RE: Is the current firewall model static?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
From: Andrew Beverley [mailto:andy@xxxxxxxxxxx]
Sent: dinsdag 20 december 2011 11:11
> On Tue, 2011-12-20 at 10:25 +0100, Hansa wrote:
> > Hi there,
> >
> > Fedora is running a project called firewalld. Firewalld manages the
> firewall
> > dynamically via D-BUS
> > (http://fedoraproject.org/wiki/FirewallD/#Why_A_Firewall_Daemon).
> They say:
> > "the current firewall model is static and **every** change requires a
> > complete firewall restart. This includes also to unload the firewall
> > netfilter kernel modules and to load the modules that are needed for
> the new
> > configuration."
> >
> > I would be very surprised if their claim is true. Because that would
> break
> > statefull connections when changing the rules. I'm not familiar with
> the
> > code so I can't comment on that. Hence my question. Is the current
> firewall
> > model static?
> 
> I think that what they mean is that the current *Fedora* firewall model
> is static. It looks like firewalld still uses iptables, but is slightly
> more intelligent as to how it processes changes to rules and so on.

I wasn't aware the firewall model is implemented differently across different Linux flavors. I thought netfilter implements a packet filtering framework into the Linux kernel. Shouldn't it work the work the same on every Linux flavor? I did the following test.

Ssh on port 22 into a Linux box with following filter rules
# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Remove line 3, so new ssh connections are rejected. The current ssh session however should be working because of rule number 1.

# iptables -D INPUT 3
# echo "yup it does"
yup it does

Seems pretty much dynamic to me :)
Am I missing something?

-Hansa

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux