Re: About F19 Firewall

On 09/15/2013 08:52 PM, P J P wrote:
> Hi,
>
> I upgraded to F19 recently. And I happened to look at the output of iptables(8) today.
>
>     $ iptables -nL
>
> It's baffling! It's a crazy 4-page-long listing!!
>
> Why are there so many chains? Most are empty. Those which have rules jump
> from one chain to another, and that jumps to yet another.

These chains are needed to

1) Separate zones.

NM connections, interfaces and source addresses or ranges can be bound to zones. The initial default zone is public, and all connections will be bound to this zone. The user or administrator can bind connections to other zones, either in the NM connection editor or within the ifcfg file.

2) Make sure that a newly added rule will have the desired effect.

If you are mixing deny and allow rules, you cannot say which effect it will have. Either there are unwanted accepts, or rejects, or drops. A simple and straightforward solution is to have separate chains for deny and allow rules. The same also applies to logging rules.

> Multicast DNS is allowed in the internal network (chain IN_internal_allow). I
> guess IN_internal_allow is meant for some closed group internal network, not sure.
>
>      ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
>
> Who uses it?

This has been added because of a FESCo decision to enable Multicast DNS (mDNS).

> Then I looked at the firewall configuration GUI tool. That's even more
> baffling. On the left-hand side, it lists zones: home, internal, public,
> work etc. without any explanation whatsoever of what each one is supposed
> to do. It also has a default zone which is 'public'. I guess that must
> be the running firewall configuration. So even if I'm at work or at
> home, I'm using a firewall configuration that is meant for a public network,
> am I? Besides, who is going to switch between these zones every day from
> home to work to home again?

You do not need to change it, but you can if you want to. If, for example, you are using wifi connections at home, at work, etc., you can bind each of these to the zone that is appropriate for you: for example, work for your work wifi connection. It will be used only while you are connected to your work wifi connection (it is bound to the SSID).

The default zone (initially public) is used for all connections and interfaces whose zone has not been set to another value.

You can customize the zones and services according to your needs.

> I think for individual users, which
> is the majority of users, this is a stupid firewall. It doesn't have to
> be so complicated that even if one tries to understand it, he/she can
> not. :(
>
> ---
> Regards
>     -Prasad
> http://feedmug.com


--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
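To see why the long chain listing and the per-zone log/deny/allow split behave the way the reply describes, the following script walks a packet through a firewalld-style INPUT table the way the kernel does (including the difference between -j and -g). This is an added example, not code from the message, from firewalld or from Fedora. RULES is a constructed, trimmed imitation of the Fedora 19 layout (INPUT -> INPUT_ZONES -> IN_<zone> -> IN_<zone>_{log,deny,allow}); the interface names wlan0/eth1, the addresses and the SSH deny rule are assumptions made for the example, and real `iptables -S` output contains more chains and rules.

```python
"""Trace a packet through a firewalld-style INPUT ruleset (added example; not
code from the message or from firewalld). RULES is a constructed, trimmed
imitation of the Fedora 19 layout INPUT -> INPUT_ZONES -> IN_<zone> ->
IN_<zone>_{log,deny,allow}; real `iptables -S` output has more chains and rules,
and lists every chain with -N, which this parser does not need."""
import ipaddress
import shlex

RULES = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i wlan0 -g IN_work
-A INPUT_ZONES -i eth1 -g IN_internal
-A INPUT_ZONES -g IN_public
-A IN_work -j IN_work_log
-A IN_work -j IN_work_deny
-A IN_work -j IN_work_allow
-A IN_work_deny -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A IN_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal -j IN_internal_log
-A IN_internal -j IN_internal_deny
-A IN_internal -j IN_internal_allow
-A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse(text):
    """Return {chain: [rule, ...]}; a rule is {match, target, goto}."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        rule = {"match": {}, "target": None, "goto": False}
        for opt, arg in zip(tok[2::2], tok[3::2]):   # every option here takes one argument
            if opt in ("-j", "-g"):
                rule["target"], rule["goto"] = arg, opt == "-g"
                if arg not in TERMINAL:
                    chains.setdefault(arg, [])       # a user chain; may stay empty
            elif opt in ("-i", "-p", "-s", "-d", "--dport", "--ctstate"):
                rule["match"][opt] = arg
            elif opt not in ("-m", "--reject-with"):  # those two carry no packet criterion
                raise ValueError(f"unsupported option {opt!r}: {line}")
        chains.setdefault(tok[1], []).append(rule)
    return chains


def matches(match, pkt):
    for opt, want in match.items():
        if opt in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"])
            ok = addr in ipaddress.ip_network(want, strict=False)
        elif opt == "--ctstate":
            ok = pkt["ctstate"] in want.split(",")
        elif opt == "--dport":
            ok = pkt.get("dport") == int(want)
        else:                                        # -i / -p: exact compare
            ok = pkt[{"-i": "iface", "-p": "proto"}[opt]] == want
        if not ok:
            return False
    return True


def walk(chains, chain, pkt, trace):
    """Evaluate one chain; return ACCEPT/DROP/REJECT, or None for 'no verdict'."""
    trace.append(chain)
    for rule in chains[chain]:
        if not matches(rule["match"], pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return None if target == "RETURN" else target
        sub = walk(chains, target, pkt, trace)
        # -j: carry on here when the sub-chain gave no verdict.  -g: the sub-chain
        # replaced this one, so "no verdict" goes back to whoever jumped into it.
        if sub is not None or rule["goto"]:
            return sub
    return None


def decide(chains, pkt):
    """Return (verdict, chains visited in order) for a packet entering INPUT."""
    trace = []
    return walk(chains, "INPUT", pkt, trace), trace


def chain_summary(chains):
    """(number of chains, sorted names of the ones with no rules at all)."""
    return len(chains), sorted(c for c, rules in chains.items() if not rules)


CHAINS = parse(RULES)

if __name__ == "__main__":   # constructed packet: new SSH from a 10/8 host on the work wifi
    pkt = {"iface": "wlan0", "proto": "tcp", "dport": 22, "src": "10.1.2.3",
           "dst": "192.0.2.10", "ctstate": "NEW"}
    print(decide(CHAINS, pkt), chain_summary(CHAINS))
```

Two things the trace makes visible. First, a deny rule wins over an allow rule for the same port no matter which one was added last, because IN_<zone>_deny is always consulted before IN_<zone>_allow; that ordering is what the separate chains buy. Second, INPUT_ZONES uses -g (goto), so once wlan0 has been dispatched to IN_work, the default `-g IN_public` line is never reached for that packet, and a packet that no zone chain accepts falls back to the final REJECT in INPUT. The empty chains that make the listing long are the log/deny/allow slots of zones with nothing configured in them.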




