Hi,
----- Original Message -----
From: Thomas Woerner <twoerner(a)redhat.com>
Subject: Re: About F19 Firewall
> 1) Separate zones.
> NM connections, interfaces and source addresses or ranges can be bound
> to zones. The initial default zone is public and all connections will be
> bound to this zone. The user or administrator can bind connections to
> other zones by either doing this in the NM connection editor or within
> the ifcfg file.
Yeah, Mateusz explained that earlier. I don't use NM either.
> 2) Make sure that a newly added rule will have the desired effect.
> If you are mixing deny and allow rules, you cannot say which effect it
> will have. Either there are unwanted accepts or rejects or drops. A
> simple and straightforward solution is to have separate chains for deny
> and allow rules. The same applies also for logging rules.
iptables(8) takes action (jumps to the target) at the first rule that matches, or continues
further till it finds a match and falls back to the chain policy if no rule is matched.
From the manual:
---
TARGETS
A firewall rule specifies criteria for a packet and a target. If the
packet does not match, the next rule in the chain is the examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain or one of the
special values ACCEPT, DROP, QUEUE or RETURN.
...
If the end of a built-in chain is reached or a rule
in a built-in chain with target RETURN is matched, the target specified
by the chain policy determines the fate of the packet.
---
> You do not need to change it, but you can if you want to. If for
> example you are using wifi connections at home, work, ... you can bind these to
> the (for you) appropriate zone. For example work for your work wifi
> connection. It will be used only if you are connecting to your work wifi
> connection (it is bound to the SSID).
> The default zone (initially public) is used for all connections and
> interfaces where the zone has not been set to another value.
> You can customize the zones and services according to your needs.
Yes, I understand the functionality, but I doubt if it'll be used at all. It's
not a desktop background that people would want to change every day.
---
Regards
-Prasad
http://feedmug.com
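As an added illustration of the first-match semantics quoted from iptables(8) above and of Thomas's point about separate deny and allow chains, here is a small simulation of chain evaluation (my own example, not code from the thread or from firewalld; the chain names DENY_IN and ALLOW_IN, the addresses and the sample packet are constructed):

```python
from ipaddress import ip_address, ip_network

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"

def src(cidr):
    """Match packets whose source address lies in `cidr`."""
    net = ip_network(cidr)
    return lambda p: ip_address(p["src"]) in net

def dport(port):
    """Match packets to one destination port."""
    return lambda p: p["dport"] == port

def walk(chains, name, packet):
    """First matching rule decides, as in iptables: ACCEPT/DROP are final,
    RETURN or the end of a chain hands control back to the caller,
    any other target is a jump into a user-defined chain."""
    for match, target in chains[name]:
        if not match(packet):
            continue
        if target in (ACCEPT, DROP):
            return target
        if target == RETURN:
            return None
        verdict = walk(chains, target, packet)
        if verdict is not None:
            return verdict
    return None

def fate(chains, packet, builtin="INPUT", policy=DROP):
    """Verdict for a packet entering a built-in chain with the given policy."""
    verdict = walk(chains, builtin, packet)
    return policy if verdict is None else verdict

# Constructed rules: allow SSH from the LAN, but block one misbehaving host.
in_lan, ssh = src("192.168.1.0/24"), dport(22)
allow_lan_ssh = (lambda p: in_lan(p) and ssh(p), ACCEPT)
deny_bad_host = (src("192.168.1.50/32"), DROP)
bad_host_ssh = {"src": "192.168.1.50", "dport": 22}  # constructed packet

def mixed_chain(rules_in_append_order):
    """Deny and allow rules mixed in one chain: append order decides the fate."""
    return fate({"INPUT": list(rules_in_append_order)}, bad_host_ssh)

def separate_chains():
    """INPUT jumps to a deny chain, then an allow chain, then the policy,
    so a deny rule appended later can no longer be shadowed by an accept."""
    chains = {
        "INPUT": [(lambda p: True, "DENY_IN"), (lambda p: True, "ALLOW_IN")],
        "DENY_IN": [deny_bad_host],
        "ALLOW_IN": [allow_lan_ssh],
    }
    return fate(chains, bad_host_ssh)
```

With the rules mixed in one chain, appending the deny rule after the allow rule leaves the bad host's SSH traffic accepted; with the separate chains it is dropped regardless of the order in which either rule was added.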