firewalld / iptables.service past F17

Jon Ciesla limburgher at gmail.com
Tue Apr 24 14:30:55 UTC 2012


On Mon, Apr 23, 2012 at 7:32 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
> Am 24.04.2012 02:08, schrieb Oron Peled:
>> Looks like this transition (as is currently planned) is going to
>> break many setups. I want to show the three following use-cases
>> which may be severely broken by this transition.
>
> exactly this is the problem
>
> i have attached my ip-tables script making at home a software-router
> with forwarding of two different networks from my LAN via openvpn
> and a static route
>
> i only stripped the config-block and comments
>
> but as you can see there are many useful decisions
> by $HOSTNAME and this is only one of my scripts for
> two machines
> ______________-
>
> another one is built the same way and serves 20 machines
> while partly rules are for all machines, others depending as
> in my example on the hostname and there are a lot of really
> useful and well thought specific drop/forward/reject rules
> based on hostname and source/destination networks
>
> this script has about 50 KB and a handful of bash-includes
>
> well, one may say "unmaintainable" - but it is, it
> has a good documentation and structure and we are using
> it as reference for each "iptables.sh" needed where ever
>
> it is practically impossible to convert this stuff because
> nobody did write it down in one day, it is grown and maintained
> over years with the whole infrastructure - yes you MAYBE CAN
> try to re-implement all these rules in firewalld
>
> but would you do this really in a production environment
> in a security layer and how do you test from scratch?
>
> please do not come now "why fedora in production"
> because it just works if things are not carelessly removed
> from the distribution - so please do not take away power
> features which do not really hurt to maintain
>
> firewalld is at least another interface for netfilter
> why would anybody take away perfectly working ones?

Nothing is being taken away, the default is being changed.  If you're
using Fedora in production, I presume you're installing with
Kickstart.  You can set up anything you like in Kickstart, including
not using firewalld if you so desire.

-J

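The Kickstart approach Jon describes, as an added example that is not from anyone in this thread: it disables firewalld, enables iptables.service in its place, and writes /etc/sysconfig/iptables (the file iptables.service restores at boot) with one hostname-dependent decision of the kind the quoted script makes. The rules, the 192.0.2.0/24 management network, the tun0/eth0 interface names and the reliance on `network --hostname` having set the hostname before %post are all assumptions.

```kickstart
# Added example (not from the thread): keep a hand-maintained netfilter ruleset
# instead of firewalld. Package name "iptables" assumed to ship iptables.service.
firewall --disabled
services --disabled=firewalld --enabled=iptables,ip6tables

%packages
iptables
-firewalld
%end

%post --log=/root/ks-post-firewall.log
# iptables.service runs iptables-restore on /etc/sysconfig/iptables at boot,
# so generate that file here. Constructed rules: default-deny INPUT/FORWARD,
# loopback and established traffic allowed, SSH only from a management net.
HOST=$(hostname)
{
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
EOF
# Hostname-specific forwarding, mirroring the $HOSTNAME decisions in the
# quoted script: only hosts named router* forward between VPN and LAN.
case "$HOST" in
  router*)
    cat <<'EOF'
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    ;;
esac
echo COMMIT
} > /etc/sysconfig/iptables

# Check the file parses; an unparsable or empty ruleset means the host comes
# up with no packet filtering at all once firewalld is gone.
iptables-restore --test < /etc/sysconfig/iptables \
  || echo "WARNING: /etc/sysconfig/iptables failed to parse" >&2
%end
```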



-- 
http://cecinestpasunefromage.wordpress.com/
------------------------------------------------
in your fear, seek only peace
in your fear, seek only love

-d. bowie

