I see rules in my "iptables -S" dump like
-A IN_work_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
But how do I create one? I cannot find any documentation on "state" or "ctstate" setting.
Thanks.
Dan White | d_e_white@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Waterson: Calvin & Hobbes)
Dan, firewalld uses netfilter (iptables/ip6tables) as its working part and is more of a front end. iptables and firewalld are actually running the same loaded file at runtime. So the descriptions for the formats can be found in man files for iptables/ip6tables. I had to install the iptables package to see my rules. From the man iptables-extensions page I found this:
conntrack This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.
[!] --ctstate statelist statelist is a comma separated list of the connection states to match. Possible states are listed below.
[!] --ctproto l4proto Layer-4 protocol to match (by number or name)
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask] Match against original/reply source/destination address
[!] --ctorigsrcport port[:port]
[!] --ctorigdstport port[:port]
[!] --ctreplsrcport port[:port]
[!] --ctrepldstport port[:port] Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. Matching against port ranges is only supported in kernel versions above 2.6.38.
[!] --ctstatus statelist statuslist is a comma separated list of the connection statuses to match. Possible statuses are listed below.
[!] --ctexpire time[:time] Match remaining lifetime in seconds against given value or range of values (inclusive)
--ctdir {ORIGINAL|REPLY} Match packets that are flowing in the specified direction. If this flag is not specified at all, matches packets in both directions.
States for --ctstate:
INVALID The packet is associated with no known connection.
NEW The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions.
ESTABLISHED The packet is associated with a connection which has seen packets in both directions.
RELATED The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
UNTRACKED The packet is not tracked at all, which happens if you explicitly untrack it by using -j CT --notrack in the raw table.
SNAT A virtual state, matching if the original source address differs from the reply destination.
DNAT A virtual state, matching if the original destination differs from the reply source.
Statuses for --ctstatus:
Amicalement, Dave
--
Maple Park Development
Linux Systems Integration
http://www.maplepark.com/
If IP addresses weighed one gram each: IPv4 = half the Empire State Building vs. IPv6 = 56 billion earths
I use Linux and I wouldn't touch Outlook even if I were using a Hazmat suit and an isolation lab kit.
On Tue, Sep 27, 2016 at 7:41 AM, Dan White d_e_white@icloud.com wrote:
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Thanks.
Nicely concealed features, Firewall Guys :P
So, to attempt the last step, I would use a rich-language rule with the info from "man iptables-extensions" to get what I want.
How's that sound?
Dan White | d_e_white@icloud.com
On Sep 27, 2016, at 10:34 AM, David Forrest mapleparkdevelopment@gmail.com wrote:
Dan; I use firewalld exclusively now but had been using iptables/iptables for years and find that it is quite easy to see a solution to my problems "If I could only insert a rule into a specific chain". My old startup setup script was several pages long with many defined variables and, if the wind was with me, generated what I wanted. But it was touchy to reconfiguration and I just abandoned it for the predefined structure of firewalld. Now the config is in xml and entirely maintained by firewalld.
I have considered just inserting a necessary rule in the runtime table but I am concerned that doing so would mess up firewalld's config. Since it would not alter the permanent xml I assume a reload would clean it out but have been cautious about trying. Haven't needed to (yet) anyway.
Amicalement, Dave
On Tue, Sep 27, 2016 at 9:47 AM, Dan White d_e_white@icloud.com wrote:
David: I am not sure how your response relates to my question.
Dan White | d_e_white@icloud.com
On Sep 27, 2016, at 03:20 PM, David Forrest mapleparkdevelopment@gmail.com wrote:
Dan; OK, you had asked for an old style iptables rule insertion into firewalld. I didn't see an entry in the rich rules docs to enter the -m conntrack --ctstate and just suggested you try to use a direct insertion of the rule you want as you would have under iptables. IMHO this would affect the runtime only and not affect the permanent config of firewalld.
The rule you quoted was in the IN_work_allow chain and you might try listing out those rules by running as root
iptables -t filter -nvL IN_work_allow --line-numbers
to list the IN_work_allow chain only (iptables -nvL --line-numbers to list the entire filter table). The ESTABLISHED or RELATED entries are in the INPUT chain and probably as you would like them:
iptables -t filter -nvL INPUT --line-numbers
AND I do know that listing them only does not affect firewalld. IMHO adding, changing, or deleting them using the iptables binary MAY but likely won't affect the permanent configuration.
NOTE: if you are at all uncomfortable with trying this, don't. Read the man pages on firewalld and the related command line firewall-cmd along with their relations. All of the iptables (and ip6tables) structure is built into them. And wait for someone else to answer your original question (and conk me on the head for confusing with the iptables discussion).
Amicalement, Dave
On Tue, Sep 27, 2016 at 2:37 PM, Dan White d_e_white@icloud.com wrote:
I think I muddled it out.
I used the "direct" option.
I tried
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
and
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 99 -p tcp -m tcp --dport 888 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
and both were accepted.
Here's the end of "iptables -S":
-A OUTPUT_direct -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT_direct -p tcp -m tcp --dport 888 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
What do you all think?
Dan White | d_e_white@icloud.com
On Sep 28, 2016, at 12:04 AM, David Forrest mapleparkdevelopment@gmail.com wrote:
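As an added example (not code from the thread, and not firewalld's own tooling), this POSIX shell script builds the argument list for the firewall-cmd --direct rule the thread settles on and then audits "iptables -S" output the way a reviewer would answer Dan's "what do you all think": it reads each rule's --ctstate / --state list from the conntrack states Dave pasted and flags any ACCEPT that admits NEW connections with no port restriction. The sample rule lines are constructed from the ones quoted in the thread plus one deliberately broad rule; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld itself.
# Builds the 'firewall-cmd --direct --add-rule' arguments for a conntrack
# rule and audits 'iptables -S' lines for ACCEPT rules that admit NEW
# connections without a port restriction.  Function and variable names
# are assumptions; the firewall-cmd and iptables flags used are the ones
# quoted in the thread or documented in their man pages.

# Constructed sample of 'iptables -S' lines: the two OUTPUT_direct rules
# and the IN_work_allow rule quoted in the thread, plus one deliberately
# broad rule (no conntrack match, no port) to exercise the audit.
SAMPLE_RULES='-A OUTPUT_direct -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT_direct -p tcp -m tcp --dport 888 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A IN_work_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT_direct -j ACCEPT'

# direct_rule_args CHAIN PRIORITY DPORT STATES
# Prints the arguments 'firewall-cmd --direct --add-rule' expects:
#   ipv4 filter CHAIN PRIORITY <plain iptables match and target args>
# firewalld installs the rule in CHAIN_direct (OUTPUT -> OUTPUT_direct),
# which is why the thread's 'iptables -S' shows "-A OUTPUT_direct".
direct_rule_args() {
    printf 'ipv4 filter %s %s -p tcp -m tcp --dport %s -m conntrack --ctstate %s -j ACCEPT\n' \
        "$1" "$2" "$3" "$4"
}

# rule_states RULE_LINE
# Prints the rule's --ctstate list (or the legacy --state list, which the
# state match treats as an alias of conntrack --ctstate), or "-" when the
# rule carries no connection-tracking match at all.
rule_states() {
    set -- $1                       # word-split the rule on purpose
    while [ $# -gt 0 ]; do
        case $1 in
            --ctstate|--state) printf '%s\n' "$2"; return 0 ;;
        esac
        shift
    done
    printf '%s\n' -
}

# audit_rule RULE_LINE
# Prints "CHAIN STATES DPORT VERDICT".  VERDICT is "broad" when an ACCEPT
# rule lets NEW connections (or untracked packets) through with no --dport
# restriction.  Rules limited to ESTABLISHED/RELATED, and NEW rules pinned
# to a port (as in the thread's port 888 and port 80 rules), are "ok".
audit_rule() {
    line=$1
    states=$(rule_states "$line")
    set -- $line                    # "-A CHAIN ..." (word-split on purpose)
    chain=$2
    dport=-
    target=-
    while [ $# -gt 0 ]; do
        case $1 in
            --dport) dport=$2 ;;
            -j) target=$2 ;;
        esac
        shift
    done
    verdict=ok
    if [ "$target" = ACCEPT ] && [ "$dport" = - ]; then
        case $states in
            -|*NEW*) verdict=broad ;;
        esac
    fi
    printf '%s %s %s %s\n' "$chain" "$states" "$dport" "$verdict"
}

# audit_rules RULES_TEXT: audit every non-empty line of the given text.
audit_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ -n "$line" ]; then
            audit_rule "$line"
        fi
    done
}

# Usage from a root shell: 'sh audit.sh apply 888' adds the runtime rule,
# mirrors it into the permanent config, and audits what firewalld installed.
# Nothing touches the live firewall unless "apply" is given; without it the
# constructed sample above is audited instead.
if [ "${1:-}" = apply ]; then
    args=$(direct_rule_args OUTPUT 99 "${2:-888}" NEW,ESTABLISHED,RELATED)
    firewall-cmd --direct --add-rule $args               # runtime only
    firewall-cmd --permanent --direct --add-rule $args   # survives --reload
    firewall-cmd --direct --get-all-rules
    audit_rules "$(iptables -S OUTPUT_direct)"
else
    audit_rules "$SAMPLE_RULES"
fi
```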