On 09.11.2012 17:45, Thomas Woerner wrote:
> On 11/09/2012 05:24 PM, Eric H. Christensen wrote:
> Please have a look at the feature list for F-18.
>
> firewalld replaces system-config-firewall/lokkit, and the iptables and ip6tables services, not the iptables package
> and command.
>
> The ip*tables services and also system-config-firewall/lokkit are still available and also usable after
> deactivation of the firewalld service. With the latest request to move the services of iptables and ip6tables in a
> sub package, I will add a requirement to system-config-firewall for this

PLEASE do not "Require: system-config-firewall"
this would pull useless dependencies

what we (users) really need is "iptables.service" as it was and a working
"/sbin/iptables-save > /etc/sysconfig/iptables" to load the
"/etc/sysconfig/iptables" generated with whatever shell script, to satisfy
setups that have worked perfectly over many years for (the same for
iptables6.service)

* firewalls
* NAT
* routing

as example i have a large shellscript with the following start

 $IPTABLES -P INPUT DROP
 $IPTABLES -P FORWARD DROP
 $IPTABLES -F
 $IPTABLES -X
 CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
 for i in $CHAINS; do $IPTABLES -t $i -F; done && echo "Flush OK" || echo "Flush FAILED"
 for i in $CHAINS; do $IPTABLES -t $i -X; done && echo "Clear OK" || echo "Clear FAILED"
 for i in $CHAINS; do $IPTABLES -t $i -Z; done

and ending with "/sbin/iptables-save > /etc/sysconfig/iptables"

after that any needed rules are added with the iptables command

this script is distributed to a LOT of machines of any type
at the beginning it has basic rules for any machine (accept, block, reject)
followed by a lot of

 if [ "$HOSTNAME" == "hostname" ]; then
  <specific rules>
 fi

this is maintained on a staging server, distributed to any machine
and called with "ssh root@host '/scirpts/iptables.sh'"

for other networks / routers / nat-gateways outside the main network
a fork of this thing exists, using knowledge grown over years, and adds
specific rules, mostly controlled by a lot of variables at the beginning

calling this script does NOT interrupt connections
it handles really a lot of specific filters
it works like a charm

these setups do not need firewalld at all
nor do they need any dependency on GUI/TUI tools
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
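Added example, not part of the original mail or of any Fedora package: a check that could run after the "/sbin/iptables-save > /etc/sysconfig/iptables" step described above, confirming that the saved dump is complete and still carries the DROP policies for INPUT and FORWARD before a boot-time service loads it. The function and sample names are hypothetical and the sample dumps are constructed.

```shell
#!/bin/sh
# check_saved_rules [FILE]   (hypothetical helper; reads stdin when FILE is omitted)
# Validates an iptables-save dump:
#   - every "*table" section is closed by a COMMIT line (a truncated dump fails)
#   - the filter table's INPUT and FORWARD policies are DROP
# Prints one finding per line; returns 0 if clean, non-zero otherwise.
check_saved_rules() {
    awk '
        BEGIN { bad = 0; table = "" }
        /^\*/ {                         # "*filter", "*nat", ... opens a table
            if (table != "") { print "table " table " has no COMMIT"; bad = 1 }
            table = substr($0, 2); next
        }
        /^COMMIT/ {                     # closes the current table
            if (table == "") { print "COMMIT outside a table"; bad = 1 }
            table = ""; next
        }
        /^:/ {                          # ":INPUT DROP [0:0]" is a chain policy line
            if (table == "filter") policy[substr($1, 2)] = $2
            next
        }
        END {
            if (table != "") { print "table " table " has no COMMIT"; bad = 1 }
            n = split("INPUT FORWARD", want, " ")
            for (i = 1; i <= n; i++) {
                p = policy[want[i]]
                if (p == "") p = "missing"
                if (p != "DROP") { print "filter/" want[i] " policy is " p; bad = 1 }
            }
            exit bad
        }
    ' "${1:--}"
}

# Constructed sample dumps, for demonstration only.
good_dump() {
    printf '%s\n' '# constructed sample' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' 'COMMIT'
}
# Same dump with the final COMMIT lost, as after an interrupted save.
truncated_dump() { good_dump | sed '$d'; }

good_dump | check_saved_rules && echo "constructed sample: OK"
```

On a real host the call would be `check_saved_rules /etc/sysconfig/iptables`, run as the last step of the generating script so that a failed save is noticed before the next reboot.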