raising warning flag on firewalld-default feature

Thomas Woerner twoerner at redhat.com
Mon Nov 12 09:25:53 UTC 2012


On 11/09/2012 07:45 PM, Reindl Harald wrote:
>
>
> Am 09.11.2012 17:45, schrieb Thomas Woerner:
>> On 11/09/2012 05:24 PM, Eric H. Christensen wrote:
>> Please have a look at the feature list for F-18.
>>
>> firewalld replaces system-config-firewall/lokkit, and the iptables and ip6tables services, not the iptables package
>> and command.
>>
>> The ip*tables services and also system-config-firewall/lokkit are still available and also usable after
>> deactivation of the firewalld service. With the latest request to move the services of iptables and ip6tables in a
>> sub package, I will add a requirement to system-config-firewall for this
>
> PLEASE do not "Require: system-config-firewall"
> this would pull useless dependencies
>
What I meant: Add a requirement for iptables-services to 
system-config-firewall-base; this is currently not there.

> what we (users) really need is "iptables.service" as it was and
> working "/sbin/iptables-save > /etc/sysconfig/iptables" to load
> the "/etc/sysconfig/iptables" generated with whatever shell script,
> to satisfy over many years perfectly working setups for
>
> (the same for iptables6.service)
>
> * firewalls
> * NAT
> * routing
>
> as an example I have a large shell script
> with the following start
>
>    $IPTABLES -P INPUT DROP
>    $IPTABLES -P FORWARD DROP
>    $IPTABLES -F
>    $IPTABLES -X
>    CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
>    for i in $CHAINS; do $IPTABLES -t $i -F; done && echo "Flush OK" || echo "Flush FAILED"
>    for i in $CHAINS; do $IPTABLES -t $i -X; done && echo "Clear OK" || echo "Clear FAILED"
>    for i in $CHAINS; do $IPTABLES -t $i -Z; done
>
> and ending with "/sbin/iptables-save > /etc/sysconfig/iptables"
> after that any needed rules are added with the iptables command
>
> this script is distributed to a LOT of machines of any type
>
> at the beginning it has basic rules for any machine (accept, block, reject)
> followed by a lot of
>
> if [ "$HOSTNAME" == "hostname" ]; then
>   <specific rules>
> fi
>
> this is maintained on a staging server, distributed to any machine
> and called with "ssh root at host '/scripts/iptables.sh'"
>
> for other networks / routers / nat-gateways outside the main network
> a fork of this thing exists, using over years grown knowledge and
> adds specific rules, mostly controlled by a lot of variables at the
> beginning
>
> calling this script does NOT interrupt connections
> it really handles a lot of specific filters
> it works like a charm
>
> these setups do not need firewalld at all nor do
> they need any dependency on GUI/TUI tools
>
Yes, full ack.

You will be able to use it after switching off firewalld.service and 
enabling iptables.service and ip6tables.service.

I will add a script for switching from and to dynamic/static mode: 
switch-firewall
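The structure Reindl Harald describes (lock the policies, flush every loaded table, base rules for all machines, host-specific rules keyed on $HOSTNAME, then iptables-save into /etc/sysconfig/iptables so iptables.service restores it on boot) as a complete static-mode script. This is an added example, not code from the thread or from the firewalld/iptables projects; the hostnames (web01.example, gw01.example), the interface name eth0, the management network 192.0.2.0/24 and the FIREWALL_APPLY switch are constructed placeholders. Setting IPTABLES=echo prints the rule set instead of loading it, which is how the script can be reviewed on the staging server before being pushed out over ssh.

```shell
#!/bin/sh
# Added example of a static-mode firewall script in the style discussed
# in the thread. Intended to run after firewalld has been switched off:
#   systemctl disable firewalld.service
#   systemctl enable iptables.service ip6tables.service
# All hostnames, interfaces and networks below are constructed placeholders.
# IPTABLES=echo turns every rule into printed text (dry run, no root needed).

IPTABLES="${IPTABLES:-/sbin/iptables}"
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"
WAN_IF="${WAN_IF:-eth0}"                 # placeholder uplink interface
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"     # placeholder admin network

# Tables currently loaded in the kernel (same source the quoted script uses).
# Falls back to the standard set when /proc is not readable, e.g. in a dry run.
loaded_tables() {
    cat /proc/net/ip_tables_names 2>/dev/null || printf 'filter\nnat\nmangle\nraw\n'
}

# Step 1: default policies first so nothing is accepted while the rule set
# is rebuilt, then flush, delete and zero every chain of every loaded table.
reset_tables() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    for t in $(loaded_tables); do
        $IPTABLES -t "$t" -F
        $IPTABLES -t "$t" -X
        $IPTABLES -t "$t" -Z
    done
}

# Step 2: accept rules every machine gets. The ESTABLISHED,RELATED rule is
# what lets the ssh session that invoked the script survive the reload.
base_rules() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
}

# Step 3: per-host rules, the 'if [ "$HOSTNAME" == "hostname" ]' blocks of
# the original, written as a case so the same file serves every machine.
host_rules() {
    case "${1:-$HOSTNAME}" in
        web01.example)   # placeholder: public web server
            $IPTABLES -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
            ;;
        gw01.example)    # placeholder: NAT gateway for the admin network
            $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
            $IPTABLES -A FORWARD -s "$MGMT_NET" -o "$WAN_IF" -j ACCEPT
            $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
            ;;
    esac
}

# Step 4: explicit rejects last, after the host-specific accepts.
final_rules() {
    $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Step 5: persist the running set so iptables.service reloads it on boot.
save_rules() {
    if [ "$IPTABLES" = "echo" ]; then
        echo "iptables-save > $SAVE_FILE"
    else
        /sbin/iptables-save > "$SAVE_FILE"
    fi
}

# Whole procedure; optional argument overrides $HOSTNAME for testing.
apply_firewall() {
    reset_tables
    base_rules
    host_rules "$1"
    final_rules
    save_rules
}

# Only touch the kernel when explicitly asked (FIREWALL_APPLY=1); otherwise
# the functions are merely defined so the file can be sourced or dry-run.
if [ "${FIREWALL_APPLY:-0}" = "1" ]; then
    apply_firewall
fi
```

The order matters for the "does not interrupt connections" property: the default policies go to DROP before the flush, and the conntrack ESTABLISHED,RELATED accept is re-added immediately afterwards, so the only packets lost are those arriving in that brief window, which TCP retransmits. Keeping host-specific accepts between the base accepts and the final rejects also means a per-host block can never be shadowed by the catch-all REJECT rules.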
