On Thu, 31 Jan 2019 at 13:13, mark <m.roth@xxxxxxxxx> wrote:
> Gordon Messmer wrote:
> > On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
> >
> > > Did you look at Shorewall? IMHO that's what is best used in such
> > > situations, and it has worked for many years now.
> >
> > shorewall doesn't support nftables, which is largely the point of
> > firewalld: the Linux firewall system is currently undergoing yet
> > another deprecation and migration, from iptables to nftables. firewalld
> > should remain stable during the migration process. As far as I know,
> > there are no plans to support nftables under shorewall, so new users will
> > most likely throw away any investment they make in learning and
> > implementing shorewall.
>
> I seem to have missed a few posts in my thread. Let me note that
> a) I'm at work. I have to do what is required.
> b) we are moving from iptables to firewalld. No other options.
>
> Since the firewall system is moving from iptables to firewalld, WHY IS
> THERE NOT A PROGRAM INCLUDED with the firewalld package to convert
> EXISTING rules?
>
> Each firewall will have its own set of rules. We have three? four?
> internal firewalls, *each* with its own rules. Since that's us, I assume
> there are tens, if not hundreds of thousands just like us, many with more
> firewalls.
>
> Why would *ANYONE* think that everyone should just start from scratch,
> taking all the time in the world to get it converted?

You answered your own question. Because a lot of different places set up
their firewalls their own way, and parsing all the different ones/ways seems
to break over and over again? Firewalld is still outputting text in iptables
format, and will output it in nftables later when that is done. It is just a
program which tries to make decisions which certain classes of systems need
to have done automagically. For most RHEL-7 systems which have custom
iptables rules, I thought the package iptables-services.x86_64 sets up
everything to keep that going.

If you need to move to firewalld because it should support future formats
(nftables, plughtables, xyzzytables, etc.) you are going to need to learn the
tool, just like you had to in the ipchains to iptables days. [Pretty much
every conversion tool from ipchains to iptables worked only on the simplest
cases, but anyone with a custom firewall ended up having to learn the
syntax.]

> mark, still looking for a script
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos

-- 
Stephen J Smoogen.
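As an added illustration of the point made in the reply above (example code written for this page, not anything posted in the thread and not part of firewalld), here is a small sh/awk converter that turns only the simplest `iptables-save` INPUT rules into `firewall-cmd --permanent` commands and marks everything else for manual review. The sample rules are constructed, and the zone name `public` is an assumption.

```shell
#!/bin/sh
# Constructed sample standing in for `iptables-save` output on an existing host.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG --log-prefix "smtp: "
COMMIT'

# convert_rules ZONE: read iptables-save text on stdin and print one
# `firewall-cmd --permanent` command per INPUT rule that maps cleanly onto
# a port opening or a source-based rich rule. Every other rule (interface
# matches, conntrack state, LOG targets, ...) is echoed with a REVIEW marker;
# those are the ones an admin must re-express by hand (firewalld's --direct
# passthrough is the usual escape hatch, and it already accepts lo and
# RELATED,ESTABLISHED traffic itself).
convert_rules() {
  zone="$1"
  awk -v zone="$zone" '
    BEGIN { q = "\047" }                       # literal single quote for shell quoting
    /^-A INPUT / {
      proto = ""; port = ""; src = ""; target = ""; other = 0
      for (i = 3; i <= NF; i++) {              # $1="-A", $2="INPUT"
        if ($i == "-p")           { proto = $(++i) }
        else if ($i == "-m" && ($(i+1) == "tcp" || $(i+1) == "udp")) { i++ }
        else if ($i == "--dport") { port = $(++i) }
        else if ($i == "-s")      { src = $(++i) }
        else if ($i == "-j")      { target = $(++i) }
        else                      { other = 1 }  # any unrecognised option disqualifies
      }
      if (target == "ACCEPT" && !other && port != "" && proto != "" && src == "") {
        printf "firewall-cmd --permanent --zone=%s --add-port=%s/%s\n", zone, port, proto
      } else if (target == "ACCEPT" && !other && src != "" && port == "") {
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule=%srule family=\"ipv4\" source address=\"%s\" accept%s\n", zone, q, src, q
      } else {
        print "# REVIEW (not auto-converted): " $0
      }
    }'
}

# Print the proposed commands; nothing is applied to the running firewall.
printf '%s\n' "$SAMPLE_RULES" | convert_rules public
```

On the sample above three rules convert (22/tcp, 53/udp, the 10.0.0.0/8 source) and three are left for review, which is exactly the split the reply describes.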