firewalld performance concerns
by R C
Hello,
I was wondering, in high performance environments (high compute loads,
high bandwidth loads (IB)), is it a concern to run a firewall for network
performance reasons? Also, with high compute loads, I heard/read a
rumor that a firewall might actually cap traffic?
any thoughts?
thanks,
Ron
12 hours, 58 minutes
NanoPI R4S: firewalld service on Debian (not RHEL, Fedora)
by Nayla Nikolic
Hi
I have a NanoPI R4S and would like to run the device as a firewall
server. My only task is to filter my network traffic with firewalld.
Now I have seen on GitHub that firewalld is a Red Hat/Fedora etc. project.
Are there any major disadvantages to running firewalld on Debian? I
would rather install Debian than Fedora on R4S.
Does firewalld run as well on Debian as on Fedora/RHEL etc.?
best regards and have a nice weekend
Nayla
13 hours, 1 minute
Re: firewalld-users Digest, Vol 118, Issue 9
by John Griffiths
I use iptables and blacklists to add blocked IPs using firewall-cmd. No need for an individual rule and no need to restart.
----------------------------------------
Jun 21, 2024 12:05:07 AM firewalld-users-request(a)lists.fedorahosted.org:
> Send firewalld-users mailing list submissions to
> firewalld-users(a)lists.fedorahosted.org
>
> To subscribe or unsubscribe via email, send a message with subject or
> body 'help' to
> firewalld-users-request(a)lists.fedorahosted.org
>
> You can reach the person managing the list at
> firewalld-users-owner(a)lists.fedorahosted.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of firewalld-users digest..."
> Today's Topics:
>
> 1. Re: firewalld performance concerns (Eric Garver)
> 2. Re: time needed to apply rule takes 1 second (Eric Garver)
> --
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
1 day, 15 hours
time needed to apply rule takes 1 second
by Marco Moock
Hello!
The time to apply a simple rule (adding a port) takes about one second. I
use fail2ban, which issues firewall-cmd commands. If now tens or
hundreds of IPs are banned, a restart will take minutes because all
rules are removed and then added.
Is there a good way to speed that up?
--
kind regards
Marco
Send unsolicited bulk mail to 1718601625muell(a)cartoonies.org
2 days, 12 hours
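The ipset-based approach John Griffiths mentions, applied to Marco's fail2ban case, as an added example that is not from any post in this thread: a single rich rule references one ipset, so banning another address becomes an entry add rather than a rule add, and a restart re-populates the set from a file in one call. The ipset name `fail2ban_banned`, the zone and the sample ban list are constructed values; the firewall-cmd options used (`--new-ipset`, `--ipset=... --add-entry`, `--add-entries-from-file`) are standard.

```shell
#!/bin/sh
# Added example, not from the thread: bulk-ban addresses through a firewalld ipset.
# Assumes firewalld with the nftables backend. IPSET_NAME and ZONE are constructed defaults.

IPSET_NAME="${IPSET_NAME:-fail2ban_banned}"
ZONE="${ZONE:-public}"

# The one rich rule that covers every address in the set; it never changes as bans come and go.
banned_ipset_rule() {
    printf 'rule source ipset="%s" drop' "$1"
}

# Normalise a ban list read from stdin: drop comments and blank lines, keep only
# dotted-quad IPv4 addresses, deduplicate. Writes one address per line.
normalise_ban_list() {
    tr -d '\r' | grep -Ev '^[[:space:]]*(#|$)' | \
    grep -Eo '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# One-time setup: create the set, attach the single rule to the zone, reload once.
setup_banned_ipset() {
    firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type=hash:ip
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(banned_ipset_rule "$IPSET_NAME")"
    firewall-cmd --reload
}

# Per-ban operation (e.g. from fail2ban's actionban): add one entry at runtime and
# persistently. Neither call rebuilds the rule set, so it stays fast as the set grows.
ban_ip() {
    firewall-cmd --ipset="$IPSET_NAME" --add-entry="$1"
    firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entry="$1"
}

# Re-population after a restart: load a whole file of addresses in one call instead
# of issuing one firewall-cmd per address.
restore_bans() {
    normalise_ban_list < "$1" > "$1.clean"
    firewall-cmd --ipset="$IPSET_NAME" --add-entries-from-file="$1.clean"
}

# Dispatch only when an action is given, so sourcing the file defines the functions only.
case "${1:-}" in
    setup)   setup_banned_ipset ;;
    ban)     ban_ip "$2" ;;
    restore) restore_bans "$2" ;;
esac
```

Usage: `./ban.sh setup` once, then `./ban.sh ban 192.0.2.7` per ban and `./ban.sh restore /path/to/banlist.txt` after a reboot. If bans should survive a `firewall-cmd --reload`, keep the `--permanent` add in `ban_ip`; otherwise drop it and rely on `restore_bans`.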
rich-rules logging without prefix
by Marco Moock
Hello!
I've a rich-rule:
rule family="ipv4" source address="185.122.204.97" log reject type="icmp-admin-prohibited"
This results in nftables:
chain filter_IN_public_deny {
    ip saddr 185.122.204.97 reject with icmp admin-prohibited
}
It does not include a logging prefix like here:
chain filter_FWD_public {
    jump filter_FORWARD_POLICIES_pre
    jump filter_FWD_public_pre
    jump filter_FWD_public_log
    jump filter_FWD_public_deny
    jump filter_FWD_public_allow
    jump filter_FWD_public_post
    jump filter_FORWARD_POLICIES_post
    log prefix "filter_FWD_public_REJECT: "
    reject with icmpx admin-prohibited
}
Is that intended?
How can I add it inside the rich-rule?
--
Regards
Marco
Send unsolicited bulk mail to 1717962664muell(a)cartoonies.org
1 week, 5 days
Logging of firewalld
by Andreas Croci
Hello, I'm using openSUSE Leap and Tumbleweed, which both come with
firewalld enabled. I wanted to see who is trying to access my computers
and enabled the logs, but it writes to the normal journal and floods the
entries there with an awful lot of messages that make the thing
unreadable. I didn't find a way to specify a different file to log the
dropped packets to, other than enabling rsyslog. Is there a way to keep
using journald and still have the firewall log in a separate file?
Thank you.
Andreas
2 weeks, 1 day
reject rich-rule with ICMP administratively prohibited
by Marco Moock
Hello!
I have:
rule family="ipv4" source address="185.122.204.97" reject
This results in
chain filter_IN_public_deny {
    ip saddr 185.122.204.97 reject with icmp port-unreachable
}
Is there a way to use firewalld rich-rules to use administratively
prohibited instead?
--
kind regards
Marco
Send unsolicited bulk mail to 1717319884muell(a)cartoonies.org
2 weeks, 5 days
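Both of Marco's rich-rule questions (the missing log prefix, and rejecting with "administratively prohibited" instead of port-unreachable) come down to optional elements of the rich language: the `log` element takes `prefix=`, `level=` and `limit value=`, and `reject` takes `type=`. The following is an added example, not code from any post: a small shell helper that builds such a rule for the address from the posts and applies it to a zone. The prefix text and the zone name are constructed; the IPv6 branch generalises the same rule with the IPv6 reject type.

```shell
#!/bin/sh
# Added example, not from the thread: a rich rule that logs with a prefix and rejects
# with ICMP admin-prohibited. Zone and prefix text below are constructed values.

# Build the rule. Arguments: family source_address log_prefix [log_level] [rate_limit]
# Defaults: level "warning", limit "5/m" (rate limiting keeps a scan from flooding the journal).
rich_reject_rule() {
    family="$1"; src="$2"; prefix="$3"
    level="${4:-warning}"; limit="${5:-5/m}"
    # The reject type is family-specific: icmp-admin-prohibited for ipv4,
    # icmp6-adm-prohibited for ipv6.
    case "$family" in
        ipv4) rtype="icmp-admin-prohibited" ;;
        ipv6) rtype="icmp6-adm-prohibited" ;;
        *) echo "unsupported family: $family" >&2; return 1 ;;
    esac
    printf 'rule family="%s" source address="%s" log prefix="%s" level="%s" limit value="%s" reject type="%s"' \
        "$family" "$src" "$prefix" "$level" "$limit" "$rtype"
}

# Apply the rule at runtime and persistently, without a reload.
apply_rule() {
    zone="$1"; rule="$2"
    firewall-cmd --zone="$zone" --add-rich-rule="$rule"
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
}

# Confirm the generated nftables rule carries the prefix (firewalld keeps its rules
# in the "inet firewalld" table). Prefixed entries then show up in the kernel log,
# e.g. journalctl -k | grep -F "$prefix".
show_nft_rule() {
    prefix="$1"
    nft list table inet firewalld | grep -F "prefix \"$prefix\""
}

# Dispatch only when arguments are given, so sourcing the file defines functions only.
if [ $# -ge 2 ]; then
    zone="$1"; src="$2"
    prefix="${3:-IN_${zone}_REJECT: }"
    rule=$(rich_reject_rule ipv4 "$src" "$prefix")
    apply_rule "$zone" "$rule"
    show_nft_rule "$prefix"
fi
```

Usage: `./reject-log.sh public 185.122.204.97` adds the rule to the public zone and prints the resulting nftables line, which should now read `log prefix "IN_public_REJECT: " ... reject with icmp admin-prohibited` rather than the unprefixed form shown in the posts.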