
#1 2013-08-18 23:56:38

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Understanding firewall differences

I have moderate understanding of ipfw, some understanding of iptables and a vague confusion about firewalld.

On Linux, I've been using basically the "simple stateful firewall" on both Arch and Fedora. However, Fedora now uses firewalld by default so I tried to find out about it here. However, I must say that I'm now more confused than ever. The idea seems to be that firewalld, unlike iptables, is (1) dynamic, (2) supports? or is more? or...? stateful filtering, and (3) orders rules.

Clearly there's something I'm not understanding. iptables is stateful, like ipfw. Moreover, if you add the port scanning rules explained in the wiki, for example, my understanding was that the firewall then essentially created dynamic filtering in response to threats meeting the specified criteria. That is, why isn't iptables considered dynamic?

I guess since iptables, unlike ipfw, doesn't number rules there can be a problem with adding a rule out of order. Is that the advantage of firewalld? That is, is it just that you can add a rule "in the middle" without restarting the firewall?

[I'm assuming the zoning stuff is essentially just some sort of preset filtering options you can apply as required to save specifying the details for each case. Or am I overlooking the importance of this feature?]


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#2 2013-08-19 00:24:51

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Understanding firewall differences

cfr wrote:

iptables is stateful

Where did you read that? And more to the point, who cares?

cfr wrote:

doesn't number rules

What? Look at "man iptables":

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule
              number.   So,  if  the  rule  number is 1, the rule or rules are
              inserted at the head of the chain.  This is also the default  if
              no rule number is specified.

Edit: Firewalld creates an iptables script - as shown at the bottom of the wiki page.

Last edited by brebs (2013-08-19 00:28:10)


#3 2013-08-19 01:06:28

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Understanding firewall differences

brebs wrote:
cfr wrote:

iptables is stateful

Where did you read that? And more to the point, who cares?

Well the Arch wiki describes it as stateful - "simple stateful firewall". This is an advantage, as I understand it, because without it you cannot have rules which say "let traffic of type Y out on port X and let responses to those packets of type V back in on port W". So without it, you have to allow all traffic of a particular type on a particular port in - not just traffic which is coming in response to stuff you send out. This is why people configured ipfw manually in OS X - the GUI interface set up a non-stateful firewall with it. You could only use it to create a stateful firewall if you configured it at the command line (or with another GUI, I suppose).

cfr wrote:

doesn't number rules

What? Look at "man iptables":

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule
              number.   So,  if  the  rule  number is 1, the rule or rules are
              inserted at the head of the chain.  This is also the default  if
              no rule number is specified.

Then what problem is firewalld supposed to solve? I've actually never understood how to use this with iptables which is probably why I forgot about it. It doesn't show you the numbers so how are you meant to know which number to use to insert a rule between two existing rules? ipfw will show you the rule numbers and, by default, always gives rules numbers which are multiples of 10 so there is always room between rules and you can see which numbers will insert a rule where. Or does this only work in iptables if you specify a number when inserting the rule?

And iptables has manual pages which might as well be written in runes as far as I am concerned. ipfw's manual pages I understood significant chunks of - not the more esoteric bits but the basics. With iptables I basically followed the wiki to set something up but I cannot say that I understand it or that I have any confidence in it. It is also why I now have a more permissive ruleset - I have never managed to figure out how to reproduce my ipfw config.

I'm sure iptables has significant advantages - I just don't understand it well enough to appreciate or use them.

brebs wrote:

Edit: Firewalld creates an iptables script - as shown at the bottom of the wiki page.

I saw that but I still don't understand. If that is just iptables - I thought maybe firewalld was just using similar syntax - why are iptables commands not compatible with firewalld?

Last edited by cfr (2013-08-19 01:07:06)



#4 2013-08-19 01:42:23

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Understanding firewall differences

iptables is *the* firewall language, which is in the kernel.

"Stateful" is just a confusing word to use. A firewall *must* track connection states (e.g. iptables' RELATED & ESTABLISHED keywords) anyway.

Ubuntu's UFW, and Fedora's Firewalld, are attempts to make iptables usable for non-geeks.

I recommend to just learn iptables. Google for examples.

Most people would just tell iptables to reload an edited ruleset, rather than insert rules - because as you mention, keeping track of rule numbers is tedious.

Last edited by brebs (2013-08-19 01:44:28)


#5 2013-08-19 01:56:58

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Understanding firewall differences

OK. Thanks. I thought maybe Fedora had done something like Apple when they moved away from ipfw just because of all the talk of application-level stuff and zones. (I've never used Apple's firewall, though - just read about it. The last version of OS X I used just had ipfw which worked great.)

I think my failure to understand iptables is more basic. With ipfw I could look at the list of configured rules from ipfw show and I could trace what would happen to a packet entering the system. With iptables I can't do that for some reason - I don't really understand the basic concept and the rules all look as if they are in the wrong places (even though they are not). They still look like that no matter how many examples I look at.



#6 2013-08-19 02:31:16

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Understanding firewall differences

brebs wrote:

"Stateful" is just a confusing word to use. A firewall *must* track connection states (e.g. iptables' RELATED & ESTABLISHED keywords) anyway.

Not quite; saying that a firewall implementation is stateful means that the implementation itself is able to track each connection (as opposed to individual packets) and allow the relevant return traffic (aka ESTABLISHED) or RELATED (eg, FTP data connection is technically separate to the control channel connection).

If the implementation isn't stateful, then rules must be manually added to allow return traffic (or written loose enough that the state doesn't matter). For example, on your desktop machine, you would have to allow source port 80 in the INPUT chain to be able to browse the web.

brebs wrote:

I recommend to just learn iptables. Google for examples.

This. Once you understand iptables, then look at other helpers to assist you in managing the ruleset.


#7 2013-08-19 03:17:54

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Understanding firewall differences

What I don't understand is why you have different chains or what you are meant to do with them. That's probably why I never understand how the rules will affect a packet.

At first, I thought chains were just a different way of specifying in/out so whereas with ipfw you can specify in, out or neither (for both), with iptables you need to add the rule to one chain, or the other or both chains (for both). But that only explains INPUT and OUTPUT - at most. And I'm not sure it really explains those. It doesn't explain other chains or why you create more chains when setting up the firewall.

Nothing I've found really explains what these mean or how they are meant to interact - not in terms I understand, anyway.



#8 2013-08-19 03:24:20

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Understanding firewall differences

This image might help if you're more of a graphical learner: http://www.csie.ntu.edu.tw/~b93070/CNL/ … ge2070.gif


#9 2013-08-19 03:37:40

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Understanding firewall differences

cfr wrote:

What I don't understand is why you have different chains or what you are meant to do with them. That's probably why I never understand how the rules will affect a packet.

At first, I thought chains were just a different way of specifying in/out so whereas with ipfw you can specify in, out or neither (for both), with iptables you need to add the rule to one chain, or the other or both chains (for both). But that only explains INPUT and OUTPUT - at most. And I'm not sure it really explains those. It doesn't explain other chains or why you create more chains when setting up the firewall.

Nothing I've found really explains what these mean or how they are meant to interact - not in terms I understand, anyway.

The overall idea of a chain is similar to a subroutine or a function in programming -- it is used to logically group statements. The default chains specify "global" grouping depending on the packet destination. For example, in the filter table, INPUT and OUTPUT are for packets arriving and leaving the firewall, while FORWARD is for packets forwarded between network interfaces. But you can define your own chains which are called from rules located in the global ones. Just look through tutorials at http://www.linuxhomenetworking.com for basic info.

To answer the original question, iptables is a low-level language, while firewalld is a high-level concept-oriented approach. For instance, it deals with concepts like zones etc. (which might be familiar from Windows networking) that do not exist in iptables. Notice, this idea is not new nor original. Indeed, OpenWRT has been doing this for a long time with their UCI firewall (http://wiki.openwrt.org/doc/uci/firewall).

This situation is similar to creating vector graphics with e.g. xfig. You can draw circles and squares interactively, and the backend will convert them to an *.eps file. However, some people (me included) bypass xfig and create graphics in postscript directly, because it's a Turing complete programming language with gs(1) being the interpreter.

fukawi2 wrote:

Not quite; saying that a firewall implementation is stateful means that the implementation itself is able to track each connection (as opposed to individual packets) and allow the relevant return traffic (aka ESTABLISHED) or RELATED (eg, FTP data connection is technically separate to the control channel connection).

Ahhh, why is it every time RELATED is mentioned people talk of FTP, but no one remembers ICMP :(

Last edited by Leonid.I (2013-08-19 03:39:30)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#10 2013-08-19 03:42:16

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Understanding firewall differences

Leonid.I wrote:

Ahhh, why is it every time RELATED is mentioned people talk of FTP, but no one remembers ICMP :(

Yes of course, ICMP as well (well, the relevant ICMP packets). How silly of me to forget that when I'm always telling people not to block ICMP. I have an excuse though, I've been on holidays for the last 2 weeks :P


#11 2013-08-19 06:30:46

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Understanding firewall differences

fukawi2 wrote:

If the implementation isn't stateful

What real-world firewall implementation *isn't* stateful? Connections *have* to be tracked, there is no choice. E.g. an HTTP request will start on port 80 and then jump to a different port.

I nearly said this originally, but preferred to be succinct and count it as obvious ;)

cfr, use "iptables-save" to view the iptables rules. They are processed strictly in order, and are looking for an ACCEPT/REJECT/DROP so they can finish - this is crucial to remember.

man iptables:

TARGETS
       A  firewall rule specifies criteria for a packet and a target.  If the packet does not match, the next rule in the chain is the examined; if it does match, then the
       next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the packet on the floor.  QUEUE means to pass the packet to userspace.  (How the packet can be  received
       by  a userspace process differs by the particular queue handler.  2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler.  Kernels 2.6.14 and later
       additionally include the nfnetlink_queue queue handler.  Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see  the  NFQUEUE
       target  as described later in this man page.)  RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.  If the end of a
       built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.


#12 2013-08-19 06:53:14

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Understanding firewall differences

brebs wrote:

What real-world firewall implementation *isn't* stateful? Connections *have* to be tracked, there is no choice. E.g. a HTTP request will start on port 80 and then jump to a different port.

These days, yes most (if not all) implementations are stateful... It wasn't always that way, and older stateless devices do still exist (for better or for worse) so it doesn't hurt to be specific, but by and large it is mostly academic these days.


#13 2013-08-19 22:14:27

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Understanding firewall differences

Leonid.I wrote:

The overall idea of a chain is similar to a subroutine or a function in programming -- it is used to logically group statements. The default chains specify "global" grouping depending on the packet destination. For example, in the filter table, INPUT and OUTPUT are for packets arriving and leaving the firewall, while FORWARD is for packets forwarded between network interfaces. But you can define your own chains which are called from rules located in the global ones. Just look through tutorials at http://www.linuxhomenetworking.com for basic info.

Thanks!

But if INPUT and OUTPUT are for packets arriving and leaving the firewall, why FORWARD? If those packets are not arriving or leaving the firewall, how can any rules in the firewall be relevant? And if they are arriving or leaving the firewall, why aren't they covered by INPUT and OUTPUT? The description sounds like there are things reaching the firewall and leaving the firewall and then there are these other things moving between network interfaces. Why not just one kind of in and one kind of out? Of course, it matters what kind of traffic and on which port and from where and from which port and so on but INPUT and OUTPUT can cover all of that.

I understand shell functions but on that analogy, the chains ought to be recipes and you'd then have the main part of the script to apply them. But in iptables, that all looks mixed together.

Leonid.I wrote:

To answer the original question, iptables is a low-level language, while firewalld is a high-level concept-oriented approach. For instance, it deals with concepts like zones etc. (which might be familiar from Windows networking) that do not exist in iptables. Notice, this idea is not new nor original. Indeed, OpenWRT has been doing this for a long time with their UCI firewall (http://wiki.openwrt.org/doc/uci/firewall).

Thanks. The Windows stuff doesn't help. If there is one thing I know less about than Linux networking, it is certainly Windows networking :(. I've never used or configured a Windows firewall, for example. The link looks promising, though - thanks :).

The high/low level stuff helps. I think Fedora's documentation confused me because it sounded like iptables was incompatible with firewalld rather than just the commands. (Still not quite sure why the commands are incompatible but I see why the systemd services are.) And the .eps analogy helps. (Is metapost at all like postscript? Anyway, I've drawn things with metapost.)

Last edited by cfr (2013-08-19 22:16:07)



#14 2013-08-19 22:18:54

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Understanding firewall differences

fukawi2 wrote:

This image might help if you're more of a graphical learner: http://www.csie.ntu.edu.tw/~b93070/CNL/ … ge2070.gif

I'm not really a visual learner at all but this is the single clearest thing anybody has ever told me about iptables. Thank you!



#15 2013-08-19 23:13:54

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Understanding firewall differences

cfr wrote:
fukawi2 wrote:

This image might help if you're more of a graphical learner: http://www.csie.ntu.edu.tw/~b93070/CNL/ … ge2070.gif

I'm not really a visual learner at all but this is the single clearest thing anybody has ever told me about iptables. Thank you!

You're welcome; I certainly found it useful in the past :)

cfr wrote:

But if INPUT and OUTPUT are for packets arriving and leaving the firewall, why FORWARD? If those packets are not arriving or leaving the firewall, how can any rules in the firewall be relevant? And if they are arriving or leaving the firewall, why aren't they covered by INPUT and OUTPUT

The path through the tables depends on the destination address of the packet (for "incoming" packets) or the source (for "outgoing" packets); only packets destined for an address local to the host or created by the local host will pass through INPUT and OUTPUT respectively. Any packets just "passing through" (i.e., with a source and destination for addresses NOT local to the host) will hit FORWARD.

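Pulling together fukawi2's point about stateful filtering (#6), brebs's note that rules are processed strictly in order until an ACCEPT/REJECT/DROP is found (#11), Leonid.I's description of user chains as subroutines (#9) and fukawi2's explanation of how the routing decision picks INPUT, OUTPUT or FORWARD (#15), here is a small Python model of the filter table. It is an added illustration and not code from this thread or from iptables/netfilter itself: the addresses, ports, packets and the conntrack states stamped on them are all constructed sample data, and the routing decision is simplified to "locally generated, addressed to one of our addresses, or passing through". Running it prints, for each packet, the chain it enters, every rule it matches and the final verdict, and shows why a stateless "allow source port 80 in" rule accepts an unsolicited packet that a conntrack-based ruleset drops.

```python
"""Toy model of iptables filter-table traversal (added illustration, not iptables code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed: addresses configured on this host. Under the weak-host model a
# packet sent to any of them counts as "destined for the local host".
LOCAL_ADDRS = {"192.0.2.10", "10.0.0.1"}

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end rule processing


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"          # conntrack classification: NEW/ESTABLISHED/RELATED/INVALID
    local_origin: bool = False  # True if generated by a socket on this host


@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT, DROP, REJECT, RETURN or a user chain name
    proto: Optional[str] = None         # like -p
    sport: Optional[int] = None         # like --sport
    dport: Optional[int] = None         # like --dport
    states: Optional[frozenset] = None  # like -m conntrack --ctstate A,B

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.sport is None or pkt.sport == self.sport)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.states is None or pkt.state in self.states))


class FilterTable:
    def __init__(self, policy: dict):
        self.policy = dict(policy)                   # built-in chain -> default verdict
        self.chains = {name: [] for name in policy}  # chain name -> ordered list of rules

    def append(self, chain: str, rule: Rule) -> None:  # like iptables -A
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rulenum: int, rule: Rule) -> None:  # like iptables -I (1-based)
        self.chains.setdefault(chain, []).insert(rulenum - 1, rule)

    def _walk(self, chain: str, pkt: Packet, trace: list) -> Optional[str]:
        # First match wins; a user chain behaves like a subroutine call.
        for num, rule in enumerate(self.chains.get(chain, []), start=1):
            if not rule.matches(pkt):
                continue
            trace.append(f"{chain}:{num} -> {rule.target}")
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None                               # resume in the calling chain
            verdict = self._walk(rule.target, pkt, trace)  # jump into the user chain
            if verdict is not None:
                return verdict
        return None                                       # fell off the end of the chain

    def verdict(self, pkt: Packet):
        # Simplified routing decision: locally generated -> OUTPUT; arriving for one of
        # our addresses -> INPUT; anything else just passing through -> FORWARD.
        if pkt.local_origin:
            chain = "OUTPUT"
        elif pkt.dst in LOCAL_ADDRS:
            chain = "INPUT"
        else:
            chain = "FORWARD"
        trace = [f"routing -> {chain}"]
        result = self._walk(chain, pkt, trace)
        if result is None:                                # no terminal target: chain policy decides
            result = self.policy[chain]
            trace.append(f"{chain} policy -> {result}")
        return result, trace


def stateless_desktop() -> FilterTable:
    # Without connection tracking, browsing the web needs "allow source port 80 in".
    t = FilterTable({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    t.append("INPUT", Rule("ACCEPT", proto="tcp", sport=80))
    return t


def stateful_desktop() -> FilterTable:
    # With conntrack, replies are admitted by state; only ssh is open to NEW connections.
    t = FilterTable({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    t.append("INPUT", Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))
    t.append("INPUT", Rule("DROP", states=frozenset({"INVALID"})))
    t.append("INPUT", Rule("TCP", proto="tcp"))        # hand all TCP to a user chain
    t.append("TCP", Rule("ACCEPT", proto="tcp", dport=22))
    t.append("TCP", Rule("RETURN"))                    # back to INPUT, which then falls to its policy
    return t


# Constructed sample packets (conntrack state assumed to be already stamped on them).
REPLY_FROM_WEB = Packet("198.51.100.5", "192.0.2.10", "tcp", sport=80, dport=40000, state="ESTABLISHED")
SPOOFED_SPORT80 = Packet("203.0.113.9", "192.0.2.10", "tcp", sport=80, dport=5432, state="NEW")
NEW_SSH = Packet("203.0.113.9", "192.0.2.10", "tcp", sport=51000, dport=22, state="NEW")
ICMP_ERROR = Packet("198.51.100.1", "192.0.2.10", "icmp", state="RELATED")
TRANSIT = Packet("10.0.0.7", "198.51.100.5", "tcp", sport=40001, dport=443, state="NEW")

if __name__ == "__main__":
    for name, table in (("stateless", stateless_desktop()), ("stateful", stateful_desktop())):
        for pkt in (REPLY_FROM_WEB, SPOOFED_SPORT80, NEW_SSH, ICMP_ERROR, TRANSIT):
            v, trace = table.verdict(pkt)
            print(f"{name:9} {pkt.proto}:{pkt.sport}->{pkt.dport} {pkt.state:11} {v:6} via {' | '.join(trace)}")
```

The insert(chain, rulenum, rule) method mirrors the -I semantics brebs quoted from the man page: inserting an ICMP DROP at position 1 of INPUT puts it ahead of the ESTABLISHED,RELATED rule, so the RELATED ICMP error Leonid.I mentions is silently dropped. That is the ordering pitfall behind brebs's advice to reload a whole edited ruleset rather than insert rules by number.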

#16 2013-08-20 02:24:20

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Understanding firewall differences

^^^ This.

However, there is a subtlety associated with the way TCP is implemented in Linux: if there are N interfaces with N unique IPs, any of these IPs are local to the host (the weak-host model, http://en.wikipedia.org/wiki/Host_model). This means that you can ssh into the server via an internal (LAN facing) interface, by using the server's public (WAN) address.

Last edited by Leonid.I (2013-08-20 02:25:48)



#17 2013-08-20 02:27:39

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Understanding firewall differences

I think you meant https://en.wikipedia.org/wiki/Host_model. And that is very confusing. (I don't mean you - I just mean that.)

EDIT: However, although I'm not more confused I'm starting to see why I'm confused. I just never thought about there being a difference like that - I guess I just assumed it would work the same way on all platforms. Actually, I don't think I realised there was an assumption here at all - I just thought that's how it worked.

So does that mean that you don't? can't? filter on a particular network interface?

EDIT: Er... I find the weak host model rather scary. How does anybody secure something that behaves like that? I realise this is an overreaction - obviously Linux can be extremely secure. Just... I didn't expect it to do something like this!

Last edited by cfr (2013-08-20 03:05:37)

