firewalld this doesn't seem right....
Ed Greshko
Ed.Greshko at greshko.com
Tue Oct 2 07:24:03 UTC 2012
On 10/02/2012 03:04 PM, Chris Murphy wrote:
> On Oct 2, 2012, at 12:33 AM, Ed Greshko wrote:
>> If you run the firewall-config GUI there are no rules listed anywhere. "iptables -L" shows there are plenty defined.
> I'm not sure I follow. iptables and firewalld aren't at all related and shouldn't be used at the same time. firewall-config wouldn't list iptables rules.
I am not running iptables.service.
AFAIK, firewalld still uses the underlying iptables modules....
[egreshko at localhost ~]$ systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
[egreshko at localhost ~]$ lsmod | grep ip
ipt_MASQUERADE 12880 1
ip6table_mangle 12700 1
ip6t_REJECT 12939 2
nf_conntrack_ipv6 14569 23
nf_defrag_ipv6 18177 1 nf_conntrack_ipv6
ip6table_filter 12815 1
ip6_tables 26942 2 ip6table_filter,ip6table_mangle
iptable_nat 13383 1
nf_nat 25646 2 ipt_MASQUERADE,iptable_nat
iptable_mangle 12695 1
nf_conntrack_ipv4 19143 22 nf_nat,iptable_nat
nf_defrag_ipv4 12673 1 nf_conntrack_ipv4
nf_conntrack 107669 8 nf_conntrack_netbios_ns,ipt_MASQUERADE,nf_nat,xt_conntrack,nf_conntrack_broadcast,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
>
>> I thought that maybe they were "invisible" but I soon found out that doing a "Reload firewalld" causes all services to be unavailable. A systemctl restart of firewalld is needed to restore a "working" system.
> Hmm. The point of firewalld is exactly that restarts of the daemon aren't needed for behavior changes to be applied, unlike iptables.
>
Yes, since it has a D-BUS interface to allow dynamic changes without a reload. However, if you do hit reload on the "firewall-config" GUI the system becomes inaccessible via ssh, for example....
[egreshko at meimei ~]$ ssh 192.168.0.187
egreshko at 192.168.0.187's password:
Last login: Sun Sep 30 15:22:20 2012 from 192.168.0.18
[egreshko at localhost ~]$
Then hit "reload firewalld" on the GUI....and....
[egreshko at meimei ~]$ ssh 192.168.0.187
ssh: connect to host 192.168.0.187 port 22: No route to host
That's not right....
--
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rick Cook, The Wizardry Compiled
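A guarded reload check, added here as an example and not code from the thread or from the firewalld project: it encodes what the message above establishes (iptables.service disabled, netfilter modules loaded, ssh lost after a GUI reload and restored by a restart) as testable shell functions, with a live wrapper that refuses to reload unless ssh is already permitted and falls back to a restart if it disappears. The `firewall-cmd --list-services`, `--reload` and `systemctl restart firewalld` invocations assume a current firewalld host; the parsing functions take text arguments so they can be exercised offline on constructed input.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes firewall-cmd and systemctl exist on the
# host being checked; the three parsing helpers only inspect text they are handed.

# Return 0 if the given "firewall-cmd --list-services" output contains the ssh service.
services_allow_ssh() {
    for svc in $1; do
        [ "$svc" = "ssh" ] && return 0
    done
    return 1
}

# Return 0 if the given lsmod output shows netfilter/iptables kernel modules loaded,
# i.e. the backend firewalld was driving in this thread (its rules show up in iptables -L).
netfilter_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip_tables|ip6_tables|iptable_filter|iptable_nat|nf_conntrack)[[:space:]]'
}

# Return 0 if the given "systemctl status iptables.service" output says the unit is
# disabled, which is the expected state when firewalld is the active firewall.
iptables_service_disabled() {
    printf '%s\n' "$1" | grep -q 'iptables.service; disabled'
}

# Live check (not run by the test): reload firewalld only if ssh is currently allowed
# in the active zone, then verify it survived; if not, restart the daemon as the
# thread's author did to get a working system back.
checked_reload() {
    before=$(firewall-cmd --list-services 2>/dev/null) || return 2
    if ! services_allow_ssh "$before"; then
        echo "ssh not allowed in active zone; refusing to reload" >&2
        return 1
    fi
    firewall-cmd --reload >/dev/null || return 3
    after=$(firewall-cmd --list-services 2>/dev/null) || return 3
    services_allow_ssh "$after" && return 0
    echo "ssh no longer allowed after reload; restarting firewalld" >&2
    systemctl restart firewalld
    return 4
}
```

Run `checked_reload` from an already-open session rather than over the ssh connection you are trying to protect, so a restart fallback cannot strand you.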
More information about the test mailing list