Hello, I have submitted patches[1] to Plinth so as to manage the firewall for FreedomBox. Firewall shall operate automatically by enabling traffic for services that are enabled and disabling traffic when the last of the services using a port is disabled.
In the patches I propose to use FirewallD[2] as the tool that manages iptables. It could be swapped out in my implementation with other such tools with some effort. However, FirewallD seems to me the best fit for our purpose.

- It works at a much higher level than iptables, making configuration less error-prone and easy.
- It has the concept of services, which are installable XML descriptions of ports and protocols. We simply have to enable service "dns" instead of worrying about ports and protocols.
- Compared to other such tools, it is a daemon which is meant to be communicated with by other processes such as Plinth.
- Since it is a daemon, no restart is required after each configuration change. It simply inserts/deletes the rules appropriate for the operation just performed.
- It is possible to directly communicate with the daemon using DBus IPC instead of several levels of error-prone command line tools.
- It has a good command-line interaction tool and does not necessitate editing configuration files.
- Custom iptables rules are possible.
- It handles permanent and currently running configuration separately, giving nice features such as a temporary "panic" mode to block all traffic.
- It is readily available in Debian.
- It installs with very sane defaults, blocking all services but SSH. We can enable http(s) and other ports from freedombox-setup.

Your comments are welcome.

Links:
1) https://github.com/NickDaly/Plinth/pull/74
2) https://fedoraproject.org/wiki/FirewallD

Thank you,
-- Sunil
_______________________________________________ Freedombox-discuss mailing list Freedombox-discuss@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
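The behaviour described in the message above (open a FirewallD service when the first app needing it is enabled, close it only when the last app needing it is disabled, and apply changes to both the running and the permanent configuration) as an added example. This is illustrative code, not the Plinth patch itself. Assumptions: each app declares the FirewallD services it needs; services are opened in the zone named by ZONE; the service XML strings are constructed samples in FirewallD's service file format, and "plinth" is a hypothetical custom service. FirewallCmdBackend shells out to firewall-cmd with its documented options; DryRunBackend records the calls so the logic runs without a live firewalld.

```python
"""Reference-counted FirewallD service management (illustrative, not Plinth's code)."""
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter

ZONE = "public"  # assumption: FreedomBox's external interfaces live in this zone

# Constructed sample definitions in FirewallD's service XML format; installed
# copies live under /usr/lib/firewalld/services/ and /etc/firewalld/services/.
# "plinth" is a hypothetical custom service for this example.
SERVICE_XML = {
    "dns": '<service><short>DNS</short>'
           '<port protocol="tcp" port="53"/><port protocol="udp" port="53"/></service>',
    "http": '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
    "https": '<service><short>Secure WWW (HTTPS)</short><port protocol="tcp" port="443"/></service>',
    "plinth": '<service><short>Plinth</short><port protocol="tcp" port="8000"/></service>',
}


def service_ports(name):
    """Parse a FirewallD service definition into a set of (protocol, port) pairs."""
    root = ET.fromstring(SERVICE_XML[name])
    return {(p.get("protocol"), p.get("port")) for p in root.findall("port")}


class DryRunBackend:
    """Records what would be sent to firewalld; for tests and dry runs."""
    def __init__(self):
        self.calls = []
        self.enabled = set()

    def add_service(self, zone, service):
        self.calls.append(("add", zone, service))
        self.enabled.add(service)

    def remove_service(self, zone, service):
        self.calls.append(("remove", zone, service))
        self.enabled.discard(service)


class FirewallCmdBackend:
    """Applies each change twice with firewall-cmd: once to the running
    configuration (takes effect now) and once with --permanent (survives a
    reload). FirewallD keeps the two separately, as the message notes."""
    def _run(self, *args):
        subprocess.run(["firewall-cmd", *args], check=True)

    def add_service(self, zone, service):
        self._run("--zone=" + zone, "--add-service=" + service)
        self._run("--permanent", "--zone=" + zone, "--add-service=" + service)

    def remove_service(self, zone, service):
        self._run("--zone=" + zone, "--remove-service=" + service)
        self._run("--permanent", "--zone=" + zone, "--remove-service=" + service)


class FirewallManager:
    """Opens a service when the first app needing it is enabled and closes it
    only when the last app needing it is disabled."""
    def __init__(self, backend, zone=ZONE):
        self.backend = backend
        self.zone = zone
        self.app_services = {}      # app name -> set of FirewallD services it needs
        self.refcount = Counter()   # service -> number of enabled apps using it

    def enable_app(self, app, services):
        if app in self.app_services:
            return  # already enabled; do not double-count
        self.app_services[app] = set(services)
        for svc in sorted(services):
            if self.refcount[svc] == 0:
                self.backend.add_service(self.zone, svc)
            self.refcount[svc] += 1

    def disable_app(self, app):
        for svc in sorted(self.app_services.pop(app, set())):
            self.refcount[svc] -= 1
            if self.refcount[svc] == 0:
                self.backend.remove_service(self.zone, svc)
                del self.refcount[svc]

    def open_ports(self):
        """(protocol, port) pairs currently allowed, derived from enabled services."""
        ports = set()
        for svc in self.refcount:
            ports |= service_ports(svc)
        return ports
```

With DryRunBackend swapped for FirewallCmdBackend the same manager drives a real firewalld; because FirewallD applies each add/remove immediately, no daemon restart is needed between app changes.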