Re: About F19 Firewall

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 09/20/2013 09:05 PM, P J P wrote:

    Hi,

----- Original Message -----

From: Thomas Woerner <twoerner@xxxxxxxxxx>
Subject: Re: About F19 Firewall
1) Separate zones.
NM connections, interfaces and source addresses or ranges can be bound
to zones. The initial default zone is public and all connections will be
bound to this zone. The user or administrator can bind connections to
other zones by either doing this in the NM connection editor or within
the ifcfg file.



    Yeah, Mateusz explained that earlier.  I don't use NM either.
You can use ZONE=<zone> in the ifcfg file of the interface to set the zone also if they are not managed by NM. 
If it is missing or unset, the default zone will be used.




2) Make sure that a newly added rule will have the desired effect.

If you are mixing deny and allow rules, you can not say which effect it
will have. Either there are unwanted accepts or rejects or drops. A
simple and straight forward solution is to have separate chains for deny
and allow rules. The same applies also for logging rules.



    iptables(8) takes action(jumps to target) at the first rule that matches or continues further till it finds a match and falls back to the chain policy if no rule is matched. From the manual:

---TARGETS

        A  firewall  rule specifies criteria for a packet and a target.  If the
        packet does not match, the next rule in the chain is the  examined;  if
        it does match, then the next rule is specified by the value of the tar‐
        get, which can be the name of a user-defined chain or one of  the  spe‐
        cial values ACCEPT, DROP, QUEUE or RETURN.
        ...
        If the end of a built-in chain is reached or  a  rule
        in a built-in chain with target RETURN is matched, the target specified
        by the chain policy determines the fate of the packet.
---
You have to make sure where you are adding new rules. Here is a simple example where you want to drop everything from 192.168.1.18: 

If you do it wrong if could end up like this (output of iptables -S):

-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.1.18 -j DROP
-A INPUT -j REJECT
All from 192.168.1.0/24 is accepted, the following rule does not have any effect. It is not used at all. But it you add the rule to be the first, you will drop packets from 192.168.1.18 and will accept all the others from 192.168.1.0/24. 




You do not need to change it, but you can if you want to. If for example
you are using wifi connections at home, work, .. you can bind these to
the (for you) appropriate zone. For example work for your work wifi
connection. It will be used only if you are connecting to your work wifi
connection (it is bound to the SSID).

The default zone (initially public) is used for all connections and
interfaces where the zone has not been set to another value.

You can customize the zones and services according to your needs.



    Yes, I understand the functionality, but I doubt if it'll be used at all. It's not desktop background that people would want to change everyday.


firewalld is not a desktop firewall in the first place.



---
Regards
    -Prasad
http://feedmug.com



Regards,
Thomas
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux