firewalld this doesn't seem right....

Ed Greshko Ed.Greshko at greshko.com
Tue Oct 2 07:24:03 UTC 2012


On 10/02/2012 03:04 PM, Chris Murphy wrote:
> On Oct 2, 2012, at 12:33 AM, Ed Greshko wrote:
>> If you run the firewall-config GUI there are no rules listed anywhere.  "iptables -L" shows there are plenty defined.
> I'm not sure I follow. iptables and firewalld aren't at all related and shouldn't be used at the same time. firewall-config wouldn't list iptables rules.

I am not running iptables.service.

AFAIK, firewalld still uses the underlying iptables modules....

[egreshko at localhost ~]$ systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)

[egreshko at localhost ~]$ lsmod | grep ip
ipt_MASQUERADE         12880  1
ip6table_mangle        12700  1
ip6t_REJECT            12939  2
nf_conntrack_ipv6      14569  23
nf_defrag_ipv6         18177  1 nf_conntrack_ipv6
ip6table_filter        12815  1
ip6_tables             26942  2 ip6table_filter,ip6table_mangle
iptable_nat            13383  1
nf_nat                 25646  2 ipt_MASQUERADE,iptable_nat
iptable_mangle         12695  1
nf_conntrack_ipv4      19143  22 nf_nat,iptable_nat
nf_defrag_ipv4         12673  1 nf_conntrack_ipv4
nf_conntrack          107669  8 nf_conntrack_netbios_ns,ipt_MASQUERADE,nf_nat,xt_conntrack,nf_conntrack_broadcast,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6

>
>>  I thought that maybe they were "invisible" but I soon found out that doing a "Reload firewalld" causes all services to be unavailable.  A systemctl restart of firewalld is needed to restore a "working" system.
> Hmm. The point of firewalld is exactly that restarts of the daemon aren't needed for behavior changes to be applied,  unlike iptables.
>

Yes, since it has a D-BUS interface to allow dynamic changes without a reload.  However, if you do hit reload on the "firewall-config" GUI the system becomes inaccessible via ssh, for example....

[egreshko at meimei ~]$ ssh 192.168.0.187
egreshko at 192.168.0.187's password:
Last login: Sun Sep 30 15:22:20 2012 from 192.168.0.18
[egreshko at localhost ~]$

Then hit "reload firewalld" on the GUI....and....

[egreshko at meimei ~]$ ssh 192.168.0.187
ssh: connect to host 192.168.0.187 port 22: No route to host

That's not right....

-- 
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rick Cook, The Wizardry Compiled
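As an added example (not part of this thread or of firewalld itself), a POSIX shell check for the failure described above: it compares two `iptables -S` snapshots, one taken before and one after a firewalld reload, and reports whether the rule admitting SSH on tcp/22 survived, listing any rules that vanished. The two snapshots and the function names are constructed for illustration; in real use you would capture them from the live host.

```shell
#!/bin/sh
# Added example (not from the original post): compare two "iptables -S"
# snapshots taken before and after a firewalld reload and confirm that the
# rule admitting SSH on tcp/22 survived. The sample snapshots are constructed
# inline so the script runs offline; on a real host capture them with
#   iptables -S > before.txt; firewall-cmd --reload; iptables -S > after.txt

# Constructed sample: ruleset as firewalld lays it out while running normally.
BEFORE_RULES='-P INPUT ACCEPT
-N INPUT_ZONES
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -j IN_public
-A IN_public -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# Constructed sample: the same chains after a reload that lost the service rules.
AFTER_RULES='-P INPUT ACCEPT
-N INPUT_ZONES
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -j IN_public'

# ssh_allowed RULES: exit 0 when some ACCEPT rule matches tcp destination port 22.
ssh_allowed() {
    printf '%s\n' "$1" | grep -q -- '-p tcp .*--dport 22 .*-j ACCEPT'
}

# reload_check BEFORE AFTER: exit 0 only if ssh was allowed both before and after.
# On failure it prints every rule from BEFORE that is missing in AFTER.
reload_check() {
    ssh_allowed "$1" || { echo "ssh not allowed before reload; nothing to compare"; return 2; }
    if ssh_allowed "$2"; then
        echo "ssh rule survived the reload"
        return 0
    fi
    echo "ssh rule LOST by reload; rules missing afterwards:"
    printf '%s\n' "$1" | while IFS= read -r line; do
        printf '%s\n' "$2" | grep -qxF -- "$line" || echo "  $line"
    done
    return 1
}

reload_check "$BEFORE_RULES" "$AFTER_RULES" || echo "reload check failed (exit status $?)"
```

Run it from a second shell (or a console session) so that a lost rule does not also cost you the session you are checking from.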

