On 11/09/2012 07:45 PM, Reindl Harald wrote:
On 09.11.2012 17:45, Thomas Woerner wrote:
On 11/09/2012 05:24 PM, Eric H. Christensen wrote:
Please have a look at the feature list for F-18.
firewalld replaces system-config-firewall/lokkit and the iptables and ip6tables services, not the iptables package
and command.
The ip*tables services and also system-config-firewall/lokkit are still available and usable after
deactivation of the firewalld service. With the latest request to move the services of iptables and ip6tables into a
sub package, I will add a requirement to system-config-firewall for this.
PLEASE do not "Require: system-config-firewall",
this would pull in useless dependencies
What I meant: Add a requirement for iptables-services to
system-config-firewall-base, this is currently not there.
what we (users) really need is "iptables.service" as it was and
a working "/sbin/iptables-save > /etc/sysconfig/iptables" to load
the "/etc/sysconfig/iptables" generated by whatever shell script,
to satisfy setups that have been working perfectly for many years for
(the same for ip6tables.service)
* firewalls
* NAT
* routing
as an example, I have a large shell script
with the following start:
IPTABLES=/sbin/iptables    # binary used throughout the script
$IPTABLES -P INPUT DROP    # default policies first, so nothing gets in while the chains are empty
$IPTABLES -P FORWARD DROP
$IPTABLES -F               # flush all rules in the filter table
$IPTABLES -X               # delete all user-defined chains in the filter table
# every table currently loaded in the kernel (filter, nat, mangle, raw, ...)
CHAINS=$(cat /proc/net/ip_tables_names 2>/dev/null)
for i in $CHAINS; do $IPTABLES -t "$i" -F; done && echo "Flush OK" || echo "Flush FAILED"
for i in $CHAINS; do $IPTABLES -t "$i" -X; done && echo "Clear OK" || echo "Clear FAILED"
for i in $CHAINS; do $IPTABLES -t "$i" -Z; done   # zero the packet/byte counters
and ending with "/sbin/iptables-save > /etc/sysconfig/iptables"
after that, any needed rules are added with the iptables command
this script is distributed to a LOT of machines of any type
at the beginning it has basic rules for any machine (accept, block, reject)
followed by a lot of
if [ "$HOSTNAME" == "hostname" ]; then
<specific rules>
fi
this is maintained on a staging server, distributed to any machine
and called with "ssh root@host '/scripts/iptables.sh'"
for other networks / routers / NAT gateways outside the main network
a fork of this thing exists, using knowledge grown over the years, and
adds specific rules, mostly controlled by a lot of variables at the
beginning
calling this script does NOT interrupt connections
it handles really a lot of specific filters
it works like a charm
these setups do not need firewalld at all, nor do
they need any dependency on GUI/TUI tools
Yes, full ack.
You will be able to use it after switching off firewalld.service and
enabling iptables.service and ip6tables.service.
I will add a script for switching from and to dynamic/static mode:
switch-firewall
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel