Bug 183666 - RFE: Per interface firewall policy
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
Reported: 2006-03-02 11:10 EST by Ivan Gyurdiev
Modified: 2008-08-02 19:40 EDT

Doc Type: Bug Fix
Last Closed: 2007-09-11 00:50:20 EDT

Attachments: None
Description Ivan Gyurdiev 2006-03-02 11:10:52 EST
I am behind NAT on my ath0 interface, and don't need or want a firewall.
I am not behind NAT on my eth0 interface.

Different interfaces have different security requirements.

Firewall configuration needs to be per interface, not global.
Iptables has the capability to do this, and system-config-securitylevel should be
making use of it (and likely integrating with system-config-network, where you
manage each of your interfaces).
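Added example (not part of the bug report and not code from system-config-securitylevel or system-config-firewall): a small Python script that turns a per-interface policy into an iptables-restore ruleset, plus a first-match evaluator that walks the generated INPUT chain the way netfilter does. The interface names ath0/eth0 and the port list are constructed to mirror the report's setup (trusted interface behind NAT, exposed interface with default-deny); the `-i`, `-p`, `--dport` and `-m conntrack --ctstate` matches are standard iptables syntax.

```python
"""Per-interface firewall policy as an iptables-restore ruleset.

Constructed example: interface names, the policy table and the sample
packets below are made up to illustrate the technique; they are not
taken from the bug report's system.
"""
import re
from typing import Dict, List, Union

# Linux interface names are at most 15 characters (IFNAMSIZ - 1).  The
# character set is restricted as well, so a name read from a config file
# can never smuggle extra rule text into the generated ruleset.
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")

# Constructed policy: "trusted" means no filtering on that interface
# (the reporter's NATed ath0); a list of TCP ports means only those
# ports accept new inbound connections and everything else is dropped.
POLICY: Dict[str, Union[str, List[int]]] = {
    "ath0": "trusted",
    "eth0": [22],
}


def build_ruleset(policy: Dict[str, Union[str, List[int]]]) -> List[str]:
    """Return iptables-restore lines for the filter table."""
    for iface in policy:
        if not IFNAME_RE.match(iface):
            raise ValueError(f"invalid interface name: {iface!r}")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",        # default-deny: unmatched packets are dropped
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        # replies to connections the host opened are fine on any interface
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for iface, rule in policy.items():
        if rule == "trusted":
            lines.append(f"-A INPUT -i {iface} -j ACCEPT")
            continue
        for port in rule:
            if not 0 < int(port) < 65536:
                raise ValueError(f"invalid port {port!r} for {iface}")
            lines.append(f"-A INPUT -i {iface} -p tcp --dport {int(port)} "
                         "-m conntrack --ctstate NEW -j ACCEPT")
    lines.append("COMMIT")
    return lines


def evaluate(lines: List[str], iface: str, proto: str = "tcp",
             dport: Union[int, None] = None, ctstate: str = "NEW") -> str:
    """First-match walk over the INPUT rules; falls back to the chain policy.

    Only the matches emitted by build_ruleset are understood (-i, -p,
    --dport, --ctstate); this is an illustration of rule ordering, not
    a full iptables emulator.
    """
    chain_policy = "ACCEPT"
    for line in lines:
        if line.startswith(":INPUT "):
            chain_policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT"):
            continue
        toks = line.split()

        def opt(flag: str):
            return toks[toks.index(flag) + 1] if flag in toks else None

        if opt("-i") not in (None, iface):
            continue
        if opt("-p") not in (None, proto):
            continue
        if opt("--dport") not in (None, str(dport)):
            continue
        states = opt("--ctstate")
        if states and ctstate not in states.split(","):
            continue
        return opt("-j")          # first matching rule decides
    return chain_policy


if __name__ == "__main__":
    ruleset = build_ruleset(POLICY)
    print("\n".join(ruleset))
    # Constructed sample packets: same port, different interface, different verdict.
    for pkt in [("ath0", "tcp", 445, "NEW"), ("eth0", "tcp", 445, "NEW"),
                ("eth0", "tcp", 22, "NEW"), ("eth0", "udp", 53, "NEW")]:
        print(pkt, "->", evaluate(ruleset, *pkt))
```

The output of `build_ruleset` can be fed to `iptables-restore` as-is; the point of the evaluator is to make the per-interface difference visible before loading anything: a new connection to port 445 is accepted on the trusted ath0 and dropped on eth0, while a single global policy could only choose one of the two behaviours for both interfaces.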
Comment 1 Thomas Woerner 2007-09-10 05:06:33 EDT
Please have a look at system-config-firewall in F8 and rawhide. There is support
for trusted devices and masquerading. Is this sufficient for you?
Comment 2 Ivan Gyurdiev 2007-09-11 00:50:20 EDT
Great - it's good to see progress is being made!

However, I no longer use multiple interfaces or Rawhide/testing distribution.
The bug was opened too long ago, and I've moved, changed my environment, and
shifted focus to stability.

I appreciate your response though - are there plans to integrate with SELinux
ports and interfaces labeling support eventually?

Comment 3 Thomas Woerner 2007-09-11 08:34:18 EDT
This is already possible right now: Add the netfilter context file with the
--custom-rules option.
Please keep in mind that adding rules will slow down the firewall throughput.

It could lead to a DoS if someone is flooding your machine with packages. All
packages get labeled, even those which get dropped by the firewall rules.
