On Wed, 2011-12-21 at 10:18 +0100, Hansa wrote:
> > I think that what they mean is that the current *Fedora* firewall model
> > is static. It looks like firewalld still uses iptables, but is slightly
> > more intelligent as to how it processes changes to rules and so on.
>
> I wasn't aware the firewall model is implemented differently across
> different Linux flavors. I thought netfilter implements a packet
> filtering framework into the Linux kernel. Shouldn't it work the same
> on every Linux flavor?

Once the iptables binary has been called and the rules have been set, then
yes, it's the same across any flavour of Linux (I guess). I meant that the
distro's implementation of how the rules are managed is different. There
are loads of different ways. A quick search on an Ubuntu system reveals the
following. I'm guessing that all of these use iptables, but some are better
than others at changing rules "on the fly".

ufw - program for managing a Netfilter firewall
apf-firewall - easy iptables based firewall system
dtc-xen-firewall - A small firewall script for your dom0
ebox-firewall - eBox - Firewall
ferm - maintain and setup complicated firewall rules
fiaif - An easy to use, yet complex firewall
filtergen - packet filter generator for various firewall systems
firehol - An easy to use but powerful iptables stateful firewall
firestarter - gtk program for managing and observing your firewall
guarddog - firewall configuration utility for KDE
ipkungfu - iptables-based Linux firewall
kmyfirewall - iptables based firewall configuration tool for KDE
mason - Interactively creates a Linux packet filtering firewall
pyroman - Very fast firewall configuration tool
uif - Advanced iptables-firewall script
uruk - Very small firewall script, for configuring iptables

> I did the following test.
>
> Ssh on port 22 into a Linux box with following filter rules
> # iptables -L -n --line-numbers
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 4 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Remove line 3, so new ssh connections are rejected. The current ssh
> session however should be working because of rule number 1.
>
> # iptables -D INPUT 3
> # echo "yup it does"
> yup it does
>
> Seems pretty much dynamic to me :)

With any of the above wrappers, you'll always be able to add and remove
rules directly using iptables commands.

Andy
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
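An added example, not from the thread or from either poster: a small Python helper that parses the `iptables -L -n --line-numbers` listing quoted above and, before building the `iptables -D` command, confirms that the RELATED,ESTABLISHED accept sits ahead of the catch-all REJECT, which is the reason the already-open ssh session survives the deletion in Hansa's test. The function names and the sample listing are constructed for this example.

```python
"""Parse `iptables -L -n --line-numbers` output and decide whether deleting the
`state NEW tcp dpt:22` rule can cut the live ssh session (constructed example)."""

# Constructed sample in the format shown in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

def parse_chain(listing, chain="INPUT"):
    """Return [(num, target, proto, match_text)] for the rules of one chain."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.startswith("num"):
            continue
        f = line.split(None, 6)  # num target prot opt source dest [match text]
        rules.append((int(f[0]), f[1], f[2], f[6] if len(f) > 6 else ""))
    return rules

def first_match(rules, pred):
    """Rule number of the first rule satisfying pred(target, proto, match_text)."""
    return next((num for num, *rest in rules if pred(*rest)), None)

def check_ruleset(listing, port=22, chain="INPUT"):
    """Locate the rules the test relies on. The delete is safe for the open session
    only if the RELATED,ESTABLISHED accept precedes the first REJECT/DROP, so the
    session's packets are accepted before they can reach the catch-all."""
    rules = parse_chain(listing, chain)
    est = first_match(rules, lambda t, p, x: t == "ACCEPT" and "RELATED,ESTABLISHED" in x)
    new = first_match(rules, lambda t, p, x: t == "ACCEPT" and p == "tcp"
                      and "state NEW" in x and f"dpt:{port}" in x)
    rej = first_match(rules, lambda t, p, x: t in ("REJECT", "DROP"))
    safe = est is not None and (rej is None or est < rej)
    return {"established": est, "new_ssh": new, "first_reject": rej, "safe": safe}

def delete_command(listing, port=22, chain="INPUT"):
    """`iptables -D` line for the NEW-ssh rule, or None if it is absent or unsafe."""
    info = check_ruleset(listing, port, chain)
    if info["new_ssh"] is None or not info["safe"]:
        return None
    return f"iptables -D {chain} {info['new_ssh']}"
```

Rule numbers shift after every deletion, so re-list and re-check before each further delete; note also that `-L` without `-v` does not display interface matches, so a rule like number 2 may carry a condition this listing does not show.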