Dan Walsh's Blog

Got SELinux?

Fedora 17 New Security Feature part X - Firewalld

FirewallD is a service daemon with a D-BUS interface that provides a dynamic managed firewall.

It will be the default firewall in Fedora 18, but will be available to run in Fedora 17.

NOTE: I was informed that this feature was supposed to be default in Fedora 17, but it has been decided to wait until Fedora 18.

The problem with the previous firewall model was that it was static: any change required reloading the full set of firewall rules, which broke established connections. This is a real problem for virtualization (libvirt), since the firewall may change often as virtual machines are brought up and down. FirewallD provides a daemon that applications can talk to over D-Bus to request modifications to the firewall rules.

Another nice feature would be rules that change the firewall configuration depending on the network to which the user connects. For example, NetworkManager could ask whether a newly joined network is the Home Network, Work Network or Public Network. Firewall rules might then allow Avahi to connect on a Home or Work network but not on a Public network.
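To make the "dynamic" point concrete, here is an added example (not code from the post or from the firewalld project) that opens and closes a port for a guest through firewalld's D-Bus interface instead of reloading the rule set. It assumes the bus name org.fedoraproject.FirewallD1, the object path /org/fedoraproject/FirewallD1 and the zone interface's addPort/removePort/queryPort methods as found in current firewalld (the 2012-era API may differ), and the zone name "libvirt" is an assumption. The proxy is injected so the logic can be exercised offline with a constructed stand-in.

```python
"""Dynamic port changes through firewalld's D-Bus API (added example).

Assumptions: bus name, object path, interface and method names below follow
current firewalld; nothing here is the project's own code.
"""


def connect_zone_interface():
    """Return the live org.fedoraproject.FirewallD1.zone interface.

    Needs dbus-python and a running firewalld; imported lazily so the rest of
    the module works without either.
    """
    import dbus
    bus = dbus.SystemBus()
    obj = bus.get_object("org.fedoraproject.FirewallD1",
                         "/org/fedoraproject/FirewallD1")
    return dbus.Interface(obj, "org.fedoraproject.FirewallD1.zone")


class DynamicPorts:
    """Open and close ports in one zone at runtime, without a rule reload."""

    def __init__(self, zone_iface, zone):
        self.iface = zone_iface
        self.zone = zone

    def open(self, port, proto="tcp", timeout=0):
        # timeout=0 means "until removed"; a positive value lets the daemon
        # expire the rule itself, which suits short-lived guests.
        if self.iface.queryPort(self.zone, str(port), proto):
            return False  # already open: nothing to change, nothing reloaded
        self.iface.addPort(self.zone, str(port), proto, timeout)
        return True

    def close(self, port, proto="tcp"):
        if not self.iface.queryPort(self.zone, str(port), proto):
            return False
        self.iface.removePort(self.zone, str(port), proto)
        return True

    def is_open(self, port, proto="tcp"):
        return bool(self.iface.queryPort(self.zone, str(port), proto))


class FakeZoneInterface:
    """Constructed stand-in for the D-Bus zone interface (offline runs/tests).

    Records every call so a caller can see that each change is incremental:
    established connections are never touched by a full reload.
    """

    def __init__(self):
        self.ports = set()
        self.calls = []

    def queryPort(self, zone, port, proto):
        return (zone, port, proto) in self.ports

    def addPort(self, zone, port, proto, timeout):
        self.calls.append(("addPort", zone, port, proto, timeout))
        self.ports.add((zone, port, proto))
        return zone

    def removePort(self, zone, port, proto):
        self.calls.append(("removePort", zone, port, proto))
        self.ports.discard((zone, port, proto))
        return zone


def vm_lifecycle_demo(iface=None):
    """Bring a guest's VNC port up and down in the (assumed) 'libvirt' zone.

    Returns the sequence of D-Bus calls that were needed.
    """
    iface = iface or FakeZoneInterface()
    ports = DynamicPorts(iface, "libvirt")
    ports.open(5900)   # guest starts
    ports.open(5900)   # idempotent: no second addPort
    ports.close(5900)  # guest stops
    return iface.calls


if __name__ == "__main__":
    for call in vm_lifecycle_demo():
        print(call)
```

Against a real system, `DynamicPorts(connect_zone_interface(), "libvirt")` drives the daemon; the two D-Bus calls returned by `vm_lifecycle_demo` are the whole cost of a guest's lifetime, where the static model would have reloaded every rule twice.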

In the future I would like to make FirewallD an SELinux userspace object manager. This would allow a policy writer to control which applications are able to manipulate firewall rules pertaining to which ports. Something like:

allow cupsd_t cups_port_t:tcp_firewall { open close };
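The following added example (not code from the post, SELinux or firewalld) shows what such a check would look like inside FirewallD: it parses allow rules in the syntax above and decides, AVC-style, whether a requesting domain may open or close a given port. The object class `tcp_firewall`, its permissions and the AVC-style log line are hypothetical, and the port-to-type table is constructed (cups_port_t for 631/tcp matches how SELinux labels that port, but a real manager would ask libselinux rather than a static table).

```python
"""Allow-rule evaluator for a hypothetical FirewallD object manager (added example)."""

import re

# allow <source> <target>:<class> { perm perm } ;   or   allow a b:c perm;
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;")

# Constructed port labelling table; real policy labels 631/tcp as cups_port_t,
# 80/tcp as http_port_t and 5900/tcp as vnc_port_t.
PORT_TYPES = {
    ("tcp", 631): "cups_port_t",
    ("tcp", 80): "http_port_t",
    ("tcp", 5900): "vnc_port_t",
}


def parse_rules(text):
    """Map (source, target, class) to the set of granted permissions."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        perm_set = set(perms.strip("{}").split())
        rules.setdefault((src, tgt, cls), set()).update(perm_set)
    return rules


def port_type(proto, port):
    """Type of the port object; unlabelled ports fall back to the generic port_t."""
    return PORT_TYPES.get((proto, port), "port_t")


def check(rules, domain, proto, port, perm):
    """True iff an allow rule grants `perm` to `domain` on this port's type.

    Default deny: no matching rule means the request is refused.
    """
    key = (domain, port_type(proto, port), "tcp_firewall")
    return perm in rules.get(key, set())


# The rule from the post plus one constructed rule for contrast.
POLICY = """
allow cupsd_t cups_port_t:tcp_firewall { open close };
allow httpd_t http_port_t:tcp_firewall { open };
"""
RULES = parse_rules(POLICY)


def audit_line(domain, proto, port, perm):
    """AVC-style record (format is hypothetical) the manager would log per request."""
    verdict = "granted" if check(RULES, domain, proto, port, perm) else "denied"
    return (f"avc: {verdict} {{ {perm} }} scontext={domain} "
            f"tcontext={port_type(proto, port)} tclass=tcp_firewall "
            f"port={port}/{proto}")


if __name__ == "__main__":
    print(audit_line("cupsd_t", "tcp", 631, "open"))   # granted
    print(audit_line("httpd_t", "tcp", 80, "close"))   # denied: only open granted
    print(audit_line("cupsd_t", "tcp", 80, "open"))    # denied: wrong port type
```

The value of the design is visible in the denials: cupsd can manage only the ports labelled for it, and a compromised httpd cannot close or reopen anything beyond what its rule names, with every decision logged for the SELinux audit trail.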



2012-04-30 07:31 am (UTC)

When I close the port I don't want a busted rpm pre or post opening it behind my back every time I patch. An option would be "open if not explicitly closed" (and my first firewalld policy rule will be to explicitly close all).

Re: nooooooooooooooooooooooo


2012-04-30 05:20 pm (UTC)

Could you open a bug report with this idea?

I.e., have setsebool/semanage modify a boolean, iff the user has not customized it.
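As an added example (not from the post, firewalld or any package scriptlet), the two ideas in this thread, "open if not explicitly closed" and "apply a default iff the user has not customized it", can be expressed as a small decision function over a constructed in-memory store of per-port choices. The store, its field names and the default-open fallback are assumptions; a real implementation would persist the user's choices alongside firewalld's configuration.

```python
"""Package defaults that never override an explicit user choice (added example)."""


def new_store():
    # "ports": port -> {"state": "open"|"closed", "by_user": bool}
    # "close_all": the user's explicit "close everything" rule
    return {"ports": {}, "close_all": False}


def user_set(store, port, state):
    """Record an explicit user choice for one port; state is 'open' or 'closed'."""
    assert state in ("open", "closed")
    store["ports"][port] = {"state": state, "by_user": True}


def user_close_all(store):
    """The 'explicitly close all' rule: anything the user did not open is closed."""
    store["close_all"] = True


def package_request(store, port, state):
    """A package scriptlet asks for a default state for a port.

    Applied only when the user has not customized that port, and never opens
    a port under a user-imposed close-all. Returns True if the request took
    effect, so the scriptlet can log that it was overridden.
    """
    assert state in ("open", "closed")
    entry = store["ports"].get(port)
    if entry and entry["by_user"]:
        return False  # user choice wins, whatever the package wants
    if store["close_all"] and state == "open":
        return False  # close-all is an explicit choice covering every port
    store["ports"][port] = {"state": state, "by_user": False}
    return True


def effective_state(store, port):
    """Resolve a port: explicit entry, else the close-all rule, else the default."""
    entry = store["ports"].get(port)
    if entry:
        return entry["state"]
    return "closed" if store["close_all"] else "open"


if __name__ == "__main__":
    s = new_store()
    user_set(s, 631, "closed")
    print(package_request(s, 631, "open"))  # False: the user closed it
    print(effective_state(s, 631))          # closed
```

A package update that calls `package_request` on every install can therefore be re-run safely: the first user customization of a port, or a single close-all, makes later requests for that port no-ops.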
