Dan Walsh's Blog

Got SELinux?
Fedora 17 New Security Feature part X - Firewalld
danwalsh

FirewallD is a service daemon with a D-BUS interface that provides a dynamically managed firewall.

It will be the default firewall in Fedora 18, but will be available to run in Fedora 17.

NOTE:  I was informed that this feature was supposed to be default in Fedora 17, but it has been decided to wait until Fedora 18.

The problem with the previous firewall model was that it was static: any time you made a change you basically had to reload the whole set of firewall rules, and this would break established connections.  This is a real problem for virtualization (libvirt), since you might be changing your firewall often as you bring virtual machines up and down.  FirewallD provides a daemon that applications can talk to over DBUS to request modifications to the firewall rules.

Another nice feature would be letting a user's firewall rules depend on the wireless network to which they connect.  For example, NetworkManager could ask whether a new network is the Home Network, Work Network or Public Network.  Firewall rules might then allow Avahi to connect when you are on a Home or Work network but not on a Public Network.

In the future I would like to make FirewallD an SELinux Userspace Manager.  This would allow a policy writer to control which applications are able to manipulate firewall rules pertaining to which ports.  Something like

allow cupsd_t cups_port_t:tcp_firewall { open close };


It's been deferred to f18.

https://fedorahosted.org/fesco/ticket/838
