That's sad (I can't find a good synonym, sorry)

Firewalld can't compete with Shorewall, but shw disappears from a lot of major Linux distributions...

Shw is a much better tool; I can't understand which program may replace it...
--
Jérôme Avond - aka jadjay
Agitator at Alolise since April 2005
... and president since 2014

mail/xmpp : jerome.avond@alolise.org
mobile : 0661469785

Alolise est membre du collectif C.H.A.T.O.N.S

Sent from my Android device with K-9 Mail. Please excuse my brevity.

On 8 June 2018 14:36:03 GMT+02:00, Eric Garver <egarver@redhat.com> wrote:
On Thu, Jun 07, 2018 at 04:38:16PM -0500, Michael Crider - HOEC wrote:
I am trying to recreate an existing firewall configuration created in
Firewall Builder using Firewalld. It runs on a router that controls traffic
in and out of our company network. The existing configuration has rules that
permit traffic to be relayed out on specified ports for specified addresses
on the internal network. For example: a list of addresses are allowed to get
out on ports 80 and 443 for http and https traffic, any other internal
machines are denied. I currently have the external interface in the external
zone, and the internal interface in the public zone, with the following
configuration:
external (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens2f1
  sources:
  services:
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
public (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: ens2f0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I have found examples of direct interface rules for allowing traffic out,
but is there any other way (rich rule or something else I'm overlooking) to
unblock traffic like the log excerpt below? As far as I can tell a rich rule
with an element of service and an action of accept only allows traffic to
the router, not passing through the router.

No. Currently, firewalld is more of an end-station firewall. There are
RFEs to implement OUTPUT [0] and FORWARD [1] filtering. I suspect these will
be implemented via rich rules.

Right now the only option is to use direct rules.

[0] https://github.com/firewalld/firewalld/issues/32
[1] https://github.com/firewalld/firewalld/issues/2
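The direct-rule approach Eric points to, written out as an added example for the policy Michael describes (this script is not from the thread or from the firewalld project). It generates the firewall-cmd direct rules first so they can be reviewed, and applies them only when asked. Interface names ens2f0 (internal) and ens2f1 (external) are taken from the zone listing above; the list of allowed internal hosts is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example: filter FORWARD traffic on a firewalld router with direct rules.
# Policy (from the thread): listed internal hosts may go out on TCP 80/443,
# every other internal-to-external forward is dropped. Direct rules land in
# firewalld's FORWARD_direct chain, which is evaluated before the zone rules.
set -eu

INT_IF=ens2f0   # internal interface (public zone in the listing)
EXT_IF=ens2f1   # external interface (external zone in the listing)

# Constructed sample list of internal hosts allowed out on 80/443 (not from the thread).
ALLOWED_HOSTS="192.0.2.10
192.0.2.11
192.0.2.20"

# Emit the firewall-cmd commands without running them, so the policy can be
# reviewed (and tested) before it touches the router.
gen_forward_rules() {
    # Priority 0: accept return traffic for connections the inside opened.
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$EXT_IF" "$INT_IF"
    # Priority 1: allow each listed host out to TCP 80 and 443 only.
    for host in $ALLOWED_HOSTS; do
        for port in 80 443; do
            printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i %s -o %s -s %s -p tcp --dport %s -j ACCEPT\n' "$INT_IF" "$EXT_IF" "$host" "$port"
        done
    done
    # Priority 2 (evaluated last): drop every other inside-to-outside forward.
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 2 -i %s -o %s -j DROP\n' "$INT_IF" "$EXT_IF"
}

# Number of generated rules: 1 return rule + 2 per host + 1 default drop.
count_rules() { gen_forward_rules | wc -l | tr -d ' '; }

# Apply the generated rules, then reload so the permanent config becomes runtime.
apply_rules() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    gen_forward_rules | sh -e
    firewall-cmd --reload
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_forward_rules ;;
esac
```

Run it with no argument to print the rule set; run it with `apply` on the router to install and reload. Note that the final DROP also covers DNS, NTP and anything else the listed hosts need, so add explicit ACCEPT rules at priority 1 for those services if the internal network relies on them; and keep masquerade enabled on the external zone, since these rules only decide what is forwarded, not how it is NATed. Later firewalld releases added policy objects for forward filtering, but at the time of this thread direct rules were, as Eric says, the only option.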


firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/firewalld-users@lists.fedorahosted.org/message/UEURMB3UBZTBXQJPCMGO2UY4O3WD3ICW/