[Freedombox-discuss] Firewall for FreedomBox

Sunil Mohan sunil at medhas.org
Fri Apr 18 12:17:24 UTC 2014


Hello,

I have submitted patches[1] to Plinth so as to manage the firewall for
FreedomBox. Firewall shall operate automatically by enabling traffic for
services that are enabled and disabling traffic when the last of the
services using a port is disabled.

In the patches I propose to use FirewallD[2] as the tool that manages
iptables. It could be swapped out in my implementation with other such
tools with some effort. However, FirewallD seems to me the best fit for
our purpose.

- It works at a much higher level than iptables making configuration
less error prone and easy.

- It has the concept of services which are installable XML descriptions
of ports and protocols. We simply have to enable service "dns" instead
of worrying about ports and protocols.

- Compared to other such tools, it is a daemon which is meant to be
communicated with by other processes such as Plinth.

- Since it is a daemon, there is no restarting required after each
configuration change. It simply inserts/deletes the rules appropriate
for the operation just performed.

- It is possible to directly communicate with the daemon using DBus IPC
instead of several levels of error prone command line tools.

- It has a good command-line interaction tool and does not necessitate
editing configuration files.

- Custom iptables rules are possible.

- It handles permanent and currently running configuration separately
giving nice features such as temporary "panic" mode to block all traffic.

- It is readily available in Debian.

- It installs with very sane defaults blocking all services but SSH. We
can enable http(s) and other ports from freedombox-setup.

Your comments are welcome.

Links:

1) https://github.com/NickDaly/Plinth/pull/74

2) https://fedoraproject.org/wiki/FirewallD

Thank you,

-- 
Sunil
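As an added illustration (this is not code from the Plinth pull request), the enable/disable bookkeeping described in the post, modelled in Python: apps map to FirewallD service names, a service is only removed once no enabled app still needs it, and the resulting `firewall-cmd` calls are emitted for both the runtime and the permanent configuration. The app-to-service table, the zone name and the always-open `ssh` baseline are assumptions made for the example.

```python
"""Reference-counted FirewallD service management for app enable/disable.

Illustrative code, not Plinth's own. firewall-cmd is only invoked when
apply() is called with dry_run=False; by default it just renders commands.
"""
import subprocess
from typing import Dict, List, Set

# Constructed table: which FirewallD services each hypothetical app needs.
APP_SERVICES: Dict[str, Set[str]] = {
    "web": {"http", "https"},
    "tor": {"http"},        # shares the "http" service with "web"
    "dns": {"dns"},
}

# Assumption: mirrors the FirewallD default of leaving only ssh reachable,
# and keeps it open so that disabling apps can never lock out the admin.
BASELINE: Set[str] = {"ssh"}


class FirewallState:
    def __init__(self, zone: str = "external") -> None:
        self.zone = zone                      # assumed zone name
        self.enabled_apps: Set[str] = set()
        self.open_services: Set[str] = set(BASELINE)

    def _needed(self) -> Set[str]:
        """Services that must be open given the currently enabled apps."""
        return BASELINE | set().union(*(APP_SERVICES[a] for a in self.enabled_apps))

    def _cmds(self, action: str, svc: str) -> List[List[str]]:
        """Runtime change plus the same change in the permanent config."""
        base = ["firewall-cmd", f"--zone={self.zone}", f"--{action}-service={svc}"]
        return [base, base + ["--permanent"]]

    def set_app(self, app: str, enabled: bool) -> List[List[str]]:
        """Enable/disable an app; return the firewall-cmd calls to make."""
        (self.enabled_apps.add if enabled else self.enabled_apps.discard)(app)
        needed = self._needed()
        cmds: List[List[str]] = []
        for svc in sorted(needed - self.open_services):   # newly required
            cmds += self._cmds("add", svc)
        for svc in sorted(self.open_services - needed):   # last user gone
            cmds += self._cmds("remove", svc)
        self.open_services = needed
        return cmds


def apply(cmds: List[List[str]], dry_run: bool = True) -> List[str]:
    """Render the commands; execute them only when dry_run is False."""
    rendered = [" ".join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return rendered
```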
