Firewalld 1.3 Released With Easier Firewall Management For More Services

  • #11
    Being used to the ease of use of Windows firewalls like GlassWire and SimpleWall, I think all Linux firewalls suck and suck big time, all except OpenSnitch:
    OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch. - evilsocket/opensnitch

    Too bad that the Xanmod kernel developers refuse to make their kernel compatible with its advanced monitoring function.



    • #12
      I still use "plain" iptables in a firewall. It is a rather complex setup and there is no migration tool known to me that will do the conversion to firewalld.
      Additionally, at least to my knowledge, firewalld also doesn't support nice things like "rule shadowing" so what is the benefit? The syntax? That is something you get used to eventually anyway.



      • #13
        Originally posted by johncall View Post

        Do you configure raw nftables commands
        Yes, or script them.

        Originally posted by johncall View Post
        could firewalld help you do that?
        No; last I checked the wrapper apps (firewalld, ufw) offer simple interfaces that do not implement all the features of nftables, or even list the current ruleset.



        • #14
          Originally posted by partcyborg View Post

          This is one area where the modern BSDs are way ahead of linux. OpenBSD's pf (FreeBSD uses it too now) is way better than iptables all around.
          How about nftables?



          • #15
            Originally posted by partcyborg View Post

            This is one area where the modern BSDs are way ahead of linux. OpenBSD's pf (FreeBSD uses it too now) is way better than iptables all around.
            There is apparently a bit of history behind pf which I think was described in "The Book of PF" Peter Hansteen No Starch Press 2014. If I recall correctly the original obsd firewall was ipfilter (ipf) that had a license to which Theo objected. Pf was developed by the obsd team to replace ipf (quite quickly too I think.)

            I have heard that there have been attempts to port pf to Linux but I suspect the profound differences between the bsd and linux networking make porting extremely difficult.



            • #16
              Originally posted by Britoid View Post

              I'd be very in favour of systemd coming with a firewall...

              firewalld is written in python and it's very easy to mess up a python install, imho it's not sensible to have such an important piece of software written in it.
              Oh boy do I have bad news for you. Don't ever look into what backends are used in enterprise. The cybersecurity space is filled with python devs.



              • #17
                But does it have a GTK4 user interface to control it?
                Can it do application-based filtering? So that I can only whitelist Firefox.



                • #18
                  There's a lot to respect in the plain barebones utility of iptables but it's always seemed like a relic. Its syntax and usability are pretty poor when compared with even decades-old options (like Cisco ACLs) and it's missing rather useful features:
                  • Filtering based on binary path
                  • Filtering based on encryption state (whether by DPI or enforcement of IPSec tunnels)
                  • filtering based on UID
                  These don't come up super often but I've certainly used them in Windows before. It can be useful when testing an application to block its outbound communications, or to enforce encryption à la Windows "Connection Security" automatic tunneling.

                  Imagine if you could trivially create a rule that said "if traffic would be sent to host B, dynamically create a tunnel and send the traffic over that interface or else block the traffic". The utility of this is diminishing with the proliferation of LetsEncrypt / HTTPS everywhere but there are still protocols like NFS / iSCSI / SMB / SNMP / 9100 printing floating around that could do with a little security.



                  • #19
                    Originally posted by uid313 View Post
                    Can it do application-based filtering? So that I can only whitelist Firefox.
                    AFAIK, for application based filtering, you have the following options:
                    - Use eBPF to install rules to achieve this
                    - Install firejail and set up per-executable sandboxing
                    - Run apps inside containers, e.g. flatpak, snapd, docker
                    - Use a distro such as Qubes OS, which provides out-of-the-box sandboxing support so that you can run every app sandboxed in a VM created from a template, and even the network stack, USB stack and storage stack are run inside a Xen VM.
                    Last edited by NobodyXu; 06 January 2023, 08:20 AM.



                    • #20
                      Does firewalld also support outgoing connection filtering? Quite pointless to only filter incoming connections.

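Several posts above circle the same questions: whether firewalld filters outbound traffic (#20), whether Linux can filter per user (#18) or per application (#17, #19), and what raw nftables gives you that the wrappers do not (#13). The ruleset below is an added example written for this page; it is not code from the thread, from firewalld, or from the nftables project. It answers all four with plain nft: an output-hook chain with a drop policy for egress, `meta skuid` for per-user rules (the counterpart of the iptables owner match), and `socket cgroupv2` for a per-application rule, which works because each process lives in a cgroup and a socket inherits its creator's cgroup. The UID (1000), resolver address (10.0.0.53) and the cgroup path for Firefox are constructed assumptions; the cgroup path is what `systemd-run --user --unit=firefox firefox` produces on a stock systemd user session, and you should confirm yours with `cat /proc/<pid>/cgroup` before relying on it. Cgroup v2 socket matching needs a kernel and nftables from roughly 2021 onward.

```nft
#!/usr/sbin/nft -f
# Added example, not from this thread or from the firewalld/nftables projects:
# an egress-only ruleset for a single desktop host.
# Constructed assumptions:
#   - the desktop user is UID 1000
#   - the local DNS resolver is 10.0.0.53
#   - Firefox is started in its own cgroup with
#       systemd-run --user --unit=firefox firefox
#     which lands it in
#       user.slice/user-1000.slice/user@1000.service/app.slice/firefox.service
#     (verify: cat /proc/$(pidof firefox | cut -d' ' -f1)/cgroup)

# Declare-then-delete makes the script reloadable without a global
# 'flush ruleset', so tables owned by firewalld or other tools are untouched.
table inet egress
delete table inet egress

table inet egress {
    chain output {
        # The output hook only sees locally generated traffic; forwarded
        # traffic would need its own chain on the forward hook.
        type filter hook output priority filter; policy drop;

        # Loopback, and replies belonging to flows already allowed below.
        oifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Every process may resolve names, but only through the local resolver.
        ip daddr 10.0.0.53 udp dport 53 accept
        ip daddr 10.0.0.53 tcp dport 53 accept

        # Per-application rule (cgroup v2): only the Firefox cgroup gets HTTPS.
        # 'level 5' is the number of path components that must match.
        socket cgroupv2 level 5 "user.slice/user-1000.slice/user@1000.service/app.slice/firefox.service" tcp dport 443 counter accept

        # Per-user rules: root may fetch package updates and sync time,
        # the desktop user may only open SSH outside the browser cgroup.
        meta skuid 0 tcp dport { 80, 443 } accept
        meta skuid 0 udp dport 123 accept
        meta skuid 1000 tcp dport 22 accept

        # Everything else is logged (rate limited) and dropped.
        limit rate 5/second log prefix "egress-drop: " level info
        counter drop
    }
}
```

Check it with `nft -c -f egress.nft`, load it with `nft -f egress.nft`, and inspect the live table with `nft list table inet egress`, which is exactly the ruleset listing #13 misses in the wrappers. To test the per-application rule, `curl https://example.org` run as UID 1000 from a normal shell should be dropped (and show up in the log with the `egress-drop:` prefix) while the same page loads in a Firefox started through `systemd-run`. For the narrower question in #20, firewalld since 0.9 does filter host-originated traffic through a policy whose ingress zone is HOST and egress zone is ANY (`firewall-cmd --permanent --new-policy egress`, then `--policy egress --add-ingress-zone HOST`, `--add-egress-zone ANY`, `--set-target REJECT`, plus `--add-service` for what you allow), but it exposes no UID or cgroup match, so the per-user and per-application rules above need raw nft.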
