[ale] Firewalld is incomplete
Phil Turmel
philip at turmel.org
Sun Jan 27 10:06:16 EST 2019
Geez! I guess I won't be switching away from manual iptables rules
anytime soon.
On 1/26/19 9:17 PM, Jim Kinney via Ale wrote:
> The firewall was overdue for replacement. So when it died today,
> rebuilding it with all firewalld seemed to be acceptable.
>
> The setup has a single network line to the upstream router. That line
> has 5 IP addresses. Those are nat'ed into the lan to various lan
> addresses. This is done with several iptables entries for nat and port
> forwarding.
>
> But firewalld has no rule set to handle destination IP! Um. Yeah. Source
> IP but not destination. So how to direct packets?
>
> Ah! Could put each ip in a zone and redirect a zone. But that doesn't
> work as zones are defined by interface or source IP.
>
> :-(
>
> It's possible to do direct rules into firewalld but those are not
> available to save and rerun (outside of a bash script) at boot/firewall
> restart.
>
> W. T. F. ??
>
> Rich rules don't support destination IP either.
>
> W.
> T.
> F.
> !?!?
>
> So manual iptables it is with a bug notice going to firewalld devs.
>
> Maybe there's a way to do it but 7+ hours into docs and attempts, I
> pulled the plug and went for what works.