Firewalld Prepares For Its Major 1.0 Release For Linux Firewall Management


  • #1
    Phoronix: Firewalld Prepares For Its Major 1.0 Release For Linux Firewall Management

    The Firewalld firewall management tool for Linux that is built around Netfilter/Nftables is preparing for its long awaited 1.0 release...

    https://www.phoronix.com/scan.php?pa...lld-1.0-Coming

  • #2
    > deprecating the direct interface
    Firewalld UI is so odd and complicated. Seems like there is no way to express what's needed. Direct rules were a saving grace, working around all these limitations. Seems like it is time to look for a different way to manage firewall rules.



    • #3
      This is cool. Shame about deprecating the direct interface, though I never needed it personally.

      I ended up switching from ufw to firewalld a few years ago. Firewalld supports integration with NetworkManager to have different profiles depending on which WiFi network you are connected to, which was a feature I needed. The command line interface for firewalld is confusing but thankfully the GUI works just fine for my basic needs on a laptop. On anything headless I keep using ufw.



      • #4
        Never heard of it, I'm still using aif... Users of firewalld: any particular reason for switching?

        Edit: it seems aif is still more featureful and flexible
        Last edited by halo9en; 29 June 2021, 09:32 AM.



        • #5
          iptables is great, but not so friendly for end-users; it's more for network pros.
          Canonical made "ufw" which is great, but it's too bad they have not touched it in years. It would be nice if it could check status without sudo.
          Perhaps notably absent from GNOME is any GUI for a firewall.

          With iptables you can configure ports and IP addresses, but you cannot configure which applications to allow. It is a packet firewall, not an application firewall. It would be good if the Linux desktop had some application firewall too that is easy like Windows 10.



          • #6
            Originally posted by uid313:
            > It would be good if the Linux desktop had some application firewall too that is easy like Windows 10.
            https://github.com/evilsocket/opensnitch



            • #7
              Originally posted by uid313:
              > With iptables you can configure ports and IP addresses, but you cannot configure which applications to allow. It is a packet firewall, not an application firewall. It would be good if the Linux desktop had some application firewall too that is easy like Windows 10.
              As was already written:

              > I want to make firewall rules based on which program initiates a connection (or accepts one).
              > I know we're on linux with open source programs, but why trust them to connect to the Internet if they don't need it?

              Years ago, I saw a program on Windows that, although the easily-configurable-per-program firewall "would not let it connect to the internet", launched Internet Explorer with a particular URL, effectively sending data...



              • #8
                Originally posted by bitman:
                > Firewalld UI is so odd and complicated. Seems like there is no way to express what's needed. Direct rules were a saving grace, working around all these limitations. Seems like it is time to look for a different way to manage firewall rules.
                Originally posted by Vorpal:
                > This is cool. Shame about deprecating the direct interface, though I never needed it personally.
                I believe this is simply because they are looking to get rid of iptables — because the direct interface still uses iptables format, it was never updated for nftables.

                Yes, it's a shame, but once you give a way to bypass your abstraction and directly manipulate the underlying technology, you lose any ability to actually switch to a different technology, which is unsustainable in the long term.



                • #9
                  Originally posted by intelfx:
                  > I believe this is simply because they are looking to get rid of iptables — because the direct interface still uses iptables format, it was never updated for nftables.
                  >
                  > Yes, it's a shame, but once you give a way to bypass your abstraction and directly manipulate the underlying technology, you lose any ability to actually switch to a different technology, which is unsustainable in the long term.
                  This is because with iptables, you write rules to implement an abstract policy. But with nftables there really is no concept of rules per se; rather it ingests policy directly and implements it, so policy is no longer just an abstract idea but is actually codified.

                  This is a good thing. The part that sucks about iptables is that the ordering of rules matters. So if you have multiple management apps all trying to manage the firewall policy without good introspection into each other, plus a user inserting rules they copy-pasted from stackoverflow, you can end up with really broken policy implementations.



                  • #10
                    Originally posted by FishB8:
                    > This is because with iptables, you write rules to implement an abstract policy. But with nftables there really is no concept of rules per se; rather it ingests policy directly and implements it, so policy is no longer just an abstract idea but is actually codified.
                    Are you talking about the in-kernel nftables bytecode concept? I'm not seeing how that's relevant. From the end-user perspective, you're still very much writing rules (and firewalld is also just writing rules; I believe they don't deal with bytecode directly).

                    > This is a good thing. The part that sucks about iptables is that the ordering of rules matters. So if you have multiple management apps all trying to manage the firewall policy without good introspection into each other, plus a user inserting rules they copy-pasted from stackoverflow, you can end up with really broken policy implementations.
                    True. Firewalld is trying to be smart about it, though — by using nftables' hooks concept, it creates its own tables (not just chains), hooks them into default hooks and gives them lower priority, so that all other tools still see clean empty tables (whether they are using nft directly or the iptables-nft layer).

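The coexistence mechanism described in #10 (a management tool owning its own nftables table, hooked into the standard hooks at a later priority so that other tools' tables stay untouched) can be shown in a small nft ruleset. The following is an added illustration for this thread, not firewalld's actual ruleset: the table and chain names, the `+ 10` offset and the sample ports are assumptions chosen for the demonstration. Note that "lower priority" in the nftables sense is a numerically higher priority value, which the kernel evaluates later on the same hook.

```nft
#!/usr/sbin/nft -f
# Added illustration (not firewalld's own ruleset). Two independent tables
# share the same "input" hook; names, priorities and ports are assumptions.

# A table owned by some other tool, or by an admin pasting rules by hand.
# It sits at the standard "filter" priority (numeric 0). Nothing below
# touches it, so "nft list table inet other_tool" shows only these rules.
table inet other_tool {
    chain input {
        type filter hook input priority filter; policy accept;
        # constructed sample rule: this tool only cares about one port
        tcp dport 8080 accept
    }
}

# A table in the style of a management tool such as firewalld. It owns a
# separate table and hooks in at "filter + 10", so its base chain runs
# after the chain above on every incoming packet. An "accept" in the
# earlier table does not end evaluation; only "drop" is final across
# base chains, so this policy is still enforced on port 8080 traffic.
table inet mgmt_tool {
    chain filter_input {
        type filter hook input priority filter + 10; policy accept;
        ct state established,related accept
        iifname "lo" accept
        ct state invalid drop
        # constructed sample policy: only SSH and HTTPS reach this host
        tcp dport { 22, 443 } accept
        reject with icmpx type admin-prohibited
    }
}
```

Load it with `nft -f <file>` (root required) or syntax-check it without touching the kernel with `nft -c -f <file>`; `nft list table inet other_tool` then shows the first table exactly as its owner wrote it, and `nft list ruleset` shows both. The security-relevant consequence of the priority ordering is visible in the example: port 8080 is accepted by the earlier table yet still rejected by the later one, because an `accept` verdict only terminates the current base chain, whereas a `drop` in the earlier table would end processing before the management tool's chain ever saw the packet.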
