Dan;  I use firewalld exclusively now but had been using iptables/iptables  for years and find that it is quite easy to see a solution to my problems "If I could only insert a rule into a specific chain".  My old startup setup script was several pages long with many defined variables and, if the wind was with me, generated what I wanted.  But it was touchy  to reconfiguration and I just abandoned it for the predefined structure of firewalld.  Now the config is in xml and entirely maintained by firewalld.

I have considered just inserting a necessary rule in the runtime table but I am concerned that doing so would mess up firewalld's config.  Since it would not alter the permanent xml I assume a reload would clean it out but have been cautious about trying. Haven't needed to (yet) anyway. 

Amicalement,
Dave
--
Maple Park Development
Linux Systems Integration
http://www.maplepark.com/

If IP addresses weighed one gram each:
 IPv4 = half the Empire State Building vs.  IPv6 = 56 billion earths

I use Linux and I wouldn't touch Outlook even if I were using a Hazmat suit and an isolation lab kit.

On Tue, Sep 27, 2016 at 9:47 AM, Dan White <d_e_white@icloud.com> wrote:
Thanks.

Nicely concealed features, Firewall Guys :P

So, to attempt the last step, I would use a rich-language rule with the info from "man iptables-extensions" to get what I want.  

How's that sound ?
Dan White | d_e_white@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & Hobbes)

On Sep 27, 2016, at 10:34 AM, David Forrest <mapleparkdevelopment@gmail.com> wrote:

Dan,  firewalld uses netfilter (iptables/ip6tables) as its working part and is more of a front end. iptables and firewalld are actually running the same loaded file at runtime.  So the descriptions for the formats can be found in man files for iptables/ip6tables.  I had to install the iptables package to see my rules.  From the man iptables-extensions page I found this:

 conntrack
       This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.

       [!] --ctstate statelist
              statelist is a comma separated list of the connection states to match.  Possible states are listed below.

       [!] --ctproto l4proto
              Layer-4 protocol to match (by number or name)

       [!] --ctorigsrc address[/mask]

       [!] --ctorigdst address[/mask]

       [!] --ctreplsrc address[/mask]

       [!] --ctrepldst address[/mask]
              Match against original/reply source/destination address

       [!] --ctorigsrcport port[:port]

       [!] --ctorigdstport port[:port]

       [!] --ctreplsrcport port[:port]

       [!] --ctrepldstport port[:port]
              Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.  Matching against port ranges is only supported in kernel
              versions above 2.6.38.

       [!] --ctstatus statelist
              statuslist is a comma separated list of the connection statuses to match.  Possible statuses are listed below.

       [!] --ctexpire time[:time]
              Match remaining lifetime in seconds against given value or range of values (inclusive)

       --ctdir {ORIGINAL|REPLY}
              Match packets that are flowing in the specified direction. If this flag is not specified at all, matches packets in both directions.

       States for --ctstate:

       INVALID
              The packet is associated with no known connection.

       NEW    The packet has started a new connection or otherwise associated with a connection which has not seen packets in both directions.

       ESTABLISHED
              The packet is associated with a connection which has seen packets in both directions.

       RELATED
              The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

       UNTRACKED
              The packet is not tracked at all, which happens if you explicitly untrack it by using -j CT --notrack in the raw table.

       SNAT   A virtual state, matching if the original source address differs from the reply destination.

       DNAT   A virtual state, matching if the original destination differs from the reply source.

       Statuses for --ctstatus:


Amicalement,
Dave
--
Maple Park Development
Linux Systems Integration
http://www.maplepark.com/

If IP addresses weighed one gram each:
 IPv4 = half the Empire State Building vs.  IPv6 = 56 billion earths

I use Linux and I wouldn't touch Outlook even if I were using a Hazmat suit and an isolation lab kit.

On Tue, Sep 27, 2016 at 7:41 AM, Dan White <d_e_white@icloud.com> wrote:
I see rules in my "iptables -S" dump like

-A IN_work_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

But how do I create one ?  I cannot find any documentation on "state" or "ctstate" setting.

Thanks.
Dan White | d_e_white@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & Hobbes)

_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org


_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org

_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org