On 15.11.2012 19:58, Adam Williamson wrote:
I don't think anyone asked you to do any of those things. Fedora
obviously does not have the power to replace iptables with firewalld on
your router, so the question is not 'can you replace iptables with
firewalld on everything in your network and see if it works'. The
question is more 'can you see if firewalld does a good job of imitating
iptables on a single Fedora machine on your network, or a small amount
of them'. The whole point is it should be able to imitate an
iptables-type setup fairly transparently, so it should 'play nice' with
the rest of your setup. Can't you just test that?
and that is why i posted earlier this day a masked copy of the script
ONE script distributed from an admin-server is deployed to ANY
machine and executed with "ssh root@machine /scripts/iptables.sh"
this thing was written, optimized and maintained for many years
it contains rules to block specific outgoing AND incoming
connections in a more or less dynamic infrastructure
there is no "this is the iptables of machine X"
i am not only responsible for ONE network, there are finally
MANY networks, they are more or less based on this one script
the reason is simply that if you have, can and do maintain
larger environments more or less as a one-man-show you need to
find workloads and solutions to survive this, which has been achieved
for years - starting this from scratch means wasting weeks of
lifetime
don't get me wrong: forcing this would be no improvement
finally: i am pretty sure that my environments are even SMALL
compared with many others out there, iptables-service is a one-shot
thing at startup, low-level this all is netfilter of the kernel
so i refuse to understand any sense in removing the iptables command
and "iptables.service" to replace it for the sake of replacement
if your argumentation would be this direction i would say
"so why do we not remove XFCE, GNOME whatever because KDE exists"