Dan, I use firewalld exclusively now but had been using iptables/ip6tables
for years and find that it is quite easy to see a solution to my problems:
"If I could only insert a rule into a specific chain". My old startup
setup script was several pages long with many defined variables and, if the
wind was with me, generated what I wanted. But it was touchy to
reconfiguration and I just abandoned it for the predefined structure of
firewalld. Now the config is in xml and entirely maintained by firewalld.
I have considered just inserting a necessary rule in the runtime table but
I am concerned that doing so would mess up firewalld's config. Since it
would not alter the permanent xml I assume a reload would clean it out but
have been cautious about trying. Haven't needed to (yet) anyway.
Amicalement,
Dave
--
Maple Park Development
Linux Systems Integration
If IP addresses weighed one gram each:
IPv4 = half the Empire State Building vs. IPv6 = 56 billion earths
I use Linux and I wouldn't touch Outlook even if I were using a Hazmat suit
and an isolation lab kit.
On Tue, Sep 27, 2016 at 9:47 AM, Dan White <d_e_white(a)icloud.com> wrote:
Thanks.
Nicely concealed features, Firewall Guys :P
So, to attempt the last step, I would use a rich-language rule with the
info from "man iptables-extensions" to get what I want.
How's that sound ?
Dan White | d_e_white(a)icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe
is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)
On Sep 27, 2016, at 10:34 AM, David Forrest <mapleparkdevelopment@gmail.com> wrote:
Dan, firewalld uses netfilter (iptables/ip6tables) as its working part
and is more of a front end. iptables and firewalld are actually running the
same loaded file at runtime. So the descriptions for the formats can be
found in man files for iptables/ip6tables. I had to install the iptables
package to see my rules. From the man iptables-extensions page I found
this:
conntrack
    This module, when combined with connection tracking, allows access to the
    connection tracking state for this packet/connection.

    [!] --ctstate statelist
        statelist is a comma separated list of the connection states to
        match. Possible states are listed below.
    [!] --ctproto l4proto
        Layer-4 protocol to match (by number or name)
    [!] --ctorigsrc address[/mask]
    [!] --ctorigdst address[/mask]
    [!] --ctreplsrc address[/mask]
    [!] --ctrepldst address[/mask]
        Match against original/reply source/destination address
    [!] --ctorigsrcport port[:port]
    [!] --ctorigdstport port[:port]
    [!] --ctreplsrcport port[:port]
    [!] --ctrepldstport port[:port]
        Match against original/reply source/destination port (TCP/UDP/etc.)
        or GRE key. Matching against port ranges is only supported in kernel
        versions above 2.6.38.
    [!] --ctstatus statelist
        statuslist is a comma separated list of the connection statuses to
        match. Possible statuses are listed below.
    [!] --ctexpire time[:time]
        Match remaining lifetime in seconds against given value or range of
        values (inclusive)
    --ctdir {ORIGINAL|REPLY}
        Match packets that are flowing in the specified direction. If this
        flag is not specified at all, matches packets in both directions.

    States for --ctstate:
        INVALID
            The packet is associated with no known connection.
        NEW
            The packet has started a new connection or otherwise associated
            with a connection which has not seen packets in both directions.
        ESTABLISHED
            The packet is associated with a connection which has seen packets
            in both directions.
        RELATED
            The packet is starting a new connection, but is associated with an
            existing connection, such as an FTP data transfer or an ICMP error.
        UNTRACKED
            The packet is not tracked at all, which happens if you explicitly
            untrack it by using -j CT --notrack in the raw table.
        SNAT
            A virtual state, matching if the original source address differs
            from the reply destination.
        DNAT
            A virtual state, matching if the original destination differs from
            the reply source.

    Statuses for --ctstatus:
Amicalement,
Dave
--
Maple Park Development
Linux Systems Integration
http://www.maplepark.com/
If IP addresses weighed one gram each:
IPv4 = half the Empire State Building vs. IPv6 = 56 billion earths
I use Linux and I wouldn't touch Outlook even if I were using a Hazmat
suit and an isolation lab kit.
On Tue, Sep 27, 2016 at 7:41 AM, Dan White <d_e_white(a)icloud.com> wrote:
> I see rules in my "iptables -S" dump like
>
> -A IN_work_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j
> ACCEPT
>
> But how do I create one ? I cannot find any documentation on "state" or
> "ctstate" setting.
>
> Thanks.
>
> Dan White | d_e_white(a)icloud.com
> ------------------------------------------------
> “Sometimes I think the surest sign that intelligent life exists elsewhere in the
> universe is that none of it has tried to contact us.” (Bill Watterson: Calvin &
> Hobbes)
>
>
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
>
>
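As an added example (not code from this thread, from firewalld or from the iptables project), the following Python parses "iptables -S" lines of the kind Dan quoted and audits their conntrack state matches: it flags ACCEPT rules that open a port without being limited to --ctstate NEW. The sample dump is constructed, and the IN_<zone>_allow chain name is taken from firewalld's own zone-chain naming.

```python
# Added example, not code from the thread or from firewalld: parse `iptables -S`
# lines and audit their conntrack state matches. SAMPLE_DUMP is constructed;
# the IN_<zone>_allow chain name follows firewalld's own zone-chain convention.
import shlex

SAMPLE_DUMP = """\
-A IN_work_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
"""

# Options whose value we keep verbatim; --ctstate is split into a set below.
KEYS = {"-j": "target", "-p": "proto", "--dport": "dport"}

def parse_rule(line):
    """Turn one '-A chain ...' line into a dict; any other line gives None.
    Simplification: tokens are consumed as option/value pairs, so bare flags
    such as --syn or a leading '!' negation are not handled."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "target": "", "proto": "", "dport": "", "ctstates": set()}
    for i in range(2, len(toks) - 1, 2):
        opt, val = toks[i], toks[i + 1]
        if opt == "--ctstate":  # the conntrack match the thread is about
            rule["ctstates"] = set(val.split(","))
        elif opt in KEYS:
            rule[KEYS[opt]] = val
    return rule

def zone_of(chain):
    """Map a firewalld zone chain such as IN_work_allow to its zone ('work')."""
    parts = chain.split("_")
    return parts[1] if len(parts) == 3 and parts[0] == "IN" and parts[2] == "allow" else None

def audit(dump):
    """Return (zone-or-chain, proto, dport, sorted ctstates) for each ACCEPT rule
    that opens a port without being limited to --ctstate NEW, e.g. a rule with no
    conntrack match at all, which accepts any state unless an earlier rule drops it."""
    findings = []
    for rule in map(parse_rule, dump.splitlines()):
        if rule and rule["target"] == "ACCEPT" and rule["dport"] and rule["ctstates"] != {"NEW"}:
            findings.append((zone_of(rule["chain"]) or rule["chain"], rule["proto"],
                             rule["dport"], sorted(rule["ctstates"])))
    return findings
```

Run audit() over the real output of "iptables -S" to see which zone rules admit traffic in states other than NEW; rules without a --dport are skipped because they are not port openings.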