If we are expected to switch to firewalld we need to understand in detail how it works. So far I see a GUI and empty XML files with little information about how to do anything other than run firewall-cmd to add or delete specific rules.
This really needs documentation so we can understand how it works and maybe compare situations with iptables that we are to migrate from so that we all do not have to figure this out from scratch. I'm not really complaining, just think we need more information so we can move forward and hopefully not make mistakes. Thanks for the help.
On 01/20/2013 10:34 PM, David Highley wrote:
If we are expected to switch to firewalld we need to understand in detail how it works. So far I see a GUI and empty XML files with little information about how to do anything other than run firewall-cmd to add or delete specific rules.
This really needs documentation so we can understand how it works and maybe compare situations with iptables that we are to migrate from so that we all do not have to figure this out from scratch. I'm not really complaining, just think we need more information so we can move forward and hopefully not make mistakes. Thanks for the help.
I just looked at this a few minutes ago. The docs (such as they are) are in the fedoraproject Wiki. https://fedoraproject.org/wiki/FirewallD/
HTH
G.Wolfe Woodbury wrote:
I just looked at this a few minutes ago. The docs (such as they are) are in the fedoraproject Wiki. https://fedoraproject.org/wiki/FirewallD/
Yes, I read that information.
HTH
G.Wolfe Woodbury redwolfe@gmail.com
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On 01/21/2013 01:00 PM, David Highley wrote:
https://fedoraproject.org/wiki/FirewallD/
Yes, I read that information.
I wish there was more info than that. It appears that I'll have to throw away everything I know about iptables. Is there any tool to convert current iptables rules into firewall-cmd equivalents?
-- Jorge
On Mon, 2013-01-21 at 19:45 -0400, Jorge Fábregas wrote:
I wish there was more info than that. It appears that I'll have to throw away everything I know about iptables. Is there any tool to convert current iptables rules into firewall-cmd equivalents?
-- Jorge
From https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/#Direct_options
The arguments <args> of the passthrough option are the same as the corresponding iptables, ip6tables and ebtables arguments.
poc
On 01/21/2013 03:45 PM, Jorge Fábregas wrote:
I wish there was more info than that. It appears that I'll have to throw away everything I know about iptables. Is there any tool to convert current iptables rules into firewall-cmd equivalents?
-- Jorge
Wait, so firewalld completely replaced iptables? I thought it was meant to just augment it... Does that mean that any old config in /etc/sysconfig/iptables is no longer used?
On Mon, 21 Jan 2013 19:45:25 -0400 Jorge Fábregas wrote:
I wish there was more info than that. It appears that I'll have to throw away everything I know about iptables.
Not necessarily, you could do what I did:
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
and Bob's yer Uncle!
On Mon, 21 Jan 2013 17:13:03 -0800 Konstantin Svist wrote:
Does that mean that any old config in /etc/sysconfig/iptables is no longer used?
They could have made firewalld load any existing iptables sysconfig files at startup, but that's what they'd expect you to do! (Works best if you imagine Lloyd Bridges saying it :-).
Patrick O'Callaghan <pocallaghan <at> gmail.com> writes:
Lots of SNIPPING
From https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/#Direct_options
The arguments <args> of the passthrough option are the same as the corresponding iptables, ip6tables and ebtables arguments.
poc
So, could I just write a shell script that reads my /etc/sysconfig/iptables file and does a passthrough call for each rule? And then go through the dainbramage to get systemctl to execute rc.local to get it executed at startup?
I'm not so much worried about normal rules like opening a specific port as custom rules like filtering malformed packets, disallowing multiple connect attempts from the same IP address, etc.
Somehow I don't see the GUI as letting me craft rules like:
# The next two rules prevent non-standard TCP packets from evading the firewall.
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "packet with FIN+SYN rec'd: "
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
Cheers, Dave
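The script Dave describes above, as an added example that is not from the thread or from the firewalld project: it reads rules in iptables-save format (the format of /etc/sysconfig/iptables) and prints one firewall-cmd --direct --passthrough call per rule, using the passthrough syntax quoted from the wiki. It assumes firewalld's direct interface syntax for user-defined chains (--direct --add-chain <family> <table> <chain>), and the sample rules, including the nat-table MASQUERADE line that touches on the masquerading question raised later in the thread, are constructed for the demo.

```shell
#!/bin/sh
# Convert iptables-save format rules (as in /etc/sysconfig/iptables) into
# firewall-cmd direct passthrough calls. Commands are printed, not executed,
# so they can be reviewed before being run from a startup script.

# Constructed sample; not a real /etc/sysconfig/iptables file.
sample_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:BADFLAGS - [0:0]
# The next rules prevent non-standard TCP packets from evading the firewall.
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADFLAGS
-A BADFLAGS -j LOG --log-prefix "packet with FIN+SYN rec'd: "
-A BADFLAGS -j DROP
COMMIT
EOF
}

# Usage: iptables_to_passthrough [ipv4|ipv6] < rules-file
iptables_to_passthrough() {
    family="${1:-ipv4}"       # use ipv6 for an /etc/sysconfig/ip6tables file
    table=filter              # iptables-save defaults to the filter table
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|COMMIT) ;;                      # blank, comment, end of table
            '*'*) table="${line#\*}" ;;             # table header, e.g. *nat
            ':'*)                                   # chain line: policy or user chain
                chain="${line#:}"; chain="${chain%% *}"
                case "$line" in
                    *' - '*)                        # user chain must exist before rules use it
                        printf 'firewall-cmd --direct --add-chain %s %s %s\n' \
                            "$family" "$table" "$chain" ;;
                esac ;;
            '-A '*|'-I '*)                          # rule: pass iptables args through unchanged
                printf 'firewall-cmd --direct --passthrough %s -t %s %s\n' \
                    "$family" "$table" "$line" ;;
            *) printf 'skipping unrecognised line: %s\n' "$line" >&2 ;;
        esac
    done
}

# Stand-alone demo: print the generated commands for the constructed sample.
sample_rules | iptables_to_passthrough ipv4
```

Direct passthrough rules added this way live in the runtime configuration only, so the generated commands need to be re-run after a reload or reboot, which is why Dave's rc.local question matters.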
On Sun, 2013-01-20 at 23:59 -0500, G.Wolfe Woodbury wrote:
I just looked at this a few minutes ago. The docs (such as they are) are in the fedoraproject Wiki. https://fedoraproject.org/wiki/FirewallD/
HTH
G.Wolfe Woodbury redwolfe@gmail.com
The wiki is good for the most part, but critically, documentation regarding masquerading is absent. Given that "NAT" is never "straightforward", this should have some detailed documentation added. Otherwise, I think it's quite complete on that wiki, and the man page.
On 25.01.2013 14:46, William Brown wrote:
The wiki is good for the most part, but critically, documentation regarding masquerading is absent. Given that "NAT" is never "straightforward", this should have some detailed documentation added. Otherwise, I think it's quite complete on that wiki, and the man page.
I'm not sure that firewalld is the right tool to do NAT. It's something more like a personal/desktop packet filter configuration tool right now. Maybe in the next 2 or 5 years it will evolve, but looking at NetworkManager's history and its support for more advanced features like bridging gives no such optimistic thoughts. Firewalld is an awesome tool for opening/closing ports when at home, in the office or at the airport (or in a grocery store). Other fancy features like NAT are better done by hand with the iptables command. BTW, why do you need NAT on something other than a router? Fedora is not the best router distro one can find.
Mateusz Marzantowicz
On Fri, 2013-01-25 at 16:10 +0100, Mateusz Marzantowicz wrote:
I'm not sure that firewalld is the right tool to do NAT. It's something more like a personal/desktop packet filter configuration tool right now. Maybe in the next 2 or 5 years it will evolve, but looking at NetworkManager's history and its support for more advanced features like bridging gives no such optimistic thoughts. Firewalld is an awesome tool for opening/closing ports when at home, in the office or at the airport (or in a grocery store). Other fancy features like NAT are better done by hand with the iptables command. BTW, why do you need NAT on something other than a router? Fedora is not the best router distro one can find.
Firewalld offers it as a tool, so I would like to investigate to determine if it is the best solution to the job. It would be good to have a comparison against raw iptables or pf for example.
Also, there is nothing wrong with Fedora as a router. It's a little bit of work to set up, but works well. It means that I can have OS consistency inside my household. (aka, yes, I do have a Fedora router.)
On 01/20/2013 07:34 PM, David Highley wrote:
If we are expected to switch to firewalld we need to understand in detail how it works. So far I see a GUI and empty XML files with little information about how to do anything other than run firewall-cmd to add or delete specific rules.
This really needs documentation so we can understand how it works and maybe compare situations with iptables that we are to migrate from so that we all do not have to figure this out from scratch. I'm not really complaining, just think we need more information so we can move forward and hopefully not make mistakes. Thanks for the help.
FWIW, I didn't even see a GUI until I manually installed firewall-config and firewall-applet -- apparently they're not included as part of the upgrade...