
2. Dialog description

The dialog has four sections.

2.1 Rules control

You can turn each rule set on and off. When you turn on a rule set, its default policy is set to deny, so you must provide rules to allow some traffic.

The accounting rule set is a feature to turn on packet accounting without affecting the logic of the firewall. Note that every rule has two counters: a packet counter and a byte counter. Each counter is a full 64 bits, so you can get interesting statistics from them and they won't overflow. Packet accounting is therefore not strictly needed, since the other rules already do their own accounting.

Use the ipchains command to review the various counters:

        /sbin/ipchains -L -nv
        
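The following is an added example, not part of linuxconf or of this document: it parses the output of the command above (the sample below is constructed, and its column layout is assumed to match `ipchains -L -nv`), sums the packet and byte counters per chain, and reports any built-in chain whose default policy is not DENY, which is the state the dialog puts a rule set in when it is turned on.

```python
import re

# Constructed sample of `ipchains -L -nv` output (assumed layout, not a real capture).
SAMPLE = """\
Chain input (policy DENY: 12 packets, 816 bytes):
 pkts bytes target  prot opt    tosa tosx  ifname  mark outsize source          destination     ports
 1502   98K ACCEPT  all  ------ 0xFF 0x00  lo                   0.0.0.0/0       0.0.0.0/0       n/a
  340 21240 ACCEPT  tcp  ------ 0xFF 0x00  eth0                 0.0.0.0/0       192.168.1.1     * -> 22
Chain forward (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target  prot opt    tosa tosx  ifname  mark outsize source          destination     ports
   17  1020 MASQ    all  ------ 0xFF 0x00  eth0                 192.168.1.0/24  0.0.0.0/0       n/a
Chain output (policy DENY: 0 packets, 0 bytes):
 pkts bytes target  prot opt    tosa tosx  ifname  mark outsize source          destination     ports
"""
BUILTIN = ("input", "forward", "output")
SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
HEADER = re.compile(r"^Chain (\S+) \(policy (\S+): (\d+) packets, (\d+) bytes\):")

def parse_counter(text):
    # Without -x ipchains abbreviates big counters (98K); -x prints the exact 64-bit value.
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError("bad counter: %r" % text)
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse_ipchains(output):
    # Returns {chain: {"policy", "policy_pkts", "policy_bytes", "rules"}}; a rule is (pkts, bytes, target).
    chains, current = {}, None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            current = chains[m.group(1)] = {
                "policy": m.group(2), "policy_pkts": int(m.group(3)),
                "policy_bytes": int(m.group(4)), "rules": []}
            continue
        fields = line.split()
        if current is None or len(fields) < 3 or fields[0] == "pkts":
            continue  # blank line or the column header
        current["rules"].append((parse_counter(fields[0]), parse_counter(fields[1]), fields[2]))
    return chains

def chain_totals(chains):
    # Per-chain sum of the rule counters; Python ints never overflow, like the 64-bit kernel counters.
    return {n: (sum(r[0] for r in c["rules"]), sum(r[1] for r in c["rules"]))
            for n, c in chains.items()}

def open_builtin_chains(chains):
    # Built-in chains whose policy is not DENY pass unmatched traffic, i.e. that rule set is not enabled.
    return [n for n in BUILTIN if n in chains and chains[n]["policy"] != "DENY"]
```

Feed it the real output with `parse_ipchains(subprocess.check_output(["/sbin/ipchains", "-L", "-nv"], text=True))` on a host that still runs ipchains.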

2.2 Special kernel modules

You have one check-box for each masquerading helper module. IP masquerading, in forwarding rules, is used as a general proxy for an intranet, hiding the private IP addresses. It works for most protocols, but a few special ones need a kernel helper module. You enable each one here.

2.3 Extra kernel modules

You can enter the names of various modules unknown to linuxconf. Linuxconf will make sure each such kernel module is loaded.

2.4 Features

Update the kernel gracefully

This check-box controls how the firewalling rules are installed in the kernel.

Default way

Normally, Linuxconf wipes the kernel firewall rules and puts the new ones in place. It performs the following steps:

This strategy allows one to change the firewalling rules, even over a network connection, without being locked out in the middle of the update.

This "not so graceful" update has the following advantages:

It has the following disadvantage:

Graceful mode

In graceful mode, linuxconf only updates the firewall chains which have to be updated. Further, it will potentially only touch a subset of a chain. This is much faster. Also, during the update, it does not change the default policy. So even if you change your firewall rules often, you will only see a very short service interruption (potentially a few packet losses).

This mode, while faster and smarter, is somewhat less reliable. It assumes it has been in control of the firewall at all times. The current kernel interface is rather slow and it takes a while to extract its current state. So instead, the module keeps the current state in /var/run/firewall.chains and rereads that file to tell how to update the firewall. If this file falls out of sync with the kernel, the firewall won't be updated properly. If that ever happens, just do:

        linuxconf --modulemain firewall --resetfw
        linuxconf --modulemain firewall --update
        
