F19 Firewall

Lance Lassetter lancelassetter at gmail.com
Wed Sep 25 18:07:59 UTC 2013


Firewalld is just not workable enough for me.  For instance, I need to have quirky netfilter rules to make my squid proxy setup work properly.  There is no easy way to do this with firewalld. Also, I set up an iptables queue so that netfilter supports suricata IPS mode.  For this, too, there is no easy way...

Netfilter is just so diverse and firewalld seems to strip a lot of that diversity away.

What about the idea that, for people who want to write their own custom iptables scripts, there could be a smart way, after writing the script and implementing it, to import the script...the whole script, into firewalld?  Last I tried, my nat rules weren't compatible with firewalld.  Maybe something like a simple iptables-save and then a firewalld-save or the like.  Then maybe ask whether to import it into firewalld's 'home', 'work', 'public', etc.

Lance

Kurt Seifried <kseifried at redhat.com> wrote:

>Some random thoughts:
>
>1) it would be nice to have capabilities like "do you want to let
>program X talk to the internet/receive connections" for client
>software with a GUI notification (like basically all the windows
>client/Mac OS X client firewall stuff). I would say this is probably
>the biggest capability needed for normal end users.
>
>2) Tying firewall into networking detection, e.g. windows "is this
>your home/business/public network" and then remembering it (I assume
>IP/Mac address of default gateway would be a reasonably good way to
>identify networks).
>
>3) Make it easy to modify policy, e.g. in section 1) if you choose to
>block/deny something and realize that was the wrong decision, how do
>you go in and modify it? In Windows this is a PITA for normal users.
>
>Overall I'm not really sure firewalld solves much, anyone running a
>server will probably be able to tweak iptables to allow incoming
>services they want. So do we aim it at the end user/workstation style
>usage primarily (especially ones that move around networks)?
>
>-- 
>Kurt Seifried Red Hat Security Response Team (SRT)
>PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
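The import step Lance sketches, as an added example that is not from the original thread or from firewalld itself: a small Python helper (the names `parse_iptables_save` and `to_direct_rules` and the sample ruleset are assumptions) that reads iptables-save output and turns the rules firewalld's zone model does not cover, such as nat table rules and the NFQUEUE handoff used for Suricata, into firewall-cmd --direct commands, leaving ordinary filter accept rules to be expressed as zone services.

```python
import shlex

# Constructed sample of `iptables-save` output (not from the original post):
# a Squid transparent-proxy REDIRECT in the nat table and an NFQUEUE rule
# handing FORWARD traffic to an IPS such as Suricata.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j NFQUEUE --queue-num 0
COMMIT
"""

# Targets that firewalld's zone/service model does not express directly;
# an import step has to carry these rules over verbatim.
PASSTHROUGH_TARGETS = {"NFQUEUE", "REDIRECT", "MASQUERADE", "DNAT", "SNAT"}

def parse_iptables_save(text):
    """Return (table, chain, rule_args, target) for every -A line."""
    table = None
    rules = []
    for line in text.splitlines():
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:].strip()
        elif line.startswith("-A ") and table:   # append-rule line
            args = shlex.split(line)[1:]         # drop the leading -A
            chain, rest = args[0], args[1:]
            target = rest[rest.index("-j") + 1] if "-j" in rest else None
            rules.append((table, chain, rest, target))
    return rules

def to_direct_rules(text, ipv="ipv4", priority=0):
    """Emit firewall-cmd --direct commands for every rule outside the
    filter table or using a pass-through target; plain filter rules
    are left to be modelled as zone services/ports instead."""
    cmds = []
    for table, chain, rest, target in parse_iptables_save(text):
        if table != "filter" or target in PASSTHROUGH_TARGETS:
            cmds.append("firewall-cmd --permanent --direct --add-rule "
                        f"{ipv} {table} {chain} {priority} {' '.join(rest)}")
    return cmds
```

Running `to_direct_rules(SAMPLE_IPTABLES_SAVE)` yields three commands (two nat rules and the NFQUEUE rule); the two INPUT accept rules are skipped because a zone can express them.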

