Hi,
My use case is setting up a CentOS 7 router/gateway/firewall between an office LAN and an industrial LAN. Both have private IPv4 network addresses, so there is no need for NAT / masquerading / port forwarding. There will be restrictions from the office to the industrial LAN and other restrictions from the industrial to the office LAN.
I was used to working with iptables in CentOS 5 and 6, but I am willing to learn the modern approach of firewalld. But I have been struggling for days now to find out how to work with the firewalld concepts for my use case. Also, I cannot find any relevant documentation to support my use case.
I can write direct rules for the FORWARD chain using my iptables knowledge, but then what is the advantage of using firewalld over iptables? firewalld makes it more complicated, because it adds a lot of unused chains. Any recommendations on how I should continue with firewalld, or should I just replace it with iptables for my setup? Is there any development going on for better support of the FORWARD chain?
I have found how I can turn on logging for dropped packages. But I cannot find an option to change the log level from warning to info. Any suggestion on how to do this?
Thanks
On Wed, Jun 05, 2019 at 07:09:46AM -0000, Ronald Verbeek wrote:
> Hi,
> My use case is setting up a CentOS 7 router/gateway/firewall between an office LAN and an industrial LAN. Both have private IPv4 network addresses, so there is no need for NAT / masquerading / port forwarding. There will be restrictions from the office to the industrial LAN and other restrictions from the industrial to the office LAN.
> I was used to working with iptables in CentOS 5 and 6, but I am willing to learn the modern approach of firewalld. But I have been struggling for days now to find out how to work with the firewalld concepts for my use case. Also, I cannot find any relevant documentation to support my use case.
> I can write direct rules for the FORWARD chain using my iptables knowledge, but then what is the advantage of using firewalld over iptables? firewalld makes it more complicated, because it adds a lot of unused chains. Any recommendations on how I should continue with firewalld, or should I just replace it with iptables for my setup? Is there any development going on for better support of the FORWARD chain?
I agree that firewalld is not a great fit for your use case as it lacks proper FORWARD filtering.
OUTPUT/FORWARD filtering is a high priority IMO, but it'll take quite a bit of work.
> I have found how I can turn on logging for dropped packages. But I cannot find an option to change the log level from warning to info. Any suggestion on how to do this?
Rich rules can be used to log packets with different log levels.
firewalld-users@lists.fedorahosted.org
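The two points raised in this thread (FORWARD filtering through direct rules, and choosing a log level with a rich rule or a LOG target) can be combined in one firewall-cmd script. The following is an added example written for this page, not code from either poster or from the firewalld project. The interface names (eth0/eth1), zone names, subnets and the single allowed TCP port are assumptions chosen for illustration; set FW_APPLY=1 to actually execute the commands, otherwise the script only prints what it would run.

```shell
#!/bin/sh
# Added example: CentOS 7 gateway between an office LAN and an industrial LAN,
# no NAT. Interface names, zone names, subnets and ALLOWED_PORT are assumptions.
OFFICE_IF="${OFFICE_IF:-eth0}"                 # assumed office-facing NIC
PLANT_IF="${PLANT_IF:-eth1}"                   # assumed industrial-facing NIC
OFFICE_NET="${OFFICE_NET:-192.168.10.0/24}"    # assumed office subnet
PLANT_NET="${PLANT_NET:-192.168.20.0/24}"      # assumed industrial subnet
ALLOWED_PORT="${ALLOWED_PORT:-22}"             # assumed: only this TCP port office -> plant

# Execute the command only when FW_APPLY=1; otherwise print it (dry run).
run() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Rich rule that logs at a chosen syslog level before dropping, rate-limited.
# Valid levels: emerg alert crit error warning notice info debug.
rich_log_drop_rule() {
    src="$1"; level="$2"; prefix="$3"
    printf 'rule family="ipv4" source address="%s" log prefix="%s" level="%s" limit value="5/m" drop' \
        "$src" "$prefix" "$level"
}

# Direct-rule arguments for the FORWARD chain. firewalld puts direct rules in
# FORWARD_direct, which the iptables backend consults before the zone chains.
forward_allow_args() {
    in_if="$1"; out_if="$2"; port="$3"
    printf 'ipv4 filter FORWARD 0 -i %s -o %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT' \
        "$in_if" "$out_if" "$port"
}

# Final LOG rule for the FORWARD chain with an explicit level (the thread's
# question: info instead of the default warning). Priority 10 keeps it after
# the ACCEPT rules; the prefix has no spaces so it survives word splitting.
forward_log_drop_args() {
    printf 'ipv4 filter FORWARD 10 -j LOG --log-prefix FWD-DROP: --log-level %s' "$1"
}

apply_rules() {
    # The kernel must forward; firewalld only enables this for masquerading.
    run sysctl -w net.ipv4.ip_forward=1

    # One zone per interface so the two LANs are kept apart at zone level.
    run firewall-cmd --permanent --new-zone=office
    run firewall-cmd --permanent --new-zone=plant
    run firewall-cmd --permanent --zone=office --change-interface="$OFFICE_IF"
    run firewall-cmd --permanent --zone=plant --change-interface="$PLANT_IF"

    # Reply traffic in both directions, then the single permitted new flow.
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # shellcheck disable=SC2046  (intentional word splitting of the argument list)
    run firewall-cmd --permanent --direct --add-rule $(forward_allow_args "$OFFICE_IF" "$PLANT_IF" "$ALLOWED_PORT")

    # Everything else crossing the gateway: log at info, then drop.
    run firewall-cmd --permanent --direct --add-rule $(forward_log_drop_args info)
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 11 -j DROP

    # Zone-level rich rule showing the same level control (here: traffic from
    # the plant subnet handled by the plant zone, logged at info and dropped).
    run firewall-cmd --permanent --zone=plant \
        --add-rich-rule="$(rich_log_drop_rule "$PLANT_NET" info 'plant-drop: ')"

    run firewall-cmd --reload
}

apply_rules
```

Verify the result with `firewall-cmd --direct --get-all-rules` and `firewall-cmd --zone=plant --list-rich-rules`; the kernel log entries carry the FWD-DROP: prefix at the requested level, which is what a syslog filter keys on. The rich rule answers the log-level question for zone-level filtering, while the FORWARD decision itself still has to be expressed as direct rules on this firewalld version, as the reply in the thread says.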