From Fedora Project Wiki

Revision as of 12:28, 20 March 2013

firewalld Lockdown

Summary

This feature adds a simple configuration setting for firewalld to be able to lock down configuration changes from local applications.

The feature is limited to milestone 1: config files, without cli and D-Bus interfaces.

Owner

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-03-20
  • Percentage of completion: 80%
  • The feature is limited to milestone 1 (base): configuration with files, no cli and no D-Bus interfaces
  • Firewalld milestones for rich language and lockdown features: milestones 1 and 2 (base and cli) are planned for F-19. Milestone 3 (gui) is planned for F-20.
    • Milestone 1: Rich config language via config files; minimal lockdown ~ end of March
    • Milestone 2: New config language via D-BUS interfaces with command line client ~ end of May
    • Milestone 3: GUI early to mid July

Detailed Description

Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt). With this feature the administrator can lock the firewall configuration so that either none or only applications that are in the allowed list are able to request firewall changes.

The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default. Comprehensive user and application policies will be added later on.

Benefit to Fedora

An easy way to lock the firewall configuration for local applications.

Scope

Only needs changes in firewalld and its components.

How To Test

1) Set Lockdown=yes in /etc/firewalld/firewalld.conf

2) Try to enable the service imaps in the default zone:

firewall-cmd --add-service=imaps

Results in: Error: ACCESS_DENIED: lockdown is enabled

3) Add command '<command name="/usr/bin/python /usr/bin/firewall-cmd*"/>' to /etc/firewalld/lockdown-whitelist.xml

4) Reload firewalld

firewall-cmd --reload

5) Try to enable service imaps again in the default zone:

firewall-cmd --add-service=imaps

No error

User Experience

The lockdown setting defaults to disabled. If enabled, the user can be sure that there are no unwanted configuration changes to the firewall from local applications or services.

Dependencies

None.

Contingency Plan

This is a simple firewalld setting, which can be enabled or dropped easily.

Documentation

With the lockdown feature, changes to the firewall configuration can be blocked or limited to a white list. The white list is empty by default and can contain commands, users, user ids and SELinux contexts. The lockdown access check is limited to D-Bus methods that are changing firewall rules. Query, list and get methods are not limited.

Example:

<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python /usr/bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
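The following is an added model of the access check described in the How To Test and Documentation sections above; it is example code written for this page, not firewalld's own implementation. It reads the Lockdown switch from firewalld.conf-style text, parses a lockdown-whitelist.xml document in the format shown, and decides whether a requester (identified by command line, SELinux context, uid or user name) may call a rule-changing D-Bus method. The sample conf text, the empty and populated whitelists, the requester values, and the method name addService are constructed for the example. That a <command> entry ending in '*' matches as a prefix of the caller's command line, and that Lockdown defaults to off when the key is absent, are assumptions of this model.

```python
"""Model of the firewalld lockdown access check (constructed example,
not firewalld's own code)."""
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/firewalld.conf with the lockdown switch on.
FIREWALLD_CONF = """\
# firewalld config file
DefaultZone=public
Lockdown=yes
"""

# Constructed whitelist in the lockdown-whitelist.xml format shown above.
WHITELIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python /usr/bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
"""

# The whitelist is empty by default, which is why step 2 of the test plan is denied.
EMPTY_WHITELIST_XML = '<?xml version="1.0" encoding="utf-8"?>\n<whitelist/>\n'

# Method name prefixes that only read state and are never subject to lockdown.
READ_ONLY_PREFIXES = ("query", "list", "get")


def lockdown_enabled(conf_text):
    """Return True when the conf text contains Lockdown=yes (value case-insensitive)."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "Lockdown":
            return value.strip().lower() == "yes"
    return False  # assumed default when the key is absent


def parse_whitelist(xml_text):
    """Collect the four entry kinds the whitelist may contain."""
    root = ET.fromstring(xml_text)
    wl = {"commands": [], "contexts": [], "uids": [], "users": []}
    for el in root:
        if el.tag == "command" and "name" in el.attrib:
            wl["commands"].append(el.attrib["name"])
        elif el.tag == "selinux" and "context" in el.attrib:
            wl["contexts"].append(el.attrib["context"])
        elif el.tag == "user":
            if "id" in el.attrib:
                wl["uids"].append(int(el.attrib["id"]))
            if "name" in el.attrib:
                wl["users"].append(el.attrib["name"])
    return wl


def command_matches(pattern, command):
    """Assumed semantics: a trailing '*' makes the entry a prefix match."""
    if pattern.endswith("*"):
        return command.startswith(pattern[:-1])
    return command == pattern


def access_check(wl, requester):
    """requester is a dict with optional keys command, context, uid, user.
    Any single matching whitelist entry grants access."""
    cmd = requester.get("command")
    if cmd is not None and any(command_matches(p, cmd) for p in wl["commands"]):
        return True
    if requester.get("context") in wl["contexts"]:
        return True
    if requester.get("uid") in wl["uids"]:
        return True
    if requester.get("user") in wl["users"]:
        return True
    return False


def authorize(method, conf_text, whitelist_xml, requester):
    """Return (allowed, error) for one D-Bus call. Query/list/get methods
    bypass the check; everything else is checked only while lockdown is on."""
    if method.startswith(READ_ONLY_PREFIXES):
        return True, None
    if not lockdown_enabled(conf_text):
        return True, None
    if access_check(parse_whitelist(whitelist_xml), requester):
        return True, None
    return False, "ACCESS_DENIED: lockdown is enabled"


def run_test_plan():
    """Replay steps 2 and 5 of How To Test: the same firewall-cmd call
    before and after the command entry is added to the whitelist."""
    requester = {  # constructed caller: root running firewall-cmd
        "command": "/usr/bin/python /usr/bin/firewall-cmd --add-service=imaps",
        "uid": 0,
        "user": "root",
        "context": "unconfined_u:unconfined_r:unconfined_t:s0",
    }
    before = authorize("addService", FIREWALLD_CONF, EMPTY_WHITELIST_XML, requester)
    after = authorize("addService", FIREWALLD_CONF, WHITELIST_XML, requester)
    return before, after


if __name__ == "__main__":
    step2, step5 = run_test_plan()
    print("step 2 (empty whitelist):", step2)
    print("step 5 (command whitelisted):", step5)
```

Running the script reproduces the test plan: the first call is refused with the ACCESS_DENIED error, the second succeeds once the command entry is present, and a getServices-style call is never refused regardless of the whitelist. Note that the uid and user entries grant access to every process of that user, and the context entry to every process in that domain, so they are much broader than a command entry.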

Release Notes

Fedora 19 includes the latest firewalld version that supports the firewalld lockdown feature to be able to lock the firewall configuration for local applications.

Comments and Discussion