Re: firewalld-0.4.2
by Sergio Villar Senin
On 30/05/16 20:44, Thomas Woerner wrote:
>
> Source port support in zones, services and rich rules
> -----------------------------------------------------
>
> Additionally to ports it is also now possible to allow source ports in
> zones and also in a service in a similar way as existing ports. There is
> a new flag source-port for this.
>
> Source ports can also be used in rich rules as elements. The source
> ports can be combined with logging, limiting and also an action.
Oh yes!
Thank you especially for this.
BR
7 years, 9 months
Re: firewalld-0.4.2
by Rubén Rivero Capriles
Congratulations Thomas! Any guidelines for install without conflict against previous yum installed version?
This message was sent via the Movilnet BlackBerry service
-----Original Message-----
From: Thomas Woerner <twoerner(a)redhat.com>
Date: Mon, 30 May 2016 20:44:12
To: Firewalld users discussion list<firewalld-users(a)lists.fedorahosted.org>; Firewalld development list<firewalld-devel(a)lists.fedorahosted.org>
Reply-To: Firewalld users discussion list <firewalld-users(a)lists.fedorahosted.org>
Subject: firewalld-0.4.2
The new firewalld version 0.4.2 is available with several enhancements,
bug fixes and huge speed ups.
The main changes of firewalld-0.4.2 are
New transaction model
---------------------
Changes are done in one big transaction instead of smaller ones. This
speeds up firewalld start and restart tremendously.
The start is done in up to six or nine calls to the restore commands
depending on the configuration. This depends on ipset and also direct
configuration usage.
Also all other actions benefit from this change.
Enhanced handling of connections and interfaces
-----------------------------------------------
For interfaces that are handled by NetworkManager, requests to add or
change bindings are directed to NetworkManager in the firewall-cmd and
firewall-config tools.
For interfaces on Fedora and RHEL systems that are not handled by NM,
there is a new mechanism that changes the ifcfg file if there is one
using the interface.
This makes zone interface bindings more consistent.
Usability enhancements for firewall-config
------------------------------------------
firewall-config has a new side bar with the active bindings of
connections, interfaces and also sources. With this side bar it is
possible to change the binding assignments in a simple way.
A new overlay message window is shown if the connection to firewalld could not be
established or if it is lost.
Speed ups for view changes runtime to permanent and back by introduction
of new D-Bus methods in firewalld.
The resize behavior has been fixed to be more expected.
Enhanced runtime to permanent migration
---------------------------------------
The enhanced migration is not saving interfaces that are under control
of NetworkManager to the permanent configuration. Zones, services etc.
are only migrated if there are changes compared to current permanent
configuration.
New ICMP block inversion
------------------------
The ICMP block is now completely handled per zone. With the new ICMP
block inversion flag in the zone it is possible to invert the ICMP
block. That means that the enabled ICMP blocks are allowed and all
others are blocked. In a drop zone these remaining types are dropped and
not blocked.
The logging of denied rules has been added to icmp-blocks.
Source port support in zones, services and rich rules
-----------------------------------------------------
Additionally to ports it is also now possible to allow source ports in
zones and also in a service in a similar way as existing ports. There is
a new flag source-port for this.
Source ports can also be used in rich rules as elements. The source
ports can be combined with logging, limiting and also an action.
Rich rules with destination only
--------------------------------
Destination addresses can now be used in rich rules without an element.
This enables the use of rich rules containing destination addresses
combined with an action and logging only.
There are also several other bug fixes or enhancements and code
optimizations.
------------------------------------------------------------------------
The new firewalld version 0.4.1.2 is available here:
https://fedorahosted.org/released/firewalld/firewalld-0.4.2.tar.bz2
Also on github:
https://github.com/t-woerner/firewalld/releases/tag/v0.4.2
And in the github repository:
https://github.com/t-woerner/firewalld/
<https://github.com/t-woerner/firewalld/tree/v0.4.0>
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/firewalld-users@lists.fedoraho...
7 years, 9 months
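A worked illustration of the two zone-level additions announced above (the source-port element and the ICMP block inversion flag), added here as an example and not code from the announcement or from firewalld itself: it parses a constructed zone file using the element names of the firewalld zone XML format and evaluates the resulting ICMP verdict and source-port match. The drop-versus-reject behaviour for blocked types without inversion is an assumption, noted in the code.

```python
# Added example (not firewalld code): evaluate the 0.4.2 zone semantics
# described in the release announcement on a constructed zone file.
import xml.etree.ElementTree as ET

# Constructed sample zone: DROP target, two listed ICMP types, inversion
# enabled, and two source-port entries (one a range).
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Example</short>
  <icmp-block name="echo-request"/>
  <icmp-block name="destination-unreachable"/>
  <icmp-block-inversion/>
  <source-port port="5060" protocol="udp"/>
  <source-port port="40000-40100" protocol="tcp"/>
</zone>
"""

def parse_zone(xml_text):
    """Return the zone target, ICMP block set, inversion flag and source ports."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    return {
        "target": root.get("target", "default"),
        "icmp_blocks": {e.get("name") for e in root.findall("icmp-block")},
        "icmp_block_inversion": root.find("icmp-block-inversion") is not None,
        "source_ports": [(e.get("port"), e.get("protocol"))
                         for e in root.findall("source-port")],
    }

def icmp_verdict(zone, icmp_type):
    """Verdict ('accept', 'reject' or 'drop') for one ICMP type.

    Without inversion the listed types are blocked; with inversion the listed
    types are allowed and all other types are blocked. Per the announcement,
    blocked types in a DROP-target zone are dropped rather than rejected
    (assumption: the same target rule applies when inversion is off).
    """
    listed = icmp_type in zone["icmp_blocks"]
    blocked = (not listed) if zone["icmp_block_inversion"] else listed
    if not blocked:
        return "accept"
    return "drop" if zone["target"] == "DROP" else "reject"

def source_port_allowed(zone, port, protocol):
    """True if port/protocol matches a source-port entry; ranges use 'lo-hi'."""
    for spec, proto in zone["source_ports"]:
        lo, _, hi = spec.partition("-")
        if proto == protocol and int(lo) <= port <= int(hi or lo):
            return True
    return False
```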
wish to install firewalld 0.4.1.2 on CentOs 7
by Rubén Rivero Capriles
I notice in ./configure that:
checking for python version... 2.7
checking for python platform... linux2
configure: error: glib-compile-schemas not found.
My current python version is 3.5 which I installed yesterday. How can I get rid of 2.7 ?
I had many firewalld conflicts today with the python 3.5 I installed yesterday. Iptables didn't work either. So I uninstalled both of them and downloaded from source firewalld-0.4.1.2.tar.bz2
After README I notice there are many important files for installation: Firewalld.spec Makefile.am Makefile.in fix_python_shebang.sh py-compile
How should I continue installation? Below is output from my recent failure of previous version of firewalld
sudo firewall-cmd --permanent --add-service=http
Error: Traceback (most recent call last):
File "/usr/lib64/python2.7/site-packages/dbus/service.py", line 707, in message_cb
retval = candidate_method(self, args, *keywords)
File "/usr/lib/python2.7/site-packages/slip/dbus/service.py", line 148, in wrapped_method
reply_handler=reply_handler, error_handler=error_handler)
File "/usr/lib/python2.7/site-packages/slip/dbus/polkit.py", line 270, in IsSystemBusNameAuthorizedAsync
reply_handler, error_handler, challenge, details)
File "/usr/lib/python2.7/site-packages/slip/dbus/polkit.py", line 256, in IsSystemBusNameAuthorizedAsync
timeout=method_call_no_timeout)
File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 137, in __call_
**keywords)
File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 584, in call_async
message.append(signature=signature, *args)
ValueError: Unable to guess signature from an empty dict
systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: failed (Result: timeout) since Fri 2016-05-27 17:09:14 BOT; 11s ago
Process: 2202 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 2202 (code=exited, status=0/SUCCESS)
May 27 17:07:44 mlp systemd[1]: Starting firewalld - dynamic firewall daemon...
May 27 17:07:44 mlp firewalld[2202]: 2016-05-27 17:07:44 ERROR: ebtables not usable, disabling ethernet bridge firewall.
May 27 17:09:14 mlp systemd[1]: firewalld.service start operation timed out. Terminating.
May 27 17:09:14 mlp systemd[1]: Failed to start firewalld - dynamic firewall daemon.
May 27 17:09:14 mlp systemd[1]: Unit firewalld.service entered failed state.
May 27 17:09:14 mlp systemd[1]: firewalld.service failed.
ps -efc
root 915 898 TS 19 16:40 pts/0 00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid --debug 10
root 1882 898 TS 19 16:51 pts/0 00:00:00 /usr/bin/python -Es /usr/bin/firewall-cmd --permanent --add-service=ssh
7 years, 9 months
local port forwarding
by Benjamin Lefoul
Hi,
Strangely enough this seems to be a common problem without a clear answer (see for instance: https://ask.fedoraproject.org/en/question/32104/port-redirect-with-firewa... )
We have a file to be fetched via http on port 8080, so this works: # wget http://localhost:8080/file_to_fetch.txt
We want this to work as well: # wget http://localhost/file_to_fetch.txt
But adding the port forward to the trusted zone (with interface lo) won't do.
forward-ports: port=80:proto=tcp:toport=8080:toaddr=
Even adding it as a rich rule does not work. The only way around is with a direct rule:
# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="nat" ipv="ipv4" chain="OUTPUT">-d 127.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080</rule>
</direct>
We are using version 0.3.9 as packaged in CentOS7.
Surely there is another way?
Thanks,
Benjamin Lefoul
7 years, 10 months
Upnp
by John Obaterspok
Hi,
I currently have to disable firewalld since my gupnp service needs to subscribe to upnp events from different upnp devices.
Last year a SSDP conntrack helper was added in conntrack-tools 1.4.3
Has anything been done recently to allow using firewalld with upnp? Any hints of workarounds to allow me to use it?
-- john
7 years, 10 months