On 12/27/2010 08:06 PM, nodata wrote:
> On 23/12/10 17:03, Thomas Woerner wrote:
>> Hello,
>>
>> as discussed some time ago, I worked on the proof of concept
>> implementation of firewalld. FirewallD is a service daemon with a D-BUS
>> interface that provides a dynamically managed firewall.
>>
>> For more information on firewalld, please have a look at:
>> https://fedoraproject.org/wiki/FirewallD/
>>
>> About this version:
>>
>> This is mostly the proof of concept implementation with some changes and
>> is feature complete for F-15 as a firewalld preview version. It will not
>> be enabled by default and will also not get installed by default. The
>> system-config-firewall with the static firewall model will still be the
>> default firewall solution for Fedora 15.
>>
>> What this firewalld version can do:
>>
>> - It supports most of the firewall features system-config-firewall had,
>>   but there are three limitations:
>>
>>   1) Custom firewall rule files (iptables save format) are not
>>      supported and most likely never will be, but there is support for
>>      custom rules (limited functionality).
>>
>>   2) sysctl changes for ip_forward are not done yet.
>>
>>   3) There are no permanent firewall settings; this means that all
>>      settings are lost after a service restart or reboot. Permanent
>>      firewall settings will be added later on.
>>
>> - The firewall daemon manages the firewall dynamically. This means that
>>   changes are done without recreating the whole firewall. Also, there is
>>   no need to reload all firewall modules anymore. Firewall helpers are
>>   loaded and unloaded as needed.
>>
>> - A simple tray applet (firewall-applet) shows the status of the public
>>   firewall and makes it simple to enable and disable firewall
>>   services. The applet does not show firewall configuration settings
>>   done with the libvirt interface.
>>
>> - firewall-cmd is the command line client that makes it possible to
>>   enable, disable, query and list firewall features. firewall-cmd is
>>   also not able to show firewall settings of the libvirt interface.
>>
>> - There is a rule and chain interface for libvirt, but the PolicyKit
>>   policy is not in place yet.
>>
>> What this version can not do (future features):
>>
>> - firewall-config, the firewall configuration utility, is not functional
>> - System vs. User/Session configuration
>> - Zone support
>> - NetworkManager firewall rule support
>>
>>
>> firewalld made it into a fedorahosted repo at:
>>
>> git://git.fedorahosted.org/git/firewalld.git
>>
>> The fedoraproject wiki page at
>> https://fedoraproject.org/wiki/FirewallD/
>> exists and will get more updates soon. The feature request page for
>> Fedora 15 is also up to date:
>> https://fedoraproject.org/wiki/Features/DynamicFirewall#How_To_Test
>>
>> For test packages, please have a look at
>> http://twoerner.fedorapeople.org/firewalld/
>>
>> firewalld has a requirement for system-config-firewall-1.2.28. This
>> version has checks for an active firewalld in the tools.
>>
>> Please have a look at
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=211013
>> for the Fedora 15 packages of this version. It is usable on Fedora
>> versions < 15.
>>
>> How To Test
>> - Install firewalld and firewall-applet
>> - Start the firewalld service
>> - Start the tray applet firewall-applet
>> - Use firewall-cmd to enable, for example, ssh:
>>     firewall-cmd --enable --service=ssh
>> - Enable samba for 10 seconds:
>>     firewall-cmd --enable --service=samba --timeout=10
>> - Enable ipp-client:
>>     firewall-cmd --enable --service=ipp-client
>> - Disable ipp-client:
>>     firewall-cmd --disable --service=ipp-client
>> - To restore your static firewall with lokkit again, simply use:
>>     lokkit --enabled
>>
>> You can also use the D-BUS interface directly. This is required for
>> libvirt (and later on also NetworkManager). The D-BUS interface
>> documentation is work in progress and will be added later on.
>>
>>
>>
>> Comments and additional information are highly welcome.
>>
>> Thanks in advance,
>> Thomas
>>
>
> Hi,
>
> First of all, thanks for making this work on the command line first and
> GUI second.
>
> Can I ask a stupid question? Does dbus have the kind of performance
> necessary to support this type of application?
>
> Thanks.

I have done tests here and the performance of D-BUS is good. The biggest
amount of time was used to add or remove rules or to load or unload
netfilter kernel helpers.

D-BUS is used to submit requests to firewalld. If there are so many
requests that they cannot be handled by D-BUS in a reasonable time, then
this could be bad usage of firewalld. Firewall changes should not happen
all day long.

Thanks,
Thomas

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel