I routinely see questions related to firewall on forums which cannot be answered without seeing the actual configuration. Unfortunately firewalld does not seem to offer any simple way to list it.
firewall-cmd --list-all
only shows current zone.
firewall-cmd --list-all-zones
shows way too much and it still does not show effective policies or direct rules
firewall-cmd --list-all-policies
again shows too much and again does not show effective zones
It would be really helpful to have something like
firewall-cmd --show-current-config
that displays active zones, policies and direct rules with all their configuration.
On Fri, Nov 04, 2022 at 04:31:51PM +0300, Andrei Borzenkov wrote:
> I routinely see questions related to firewall on forums which cannot be answered without seeing the actual configuration. Unfortunately firewalld does not seem to offer any simple way to list it.
> firewall-cmd --list-all
> only shows current zone.

Yeah. --list-all existed before policies.

Perhaps it should list all zones and policies, but that would be very verbose. It's also a change in behavior.

We could add --list-all-active, which could list active zones and policies. We already have --get-active-zones and --get-active-policies, but those don't list details.
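The gap described above (active zones and policies are listed, but without their details) can be closed today by chaining the existing options. The following script is an added example, not firewalld's own code; it assumes firewalld 1.0 or later (for policies) and that `firewall-cmd` is on PATH. It prints the default zone, then `--info-zone` for every active zone, `--info-policy` for every active policy, and finally the direct chains, rules and passthroughs, in a fixed order so two dumps can be diffed when troubleshooting.

```shell
#!/bin/sh
# Added example (not part of the firewalld project): dump only the
# effective firewalld configuration instead of every defined zone.
# Assumes firewalld >= 1.0 and firewall-cmd on PATH.

# Extract object names from `firewall-cmd --get-active-zones` or
# `--get-active-policies` output. Each name sits on an unindented line;
# the indented lines below it ("interfaces:", "sources:",
# "ingress-zones:", ...) are details we skip here.
active_names() {
    # reads the listing on stdin, prints one name per line
    awk '/^[^[:space:]]/ { print $1 }'
}

# Print the effective configuration in a stable section order.
show_current_config() {
    echo "## state: $(firewall-cmd --state 2>&1)"
    echo "## default zone: $(firewall-cmd --get-default-zone)"

    echo "## active zones (full settings)"
    firewall-cmd --get-active-zones | active_names | while read -r zone; do
        firewall-cmd --info-zone="$zone"
    done

    echo "## active policies (full settings)"
    # older firewalld releases have no policies; ignore the error there
    firewall-cmd --get-active-policies 2>/dev/null | active_names | while read -r pol; do
        firewall-cmd --info-policy="$pol"
    done

    echo "## direct rules"
    firewall-cmd --direct --get-all-chains
    firewall-cmd --direct --get-all-rules
    firewall-cmd --direct --get-all-passthroughs
}

# Only run the dump when firewall-cmd exists, so the helper functions can
# also be sourced on a machine without firewalld.
if command -v firewall-cmd >/dev/null 2>&1; then
    show_current_config
fi
```

Run it as root (or via `sudo`) and paste the output when asking for help; unlike `--list-all-zones` it omits inactive zones, and unlike `--list-all` it includes every active zone, not just the default one.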
On 04.11.2022 16:56, Eric Garver wrote:
> On Fri, Nov 04, 2022 at 04:31:51PM +0300, Andrei Borzenkov wrote:
>> I routinely see questions related to firewall on forums which cannot be answered without seeing the actual configuration. Unfortunately firewalld does not seem to offer any simple way to list it.
>> firewall-cmd --list-all
>> only shows current zone.
>
> Yeah. --list-all existed before policies.

Well, --list-all does not even list all active zones. It lists only the default zone, which may or may not be active.

> Perhaps it should list all zones and policies, but that would be very verbose. It's also a change in behavior.
>
> We could add --list-all-active, which could list active zones and policies. We already have --get-active-zones and --get-active-policies, but those don't list details.

Do you need an issue on github?
On Sat, Nov 05, 2022 at 10:36:47AM +0300, Andrei Borzenkov wrote:
> On 04.11.2022 16:56, Eric Garver wrote:
>> On Fri, Nov 04, 2022 at 04:31:51PM +0300, Andrei Borzenkov wrote:
>>> I routinely see questions related to firewall on forums which cannot be answered without seeing the actual configuration. Unfortunately firewalld does not seem to offer any simple way to list it.
>>> firewall-cmd --list-all
>>> only shows current zone.
>>
>> Yeah. --list-all existed before policies.
>
> Well, --list-all does not even list all active zones. It lists only the default zone, which may or may not be active.

There is already --list-all-zones and --list-all-policies. They will dump all zones/policies.

>> Perhaps it should list all zones and policies, but that would be very verbose. It's also a change in behavior.
>>
>> We could add --list-all-active, which could list active zones and policies. We already have --get-active-zones and --get-active-policies, but those don't list details.
>
> Do you need an issue on github?

Yes. We can discuss a new CLI option there.
On Mon, Nov 7, 2022 at 4:50 PM Eric Garver <egarver@redhat.com> wrote:
>> Do you need an issue on github?
>
> Yes. We can discuss a new CLI option there.
--On Friday, November 04, 2022 5:31 PM +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> I routinely see questions related to firewall on forums which cannot be answered without seeing the actual configuration. Unfortunately firewalld does not seem to offer any simple way to list it.

I use the back-end's commands to dump the "real" firewall. Like "iptables-save" or "iptables -L -v -n". It's a bit like debugging a C++ program by looking at the generated assembly language. I've done that when chasing a compiler optimizer bug back in the 90s. (Compilers tend to be much better now.)
On 05.11.2022 02:06, Kenneth Porter wrote:
> --On Friday, November 04, 2022 5:31 PM +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>> I routinely see questions related to firewall on forums which cannot be answered without seeing the actual configuration. Unfortunately firewalld does not seem to offer any simple way to list it.
>
> I use the back-end's commands to dump the "real" firewall. Like

Yes, of course. Everything is a sequence of 0 and 1 at the end :)
On 11/5/2022 12:37 AM, Andrei Borzenkov wrote:
> Yes, of course. Everything is a sequence of 0 and 1 at the end 😄

LOL, I cut my teeth on a Heathkit microprocessor trainer back around 1980. It had only a hexadecimal keypad to enter programs and an LED display. So it was pretty close to entering raw bits! And I built a lot of low-level hardware that required staring at bit fields in the microsequencer to debug.

So looking at an iptables dump is comparative luxury. 😎
firewalld-users@lists.fedorahosted.org