Repository :
http://git.fedorahosted.org/cgit/docs/firewall-guide.git
On branch : master
---------------------------------------------------------------
commit 447632875918bc6f19554016563176090314f0e0
Author: Simon Clark <simon.richard.clark(a)gmail.com>
Date: Fri Jan 23 17:50:45 2015 +0000
Corrected some spelling errors.
---------------------------------------------------------------
en-US/Using_Firewalls.xml | 77 ++++++++++++++++++++-------------------------
1 files changed, 34 insertions(+), 43 deletions(-)
diff --git a/en-US/Using_Firewalls.xml b/en-US/Using_Firewalls.xml
index 3bef0ab..35e0a2d 100644
--- a/en-US/Using_Firewalls.xml
+++ b/en-US/Using_Firewalls.xml
@@ -1,68 +1,59 @@
-<?xml version='1.0' encoding='utf-8' ?>
+<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "firewall-guide.ent">
]>
-
<chapter id="chapt-Documentation-Firewall_Guide-Using_Firewalls">
-<title>Using Firewalls</title>
-<section id="sec-Introduction_to_firewalld">
-<title>Introduction to firewalld</title>
-<para>
+ <title>Using Firewalls</title>
+ <section id="sec-Introduction_to_firewalld">
+ <title>Introduction to firewalld</title>
+ <para>
The dynamic firewall daemon <systemitem
class="daemon">firewalld</systemitem> provides a dynamically managed
firewall with support for network zones to assign a level of trust to a network and its
associated connections and interfaces. It has support for <systemitem
class="protocol">IPv4</systemitem> and <systemitem
class="protocol">IPv6</systemitem> firewall settings. It supports
Ethernet bridges and has a separation of runtime and permanent configuration options. It
also has an interface for services or applications to add firewall rules directly.
</para>
-</section>
-
-<section id="sec-Understanding_firewalld">
- <title>Understanding firewalld</title>
- <para>
+ <para>
+ The firewall daemon manages the firewall dynamically, which means that it can apply
changes without restarting the whole firewall. Therefore there is no need to reload all
firewall kernel modules for every change. However, using a firewall daemon requires that
all firewall modifications are done with that daemon to make sure that the state in the
daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall
rules added by the <application>iptables</application> and
<application>ebtables</application> command line tools.
+</para>
+ <para>
+ The daemon provides information about the current active firewall settings via
<application>D-BUS</application> and also accepts changes via
<application>D-BUS</application> using
<application>PolicyKit</application> authentication methods.
+</para>
+ </section>
+ <section id="sec-Understanding_firewalld">
+ <title>Understanding firewalld</title>
+ <para>
A graphical configuration tool,
<application>firewall-config</application>, is used to configure
<systemitem class="daemon">firewalld</systemitem>, which in turn
uses <application>iptables tool</application> to communicate with
<application>Netfilter</application> in the kernel which implements packet
filtering.</para>
- <para>
+ <para>
To use the graphical <application>firewall-config</application> tool,
press the super key and start typing <command>firewall</command>. The firewall
icon will appear. Press enter once it is highlighted. The
<application>firewall-config</application> tool appears. You will be prompted
for your user password. <remark>Tested on Fedora 19 </remark>
</para>
- <para>
+ <para>
The <application>firewall-config</application> tool has drop a down
selection menu labeled <guilabel>Current View</guilabel>. This enables
selecting between <guibutton>Runtime Configuration</guibutton> and
<guibutton>Permanent Configuration</guibutton> mode. Notice that if you select
<guibutton>Permanent Configuration</guibutton>, an <guibutton>Edit
Services</guibutton> button appears on the right hand side of the
<guilabel>Services</guilabel> tab and an <guibutton>Edit ICMP
Types</guibutton> button appears on the right hand side of the <guilabel>ICMP
Filter</guilabel> tab. The reason these buttons only appear in permanent
configuration mode is that runtime changes are limited to enabling or disabling a service.
You cannot change a service's parameters in run time mode.
</para>
-
- <para>
+ <para>
The firewall service provided by <systemitem
class="daemon">firewalld</systemitem> is dynamic rather than static
because changes to the configuration can be made at anytime and are immediately
implemented, there is no need to save or apply the changes. No unintended disruption of
existing network connections occurs as no part of the firewall has to be
reloaded.</para>
- <para>
+ <para>
There is also an applet, <application>firewall-applet</application>,
which can be used to quickly launch the
<application>NetworkManager</application> configuration tab for the network
connection in use. From the <guilabel>General</guilabel> tab changes to the
assigned firewall zone can be made. This applet is not installed by default in
&PRODUCT;. <remark>this may change</remark></para>
- <para>
+ <para>
A command line client, <application>firewall-cmd</application>, is provided.
It can be used to make permanent and non-permanent run-time changes as explained in
<filename>man firewall-cmd(1)</filename>. Permanent changes need to be made as
explained in <filename>man firewalld(1)</filename>.
</para>
- <para>
+ <para>
The configuration for <systemitem
class="daemon">firewalld</systemitem> is stored in various XML files in
<filename>/usr/lib/firewalld/</filename> and
<filename>/etc/firewalld/</filename>. This allows a great deal of flexibility
as the files can be edited, written to, backed up, used as templates for other
installations and so on.
</para>
- <para>
+ <para>
Other applications can communicate with <systemitem
class="daemon">firewalld</systemitem> using D-bus. <remark>Where
can users find more info about this?</remark>
</para>
-
-</section>
-
-<section id="sec-Comparison_of_Firewalld_to_system-config-firewall">
- <title>Comparison of Firewalld to system-config-firewall and
iptables</title>
- <para>
+ </section>
+ <section id="sec-Comparison_of_Firewalld_to_system-config-firewall">
+ <title>Comparison of Firewalld to system-config-firewall and
iptables</title>
+ <para>
The essential differences between <systemitem
class="daemon">firewalld</systemitem> and the
<application>iptables service</application>
are:
- <itemizedlist>
- <listitem>
- <para>
- The <application>iptables service</application> stores configuration
in <filename>/etc/sysconfig/iptables</filename> while <systemitem
class="daemon">firewalld</systemitem> stores it in various XML files in
<filename class='directory'>/usr/lib/firewalld/</filename> and
<filename class='directory'>/etc/firewalld/</filename>. Note that the
<filename>/etc/sysconfig/iptables</filename> file does not exist as
<systemitem class="daemon">firewalld</systemitem> is installed be
default on &PRODUCT;.
- </para>
- </listitem>
- <listitem>
- <para>
+ <itemizedlist><listitem><para>
+ The <application>iptables service</application> stores configuration
in <filename>/etc/sysconfig/iptables</filename> while <systemitem
class="daemon">firewalld</systemitem> stores it in various XML files in
<filename class="directory">/usr/lib/firewalld/</filename> and
<filename class="directory">/etc/firewalld/</filename>. Note that
the <filename>/etc/sysconfig/iptables</filename> file does not exist as
<systemitem class="daemon">firewalld</systemitem> is installed by
default on &PRODUCT;.
+ </para></listitem><listitem><para>
With the <application>iptables service</application>, every single change
means flushing all the old rules and reading all the new rules from
<filename>/etc/sysconfig/iptables</filename> while with <systemitem
class="daemon">firewalld</systemitem> there is no re-creating of all
the rules; only the differences are applied. Consequently, <systemitem
class="daemon">firewalld</systemitem> can change the settings during
run time without existing connections being lost.
- </para>
-</listitem>
- </itemizedlist>
+ </para></listitem></itemizedlist>
Both use <application>iptables tool</application> to talk to the kernel
packet filter.
</para>
-<!--<para>
+ <!--<para>
<remark>Insert diagram from Jiri Popelka showing the hierarchy of applications
above the kernel packet filter that go to make up the firewall
implementation</remark>
</para> -->
-</section>
-
-
-
-
- <!--Topics, Reference-->
+ </section>
+ <!--Topics, Reference-->
</chapter>
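Review bot: The new `<!ENTITY % BOOK_ENTITIES SYSTEM "firewall-guide.ent">` declaration in the DOCTYPE internal subset is never invoked, so `&PRODUCT;` (used in the firewall-applet paragraph and in the first list item) stays undefined and the file will still fail entity resolution; add a `%BOOK_ENTITIES;` line directly after the declaration, before `]>`. While there, the DOCTYPE names `section` as the document element but the root is `<chapter>`, which a validating parser will reject. The commit message says only "Corrected some spelling errors", yet the hunk also moves the two "firewall daemon manages..." and "D-BUS..." paragraphs out of "Understanding firewalld" into "Introduction to firewalld", collapses the itemizedlist markup and reindents the file; the message should say so, since the moved text changes which section is cited for the "all modifications must go through the daemon" caveat. One spelling error the commit leaves in place: "has drop a down selection menu" should read "has a drop-down selection menu".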