8:31 a.m.
I routinely see questions related to firewall on forums which cannot be
answered without seeing the actual configuration. Unfortunately
firewalld does not seem to offer any simple way to list it.
firewall-cmd --list-all
only shows current zone.
firewall-cmd --list-all-zones
shows way too much and it still does not show effective policies or
direct rules
firewall-cmd --list-all-policies
again shows too much and again does not show effective zones
It would be really helpful to have something like
firewall-cmd --show-current-config
that displays active zones, policies and direct rules with all their
configuration.
8:56 a.m.
On Fri, Nov 04, 2022 at 04:31:51PM +0300, Andrei Borzenkov wrote:
I routinely see questions related to firewall on forums which cannot
be
answered without seeing the actual configuration. Unfortunately firewalld
does not seem to offer any simple way to list it.
firewall-cmd --list-all
only shows current zone.
Yeah. --list-all existed before policies.
Perhaps it should list all zones and policies, but that would be very
verbose. It's also a change in behavior.
We could add --list-all-active, which could list active zones and
policies. We already have --get-active-zones and --get-active-policies,
but those don't list details.
2:36 a.m.
On 04.11.2022 16:56, Eric Garver wrote:
On Fri, Nov 04, 2022 at 04:31:51PM +0300, Andrei Borzenkov wrote:
> I routinely see questions related to firewall on forums which cannot be
> answered without seeing the actual configuration. Unfortunately firewalld
> does not seem to offer any simple way to list it.
>
> firewall-cmd --list-all
>
> only shows current zone.
Yeah. --list-all existed before policies.
Well, --list-all does not even list all active zones. It lists only
default zone which may or may not be active.
Perhaps it should list all zones and policies, but that would be
very
verbose. It's also a change in behavior.
We could add --list-all-active, which could list active zones and
policies. We already have --get-active-zones and --get-active-policies,
but those don't list details.
Do you need an issue on github?
7:50 a.m.
On Sat, Nov 05, 2022 at 10:36:47AM +0300, Andrei Borzenkov wrote:
On 04.11.2022 16:56, Eric Garver wrote:
> On Fri, Nov 04, 2022 at 04:31:51PM +0300, Andrei Borzenkov wrote:
> > I routinely see questions related to firewall on forums which cannot be
> > answered without seeing the actual configuration. Unfortunately firewalld
> > does not seem to offer any simple way to list it.
> >
> > firewall-cmd --list-all
> >
> > only shows current zone.
>
> Yeah. --list-all existed before policies.
>
Well, --list-all does not even list all active zones. It lists only default
zone which may or may not be active.
There is already --list-all-zones and --list-all-policies. They will
dump all zones/policies.
> Perhaps it should list all zones and policies, but that would be
very
> verbose. It's also a change in behavior.
>
> We could add --list-all-active, which could list active zones and
> policies. We already have --get-active-zones and --get-active-policies,
> but those don't list details.
>
Do you need an issue on github?
Yes. We can discuss a new CLI option there.
5:52 a.m.
On Mon, Nov 7, 2022 at 4:50 PM Eric Garver <egarver(a)redhat.com> wrote:
>
> Do you need an issue on github?
Yes. We can discuss a new CLI option there.
https://github.com/firewalld/firewalld/issues/1050
6:06 p.m.
--On Friday, November 04, 2022 5:31 PM +0300 Andrei Borzenkov
<arvidjaar(a)gmail.com> wrote:
I routinely see questions related to firewall on forums which cannot
be
answered without seeing the actual configuration. Unfortunately firewalld
does not seem to offer any simple way to list it.
I use the back-end's commands to dump the "real" firewall. Like
"iptables-save" or "iptables -L -v -n". It's a bit like debugging
a C++
program by looking at the generated assembly language. I've done that when
chasing a compiler optimizer bug back in the 90s. (Compilers tend to be
much better now.)
2:37 a.m.
On 05.11.2022 02:06, Kenneth Porter wrote:
--On Friday, November 04, 2022 5:31 PM +0300 Andrei Borzenkov
<arvidjaar(a)gmail.com> wrote:
> I routinely see questions related to firewall on forums which cannot be
> answered without seeing the actual configuration. Unfortunately firewalld
> does not seem to offer any simple way to list it.
I use the back-end's commands to dump the "real" firewall. Like
Yes, of course. Everything is a sequence of 0 and 1 at the end :)
5:13 p.m.
On 11/5/2022 12:37 AM, Andrei Borzenkov wrote:
Yes, of course. Everything is a sequence of 0 and 1 at the end 😄
LOL, I cut my teeth on a Heathkit microprocessor trainer back around
1980. It had only a hexadecimal keypad to enter programs and an LED
display. So it was pretty close to entering raw bits! And I built a lot
of low-level hardware that required staring at bit fields in the
microsequencer to debug.
So looking at an iptables dump is comparative luxury. 😎
536
days inactive
548
days old
firewalld-users@lists.fedorahosted.org
7 comments
3 participants
participants (3)
-
Andrei Borzenkov -
Eric Garver -
Kenneth Porter