10:12 a.m.
I'm newly introduced to firewalld and I would like to make use of it to configure my
firewall.
In playing around with firewall-cmd to set up some forwarding rules (which were also maing
use of logging the rule executions), I found that rules were not being executed as I
expected.
Consequently, I tried to find a way to be able to generate either an nftables view or an
iptables view of the rules that are generated by a firewalld configuration so I can see
why my rules are not being executed. Running the iptables command would give me some
results, but they did not correspond to what I had set up in firewalld.
Add to this the fact that when I do a fresh install, the firewalld service is enabled and
active and the iptables and nftables services on my host/router are not active. This leads
me to believe that in order to use firewalld, neither iptables nor nftables should be
active. On the other hand, I have read that firewall-cmd is just a front end to nftables
(the subsystem) and so that might lead one to think that nftables service should be
enabled and active.
So, here are my questions:
1. When using firewalld, should the iptables and nftables services be inactive? If one or
more is active, what are the consequences?
2. How can I generate an iptables view or an nftables view of the rules in my firewalld
configuration in order to see which rules firewalld is really passing to nftables?
10:26 a.m.
Just saw this article about the nftables backend:
https://firewalld.org/2018/07/nftables-backend
Does this imply that if in the firewalld.conf we have a FirewallBackend specified (either
nftables or iptables), then the corresponding services should be active?
10:32 a.m.
New subject: Managing iptables, firewalld and nftables in a way that they
don't interfere with each other
On Sun, Sep 06, 2020 at 03:26:02PM -0000, Richard Achmatowicz wrote:
Just saw this article about the nftables backend:
https://firewalld.org/2018/07/nftables-backend
Does this imply that if in the firewalld.conf we have a
FirewallBackend specified (either nftables or iptables), then the
corresponding services should be active?
No. If firewalld service is active then iptables and nftables should be
inactive.
10:32 a.m.
New subject: Managing iptables, firewalld and nftables in a way that they
don't interfere with each other
On Sun, Sep 06, 2020 at 03:12:06PM -0000, Richard Achmatowicz wrote:
I'm newly introduced to firewalld and I would like to make use of
it
to configure my firewall.
In playing around with firewall-cmd to set up some forwarding rules
(which were also maing use of logging the rule executions), I found
that rules were not being executed as I expected.
The newest release, v0.9.0, has native support for forward filtering.
Before that you had to use --direct (iptables) rules.
Consequently, I tried to find a way to be able to generate either an
nftables view or an iptables view of the rules that are generated by a
firewalld configuration so I can see why my rules are not being
executed. Running the iptables command would give me some results, but
they did not correspond to what I had set up in firewalld.
It depends on what firewall backend you're using. See FirewallBackend in
the man page for firewalld.conf and it /etc/firewalld/firewalld.conf.
Add to this the fact that when I do a fresh install, the firewalld
service is enabled and active and the iptables and nftables services
on my host/router are not active. This leads me to believe that in
order to use firewalld, neither iptables nor nftables should be
active. On the other hand, I have read that firewall-cmd is just a
front end to nftables (the subsystem) and so that might lead one to
think that nftables service should be enabled and active.
It's accurate that firewalld is an abstraction over iptables and
nftables, but the services are mutually exclusive.
So, here are my questions:
1. When using firewalld, should the iptables and nftables services be inactive? If one or
more is active, what are the consequences?
Correct. The services are mutually exclusive. The firewalld.service
should be enforcing this. Recently a Conflicts for nftables was added.
2. How can I generate an iptables view or an nftables view of the
rules in my firewalld configuration in order to see which rules
firewalld is really passing to nftables?
# iptables-save
or
# nft list ruleset
4:33 p.m.
Thanks for the clarification, Eric.
I created a new RHEL 8 VM and installed firewalld into it.
I can see now that a command like:
# nft list ruleset
will print out *a lot* of tables and chains, most of which are empty, without the nftables
service being started.
I also noted that, of all the tables listed, the three tables:
table ip firewalld
table ip6 firewalld
table inet firewalld
are the tables used by firewalld to store its rules, IIUC.
I can also see that within those tables, there are chains corresponding to the active
zones in the firewalld configuration which have overloaded names so that tables, chains
and zones can all be represented together in the nftables configuration: e.g. for the
table of type inet (i.e. ipv4 + ipv6):
chain filter_INPUT {
// rules for the filter table and the INPUT chain (in iptables lingo)
chain filter_INPUT_ZONES_SOURCE
// associate sources with zones here
chain filter_INPUT_ZONES {
// associate interfaces with zones here
iifname "eth0" goto filter_IN_public
iifname "eth1" goto filter_IN_home
}
chain filter_IN_public {
// rules for the filter table, INPUT chain and "public" zone
}
chain filter_IN_home {
// rules for the filter table, INPUT chain and "home" zone
}
...
}
It takes a bit of time to get used to reading these nftables configurations, and
understanding the firewalld organization, but i'm starting to get the hang of it.
1337
days inactive
1338
days old
firewalld-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
Eric Garver -
Richard Achmatowicz