this is probably a silly question, but I haven't been able to find a very good comparison outlining the advantages of firewalld over iptables -- what are they?
Patrick, why must I root login to block all ports in Panic Mode, which should be done as fast as possible, don't you think? The microsecond a hack attempt occurs on any port? Why take valuable seconds to root login, since I have already logged in on the desktop? It must be me? I must then be root to block ports in Panic mode; that's overkill, don't you think? And too fricken slow. Panic mode should be automatically tripped by any port connection attempt on port 80 when a connection already exists. I have issues with neighbors using my wi-fi via hacking the WEP security key, which is a useless, easily cracked security device. They are cloning the router profiles, and the IP has no idea they're spoofing the router profile from a different device/computer/handheld. Since the software an IP uses to identify its customers does not do a registration on the local machine hardware, which Microsoft does when you install their OS (they always have done a registration, and it registers the Chipset ID # numbers, and the BIOS # Number, and the OS # Number, and the Browser # Number, the GUI, the Global Unique Identification number of your browser, as it's known, and the CPU ID # Number, etc.), and then it should do a Captcha code, simply to get the keyboard's processor number, after it has my (Keyboard Chipset # number).
Then we would know with absolute certainty this connection is the proper customer's local machine, and not a cracker/hacker stealing my internet service, all of which could be done using the registration that Microsoft and Linux already gather at install, and could not be spoofed, because it would do a real-time check against the existing registration every time we connect, and the registration file would not be on our local machine to get hacked/cracked. Please think hard about this wi-fi security issue; drug dealers are the main offenders here, they hide behind our IPs, using our cracked WEP keys, and the firewalld app could include my suggestion, and you could make yourself a hell of a lot of money once you wrote this program and got it working good. Then you should include me in the royalties. Thank you, Randy Fitzgerald.
On Wed, Aug 19, 2015 at 8:54 AM, Patrick Hinkley < patrickrhinkley@outlook.com> wrote:
this is probably a silly question, but I haven't been able to find a very good comparison outlining the advantages of firewalld over iptables -- what are they?
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
On Wed, Aug 19, 2015 at 11:54:54AM -0400, Patrick Hinkley wrote:
this is probably a silly question, but I haven't been able to find a very good comparison outlining the advantages of firewalld over iptables -- what are they?
There are two big ones:
- higher-level API programs can use
- keeping track of state
The classic example for the last one is that with firewalld, you can restart iptables without breaking all of your virtual machines.
Date: Wed, 19 Aug 2015 19:07:11 -0400 From: mattdm@fedoraproject.org To: firewalld-users@lists.fedorahosted.org Subject: Re: what are the advantages of firewalld over iptables?
Do I understand correctly that the state issue (failure to maintain established connections) is only relevant when restarting iptables (service iptables restart), not when e.g. adding/deleting a rule (iptables -A / iptables -D) or restoring (iptables-restore < /etc/sysconfig/iptables)?
-- Matthew Miller mattdm@fedoraproject.org Fedora Project Leader
I believe I've found an explanation regarding the VM issue you mention: http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your-kv...
If I understand correctly, the issue is that temporary rules inserted into iptables by other applications are lost when any of the following are called: service iptables stop; service iptables start; service iptables restart; iptables-restore < /etc/sysconfig/iptables;
This issue would not apply when inserting your own temporary rules by such as: iptables -A
The issue would also not apply when making your temporary rules permanent via: service iptables save
Is my understanding correct?
From: patrickrhinkley@outlook.com To: firewalld-users@lists.fedorahosted.org Subject: RE: what are the advantages of firewalld over iptables? Date: Thu, 20 Aug 2015 22:19:12 -0400
On 08/21/2015 11:50 AM, Patrick Hinkley wrote:
I believe I've found an explanation regarding the VM issue you mention: http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your-kv...
If I understand correctly, the issue is that temporary rules inserted into iptables by other applications are lost when any of the following are called:
It's more than that. New rules inserted with iptables -I will override the rules added by libvirt, often causing traffic to miss libvirt's rules.
service iptables stop; service iptables start; service iptables restart; iptables-restore < /etc/sysconfig/iptables;
This issue would not apply when inserting your own temporary rules by such as: iptables -A
The issue would also not apply when making your temporary rules permanent via: service iptables save
"service iptables save" has its own problems. For starters, it will save *everything* that is currently in the in-memory rules, not just "what was previously saved + the rules you want saved". This could mean that some of the previous rules would be removed from the configuration (if something had for some reason temporarily removed them) or it could mean some extra rules that were intended to only be there temporarily would be permanently added (for example, if a libvirt virtual network is taken down, libvirt removes the iptables rules that it had previously added, but if you have saved those rules as you suggest above, then the next time your iptables service is restarted, all of those rules would be re-added, even though they are no longer applicable).
What it all comes down to is that without firewalld, there is no central controlling authority, so everybody steps all over everybody else. If all applications that need to modify the iptables rules go through firewalld, it is in a good position to assure that the various applications don't interfere with each others' rules.
(BTW, libvirt looks for the firewalld service, and always uses it if it is active).
Thank you both for your very informative replies. I just wish there was a clear outline of these issues somewhere to make it easier to understand what differentiates firewalld from iptables....
In my case, since I control the firewalls on my computers and servers directly, without interference from other applications, there is not currently a compelling reason I can see to make the switch from iptables to firewalld. I'd make the switch for the sake of "future-proofing", but for firewalld's inability to control outbound connections.
Subject: Re: what are the advantages of firewalld over iptables? To: firewalld-users@lists.fedorahosted.org From: laine@redhat.com Date: Fri, 21 Aug 2015 14:57:26 -0700
On 08/21/2015 08:50 PM, Patrick Hinkley wrote:
I believe I've found an explanation regarding the VM issue you mention: http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your-kv...
If I understand correctly, the issue is that temporary rules inserted into iptables by other applications are lost when any of the following are called: service iptables stop; service iptables start; service iptables restart; iptables-restore < /etc/sysconfig/iptables;
This issue would not apply when inserting your own temporary rules by such as: iptables -A
Yes, that is correct.
The issue would also not apply when making your temporary rules permanent via: service iptables save
Is my understanding correct?
With service iptables save you are also saving rules of the other services, which could collide with new rules if the configuration of the service changed and other rules need to be added instead.
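The check Laine and Thomas describe, as an added example that is not from the thread or from the firewalld project: before running "service iptables save", audit the in-memory ruleset for rules that belong to another service and would be persisted as stale rules. The dump below is a constructed iptables-save snapshot modelled on what libvirt adds for its default NAT network; the bridge name virbr0 and the subnet 192.168.122.0/24 are assumptions.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not captured from a real host):
# a few rules of our own plus the transient ones libvirt adds for its
# default NAT network. libvirt removes its rules when the network goes down,
# so they must not be written into /etc/sysconfig/iptables.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
'

# List every rule that references the libvirt bridge or its subnet,
# prefixed with the table it lives in (filter or nat).
find_libvirt_rules() {
    printf '%s' "$SAMPLE_DUMP" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A / && (index($0, "virbr") || index($0, "192.168.122.0/24")) {
            print table ": " $0
        }'
}

# Number of foreign rules; a wrapper around "service iptables save" can
# refuse to run while this is non-zero.
count_libvirt_rules() {
    find_libvirt_rules | wc -l | tr -d ' '
}

# The same dump with libvirt's rules stripped: the part that is really ours
# and the only part worth persisting.
own_rules_only() {
    printf '%s' "$SAMPLE_DUMP" | awk '
        /^-A / && (index($0, "virbr") || index($0, "192.168.122.0/24")) { next }
        { print }'
}
```

On a real host replace SAMPLE_DUMP with the output of iptables-save; the same pattern applies to any other service that injects rules, with its own interface or subnet substituted.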