[ale] Firewalld is incomplete

Jim Kinney jim.kinney at gmail.com
Sat Jan 26 21:17:15 EST 2019


The firewall was overdue for replacement. So when it died today, rebuilding it with all firewalld seemed to be acceptable.

The setup has a single network line to the upstream router. That line has 5 IP addresses. Those are nat'ed into the lan to various lan addresses. This is done with several iptables entries for nat and port forwarding. 

But firewalld has no rule set to handle destination IP! Um. Yeah. Source IP but not destination. So how to direct packets?

Ah! Could put each ip in a zone and redirect a zone. But that doesn't work as zones are defined by interface or source IP.

:-(

It's possible to do direct rules into firewalld but those are not available to save and rerun (outside of a bash script) at boot/firewall restart.

W. T. F. ??

Rich rules don't support destination IP either.

W.
T.
F.
!?!?

So manual iptables it is with a bug notice going to firewalld devs.

Maybe there's a way to do it but 7+ hours into docs and attempts, I pulled the plug and went for what works. 



-- 
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
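The iptables arrangement the post describes (one uplink carrying several public IPs, each DNAT'ed by destination address into a LAN host), as an added example that is not the poster's own script; the interface name, the addresses and the mapping format are all constructed for illustration:

```shell
#!/bin/sh
# Constructed example (not the poster's script): build an iptables-restore
# fragment for a firewall with one uplink carrying several public IPs, each
# forwarded on a single port to a LAN host. Destination IP is matched with -d.
set -eu

WAN_IF="eth0"              # assumed uplink interface name

# Each mapping is "public_ip:proto:port:lan_ip:lan_port" (constructed format).
gen_nat_rules() {
    printf '%s\n' '*nat'
    for m in "$@"; do
        IFS=: read -r pub proto port lan lport <<EOF
$m
EOF
        # Match on the public DESTINATION address, then rewrite to the LAN host.
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $lan:$lport"
        # Outbound traffic from that host leaves with its own public address.
        printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $lan -j SNAT --to-source $pub"
    done
    printf '%s\n' 'COMMIT' '*filter'
    # Replies to forwarded connections are admitted by conntrack state, not by port.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for m in "$@"; do
        IFS=: read -r pub proto port lan lport <<EOF
$m
EOF
        # Only the forwarded port reaches the LAN host; everything else is dropped.
        printf '%s\n' "-A FORWARD -i $WAN_IF -d $lan -p $proto --dport $lport -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A FORWARD -j DROP' 'COMMIT'
}

# Count the DNAT rules in a generated fragment (one per mapping).
count_dnat() {
    gen_nat_rules "$@" | grep -c -- '-j DNAT'
}

# Usage: gen_nat_rules <mappings...> | iptables-restore -n   (-n keeps existing rules)
# Sample mappings use documentation addresses (constructed).
gen_nat_rules \
    "203.0.113.10:tcp:443:192.168.10.20:443" \
    "203.0.113.11:tcp:25:192.168.10.30:25"
```

Because every forwarded service gets its own explicit FORWARD accept, a review of the generated fragment shows exactly which public IP, port and LAN host are exposed.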