From Francis.Montagnac at inria.fr Sat Jul 20 16:25:20 2019 Content-Type: multipart/mixed; boundary="===============8465754895204231260==" MIME-Version: 1.0 From: Francis.Montagnac at inria.fr To: users at lists.fedoraproject.org Subject: Re: Iptables->Firewalld Upgrade: Really Necessary? Date: Sat, 20 Jul 2019 18:24:46 +0200 Message-ID: <19752.1563639886@kermit.inria.fr> In-Reply-To: eec1c1d6-e7c5-1b55-2477-1bcd7c5e2464@tkevans.com --===============8465754895204231260== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Hi On Fri, 19 Jul 2019 18:20:35 -0400 Tim Evans wrote: > I really, really need to figure out how to port my iptables ruleset to = > work with firewalld. = You may try first to port your iptables by using the "Direct Options" that provides firewall-cmd. I plan to use it for a while ... Example (you may need to add the --permanent option) that seems to work: ## I forgot the priority here: firewall-cmd --direct --add-rule ipv4 filter OUTPUT -p tcp -m state --state= NEW -m tcp -d 127.0.0.1/32 -m owner --uid-owner 0 -j ACCEPT usage: --direct --add-rule { ipv4 | ipv6 | eb } = ## Correct all: firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m state --sta= te NEW -m tcp -d 127.0.0.1/32 -m owner --uid-owner 0 -j ACCEPT success ## Check firewall-cmd --direct --get-all-rules ipv4 filter OUTPUT 0 -p tcp -m state --state NEW -m tcp -d 127.0.0.1/32 -m = owner --uid-owner 0 -j ACCEPT ## The rule is added to OUTPUT_direct iptables -v -L OUTPUT_direct Chain OUTPUT_direct (1 references) pkts bytes target prot opt in out source destina= tion = 0 0 ACCEPT tcp -- any any anywhere localho= st state NEW tcp owner UID match root -- = francis --===============8465754895204231260==--