What's the purpose of the *INPUT_direct* custom-chain in the
filter/INPUT chain? Is this the recommended chain to use when inserting
custom rules via the --direct option? Is it sort of like, to keep

I just recently converted my iptables rules to firewalld. Most of it was
straightforward. However, I had trouble with trying to log my rejected
My old /etc/sysconfig/iptables INPUT chain ended with
-A INPUT -m limit --limit 6/hour --limit-burst 10 -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Is there a simple way to do this with firewalld?
If not, could it be implemented? I find that logging rejected packets can
sometimes help find trouble with the firewall setup.
I was able to find a workaround with some direct passthrough entries,
but it is fragile (it depends on the current firewalld entries' creation
order and naming structure).
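The reason the LOG rule above is worth keeping is that the kernel records each rejected packet as a netfilter line (IN=... OUT=... SRC=... DST=... PROTO=... DPT=...), and those lines are what you read to find a mis-set zone or a missing service. The script below is an added example, not code from this thread or from the firewalld project: it parses such lines from a syslog/journal file and tallies rejected traffic per destination port and per source. The sample lines are constructed (RFC 5737 documentation addresses, invented timestamps and MAC) and the "FW-REJECT:" prefix on one of them is a hypothetical --log-prefix value; the rule quoted in the message has no prefix, and the parser handles both cases.

```python
"""Summarise netfilter LOG records (as written by an iptables -j LOG rule)
so rejected traffic can be reviewed per destination port and per source."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# netfilter writes KEY=VALUE fields; bare flags such as DF or SYN carry no '='.
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Optional --log-prefix text sits between "kernel:" (plus printk timestamp) and "IN=".
_PREFIX_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*?)\s*IN=")

# Constructed sample lines (not captured from a real host).
SAMPLE_LINES = [
    "Jan 29 10:15:03 host kernel: [12345.678901] IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=51234 DPT=8080 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 29 10:15:04 host kernel: [12346.001122] IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 DF PROTO=TCP SPT=51235 DPT=8080 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    # hypothetical --log-prefix value on this one
    "Jan 29 10:15:05 host kernel: [12347.202020] FW-REJECT: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=198.51.100.5 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40000 DPT=161 LEN=58",
    "Jan 29 10:15:06 host kernel: [12348.303030] IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.4 DST=198.51.100.5 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    # unrelated kernel message: must be ignored
    "Jan 29 10:15:07 host kernel: [12349.404040] usb 1-1: new high-speed USB device",
]


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the netfilter fields of one log line, or None if the line is
    not a netfilter LOG record (no IN= and OUT= pair)."""
    fields = dict(_FIELD_RE.findall(line))
    if "IN" not in fields or "OUT" not in fields:
        return None
    m = _PREFIX_RE.search(line)
    fields["PREFIX"] = m.group(1).strip() if m else ""
    return fields


def summarise(lines: Iterable[str]) -> Dict[str, object]:
    """Count rejected packets per PROTO/DPT (PROTO alone for ICMP and other
    port-less protocols) and per source address."""
    by_port: Counter = Counter()
    by_src: Counter = Counter()
    parsed = 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        parsed += 1
        proto = rec.get("PROTO", "?")
        key = f"{proto}/{rec['DPT']}" if "DPT" in rec else proto
        by_port[key] += 1
        by_src[rec.get("SRC", "?")] += 1
    return {"parsed": parsed, "by_port": by_port, "by_src": by_src}


if __name__ == "__main__":
    # Typical use: python3 thisfile.py < /var/log/messages (or journalctl -k output)
    import sys
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    result = summarise(source)
    print(f"netfilter records: {result['parsed']}")
    for key, n in result["by_port"].most_common():
        print(f"  {key:<12} {n}")
    for src, n in result["by_src"].most_common():
        print(f"  from {src:<16} {n}")
```

Fed the real log, the per-port tally shows which services are being rejected that a zone was expected to allow, and the per-source tally separates a mis-configured client from background scanning. Because the rule is rate-limited (--limit 6/hour --limit-burst 10), the counts are a sample of rejected traffic, not a complete count.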

It fixes two more regressions introduced with 0.3.9:
- broken persistent port forwarding (RHBZ#1056154)
- not allowing Router Advertisements with IPv6_rpfilter (RHBZ#1058505)
one regression introduced with 0.3.4:
- default zone rules being applied to all zones (RHBZ#1057875)
and some more bug-fixes, like RHBZ#1055190
Hopefully we'll be luckier with future releases than we were
with 0.3.9 (which introduced some regressions).