On 8/3/20 3:25 AM, ToddAndMargo via users wrote:
> On 2020-08-02 16:03, Gordon Messmer wrote:
>> firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p tcp -m tcp --dport 22 -j MARK --set-mark 0x1
> Would you mind taking apart all the switches in the
> above run string and explaining each of them?
firewall-cmd is only concerned with the first half of that command:
firewall-cmd --permanent --direct --add-rule ipv4 mangle OUTPUT 100
firewalld will "add" a rule to its "permanent" set; the rule will
include flags passed "directly" to iptables. The rule is for the
"OUTPUT" chain in the "ipv4" "mangle" table. If there are other direct
rules, the priority "100" will be used when sorting them.
In my original email, I mistakenly suggested the "raw" table because I
copy-pasted that from a rule that I use to avoid processing UDP DNS
traffic through conntrack. :)
The others are the arguments you would give to "iptables -A OUTPUT",
which I took from the link in the original request:
-p tcp -m tcp --dport 22 -j MARK --set-mark 0x1
Marking packets in this fashion is the mechanism for selecting which
routing table will be used for the packet. The packet is marked, the
mark is processed by traffic rules, and the matching rule specifies a
routing table.
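The three steps the reply describes (mark the packet, match the mark with a routing rule, send it to a routing table), written out as an added example; this is not code from the thread. It assumes mark 0x1, routing table 100 and a constructed alternate gateway 192.0.2.1; the `ip rule`/`ip route` half is the iproute2 side that the firewall-cmd command alone does not set up.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions: fwmark 0x1,
# routing table 100, alternate gateway 192.0.2.1 (constructed, TEST-NET-1).
MARK=0x1
TABLE=100
GATEWAY=${GATEWAY:-192.0.2.1}

# Run a command, or only print it when DRY_RUN is set, so the exact
# commands can be reviewed before touching a live firewall.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: mark outbound SSH packets. Everything up to "100" is firewalld's
# direct-rule addressing (ipv4 / mangle table / OUTPUT chain / priority);
# everything after it is plain "iptables -A OUTPUT" syntax.
mark_ssh() {
    run firewall-cmd --permanent --direct --add-rule ipv4 mangle OUTPUT 100 \
        -p tcp -m tcp --dport 22 -j MARK --set-mark "$MARK"
    run firewall-cmd --reload   # --permanent only writes config; reload applies it
}

# Step 2: the policy-routing database consults table $TABLE for marked
# packets, and that table carries the alternate default route.
route_marked() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$GATEWAY" table "$TABLE"
}

# Step 3: verification, the mark rule should appear in mangle OUTPUT with
# its packet counters, and the fwmark rule in "ip rule show".
verify() {
    run iptables -t mangle -L OUTPUT -n -v
    run ip rule show
    run ip route show table "$TABLE"
}

# Usage: DRY_RUN=1 APPLY=1 sh policy-route.sh   (preview)
#        APPLY=1 sh policy-route.sh             (apply, as root)
if [ -n "${APPLY:-}" ]; then
    mark_ssh
    route_marked
    verify
fi
```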
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx