For adding a custom iptables rule using firewall-cmd, I'm having a difficult time understanding the difference between these:
--direct --add-rule
--direct --passthrough
--direct --add-passthrough
The manual explanation sounds the same for all three. There must be a reason to have each one; they have to be different. Can you help me know which I am to use?
Hello,
On Fri, Apr 13, 2018 at 06:44:15PM +0000, alen.alen@powdermail.com wrote:
> For adding a custom iptables rule using firewall-cmd, I'm having a difficult time understanding the difference between these:
firewalld has three levels of custom rules. They offer different levels of control. In descending order (high level --> low level):
1) rich rules - abstraction over iptables. This small language is defined by firewalld and is guaranteed to work across firewalld releases and iptables versions.
2) direct rules - passes rules directly to iptables. firewalld makes no attempt to verify the arguments that are sent to iptables. - usually used to insert rules into the pre-created <zone>_direct chains.
3) direct passthrough rules - similar to #2 above, but allows you to insert into _any_ chain. Even the top-level chains of iptables. - used as a last resort
--direct --add-rule
As described in #2 above.
--direct --passthrough
Allows passing a command to iptables, but it will be untracked. This means once the command has executed firewalld has no further knowledge about its execution. It does not keep runtime state that may have occurred and it does not cause any configuration changes.
This is almost certainly not what you want. I'm not even sure why it exists.
--direct --add-passthrough
As described in #3 above.
> The manual explanation sounds the same for all three. There must be a reason to have each one, they have to be different, can you help me know which I am to use?
If you can use rich rules, then definitely use them over the others. They're portable even if the firewall backend changes (i.e. when we switch to nftables).
Hope that helps. Eric.
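As an added illustration of the three levels Eric lists (this is not code from the thread or from the firewalld project), the following POSIX shell wrappers call the real firewall-cmd forms in that order of preference and refuse to put a --direct --add-rule into anything but a *_direct chain, since any other chain is passthrough territory. The FIREWALL_CMD variable, the helper names and the 192.0.2.0/24 management subnet are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the list thread. FIREWALL_CMD can be overridden
# (e.g. FIREWALL_CMD=echo) to dry-run the argument vectors without root.
: "${FIREWALL_CMD:=firewall-cmd}"

# 1) Rich rule: firewalld's own rule language, portable across backends
#    (iptables today, nftables later). Preferred whenever it can express the rule.
add_rich_rule() {
    zone=$1; rule=$2
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-rich-rule="$rule"
}

# Does the chain name look like one of firewalld's pre-created *_direct chains
# (the intended target of direct rules)? 0 = yes, 1 = no.
is_direct_chain() {
    case $1 in
        *_direct) return 0 ;;
        *)        return 1 ;;
    esac
}

# 2) Direct rule: arguments go to iptables unchecked, but firewalld tracks the
#    rule. Refuse top-level chains such as INPUT; those need passthrough.
add_direct_rule() {
    family=$1; table=$2; chain=$3; priority=$4; shift 4
    if ! is_direct_chain "$chain"; then
        echo "refusing --add-rule in chain $chain: use --add-passthrough" >&2
        return 2
    fi
    "$FIREWALL_CMD" --permanent --direct --add-rule \
        "$family" "$table" "$chain" "$priority" "$@"
}

# 3) Direct passthrough: any chain, last resort. Unlike --direct --passthrough
#    this form is still tracked by firewalld and survives a reload.
add_passthrough_rule() {
    family=$1; shift
    "$FIREWALL_CMD" --permanent --direct --add-passthrough "$family" "$@"
}

# Example usage (constructed management subnet), in order of preference:
# add_rich_rule public 'rule family=ipv4 source address=192.0.2.0/24 service name=ssh accept'
# add_direct_rule ipv4 filter INPUT_direct 0 -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
# add_passthrough_rule ipv4 -I INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
```

After any of these, `firewall-cmd --reload` applies the permanent configuration to the runtime firewall.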
Quoting Eric Garver egarver@redhat.com:
> Hello,
> On Fri, Apr 13, 2018 at 06:44:15PM +0000, alen.alen@powdermail.com wrote:
> > For adding a custom iptables rule using firewall-cmd, I'm having a difficult time understanding the difference between these:
> firewalld has three levels of custom rules. They offer different levels of control. In descending order (high level --> low level):
> 1) rich rules - abstraction over iptables. This small language is defined by firewalld and is guaranteed to work across firewalld releases and iptables versions.
> 2) direct rules - passes rules directly to iptables. firewalld makes no attempt to verify the arguments that are sent to iptables. - usually used to insert rules into the pre-created <zone>_direct chains.
> 3) direct passthrough rules - similar to #2 above, but allows you to insert into _any_ chain. Even the top-level chains of iptables. - used as a last resort
> --direct --add-rule
> As described in #2 above.
> --direct --passthrough
> Allows passing a command to iptables, but it will be untracked. This means once the command has executed firewalld has no further knowledge about its execution. It does not keep runtime state that may have occurred and it does not cause any configuration changes.
> This is almost certainly not what you want. I'm not even sure why it exists.
> --direct --add-passthrough
> As described in #3 above.
> > The manual explanation sounds the same for all three. There must be a reason to have each one, they have to be different, can you help me know which I am to use?
> If you can use rich rules, then definitely use them over the others. They're portable even if the firewall backend changes (i.e. when we switch to nftables).
> Hope that helps.
Yes it does very much!!
firewalld-users@lists.fedorahosted.org