Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

On 15.11.2012 19:02, Miloslav Trmač wrote:
> On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>> On 15.11.2012 18:06, Adam Williamson wrote:
>>> Right. I hate to say it, but Harald is correct here: AFAIK, all those
>>> and other firewall configuration mechanisms were ultimately just
>>> UI/abstraction layers wrapped around iptables. They wrote iptables
>>> rules. firewalld is very different.
> 
> (Side-reply to Adam:) I can't see the difference; /sbin/iptables still
> works if you have firewalld running.
> 
>> i am one of the second groups and doing DISTRIBUTED iptables-configurations
>> for whole infrastructures since many years and using here any capability
>> of iptables which can be hardly covered with abstraction layers
> 
> It would be very helpful for judging the maturity/suitability of
> firewalld if you could try converting your iptables script to
> firewall-cmd --direct (which, at least I hope, should be possible to
> do with a few sed commands), and report back whether the pass-through
> capability is good enough.

you CAN NOT easily convert iptables.sh scripts containing
hundreds of commands in a specific order which are well tested
over years and are your replacement for any hardware firewall/router

these things are not written at once
these things have grown, been optimized and maintained over years
these things are tested in zones where security is hardly needed

it is a bad idea to touch them and re-test it all in production
as it is IMPOSSIBLE to build an infrastructure with tons of servers
and clients with very specific block/reject/allow in a test
environment without wasting hundreds of hours of your work

and the main problem: these things have been working fine since forever
you will have no benefit from converting them to something else

it is one thing to develop new tools and abstraction layers
a whole different story is throwing away perfect workloads for nothing

in the time we discuss this here someone could maintain iptables.service
for the next 20 years at all!



-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
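The thread argues about whether an iptables.sh script can be converted to firewall-cmd --direct "with a few sed commands". The script below is an added example, not code from either poster or from the firewalld project: it does the mechanical part of that conversion and shows where a line-by-line rewrite stops being mechanical. It assumes the documented firewall-cmd forms `--direct --add-rule <family> <table> <chain> <priority> <args>` and `--direct --add-passthrough <family> <args>`, and the sample rules are constructed for illustration. It only prints the resulting commands; it does not touch a running firewall.

```shell
#!/bin/sh
# Added example: mechanically rewrite lines of a hand-written iptables.sh
# into firewall-cmd --direct commands, keeping the script's rule order.
# The rules below are constructed for illustration, not taken from the thread.
SAMPLE_RULES='iptables -t filter -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT'

# convert_rule LINE PRIORITY
# Prints the firewall-cmd equivalent of one iptables/ip6tables call.
# Returns 0 when a command was produced, 1 when the line needs manual work.
convert_rule() {
    line=$1
    prio=$2
    set -f                 # no globbing while word-splitting the rule
    set -- $line
    set +f
    case $1 in
        iptables)  family=ipv4 ;;
        ip6tables) family=ipv6 ;;
        *) printf 'MANUAL: not an iptables call: %s\n' "$line"; return 1 ;;
    esac
    shift
    args=$*                # everything after the binary, for passthrough
    table=filter
    if [ "$1" = -t ]; then
        table=$2
        shift 2
    fi
    case $1 in
        -A)
            chain=$2
            shift 2
            # --add-rule takes a priority; a higher value lands further down
            # the chain, so a strictly increasing counter preserves -A order.
            printf 'firewall-cmd --permanent --direct --add-rule %s %s %s %s %s\n' \
                "$family" "$table" "$chain" "$prio" "$*"
            ;;
        -I)
            # -I inserts at the head of the chain: its position relative to
            # later rules cannot be derived line by line, so flag it.
            printf 'MANUAL: -I changes ordering, review by hand: %s\n' "$line"
            return 1
            ;;
        *)
            # -P, -N, -F, -X ...: no --add-rule form, hand the arguments
            # through unchanged (table flag included).
            printf 'firewall-cmd --permanent --direct --add-passthrough %s %s\n' \
                "$family" "$args"
            ;;
    esac
}

# convert_script < iptables.sh
# Skips blank and comment lines; every converted line gets the next priority.
convert_script() {
    prio=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        convert_rule "$line" "$prio" && prio=$((prio + 1))
    done
}

printf '%s\n' "$SAMPLE_RULES" | convert_script
```

Even where every line converts, the result is not the same firewall: firewalld places direct rules in its own chains (INPUT_direct and so on) that are evaluated alongside its zone rules, `-I` and policy changes need a human decision, and anything that relies on the exact chain layout of the old script has to be re-tested against real traffic, which is the cost the reply above objects to.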
