Global control of firewalling

There are various tools out there to configure and control firewalls. This dialog allows you to decide if Linuxconf should control your firewall and how.

1. Principles

The Linux firewall controls IP packets as they are entering, flowing through and exiting the machine. Each step is controlled by a set of rules. We have the input, forward, and output rules. Each rule set is configured independently and may be enabled independently. Even if a rule set is configured, it may be turned off in the current dialog, generally for testing purposes.

1.1. Firewall integrity

If you enable one rule set, Linuxconf assumes it is in charge of the firewall and will make sure it is current (the kernel state matches the configuration) every time you exit from Linuxconf (this is interactive, so you will notice).

If you do not enable any rule set, then you are on your own. This means you can use any tool you want to handle this task.

2. Dialog description

The dialog has four sections.

2.1. Rules control

You can turn each rule set on and off. When you turn on a rule set, the default policy is set to deny. You must provide rules to allow some traffic.

The accounting rule set is a feature to turn on packet accounting without affecting the logic of the firewall. Note that any rule has two counters: a packet counter and a byte counter. Each counter is a full 64 bits, so you can get interesting statistics out of them and they won't overflow. So packet accounting is not strictly needed, since the other rules do their own accounting. Use the ipchains command to review the various counters:

    /sbin/ipchains -L -nv

2.2. Special kernel modules

You have one check-box for each masquerading helper module. IP masquerading, in forwarding rules, is used as a general proxy for an Intranet, hiding private IP addresses. It works for most protocols. But for the few special ones, you need some kernel modules. You enable each one here.

2.3. Extra kernel modules

You can enter the names of various modules unknown to Linuxconf. Linuxconf will make sure the kernel module is loaded.

2.4. Features

2.4.1. Update the kernel gracefully

This check-box controls how the firewalling rules are installed in the kernel.

2.4.1.1. Default way

Normally, Linuxconf wipes the kernel firewall rules and puts the new ones in place. It performs the following steps:

  o Change the default policy to ACCEPT.
  o Erase the old rules in the kernel.
  o Put the new ones in place.
  o Set the default policy to DENY.

This strategy allows one to change the firewalling rules, even from a network connection, without locking yourself out in the middle of the update.

This "not so graceful" update has the following advantages:

  o Reliable: it brings the firewall to a known state, whatever the previous state was.
  o Good chance of not locking you out (except if you have not provided suitable rules).

It has the following disadvantages:

  o It is slow. On a very large firewall, with 10,000 rules or more, it takes several seconds to put the firewall rules in place.
  o It is insecure. During the update, the firewall is not a firewall any more. This is not really a bug, since firewalls are generally seldom updated (at boot time, and once in a while when the admin sees fit). If you are using a module like userfirewall, or your firewall is updated on PPP connection/disconnection (the dialout, pppdialin and redhatppp modules can interact with the firewall), then the firewall may be updated on a regular basis, potentially several times per minute.

2.4.1.2. Graceful mode

In graceful mode, Linuxconf will only update the firewall chains which have to be updated. Further, it will potentially only affect a subset of a chain. This is much faster. Also, during the update, it does not change the default policy. So even if you change your firewall rules often, you will only see a very short service interruption (potentially a few packet losses).

This mode, while faster and smarter, is somewhat less reliable. It assumes it has been in control of the firewall at all times. The current kernel interface is rather slow and it takes a while to extract its current state. So instead, the module keeps the current state in /var/run/firewall.chains and rereads that to tell how to update the firewall. If this file falls out of sync with the kernel, then the firewall won't be updated properly. If it ever happens, just do:

    linuxconf --modulemain firewall --resetfw
    linuxconf --modulemain firewall --update
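The two update strategies described in 2.4.1.1 and 2.4.1.2, as an added Python illustration that is not Linuxconf's own code: it plans the ipchains command sequence for a full reload versus a graceful delta against the saved state. The chain-to-rule-list representation of the saved state is an assumption, since the page does not document the format of /var/run/firewall.chains.

```python
# Added example: the two firewall update strategies as command planners.
# The chain -> ordered rule list representation of the saved state is an
# assumption; the real /var/run/firewall.chains format is not shown here.

# Constructed sample: what was last installed, and what is now wanted.
SAVED_STATE = {
    "input": ["-p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT",
              "-p tcp --dport 80 -j ACCEPT"],
    "forward": ["-s 192.168.1.0/24 -j MASQ"],
    "output": [],
}
DESIRED = {
    "input": ["-p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT",
              "-p tcp --dport 80 -j ACCEPT",
              "-p udp --dport 53 -j ACCEPT"],  # one rule appended
    "forward": ["-s 192.168.2.0/24 -j MASQ"],  # existing rule replaced
    "output": [],                               # unchanged
}


def full_reload(desired):
    """Default (not so graceful) way: open the policy, flush, rebuild, close.

    Reliable from any starting state, but every chain passes all traffic
    between the ACCEPT and DENY steps, and cost grows with the rule count."""
    cmds = []
    for chain, rules in desired.items():
        cmds.append(f"ipchains -P {chain} ACCEPT")
        cmds.append(f"ipchains -F {chain}")
        cmds += [f"ipchains -A {chain} {r}" for r in rules]
        cmds.append(f"ipchains -P {chain} DENY")
    return cmds


def graceful_update(saved, desired):
    """Graceful way: touch only chains that differ from the saved state.

    A chain that merely grew at its tail gets appends; anything else is
    flushed and rebuilt. The policy is never changed, so the interruption is
    limited to the rebuilt chain. Correct only if `saved` really matches the
    kernel, which is why an out-of-sync state file needs --resetfw first."""
    cmds = []
    for chain, new in desired.items():
        old = saved.get(chain, [])
        if old == new:
            continue
        if new[:len(old)] == old:
            cmds += [f"ipchains -A {chain} {r}" for r in new[len(old):]]
        else:
            cmds.append(f"ipchains -F {chain}")
            cmds += [f"ipchains -A {chain} {r}" for r in new]
    return cmds
```

Running graceful_update on the sample yields one append for input, a flush and rebuild for forward, and nothing for the unchanged output chain; full_reload emits the ACCEPT/flush/rebuild/DENY sequence for every chain regardless.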