On Mon, Apr 23, 2012 at 7:32 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
> On 24.04.2012 02:08, Oron Peled wrote:
>> Looks like this transition (as is currently planned) is going to
>> break many setups. I want to show the three following use-cases
>> which may be severely broken by this transition.
>
> exactly this is the problem
>
> i have attached my iptables script making at home a software-router
> with forwarding of two different networks from my LAN via openvpn
> and a static route
>
> i only stripped the config-block and comments
>
> but as you can see there are many useful decisions
> by $HOSTNAME and this is only one of my scripts for
> two machines
> ______________
>
> another one is built the same way and serves 20 machines;
> while some rules are for all machines, others depend, as
> in my example, on the hostname, and there are a lot of really
> useful and well thought-out specific drop/forward/reject rules
> based on hostname and source/destination networks
>
> this script has about 50 KB and a handful of bash includes
>
> well, one may say "unmaintainable" - but it is, it
> has good documentation and structure and we are using
> it as reference for each "iptables.sh" needed wherever
>
> it is practically impossible to convert this stuff because
> nobody wrote it down in one day, it has grown and been maintained
> over years with the whole infrastructure - yes you MAYBE CAN
> try to re-implement all these rules in firewalld
>
> but would you really do this in a production environment
> in a security layer, and how do you test from scratch?
>
> please do not come now with "why fedora in production"
> because it just works if things are not carelessly removed
> from the distribution - so please do not take away power
> features which do not really hurt to maintain
>
> firewalld is at least another interface for netfilter
> why does anybody want to take away perfectly working ones?

Nothing is being taken away, the default is being changed.
If you're using Fedora in production, I presume you're installing with Kickstart. You can set up anything you like in Kickstart, including not using firewalld if you so desire.

-J

-- 
http://cecinestpasunefromage.wordpress.com/
------------------------------------------------
in your fear, seek only peace
in your fear, seek only love

-d. bowie

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
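As an added illustration of the Kickstart approach mentioned in the reply above (example configuration written for this page; it is not anything posted in the thread, nor a fragment shipped by Fedora): a Kickstart file that leaves firewalld out of the installed package set, enables the classic iptables/ip6tables services instead, and installs a site ruleset at %post time. The package name `iptables-services` (the split-out package providing iptables.service in Fedora 18 and later), the ruleset path `/usr/local/sbin/iptables.sh`, the unit name `site-iptables.service` and the inline rules are all assumptions made for the example; adapt them to the release being installed. One caveat the thread's setup runs into: iptables.service restores an iptables-save dump from /etc/sysconfig/iptables, whereas the scripts discussed above are bash that call iptables directly, so the %post also shows a oneshot unit that can run such a script instead.

```kickstart
# Example Kickstart fragment (added for illustration; not from the thread).
# Goal: install Fedora without firewalld, keep the legacy iptables service,
# and load a site-specific ruleset at first boot.

# Anaconda's 'firewall' command only drives firewalld. Since firewalld is not
# installed below, disable it here so the installer does not try to configure
# a service that is absent.
firewall --disabled

# Enable the classic services and make sure firewalld stays disabled even if a
# dependency pulls it in. Assumption: the units are named iptables.service and
# ip6tables.service (iptables-services package, Fedora 18 and later).
services --disabled=firewalld --enabled=iptables,ip6tables

%packages
@core
# A leading '-' excludes a package from the installed set.
-firewalld
# Assumption: the package providing iptables.service on Fedora 18 and later.
iptables-services
%end

%post --log=/root/ks-post.log
# Belt and braces: mask firewalld so it cannot be started later even if some
# later package install brings it in as a dependency. %post runs chrooted into
# the installed system; mask/enable only manipulate symlinks, so this works
# without a running systemd.
systemctl mask firewalld.service

# iptables.service restores rules in iptables-save format from
# /etc/sysconfig/iptables. A minimal ruleset is written inline here
# (constructed for this example); a site would normally drop in its own
# iptables-save dump, e.g. via %include from the kickstart server.
cat > /etc/sysconfig/iptables <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
chmod 0600 /etc/sysconfig/iptables

# Alternative for sites whose rules live in a hand-written bash script (as in
# the thread) rather than an iptables-save dump: run that script from a
# oneshot unit. The path /usr/local/sbin/iptables.sh is assumed; the script
# itself is installed by the site's own provisioning, not by this fragment.
cat > /etc/systemd/system/site-iptables.service <<'EOF'
[Unit]
Description=Site iptables ruleset (iptables.sh)
After=network.target
Before=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/iptables.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
# Use exactly one of the two mechanisms per host. iptables.service (enabled
# above) is the default here, so the script-based unit is left disabled.
# systemctl enable site-iptables.service
%end
```

After the first boot, check the result rather than trusting the kickstart: `systemctl is-enabled firewalld` should print `masked`, `systemctl is-active iptables` should print `active`, and `iptables -S` should list the rules that were written to /etc/sysconfig/iptables. If both iptables.service and the script-based unit were enabled they would race at boot and the later one would silently overwrite the earlier one's chains, which is why the example keeps the oneshot unit disabled.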