Thanks, Ed and Eric, for your help.
| From: Eric Garver <egarver(a)redhat.com>
| On Thu, Sep 24, 2020 at 05:47:26PM -0400, D. Hugh Redelmeier wrote:
| > Is there a reasonable way to get firewalld-0.9 for Fedora 32?
I've decided that it isn't reasonable. Updating my system from F32 to
F33 might get messy. F33 appears not to include firewalld-0.9. That
seems to be scheduled for F34.
| > I don't wish to compile my own and fight with Fedora's package management.
It's not that I fear building packages. I fear contradicting Fedora's
choice of package version.
| > Alternatively, is it reasonable to run the nftable service as well as
| > firewalld?
|
| The services explicitly Conflict. This is mostly because the nftables
| service will flush _all_ the rules.
Very useful to know.
| > Alternatively, is --direct able to add nftable rules?
|
| No. This is by design. If something you need is not supported by
| firewalld's rich rules please file an RFE.
Ahh. I asked the wrong question. I could use --direct to add an
iptables rule, and that should be good enough.
I just thought iptables was a step backward from nftables (itself a
step backwards from firewalld).
I think that the rule will look something like this.
The table is "filter", the chain is FORWARD and the priority is 0.
Am I correct in assuming that since the table and chain ought to
already exist, all I have to do is add the rule?
The purpose is to drop all packets from the internet that have an
explicit destination within MYSUBNET.
# The arguments after the priority are passed to iptables as-is, so the
# target needs "--jump DROP" rather than a bare "DROP", and since the aim
# is to drop traffic *to* MYSUBNET the match is --destination, not --source.
sudo firewall-cmd \
    --direct --add-rule ipv4 filter FORWARD 0 \
    --in-interface=EXTERNAL_INTERFACE \
    --destination MYSUBNET \
    --jump DROP
Questions:
- should I be using chain FORWARD_direct instead of FORWARD?
firewall-cmd(1) gives the example of INPUT_direct but does
not specify which other chains are automatically created.
(That seems like a documentation bug.)
- can I use the long form of the iptables flags or do I have to use
the single-letter version? firewall-cmd(1) only uses the
single-letter versions.
Answer: yes, long forms are accepted.
| Alternatively, you can create your own nftables rules. firewalld only
| uses/touches/flushes rules/chains in the "firewalld" tables. It will not
| touch nftables rules created out-of-band of firewalld.
This seems too fragile and complex for the tiny hack I need.
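As an added example (not part of the original message or of firewalld's own documentation), the following script wraps the direct rule discussed above so it is applied both to the running firewall and to the permanent configuration, and then checks that it is present with --direct --query-rule. The interface name, the subnet and the FIREWALL_CMD variable are placeholders chosen here; FIREWALL_CMD defaults to the real firewall-cmd and can be pointed at "echo" for a dry run.

```shell
#!/bin/sh
# Added example: add and verify a firewalld direct rule that drops forwarded
# traffic arriving on the external interface and addressed to the LAN subnet.
# EXT_IF, SUBNET and FIREWALL_CMD are assumed placeholders, not values from
# the original thread; SUBNET uses RFC 5737 TEST-NET-1 as a stand-in.
set -eu

EXT_IF="${EXT_IF:-eth0}"
SUBNET="${SUBNET:-192.0.2.0/24}"
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Build the iptables argument list that follows "ipv4 filter FORWARD 0".
# iptables requires an explicit target (--jump DROP); a bare "DROP" is
# rejected. The goal is to drop packets *to* the subnet, hence --destination.
rule_args() {
    printf '%s' "--in-interface $1 --destination $2 --jump DROP"
}

# Add the rule to the running firewall and to the permanent configuration.
# Without --permanent the rule disappears on the next firewalld reload.
add_rule() {
    args=$(rule_args "$EXT_IF" "$SUBNET")
    # shellcheck disable=SC2086  # word-splitting of $args is intended here
    "$FIREWALL_CMD" --direct --add-rule ipv4 filter FORWARD 0 $args
    # shellcheck disable=SC2086
    "$FIREWALL_CMD" --permanent --direct --add-rule ipv4 filter FORWARD 0 $args
}

# Ask firewalld whether the runtime rule is present. Exit status is
# firewall-cmd's: 0 when the rule exists, non-zero otherwise.
query_rule() {
    args=$(rule_args "$EXT_IF" "$SUBNET")
    # shellcheck disable=SC2086
    "$FIREWALL_CMD" --direct --query-rule ipv4 filter FORWARD 0 $args
}

# Typical use: add the rule, then confirm it took effect.
# add_rule && query_rule && echo "rule present"
```

Running it with FIREWALL_CMD=echo prints the two firewall-cmd invocations instead of executing them, which is a convenient way to review the exact argument list before touching a live firewall.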