I have noticed one problem with forwarding rules. It seems that the semantics associated with the interface are different. Not sure. I have to check in the kernel code to understand what is happening here.
Again, check it out and retest carefully before committing your firewall to this new version.
The dialog has been reworked. It shows in graphic mode. I have added a section called features and moved some stuff from the top of the dialog there.
You can now add a single line comment explaining the purpose of a rule.
The module has an algorithm to order the rules, and it works most of the time. It is based on the netmask, the policy, the interface and so on. A new field called "ordering factor" has been added, which gives you the final say on the ordering. The default factor is 50. This is the primary criterion for ordering. Further, the rule list is ordered by this factor when it is displayed.
In the near future, I will add a concept of pre-cooked solutions for firewalling, and this ordering factor will be used to allow mixing of "generated" and "manual" rules.
By default, Linuxconf generates two IP chains rules (or more, sometimes) for each rule entered in Linuxconf. It generates a rule "from -> to" and a rule "to -> from".
A new check-box (on by default) controls this behavior. When it is disabled, Linuxconf only generates "from -> to".
This feature is not implemented yet, but the dialog now has two new check-boxes: one in the "from" area and one in the "to" area. They control whether TCP SYN packets are accepted. They have no effect currently.
An input rule deals with the "input interface". The other rules (forward and output) deal with the "output interface". To differentiate these cases, the field title changes between input rules and the others.
Firewall rules are sometimes weak, because the exact interface or host IP number is not known. This is the case with PPP dialout and dialin: one will often use PPP0, guessing that it is the device which will be allocated. This is also the case with "per user" firewalling.
We are introducing the concept of logical interfaces and logical hosts. Where you normally enter a host IP or name, you can now enter a logical host, and the IP number will be looked up in other Linuxconf modules. The same applies to interfaces.
A logical host or interface is presented like this:
The firewall module uses the FWINFO_API inter-module API to get the information. If the information is not available, the rule is not generated and a message is entered in the log. Each participating module implements this API and supplies the information. So far, the dialout and pppdialin modules have been enhanced to support it.
Note that it is the responsibility of those modules to trigger the firewall module to install new rules (in the kernel). For example, when a dialout connection is established, the dialout module sends a signal to the firewall module, which updates its rules. The dialout module has a check-box just for that.
New command lines were also added to allow a third party to enable the new rules.
They are the following:
linuxconf --modulemain firewall --resetfw
linuxconf --modulemain firewall --setfw
The first disables all rules, the second enables the rules.
This is equivalent to --setfw. It was added to make it more consistent with the rest.
This does the same as "linuxconf --status", but only for the firewall.
This should simplify the old "redir" setup, since you do everything from the same dialog. It allows arbitrary traffic redirection, not just TCP. Check it out. It is not tested much, though.
The fwinfo API was changed to accommodate a new module: userfirewall. Now a module may provide several IP/netmask pairs for one query. The firewall module will generate one rule for each IP/netmask pair, as needed.
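An added illustration (not Linuxconf's own code) of the rule generation described above: the "from -> to" / "to -> from" duplication controlled by the check-box, the FWINFO_API lookup of a logical host that skips the rule and logs a message when no module answers, one kernel rule per IP/netmask pair returned, and ordering by the ordering factor. The FWINFO table, the "module:name" spelling of logical hosts and the Rule fields are assumptions; the ipchains command syntax is the real one.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("firewall")
# Constructed stand-in for the answers other modules give over FWINFO_API:
# a logical name maps to one or more (ip, netmask) pairs, or is absent.
FWINFO = {
    "dialout:isp": [("10.1.2.3", "255.255.255.255")],
    "user:alice": [("192.168.1.10", "255.255.255.255"),
                   ("192.168.2.0", "255.255.255.0")],
}

@dataclass(order=True)
class Rule:
    # Only ordering_factor takes part in comparisons; a stable sort keeps
    # entry order for equal factors (the finer criteria are left out here).
    ordering_factor: int = 50
    chain: str = field(default="input", compare=False)
    policy: str = field(default="ACCEPT", compare=False)
    proto: str = field(default="all", compare=False)
    src: str = field(default="0.0.0.0/0", compare=False)
    dst: str = field(default="0.0.0.0/0", compare=False)
    bidirectional: bool = field(default=True, compare=False)  # "to -> from" box

def resolve(addr):
    """Expand a logical host (a name containing ':') through the constructed
    FWINFO table; a literal address is returned as-is. Unknown names yield []."""
    if ":" not in addr:
        return [addr]
    pairs = FWINFO.get(addr)
    if not pairs:
        log.warning("no FWINFO answer for %s; rule not generated", addr)
        return []
    return [f"{ip}/{mask}" for ip, mask in pairs]

def ipchains_lines(rule):
    """One 'ipchains -A' line per resolved src/dst pair, plus the reversed
    line for each pair when bidirectional is on."""
    lines = []
    for s in resolve(rule.src):
        for d in resolve(rule.dst):
            base = f"ipchains -A {rule.chain} -p {rule.proto}"
            lines.append(f"{base} -s {s} -d {d} -j {rule.policy}")
            if rule.bidirectional:
                lines.append(f"{base} -s {d} -d {s} -j {rule.policy}")
    return lines

def generate(rules):
    # Order by ordering factor, then emit the kernel rules in that order.
    return [ln for r in sorted(rules) for ln in ipchains_lines(r)]
```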
The userfirewall module will be announced shortly.
Various enhancements were made to the module:
This new facility allows you to map a given rule by interface, protocol, source, source port, destination and destination port. You can also map by source and destination sub-net. By specifying two mappings, Linuxconf will create all needed chains and generate the dispatch rules.
This new feature is really useful for large firewalls, and especially for users of the userfirewall module (which maps users and groups to firewall rules).
Negation is supported in the from and to fields. You can enter addresses in the form
Still other negations are possible (on the protocol and interface) and will be added in a future release.
The chain dispatch mechanism has been enhanced. A new check-box controls how the firewall rules are updated in the kernel. The default mode is to wipe the kernel rules and put new ones in place. With the "update the kernel gracefully" check-box enabled, only the relevant chains are updated. This produces faster updates and avoids opening holes while the firewall is changing. This is necessary with the userfirewall module, which can change the firewall rules several times per minute.
A column named "redir" was added near the end. It contains an X if the rule is a redirection.
Now, if you do not have time to review this, there is a check-box in the feature section of the "firewall defaults" dialog. It is called "Use IP chains even on kernel 2.4".