On 31/10/18 18:32, Gordon Messmer wrote:
> On 10/30/18 8:31 AM, Frank Thommen wrote:
>> I am still puzzled that it is possible to circumvent firewalld so
>> easily. Basically it means that firewalld is not to be trusted as
>> soon as containers with port forwarding are running on a system.
> It's hard to see this as a security or trust problem. The root user can
> modify the firewall, which is provided by the kernel. firewalld is just
> a front-end. Adding rules to the kernel's firewall is not
> "circumventing" the management front-end.
> You do have to bear in mind that the firewall-cmd output reflects the
> *configuration* and not the *state*. When docker adds rules, it
> modifies the state, but not the configuration.
I see that (=have learned that :-) now, but for me it means that
firewall-cmd is not to be trusted (even though it is the recommended
tool to manage the local firewall). I'll have to go back and try to
understand confusing and hard-to-understand iptables output. :-(
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
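The configuration-versus-state gap Gordon describes can be audited directly: compare the DNAT (port-forward) rules actually loaded in the kernel's nat table with the forward ports firewalld has configured. The script below is an added example, not code from the thread or from the firewalld or Docker projects; it parses the output formats of `iptables -t nat -S` and `firewall-cmd --list-forward-ports`, and the sample rule dump (chain names included) is constructed for illustration.

```python
#!/usr/bin/env python3
"""Report DNAT rules present in kernel state but absent from firewalld's config."""
import re
import subprocess

# Constructed sample of `iptables -t nat -S`: one forward port configured via
# firewalld (2222 -> 22, chain name constructed) and one rule added by Docker
# for a published container port (8080 -> 172.17.0.2:80).
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-N DOCKER
-N PRE_public_allow
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A PRE_public_allow -p tcp -m tcp --dport 2222 -j DNAT --to-destination :22
"""
# Constructed sample of `firewall-cmd --list-forward-ports`.
SAMPLE_FORWARD_PORTS = "port=2222:proto=tcp:toport=22:toaddr=\n"

DNAT_RE = re.compile(
    r"-A (?P<chain>\S+) .*?-p (?P<proto>\w+) .*?--dport (?P<dport>\d+) "
    r".*?-j DNAT --to-destination (?P<dest>\S+)"
)

def parse_dnat_rules(nat_dump):
    """Map (proto, dport) -> (chain, destination) for every DNAT rule in the dump."""
    rules = {}
    for line in nat_dump.splitlines():
        m = DNAT_RE.match(line)
        if m:
            rules[(m["proto"], int(m["dport"]))] = (m["chain"], m["dest"])
    return rules

def parse_forward_ports(fw_cmd_output):
    """Parse 'port=N:proto=P:toport=M:toaddr=A' entries into {(proto, port)}."""
    configured = set()
    for entry in fw_cmd_output.split():
        fields = dict(f.split("=", 1) for f in entry.split(":"))
        configured.add((fields["proto"], int(fields["port"])))
    return configured

def unmanaged_forwards(nat_dump, fw_cmd_output):
    """DNAT rules the kernel enforces that firewall-cmd will never list."""
    configured = parse_forward_ports(fw_cmd_output)
    return {k: v for k, v in parse_dnat_rules(nat_dump).items() if k not in configured}

if __name__ == "__main__":
    # Live run (needs root): both commands exist on a firewalld + iptables host.
    nat = subprocess.run(["iptables", "-t", "nat", "-S"], capture_output=True, text=True).stdout
    fwd = subprocess.run(["firewall-cmd", "--list-forward-ports"], capture_output=True, text=True).stdout
    for (proto, port), (chain, dest) in unmanaged_forwards(nat, fwd).items():
        print(f"unmanaged forward: {proto}/{port} -> {dest} (chain {chain})")
```

On the constructed sample the only unmanaged entry is Docker's tcp/8080 rule; the firewalld-configured 2222 -> 22 forward is recognised and not reported.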