open, please open a pinhole in the firewall."

This is exactly the spirit of firewalls.

Whoa, you can dynamically open ports! (2)

cras (91254) | more than 3 years ago | (#36204690)

The apps can tell the firewall to open up a port for a period of time and then shut it back down.

I mean, it sounds almost like they could listen() a specific port, and once they're done with it, they could close() it! If all applications could always do this automatically, I think we could actually get rid of manual firewall configuration entirely!

Re:Whoa, you can dynamically open ports! (1)

Junta (36770) | more than 3 years ago | (#36205220)

Generally, linux desktop INPUT firewalls strike me as superfluous. That said, there is one use case, filtering out ports higher than 1024 from listening. This would mean any socket acting server-like would have to be explicitly blessed by someone with admin rights, which could mitigate certain types of trojan attacks.

What cracks me up is all these firewalling rules being automatically removed and inserted by installing the relevant application. For example install openssh and the firewall magically gets a rule to allow port 22. *This* is particularly asinine and is the sort of thing worthy of ridicule. If they can listen on a privileged port, they could change firewall rules, so filtering INPUT below 1024 for fear of malware is stupid (though it is a useful workaround for crappy apps without sufficient configurability to bind to specific interfaces).

Re:Whoa, you can dynamically open ports! (2)

MikeBabcock (65886) | more than 3 years ago | (#36205514)

I filter ports below 1024 because I don't necessarily want them listening to connections from just anyone.

I have several machines with rules like "iptables -I INPUT -i eth0 -p tcp --dport 22 -s 10.14.3.0/24 -m state --state NEW --syn -j ACCEPT" so that SSH isn't even listening to everyone, just the subnet I want it to listen to.

PS for the people who may reply, that usually looks like:

iptables -I INPUT -i eth0 -j INPUT-LAN
iptables -A INPUT-LAN -s 10.14.0.0/16 -j MARK --set-mark 2
iptables -A INPUT-LAN -s 10.14.3.0/24 -j MARK --set-mark 3
iptables -A INPUT-LAN -p tcp -m state --state NEW --syn -j INPUT-LAN-NEW
iptables -A INPUT-LAN-NEW -p tcp --dport 22 -m mark --mark 3 -j ACCEPT
iptables -A INPUT-LAN-NEW -p tcp --dport 80 -m mark --mark 2 -j ACCEPT
iptables -A INPUT-LAN-NEW -p tcp --dport 3128 -m mark --mark 2 -j ACCEPT

... since doing the state check in each line gets unwieldy quickly. Also, MARK is a great way to not have to repeat subnets and other matches, assuming you're not using them differently in mangle for ipsec or something.

OpenBSD (2, Informative)

discore (80674) | more than 3 years ago | (#36204704)

"'Fedora 15 is really the first mainstream operating system to have a dynamic firewall where you can add or change rules and keep the firewall up and responding while you're making changing.'"

What?

http://www.openbsd.org/faq/pf/

pf will always be better than iptables in every way.

Re:OpenBSD (0)

Anonymous Coward | more than 3 years ago | (#36204856)

Yeah, that's why they said "mainstream". OpenBSD has many virtues, but popularity is not one of them.

Re:OpenBSD (0)

Anonymous Coward | more than 3 years ago | (#36205488)

Yeah, that's why they said "mainstream". OpenBSD has many virtues, but popularity is not one of them.

Err, what?

1) The article is blatantly wrong, Linux and many other OSes have had the ability to update firewall rules on the fly for very many years.
2) OpenBSD is mainstream, it's used all over the place. Because it doesn't crash you don't notice it.
3) PF is also used on NetBSD, FreeBSD, DragonflyBSD. FreeBSD is very much mainstream.

WinXP (0)

Anonymous Coward | more than 3 years ago | (#36204910)

Windows XP's firewall is dynamic, too. Add and remove rules without rebooting. Rules can even be per-application.. is this even possible with iptables?

This feature has been mainstream for more than a decade in the market-leading OS.

But no, I guess Fedora got it first. Yet another Linux innovation! When will Microsoft catch up!??!?!

Re:WinXP (2)

jd (1658) | more than 3 years ago | (#36205198)

IPTables rules can not only be per-application, per-user and per-instance, or per any definable group thereof (intserv), the rules themselves can contain whatever conditions you like (including checks for packet labels, layer 7 checks, etc). The main question I have to ask is why Red Hat still uses IPTables rather than nf-HiPAC or nftables, the two competing replacement stacks. IPTables is long-in-the-tooth and can't compete on performance or flexibility with the alternatives, so extending IPTables' functionality (rather than switching to something that already provides the facility and spending those resources on development) seems pointless and a little naive.

If you're going to spend developer time and dollars on a capability, always always always look 2-5 years ahead rather than 2-5 years behind.

Re:WinXP (1)

justsomebody (525308) | more than 3 years ago | (#36205224)

the only way you could get same feature was using zonealarm (except zonealarm didn't close port after application stopped). and before answering, read right documentation, not the blurb this author wrote

Re:WinXP (0)

Anonymous Coward | more than 3 years ago | (#36205232)

Windows XP's firewall is dynamic, too. Add and remove rules without rebooting. Rules can even be per-application.. is this even possible with iptables?

This feature has been mainstream for more than a decade in the market-leading OS.

But no, I guess Fedora got it first. Yet another Linux innovation! When will Microsoft catch up!??!?!

The article is falsely claiming an innovation, if you understood anything about Linux you would know that but I guess they don't teach Linux in Microsoft's marketing classes.

As for calling XP's firewall a firewall.. Get real, you can't filter on the same OS the security holes are on and expect decent security.

Re:WinXP (1)

justsomebody (525308) | more than 3 years ago | (#36205288)

and yes, you can from early iptables start, which predates any firewall presence in windows.

you can set rulesets in specific tables, you can add/remove them dynamically, save/restore from the very first time of iptables replacing ipchains, which already had that feature too.

Re:OpenBSD (0)

Anonymous Coward | more than 3 years ago | (#36205178)

I agree that pf is better than iptables. Iptables would be dead pretty quick if pf or something like it was ever available on linux.

However even with iptables it's perfectly possible to add and remove rules on the fly without wiping out states. The statement in the article saying that this can't be done is likely a misquote, it's certainly false.

Re:OpenBSD (4, Informative)

justsomebody (525308) | more than 3 years ago | (#36205206)

no need to get upset. author just worded it really badly. as most already said, iptables already had add/remove/save/restore, although i can see you get bonner every time you mention openbsd

here is how this works
- service/program starts and sends d-bus message "hey, i need xxx port to work (yes, i really meant classic pr0n port;)
- user gets prompted and needs to validate the decision through authentication.
- port is open
- when software stops, it sends another d-bus message "close pr0n port"
- port is closed

this is not a scenario which would be usable in any server environment. but for a n00b user running something... it might just be a life saver not to get confused with a bunch of howtos that are too advanced for him.

Re:OpenBSD (1)

hedwards (940851) | more than 3 years ago | (#36205338)

Bonner? Wasn't he the lead singer for U2?

Re:OpenBSD (0)

Anonymous Coward | more than 3 years ago | (#36205552)

Nope, he's called Booh-Noooo!

*rimshot*

Re:OpenBSD (0)

Anonymous Coward | more than 3 years ago | (#36205646)

No doubt. I totally agree. The fact that you have to have all of these front ends to work with IPTables is a testimony of how ridiculously complicated IPTables syntax is.

What's the point? (3, Insightful)

Anonymous Coward | more than 3 years ago | (#36204720)

So an application can say hey I need a port open, please open a pinhole in the firewall.

I don't get that. If you want applications to be free to open ports, why would you filter them in the first place? (and what does it mean to filter ports that are closed anyway?)

I would say controlling such an ability in an application belongs to something that acts on bind(9) calls.

Re:What's the point? (1)

jd (1658) | more than 3 years ago | (#36205208)

It's basically tcpwrappers implemented as an IPTables facility, only without quite as much control over what external sources can do the opening. It's interesting but as IPTables is due to be replaced anyway, it's a pointless enhancement that simply wastes developer time.

Ignorant and misleading article. (5, Informative)

sydb (176695) | more than 3 years ago | (#36204724)

This article is ignorant and misleading. The "new technology" is nothing to do with Linux, iptables rules are already dynamic, it's the Fedora management tooling that no longer wipes the entire set of rules and loads them afresh.

The truth is here: http://fedoraproject.org/wiki/Features/DynamicFirewall [fedoraproject.org]

Re:Ignorant and misleading article. (0)

Anonymous Coward | more than 3 years ago | (#36205758)

Whoa. Fedora learns #!/bin/bash.
That's it, I've finally found a reason to dump Gentoo!

OpenBSD's PF has been adaptive for years (4, Informative)

badger.foo (447981) | more than 3 years ago | (#36204728)

The concept isn't very new or radical, but it will be interesting to see how their implementation behaves in real life.

Over in OpenBSD [openbsd.org] land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see e.g. these table samples [home.nuug.no]). One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see e.g. this set of tutorial examples [home.nuug.no]). In addition, the OpenBSD versions of dhcpd [openbsd.org] and bgpd [openbsd.org] as well as other applications are routinely set up to interact with your filtering config via tables.

Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy [openbsd.org] for example) or relayd [openbsd.org] (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.

My BSDCan slides [home.nuug.no] have more material, as of course does The Book of PF [nostarch.com], and never forget The PF docs [openbsd.org] as the authoritative source.

Re:OpenBSD's PF has been adaptive for years (0)

Anonymous Coward | more than 3 years ago | (#36204756)

Linux has been dynamic in the same ways for years too, the article/summary is retarded. Linux has named rulesets which can be referenced by other rulesets, you can dynamically add/remove individual filter lines from any ruleset, even the default ones. It also has ipsets, which is like what you describe w/ OpenBSD (other tools can dynamically update an efficient table of IPs or networks that rules reference).

Re:OpenBSD's PF has been adaptive for years (1)

Anonymous Coward | more than 3 years ago | (#36205300)

The article is misleading. IPtables isn't as bad as it suggests and has had dynamic rules since always.

You linked to the old version of The Book of PF [nostarch.com]. It's an excellent book.

Anyone who uses iptables a lot really should try pf. They will love it.

Re:OpenBSD's PF has been adaptive for years (-1)

Anonymous Coward | more than 3 years ago | (#36205324)

What a useless paragraph of huge penis wanking; iptables can do dynamic firewalling already. Fuck off and go back to your nerd OS.

Re:OpenBSD's PF has been adaptive for years (1)

hedwards (940851) | more than 3 years ago | (#36205348)

I've grown fond of PF over time. It's amazing to me how much it can do with a little foresight. Unfortunately, it's still a bitch to work with FTP.

This is not revolutionary, but nice (1)

straponego (521991) | more than 3 years ago | (#36204754)

Right now I have scripts to list the current ruleset, figure out the deltas between the new ruleset and old, add or remove rules as appropriate, and save that config to disk for reboots. It works well enough, better than restarting iptables, but it should be more efficient with these changes. I wondered why there wasn't a method (that I found; correct me if I'm wrong) for running batch changes without invoking the iptables command for each change.

Re:This is not revolutionary, but nice (0)

Anonymous Coward | more than 3 years ago | (#36204898)

The standard tools "iptables-save" + "iptables-restore" already do atomic replacement. They don't do smart diffs to insert/remove the minimal set of changes, but instead they re-apply the whole saved set in one transaction "between packets".
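The delta approach straponego describes (diff the old and new rulesets, then apply only the insertions and deletions) as an added example in Python; it is not either poster's script nor anything from Fedora. It parses two constructed iptables-save dumps and emits the individual iptables -D / -A invocations, leaving untouched rules (and their packet counters) alone; iptables-restore, as the reply notes, is the alternative that replaces the whole set atomically.

```python
import shlex
from collections import Counter

# Constructed sample dumps in iptables-save format (not taken from a real host).
OLD_DUMP = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""
NEW_DUMP = OLD_DUMP.replace("--dport 80", "--dport 443")  # the only intended change

def parse_save(text):
    """Parse iptables-save text into {(table, chain): [rule spec, ...]}."""
    rules, table = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):        # chain declaration and its policy
            rules.setdefault((table, line[1:].split()[0]), [])
        elif line.startswith("-A "):      # a rule appended to a chain
            chain, _, spec = line[3:].partition(" ")
            rules.setdefault((table, chain), []).append(spec)
    return rules

def diff_rulesets(old, new):
    """Return iptables argv lists that turn `old` into `new`: -D for rules
    present only in old, -A for rules present only in new.  A multiset diff,
    so duplicate rules count; the relative order of surviving rules is assumed
    not to matter (if it does, a flush-and-reload is still required)."""
    cmds = []
    for table, chain in sorted(set(old) | set(new)):
        old_c = Counter(old.get((table, chain), []))
        new_c = Counter(new.get((table, chain), []))
        for action, delta in (("-D", old_c - new_c), ("-A", new_c - old_c)):
            for spec, n in delta.items():
                argv = ["iptables", "-t", table, action, chain] + shlex.split(spec)
                cmds.extend([argv] * n)
    return cmds

if __name__ == "__main__":
    for argv in diff_rulesets(parse_save(OLD_DUMP), parse_save(NEW_DUMP)):
        print(" ".join(shlex.quote(a) for a in argv))
```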

Re:This is not revolutionary, but nice (0)

Anonymous Coward | more than 3 years ago | (#36205274)

iptables is no magic, it uses some kernel API to do the job. I'm sure you could do it directly from say a python script without invoking the iptables utility.

Ugh... bloatware (2)

ka9dgx (72702) | more than 3 years ago | (#36204826)

I'm one of the token Windows system admins here... and even I know that this stuff is just bloatware.

  • dynfw [gentoo.org] is just a script to do a few things with iptables, it's not new functionality.
  • OpenSCAP [open-scap.org] is just some tools to manage code signing, which is an attempt to enumerate goodness, and doesn't actually fix things by improving security.

I thought they were talking about something new and useful... not just some hype... oh well... looks like they are catching up with uSoft in that department.

lol (1)

GMC-jimmy (243376) | more than 3 years ago | (#36204882)

It's funny seeing new converts feverishly pecking at GUI buttons in their favorite distro as if every piece of software on it was made at the same factory. You have to be gentle with them.

Temporary rules to keep the IP addr. table clean (1)

VortexCortex (1117377) | more than 3 years ago | (#36204900)

So... the Firewall stores allowed IP addresses in a table structure, let's say an AVL/RedBlack tree or a hash table. You certainly don't want every outbound connection (hole you punch) in the firewall to be permanent. So, why not add a time stamp, and if it remains unused for a long enough period of time, you remove that IP rule?

You don't want to have to constantly run a background thread that scans the table for expired entries -- That would be needlessly wasteful! Instead, why don't we look at the nodes while we're traversing the tree or hash looking for a match to determine if a packet should be blocked or allowed, and then just remove any expired rules we come across!

In a hash table, collisions (two different addresses mapping to the same bucket) are frequently resolved by storing a pointer to a linked list in the bucket instead of just one address. Since you'll occasionally be iterating across more than one IP rule, you can remove expired rules as you do so -- similar to the way you would for tree traversal.

Obvious, right? I mean... I don't see why no one figured this out a long time ago!

Wait... wait... You're probably thinking of responding with something along the lines of: "No shit, you dumbass, that's how it's done already." I know; I know... that's my point -- That's the way my game servers have been doing things since the early 90s.

Well, there's just one catch -- that's illegal; it can be patent infringing. Remember that patent suit brought against Google by Bedrock claiming that their use of Linux infringes a patent, and that all of Linux may be infringing?

Patent 5,893,120 -- "methods and apparatus for information storage and retrieval using a hashing technique with external chaining and on-the-fly removal of expired data."

The court found Google to be in violation. Of course the patent should never have been granted... Any professional skilled in the art of hash tables, and familiar with the concept of a stateful firewall will arrive at this solution... (please dissolve the PTO, it's broken, okay?)

So -- I hope Red Hat/Fedora is using a Red-Black tree or AVL tree -- instead of a Hash... I would check, but honestly, I'm a lazy Debian kind of guy.
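The lazy-expiry scheme the post sketches, as an added example in Python (not the poster's game-server code and not anything from Fedora): a hash table of allowed addresses with external chaining, where a lookup drops any stale entry it walks past instead of relying on a sweeper thread. The clock is injectable so the behaviour is reproducible, and the addresses in the test are constructed.

```python
import time
import zlib

class ExpiringAllowList:
    """Allowed-source table: a hash table with external chaining whose expired
    entries are removed lazily, while a lookup traverses a bucket's chain.
    `clock` is injectable so expiry can be exercised deterministically."""

    def __init__(self, ttl, buckets=64, clock=time.monotonic):
        self.ttl = ttl                               # seconds of disuse before a rule expires
        self.table = [[] for _ in range(buckets)]   # bucket -> chain of [ip, last_used]
        self.clock = clock
        self.purged = 0                              # stale entries dropped so far

    def _bucket(self, ip):
        # Deterministic hash (crc32) so bucket collisions are reproducible across runs.
        return self.table[zlib.crc32(ip.encode()) % len(self.table)]

    def allow(self, ip):
        """Punch a hole for `ip`, or refresh its timestamp if it is already present."""
        now = self.clock()
        for entry in self._bucket(ip):
            if entry[0] == ip:
                entry[1] = now
                return
        self._bucket(ip).append([ip, now])

    def is_allowed(self, ip):
        """Match `ip`, removing any expired entry met while traversing its chain.
        A hit also refreshes the entry, so a rule stays alive while it is in use."""
        now = self.clock()
        chain = self._bucket(ip)
        keep, found = [], False
        for entry in chain:
            if now - entry[1] > self.ttl:   # stale: drop it on the fly, no sweeper needed
                self.purged += 1
                continue
            if entry[0] == ip:
                entry[1] = now
                found = True
            keep.append(entry)
        chain[:] = keep                     # rewrite the chain without the expired entries
        return found

    def size(self):
        return sum(len(chain) for chain in self.table)
```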

Re:Temporary rules to keep the IP addr. table clea (1)

ziesemer (959438) | more than 3 years ago | (#36205158)

Re:Temporary rules to keep the IP addr. table clea (1)

Sarten-X (1102295) | more than 3 years ago | (#36205268)

Oh look, it's a troll!

There's a few problems with your post. First, the story is about a management application, which shouldn't know anything about how recently-useful a rule was. Also, self-expiring rules would be a maintenance nightmare for any resource that's accessed only occasionally.

"It's broken, okay?" is not a persuasive argument. Please do continue trolling. I find it entertaining. Next time, though, please be a bit more subtle.

CSF Anyone? (1)

Taigitsune (1450245) | more than 3 years ago | (#36205144)

Looks like Fedora will be adding some features that CSF (ConfigServer Firewall) has provided for years. Huzzah! As an aside, am I the only one who thinks it's insane to allow applications to tell the firewall what to do? The firewall is a sanity check to keep applications in line.

Watch Fedora f*ck it up (-1)

Anonymous Coward | more than 3 years ago | (#36205452)

This sounds like a bad idea. I'm sure there is a misguided developer(s) at Fedora saying "Look, it's so much better to allow applications and regular users to change the firewall rules all by themselves. We don't need root to manage the firewall". Probably the same guy(s) that thought it was just fine to allow regular user accounts to do software updates or install system software.

Riding the short dbus (0)

Anonymous Coward | more than 3 years ago | (#36205668)

Know how long it takes to "reload" my iptables firewall? About 1 second. However, a dedicated Linux firewall on better hardware might have tens of thousands of rules, so it might take 30 seconds or so to reload.

Kinda interested to see what they do with dbus though; this could make it more efficient for external programs to modify the firewall without parsing complex iptables output. For example, I can open and close ports when I start/end specific programs through scripts, but if some dbus-based framework existed to do that more elegantly I think that would be cool.
