raising warning flag on firewalld-default feature

Reindl Harald h.reindl at thelounge.net
Fri Nov 9 18:45:10 UTC 2012



On 09.11.2012 17:45, Thomas Woerner wrote:
> On 11/09/2012 05:24 PM, Eric H. Christensen wrote:
> Please have a look at the feature list for F-18.
> 
> firewalld replaces system-config-firewall/lokkit, and the iptables and ip6tables services, not the iptables package
> and command.
> 
> The ip*tables services and also system-config-firewall/lokkit are still available and also usable after
> deactivation of the firewalld service. With the latest request to move the services of iptables and ip6tables in a
> sub package, I will add a requirement to system-config-firewall for this

PLEASE do not "Require: system-config-firewall";
this would pull in useless dependencies.

What we (users) really need is "iptables.service" as it was and a
working "/sbin/iptables-save > /etc/sysconfig/iptables" to load
the "/etc/sysconfig/iptables" that whatever shell script generated,
to satisfy setups that have been working perfectly for many years for

(the same for ip6tables.service)

* firewalls
* NAT
* routing

As an example, I have a large shell script
with the following start:

  # $IPTABLES holds the path of the iptables binary (set earlier in the script)
  $IPTABLES -P INPUT DROP        # default-deny policies first, before flushing
  $IPTABLES -P FORWARD DROP
  $IPTABLES -F                   # flush and delete the chains of the filter table
  $IPTABLES -X
  CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`   # names of all loaded tables
  for i in $CHAINS; do $IPTABLES -t $i -F; done && echo "Flush OK" || echo "Flush FAILED"
  for i in $CHAINS; do $IPTABLES -t $i -X; done && echo "Clear OK" || echo "Clear FAILED"
  for i in $CHAINS; do $IPTABLES -t $i -Z; done   # zero the packet/byte counters

and ending with "/sbin/iptables-save > /etc/sysconfig/iptables";
after that start, any needed rules are added with the iptables command.

This script is distributed to a LOT of machines of any type.

At the beginning it has basic rules for any machine (accept, block, reject),
followed by a lot of

if [ "$HOSTNAME" == "hostname" ]; then
 <specific rules>
fi

This is maintained on a staging server, distributed to every machine
and called with "ssh root@host '/scripts/iptables.sh'".

For other networks / routers / NAT gateways outside the main network
a fork of this thing exists, using knowledge grown over the years, and
it adds specific rules, mostly controlled by a lot of variables at the
beginning.

Calling this script does NOT interrupt connections;
it handles really a lot of specific filters;
it works like a charm.

These setups do not need firewalld at all, nor do
they need any dependency on GUI/TUI tools.
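As an added example (not the poster's script), a minimal skeleton of the flow described above: reset with default-deny policies, rules every machine gets, host-specific rules keyed on the host name, then iptables-save so iptables.service restores the result at boot. ADMIN_NET and the host-name patterns are constructed placeholders, and a case pattern stands in for the per-host if-blocks; setting IPTABLES=echo prints the rules instead of loading them, so a change can be reviewed before it is pushed to many machines.

```shell
#!/bin/sh
# Added example, not the poster's script: a minimal skeleton of the
# reset -> base rules -> per-host rules -> save flow described above.
# ADMIN_NET and the host-name patterns are constructed placeholders.
# Set IPTABLES=echo for a dry run that prints the rules instead of
# loading them, so a change can be reviewed before it is pushed out.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"
SAVEFILE="${SAVEFILE:-/etc/sysconfig/iptables}"
ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"

# Default-deny policies go in *before* the flush: while the chains are
# empty nothing is accepted, and an error in the rules below fails closed.
reset_tables() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    tables=$(cat /proc/net/ip_tables_names 2>/dev/null || :)
    for t in $tables; do
        $IPTABLES -t "$t" -F && $IPTABLES -t "$t" -X && $IPTABLES -t "$t" -Z
    done
}

# Rules every machine gets. The ESTABLISHED,RELATED rule comes first so
# the ssh session that runs this script keeps working across the reload.
base_rules() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPTABLES -A INPUT -p icmp -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
}

# Host-specific rules, keyed on the host name (a case pattern instead of
# one if-block per host); a final REJECT makes refused clients fail fast.
host_rules() {
    case "$1" in
        web*)  $IPTABLES -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT ;;
        mail*) $IPTABLES -A INPUT -p tcp -m multiport --dports 25,587 -j ACCEPT ;;
    esac
    $IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

apply_firewall() { reset_tables && base_rules && host_rules "$1"; }

# Persist the running rule set so iptables.service restores it at boot.
save_rules() { "$IPTABLES_SAVE" > "$SAVEFILE"; }
```

On the target host the script is run as `apply_firewall "$(hostname)" && save_rules`; with `IPTABLES=echo` the same call only prints the rule list for review.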
