Firewalld 1.3 Released With Easier Firewall Management For More Services


  • ll1025 replied:
    Originally posted by partcyborg:

    It is you who have no clue what you are talking about: https://www.uv.es/cuan/vyos_bsdrp/
    I'm not really clear why I'm on this thread or getting updates, but that's a pretty weak link.

    No hardware, no kernel version, no details on the rules or the cmdline used to generate packets, and the author states at the top "This is a basic benchmark that is not close to the real world."

    Beyond that, the entire result seems to be due to drivers, as per the author: "That seems to be a mellanox driver queue balancing because it only uses 12 cores at 100% and the other cores are idle".

    In other words, the entire test seems to be due to driver / kernel differences, rather than anything to do with the merits of the packet filter. Treating this as anything more than an interesting anecdote is incredibly disingenuous.



  • partcyborg replied:
    Originally posted by npwx:

    I'm not sure what "all around" is referring to. Performance-wise, they are not even in the same universe; nftables beats the shit out of any *BSD packet filter even without using features such as hardware offloading. On top of that it scales almost linearly with the number of cores. Syntax is a matter of taste obviously, but nftables uses a well-defined grammar, uses keywords as defined in the various RFCs to refer to header fields and is actually very easy to read.

    So I don't think you have any clue what you're talking about.
    It is you who have no clue what you are talking about: https://www.uv.es/cuan/vyos_bsdrp/



  • npwx replied:
    Originally posted by partcyborg:

    This is one area where the modern BSDs are way ahead of linux. OpenBSD's pf (FreeBSD uses it too now) is way better than iptables all around.
    I'm not sure what "all around" is referring to. Performance-wise, they are not even in the same universe; nftables beats the shit out of any *BSD packet filter even without using features such as hardware offloading. On top of that it scales almost linearly with the number of cores. Syntax is a matter of taste obviously, but nftables uses a well-defined grammar, uses keywords as defined in the various RFCs to refer to header fields and is actually very easy to read.

    So I don't think you have any clue what you're talking about.



  • Nth_man replied:
    Years ago, I saw a program in Windows that, although the easily configurable per-program firewall "would not let it connect to the internet", launched Internet Explorer with a crafted URL, effectively sending data...
    Last edited by Nth_man; 08 January 2023, 05:02 AM.



  • veikok replied:
    Does firewalld also support outgoing connection filtering? Quite pointless to only filter incoming connections.



  • NobodyXu replied:
    Originally posted by uid313:
    Can it do application-based filtering? So that I can only whitelist Firefox.
    AFAIK, for application-based filtering, you have the following options:
    - Use eBPF to install rules to achieve this
    - Install firejail and set up per-executable sandboxing
    - Run apps inside containers, e.g. Flatpak, snapd, Docker
    - Use a distro such as Qubes OS, which provides out-of-the-box sandboxing support so that you can run every app sandboxed in a VM created from a template, and even the network stack, USB stack and storage stack are run inside a Xen VM.
    Last edited by NobodyXu; 06 January 2023, 08:20 AM.



  • ll1025 replied:
    There's a lot to respect in the plain barebones utility of iptables, but it's always seemed like a relic. Its syntax and usability are pretty poor when compared with even decades-old options (like Cisco ACLs) and it's missing rather useful features:
    • Filtering based on binary path
    • Filtering based on encryption state (whether by DPI or enforcement of IPsec tunnels)
    • Filtering based on UID
    These don't come up super often, but I've certainly used them in Windows before. It can be useful when testing an application to block its outbound communications, or to enforce encryption à la Windows "Connection Security" automatic tunneling.

    Imagine if you could trivially create a rule that said "if traffic would be sent to host B, dynamically create a tunnel and send the traffic over that interface, or else block the traffic". The utility of this is diminishing with the proliferation of Let's Encrypt / HTTPS everywhere, but there are still protocols like NFS / iSCSI / SMB / SNMP / 9100 printing floating around that could do with a little security.



  • uid313 replied:
    But does it have a GTK4 user interface to control it?
    Can it do application-based filtering? So that I can only whitelist Firefox.



  • ll1025 replied:
    Originally posted by Britoid:

    I'd be very in favour of systemd coming with a firewall...

    firewalld is written in Python and it's very easy to mess up a Python install; imho it's not sensible to have such an important piece of software written in it.
    Oh boy, do I have bad news for you. Don't ever look into what backends are used in enterprise. The cybersecurity space is filled with Python devs.



  • toves replied:
    Originally posted by partcyborg:

    This is one area where the modern BSDs are way ahead of linux. OpenBSD's pf (FreeBSD uses it too now) is way better than iptables all around.
    There is apparently a bit of history behind pf, which I think was described in "The Book of PF" (Peter Hansteen, No Starch Press, 2014). If I recall correctly, the original obsd firewall was ipfilter (ipf), which had a license to which Theo objected. pf was developed by the obsd team to replace ipf (quite quickly too, I think).

    I have heard that there have been attempts to port pf to Linux, but I suspect the profound differences between the BSD and Linux networking stacks make porting extremely difficult.
