F19 Firewall

Eric H. Christensen sparks at fedoraproject.org
Thu Sep 26 14:12:00 UTC 2013



On Wed, Sep 25, 2013 at 01:07:59PM -0500, Lance Lassetter wrote:
> Firewalld is just not workable enough for me.  For instance, I need to have quirky netfilter rules to make my squid proxy setup work properly.  There is no easy way to do this with firewalld.  Also, I set up an iptables queue so that netfilter supports suricata IPS mode.  This also, no easy way...
> 
> Netfilter is just so diverse and firewalld seems to strip a lot of that diversity away.
> 
> What about the idea that people who want to write their own iptables custom scripts can, after writing the script and implementing it, have a smart way for the script to be imported... the whole script, into firewalld.  Last I tried, my nat rules weren't compatible with firewalld.  Like maybe a simple iptables-save, then a firewalld-save or the like.  Then maybe ask whether to import it into firewalld's 'home', 'work', 'public', etc.

It sounds a bit like you are trying to use firewalld on a server.  I would not recommend using firewalld for anything but client boxes and, specifically, client boxes with simple rules.  If you are using this on a server, I would uninstall firewalld and, rather than taking on the complexity it adds to iptables, just use iptables (and ip6tables).  There is nothing wrong with using your scripts on iptables and not using firewalld.  You seem to know how to configure iptables, which is what firewalld aims to fix for people who don't.

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security Team

sparks at redhat.com - sparks at fedoraproject.org
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
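The whole-script import that Lance asks for above does not exist in firewalld, but firewalld's "direct" interface (`firewall-cmd --direct --add-chain` / `--add-rule`) takes raw iptables arguments and is not tied to any zone, so an iptables-save file can be translated rule by rule. The script below is an added example written for this thread; it is not code from the original post or from the firewalld project. The embedded iptables-save text is constructed for the two cases the thread mentions (a transparent squid redirect in the nat table and an NFQUEUE rule for suricata in the filter table); the interface name, subnet, proxy port and queue number in it are invented.

```shell
#!/bin/bash
# Translate iptables-save output into firewalld "direct" rules.
# Added example for this thread; not code from the original post or from
# the firewalld project.

# Chains that netfilter already provides; they must not be re-created
# with --add-chain.
is_builtin_chain() {
    case "$1" in
        INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING) return 0 ;;
        *) return 1 ;;
    esac
}

# Read iptables-save text on stdin and print one firewall-cmd command per
# user-defined chain and per rule. $1 is the firewalld family: ipv4 (the
# default) for iptables-save input, ipv6 for ip6tables-save input. Rules keep
# their original order within a table because the direct-rule priority
# counts up from 0 after every "*table" line.
iptables_save_to_firewalld() {
    local family="${1:-ipv4}" table="" prio=0 line chain rest
    while IFS= read -r line; do
        case "$line" in
            '#'*|'')  continue ;;                     # comments and blank lines
            '*'*)     table="${line#?}"; prio=0 ;;    # "*nat": a new table starts
            COMMIT)   table="" ;;
            ':'*)                                     # ":SQUID - [0:0]": chain definition
                chain="${line#:}"; chain="${chain%% *}"
                if ! is_builtin_chain "$chain"; then
                    printf 'firewall-cmd --permanent --direct --add-chain %s %s %s\n' \
                        "$family" "$table" "$chain"
                fi ;;
            '-A '*)                                   # "-A CHAIN <match/target args>"
                rest="${line#-A }"
                chain="${rest%% *}"
                if [ "$rest" = "$chain" ]; then rest=""; else rest="${rest#* }"; fi
                printf 'firewall-cmd --permanent --direct --add-rule %s %s %s %s %s\n' \
                    "$family" "$table" "$chain" "$prio" "$rest"
                prio=$((prio + 1)) ;;
            *)        printf 'skipped: %s\n' "$line" >&2 ;;  # -N, -P, -I and anything else
        esac
    done
}

# Constructed sample (not a real capture): a transparent squid redirect in
# the nat table and an NFQUEUE rule for suricata in the filter table. eth1,
# 192.168.1.0/24, port 3128 and queue 0 are invented for the example.
SAMPLE_IPTABLES_SAVE='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:SQUID - [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j SQUID
-A SQUID -s 192.168.1.0/24 -p tcp -j REDIRECT --to-ports 3128
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 0
COMMIT'

# Convert the constructed sample and return the generated firewall-cmd lines.
convert_sample() {
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | iptables_save_to_firewalld ipv4
}

convert_sample
```

Usage: `iptables-save | ./convert.sh > direct-rules.sh`, read the output, run it, then `firewall-cmd --reload`. Two caveats worth checking before trusting the result: firewalld does not put direct rules into the built-in chains themselves but into its own chains (INPUT_direct, FORWARD_direct, PREROUTING_direct and so on) that the built-in chains jump to, so the position of your rules relative to firewalld's zone rules is not the same as after an `iptables-restore` of the original file; compare `iptables -S` and `iptables -t nat -S` after the reload with what your script produced. And rule arguments are passed through verbatim, so anything iptables-save quoted (a `--comment "..."`, for example) is re-parsed by the shell when the generated command runs, which is what you want when pasting but should be kept in mind if the output is fed to another tool.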

