That's sad (I can't find a good synonym, sorry)
Firewalld can't compete with shorewall, but shw disappears from a lot of major Linux
distributions...
Shw is a much better tool, can't understand which program may replace it...
--
Jérôme Avond - aka jadjay
Agitator at Alolise since April 2005
... and president since 2014
mail/xmpp : jerome.avond(a)alolise.org
mobile : 0661469785
Alolise is a member of the C.H.A.T.O.N.S collective
Sent from my Android device with K-9 Mail. Please excuse my brevity.
On 8 June 2018 14:36:03 GMT+02:00, Eric Garver <egarver(a)redhat.com> wrote:
On Thu, Jun 07, 2018 at 04:38:16PM -0500, Michael Crider - HOEC wrote:
> I am trying to recreate an existing firewall configuration created in
> Firewall Builder using Firewalld. It runs on a router that controls traffic
> in and out of our company network. The existing configuration has rules that
> permit traffic to be relayed out on specified ports for specified addresses
> on the internal network. For example: a list of addresses are allowed to get
> out on ports 80 and 443 for http and https traffic, any other internal
> machines are denied. I currently have the external interface in the external
> zone, and the internal interface in the public zone, with the following
> configuration:
> external (active)
> target: DROP
> icmp-block-inversion: no
> interfaces: ens2f1
> sources:
> services:
> ports:
> protocols:
> masquerade: yes
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> public (active)
> target: %%REJECT%%
> icmp-block-inversion: no
> interfaces: ens2f0
> sources:
> services:
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> I have found examples of direct interface rules for allowing traffic out,
> but is there any other way (rich rule or something else I'm overlooking) to
> unblock traffic like the log excerpt below? As far as I can tell a rich rule
> with an element of service and an action of accept only allows traffic to
> the router, not passing through the router.
No. Currently, firewalld is more of an end-station firewall. There are
RFEs to implement OUTPUT [0] and FORWARD [1] filtering. I suspect these will
be implemented via rich rules.
Right now the only option is to use direct rules.
[0] https://github.com/firewalld/firewalld/issues/32
[1] https://github.com/firewalld/firewalld/issues/2
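What the direct-rule approach Eric points to looks like for the policy Michael describes, as an added example that is not part of the thread. It assumes ens2f0 is the internal and ens2f1 the external interface (as in the zone listing), uses constructed sample addresses, and only prints the firewall-cmd invocations so the rule set can be reviewed before being applied with root privileges.

```shell
#!/bin/sh
# Added example, not from the thread: express "only these internal addresses
# may reach ports 80/443 through the router" as firewalld direct rules on the
# FORWARD chain, since rich rules do not filter forwarded traffic yet.
# Assumptions: ens2f0 is the internal and ens2f1 the external interface
# (as in the zone listing); the source addresses are constructed samples.

INTERNAL_IF=ens2f0
EXTERNAL_IF=ens2f1
ALLOWED_SOURCES="192.0.2.10 192.0.2.11"   # constructed sample addresses
ALLOWED_PORTS="80 443"

# Prints the firewall-cmd invocations instead of executing them, so the
# generated rule set can be reviewed first; pipe the output to "sudo sh"
# to apply it. Direct rules are ordered by priority (lower runs first), so
# the per-host ACCEPTs sit at priority 0 and the catch-all DROP at 10.
forward_rules() {
  for src in $ALLOWED_SOURCES; do
    for port in $ALLOWED_PORTS; do
      echo "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0" \
           "-i $INTERNAL_IF -o $EXTERNAL_IF -s $src -p tcp --dport $port" \
           "-m conntrack --ctstate NEW -j ACCEPT"
    done
  done
  # Any other new connection crossing from inside to outside is dropped;
  # replies to accepted flows are covered by firewalld's own
  # RELATED,ESTABLISHED rule at the top of FORWARD.
  echo "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 10" \
       "-i $INTERNAL_IF -o $EXTERNAL_IF -j DROP"
  # Permanent direct rules take effect only after a reload.
  echo "firewall-cmd --reload"
}

forward_rules
```

After applying, `firewall-cmd --direct --get-all-rules` shows the resulting rules so the order and the final DROP can be confirmed.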
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to
firewalld-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/firewalld-users@lists.fedor...