Hi

one question before decisions are nailed down

http://fedoraproject.org/wiki/Features/firewalld-default

> An explicit transition is planned after Fedora 18 with dropping support for the
> static firewall with system-config-firewall/lokkit. A migration from the static
> firewall model will be needed then.

are only the ui-interfaces meant, or does someone consider dropping
"iptables.service" at all?

if so please re-consider this!

there are many configurations which are happy with the static firewall
as routers and (distributed) iptables-scripts

no need for a graphical UI, only a shell-script finished with
/sbin/iptables-save > /etc/sysconfig/iptables
does the whole job as long as "/etc/sysconfig/iptables" is loaded at boot-time
__________________

as example:

i have one big and distributed "iptables.sh" for more than 20 machines
where global settings are made for all machines and based on $HOSTNAME
incoming server-ports are opened

maybe not everybody likes this model of a 50 KB script, but it has worked
for years, has a fine documentation and the flexibility of a shell-script
gives us options which can hardly be replaced
__________________

another example:

software-router like this
only the snippet with the routing-part:

echo "NAT Routing / Forwarding"
echo "----------------------------------------------------------------------------------------"

echo "Spoof-Protection"
$IPTABLES -A INPUT -i eth1 -s $WAN_RHSOFT,$WAN_RHSOFT_BROADCAST,0.0.0.0/8,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,224.0.0.0/3,255.255.255.255 -j DROP
$IPTABLES -A OUTPUT -o eth1 -s $WAN_RHSOFT_BROADCAST,0.0.0.0/8,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,224.0.0.0/3,255.255.255.255 -j DROP

echo "LAN: $LAN_RHSOFT"
$IPTABLES -A FORWARD -i eth1 -o br0 -d $LAN_RHSOFT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i br0 -o eth1 -s $LAN_RHSOFT -j ACCEPT
$IPTABLES -A POSTROUTING -o eth1 -t nat -s $LAN_RHSOFT -j MASQUERADE

echo "VPN: $LAN_LOUNGE"
$IPTABLES -A FORWARD -i tap0 -o br0 -s $LAN_LOUNGE -d $LAN_RHSOFT -j ACCEPT
$IPTABLES -A FORWARD -i br0 -o tap0 -s $LAN_RHSOFT -d $LAN_LOUNGE -j ACCEPT
$IPTABLES -A POSTROUTING -o tap0 -t nat -s $LAN_RHSOFT -j MASQUERADE

echo "VM: $LAN_VMWARE"
$IPTABLES -A FORWARD -i br0 -o vmnet8 -s $LAN_RHSOFT -d $LAN_VMWARE -j ACCEPT
$IPTABLES -A FORWARD -i vmnet8 -o br0 -s $LAN_VMWARE -d $LAN_RHSOFT -j ACCEPT
$IPTABLES -A POSTROUTING -o vmnet8 -t nat -s $LAN_RHSOFT -j MASQUERADE

echo "VOIP: $LOUNGE_VOIP"
$IPTABLES -A PREROUTING -t nat -i eth1 -s $LOUNGE_VOIP -p udp -m multiport --destination-port 5060 -j DNAT --to-destination $RHSOFT_VOIP
$IPTABLES -A PREROUTING -t nat -i eth1 -s $LOUNGE_VOIP -p udp -m multiport --destination-port 50600 -j DNAT --to-destination $RHSOFT_HANDY

echo "Drop all other forwardings"
$IPTABLES -A FORWARD -j DROP
echo "----------------------------------------------------------------------------------------"
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
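
The first example in the message above (one shared script, global rules for every machine, incoming ports opened per $HOSTNAME, finished with iptables-save) could look like the sketch below. It is an added illustration, not the poster's script: the host-name patterns, the port lists and the dry-run default of IPTABLES are assumptions made for the example.

```sh
#!/bin/sh
# Added illustration: one shared static-firewall script for many hosts.
# Host-name patterns and port lists are constructed for this example.

# Dry run by default: every rule is printed instead of applied.
# Run as root with IPTABLES=/sbin/iptables to load the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Map a host name to the incoming TCP server ports it may accept.
ports_for_host() {
    case "$1" in
        web*)  echo "80 443" ;;
        mail*) echo "25 465 587 993" ;;
        db*)   echo "5432" ;;
        *)     echo "" ;;   # unknown hosts get the global rules only
    esac
}

# Build the INPUT chain for one host: global part, per-host ports, default drop.
build_rules() {
    host="$1"
    $IPTABLES -F INPUT
    # Global settings shared by all machines
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    # Incoming server ports selected by host name
    for port in $(ports_for_host "$host"); do
        $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # Set the drop policy last so a failed run does not lock the host out early
    $IPTABLES -P INPUT DROP
}

main() {
    build_rules "${HOSTNAME:-$(uname -n)}"
    # Persist for the boot-time loader only when real rules were applied
    if [ "$IPTABLES" != "echo iptables" ]; then
        /sbin/iptables-save > /etc/sysconfig/iptables
    fi
}

main
```

In dry-run mode the printed rule list can be diffed per host before anything is loaded.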