[ale] Firewalld is incomplete

DJ-Pfulio DJPfulio at jdpfu.com
Sun Jan 27 12:07:45 EST 2019


firewalld is just another interface into the Linux kernel firewall, just
like iptables or ufw.

New things take time to mature.  It will get there, but that takes time.

On 1/27/19 11:48 AM, Alex Carver via Ale wrote:
> What is the purpose of firewalld?  I tried reading the documentation and
> it seems it tries to abstract the firewall rules and expose a D-bus
> interface to the firewall.  Maybe abstracting is useful if firewall
> rules need to be portable across different implementations (iptables,
> ip6tables, etc.) but having D-bus access to the firewall disturbs me.
> That seems to get perilously close to a clone of UPnP and all of the
> risks associated.
> 
> On 2019-01-27 07:06, Phil Turmel via Ale wrote:
>> Geez!  I guess I won't be switching away from manual iptables rules
>> anytime soon.
>>
>> On 1/26/19 9:17 PM, Jim Kinney via Ale wrote:
>>> The firewall was overdue for replacement. So when it died today,
>>> rebuilding it with all firewalld seemed to be acceptable.
>>>
>>> The setup has a single network line to the upstream router. That line
>>> has 5 IP addresses. Those are NATed into the LAN to various LAN
>>> addresses. This is done with several iptables entries for NAT and port
>>> forwarding.
>>>
>>> But firewalld has no rule set to handle destination IP! Um. Yeah.
>>> Source IP but not destination. So how to direct packets?
>>>
>>> Ah! Could put each ip in a zone and redirect a zone. But that doesn't
>>> work as zones are defined by interface or source IP.
>>>
>>> :-(
>>>
>>> It's possible to do direct rules into firewalld but those are not
>>> available to save and rerun (outside of a bash script) at
>>> boot/firewall restart. 
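The multi-address layout Jim describes (one upstream line carrying several public IPs, each forwarded to a LAN host) rendered as the iptables NAT and forwarding rules it takes. This is an added example, not code from the thread; the interface name, the documentation-range addresses and the ports are assumed placeholders, and the rules are emitted as text for review rather than applied.

```shell
#!/bin/sh
# Added example: emit the iptables rule set for a multi-public-IP NAT edge.
# Interface, addresses and ports below are assumed placeholders, not the poster's.
set -eu

WAN_IF="eth0"   # assumed name of the single upstream interface

# Constructed mapping, one "public_ip lan_ip tcp_port" per line.
MAPPINGS='
203.0.113.10 192.168.1.10 443
203.0.113.11 192.168.1.11 25
203.0.113.12 192.168.1.12 22
'

# PREROUTING DNAT: match on the destination (public) IP, which is the part
# the thread says firewalld zones cannot express, and steer it to the LAN host.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$1" "$3" "$2" "$3"
}

# POSTROUTING SNAT: the LAN host's own outbound traffic leaves from its public IP.
# A plain MASQUERADE would collapse every host onto the interface's primary address.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$WAN_IF" "$2" "$1"
}

# FORWARD: admit only the forwarded port for that host (FORWARD policy assumed DROP).
# DNAT has already rewritten the destination, so match on the LAN address here.
forward_rule() {
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$2" "$3"
}

# Full rule set: one stateful return-traffic rule, then three rules per mapping.
render_rules() {
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf '%s\n' "$MAPPINGS" | while read -r pub lan port; do
        [ -n "$pub" ] || continue
        dnat_rule "$pub" "$lan" "$port"
        snat_rule "$pub" "$lan" "$port"
        forward_rule "$pub" "$lan" "$port"
    done
}
```

Run it, read the output, and only then pipe it into sh on the firewall host; because nothing is applied by the script itself, it is safe to execute anywhere.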