10:54 a.m.
this is probably a silly question, but I haven't been able to find a very good
comparison outlining the advantages of firewalld over iptables -- what are they?
1:16 p.m.
Patrick, why must i root login, to block all ports,in Panic Mode?, which
should be done as fast as possible, don't you think? the microsecond a hack
attempt ocurrs on any port? Why take valuable seconds, to root login, since
i have already logged in, on the desktop,It must be me?, i must then be
root to block ports in the Panic mode,that's overkill don't you think? and
to fricken slow. Panic mode should be automatically tripped, by any port
connection attempt. on port 80 when a connection already exists.I have
issues with neighbors using my wi fi via hacking the wep security key,
which is a useless easily cracked security device. They are cloning/clone
the router profiles, and the IP has no idea there spoofing the router
profile from a different device/computer/handheld.Since the software an IP
uses,to identify it's customers, does not do a registration on the local
machine hardware,which Microsoft does when you install there OS,they always
have done a registration, and registers the Chipset ID # numbers, and the
BIOS # Number, and the OS # Number,and the Browser #Number the GUI the
Global unique Identification number,of your browser, as it's known, and the
CPU ID # Number ECT... and then it should do a Captcha code,simpl;y to get
the keyboards processor number, after it has my (Keyboard Chipset #
number). Then we would know with absolute certainty this connection is the
proper customers Local machine,and not a cracker hacker, stealing my
internet service,all which could be done using the Registration that
Microsoft, and Linux already gather at install,and could not be
spoofed,because it would do a realtime check against the existing
registration,every time, we connect, and the registration file, would not
be on our local machine,to get hacked/cracked please think hard about this
wifi security issue, drug dealers are the main offenders here,they hide
behind our IP's, using our cracked wep keys, and the firewalld app, could
include my suggestion, and you could make your self a hell of lot of money,
once you wrote this program, and got it working good.Then you should
include me, in the royalties.Thank you, Randy Fitzgerald.
On Wed, Aug 19, 2015 at 8:54 AM, Patrick Hinkley <
patrickrhinkley(a)outlook.com> wrote:
this is probably a silly question, but I haven't been able to
find a very
good comparison outlining the advantages of firewalld over iptables -- what
are they?
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
6:07 p.m.
On Wed, Aug 19, 2015 at 11:54:54AM -0400, Patrick Hinkley wrote:
this is probably a silly question, but I haven't been able to
find a
very good comparison outlining the advantages of firewalld over
iptables -- what are they?
There are two big ones:
- higher-level API programs can use
- keeping track of state
The classic example for the last one is that with firewalld, you can
restart iptables without breaking all of your virtual machines.
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
9:19 p.m.
Date: Wed, 19 Aug 2015 19:07:11 -0400
From: mattdm(a)fedoraproject.org
To: firewalld-users(a)lists.fedorahosted.org
Subject: Re: what are the advantages of firewalld over iptables?
On Wed, Aug 19, 2015 at 11:54:54AM -0400, Patrick Hinkley wrote:
> this is probably a silly question, but I haven't been able to find a
> very good comparison outlining the advantages of firewalld over
> iptables -- what are they?
There are two big ones:
- higher-level API programs can use
- keeping track of state
The classic example for the last one is that with firewalld, you can
restart iptables without breaking all of your virtual machines.
Do I understand correctly that the state issue (failure to maintain established
connections) is only relevant when restarting iptables (service iptables restart), not
when e.g. adding/deleting a rule (iptables -A / iptables -D) or restoring
(iptables-restore < /etc/sysconfig/iptables)?
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
1:50 p.m.
I believe I've found an explanation regarding the VM issue you mention:
http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your...
If I understand correctly, the issue is that temporary rules inserted into iptables by
other applications are lost when any of the following are called:
service iptables stop; service iptables start;
service iptables restart;
iptables-restore < /etc/sysconfig/iptables;
This issue would not apply when inserting your own temporary rules by such as:
iptables -A
The issue would also not apply when making your temporary rules permanent via:
service iptables save
Is my understanding correct?
From: patrickrhinkley(a)outlook.com
To: firewalld-users(a)lists.fedorahosted.org
Subject: RE: what are the advantages of firewalld over iptables?
Date: Thu, 20 Aug 2015 22:19:12 -0400
Date: Wed, 19 Aug 2015 19:07:11 -0400
From: mattdm(a)fedoraproject.org
To: firewalld-users(a)lists.fedorahosted.org
Subject: Re: what are the advantages of firewalld over iptables?
On Wed, Aug 19, 2015 at 11:54:54AM -0400, Patrick Hinkley wrote:
> this is probably a silly question, but I haven't been able to find a
> very good comparison outlining the advantages of firewalld over
> iptables -- what are they?
There are two big ones:
- higher-level API programs can use
- keeping track of state
The classic example for the last one is that with firewalld, you can
restart iptables without breaking all of your virtual machines.
Do I understand correctly that the state issue (failure to maintain established
connections) is only relevant when restarting iptables (service iptables restart), not
when e.g. adding/deleting a rule (iptables -A / iptables -D) or restoring
(iptables-restore < /etc/sysconfig/iptables)?
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
4:57 p.m.
On 08/21/2015 11:50 AM, Patrick Hinkley wrote:
I believe I've found an explanation regarding the VM issue you
mention:
http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your...
If I understand correctly, the issue is that temporary rules inserted
into iptables by other applications are lost when any of the following
are called:
It's more than that. new rules inserted with iptables -I will override
the rules aded by libvirt, often causing trafic to miss libvirt's rules.
service iptables stop; service iptables start;
service iptables restart;
iptables-restore < /etc/sysconfig/iptables;
This issue would not apply when inserting your own temporary rules by
such as:
iptables -A
The issue would also not apply when making your temporary rules
permanent via:
service iptables save
"service iptables save" has its own problems. For starters, it will save
*everything* that is currently in the in-memory rules, not just "what
was previously saved + the rules you want saved". This could mean that
some of the previous rules would be removed from the configuration (it
something had for some reason temporarily removed them) or it could mean
some extra rules that were intended to only be there temporarily would
be permanently added (for example, if a libvirt virtual network is taken
down, libvirt removes the iptables rules that it had previously added,
but if you have saved those rules as you suggest above, then the next
time your iptables service i restarted, all of those rules would be
re-added, even though they are no longer applicable.
What it all comes down to is that without firewalld, there is no central
controlling authority, so everybody steps all over everybody else. If
all applications that need to modify the iptables rules go through
firewalld, it is in a good position to assure that the various
applications don't interfere with each others' rules.
(BTW, libvirt looks for the firewalld service, and always uses it if it
is active).
7:25 p.m.
Thank you both for your very informative replies. I just wish there was a clear outline of
these issues somewhere to make it easier to understand what differentiates firewalld from
iptables....
In my case, since I control the firewalls on my computers and servers directly, without
interference from other applications, there is not currently a compelling reason I can see
to make the switch from iptables to firewalld. I'd make the switch for the sake of
"future-proofing", but for firewalld's inability to control outbound
connections.
Subject: Re: what are the advantages of firewalld over iptables?
To: firewalld-users(a)lists.fedorahosted.org
From: laine(a)redhat.com
Date: Fri, 21 Aug 2015 14:57:26 -0700
On 08/21/2015 11:50 AM, Patrick Hinkley wrote:
> I believe I've found an explanation regarding the VM issue you mention:
>
http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your...
>
> If I understand correctly, the issue is that temporary rules inserted
> into iptables by other applications are lost when any of the following
> are called:
It's more than that. new rules inserted with iptables -I will override
the rules aded by libvirt, often causing trafic to miss libvirt's rules.
> service iptables stop; service iptables start;
> service iptables restart;
> iptables-restore < /etc/sysconfig/iptables;
>
> This issue would not apply when inserting your own temporary rules by
> such as:
> iptables -A
>
> The issue would also not apply when making your temporary rules
> permanent via:
> service iptables save
"service iptables save" has its own problems. For starters, it will save
*everything* that is currently in the in-memory rules, not just "what
was previously saved + the rules you want saved". This could mean that
some of the previous rules would be removed from the configuration (it
something had for some reason temporarily removed them) or it could mean
some extra rules that were intended to only be there temporarily would
be permanently added (for example, if a libvirt virtual network is taken
down, libvirt removes the iptables rules that it had previously added,
but if you have saved those rules as you suggest above, then the next
time your iptables service i restarted, all of those rules would be
re-added, even though they are no longer applicable.
What it all comes down to is that without firewalld, there is no central
controlling authority, so everybody steps all over everybody else. If
all applications that need to modify the iptables rules go through
firewalld, it is in a good position to assure that the various
applications don't interfere with each others' rules.
(BTW, libvirt looks for the firewalld service, and always uses it if it
is active).
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
8:50 a.m.
On 08/21/2015 08:50 PM, Patrick Hinkley wrote:
I believe I've found an explanation regarding the VM issue you
mention:
http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your...
If I understand correctly, the issue is that temporary rules inserted
into iptables by other applications are lost when any of the following
are called:
service iptables stop; service iptables start;
service iptables restart;
iptables-restore < /etc/sysconfig/iptables;
This issue would not apply when inserting your own temporary rules by
such as:
iptables -A
Yes, that is correct.
The issue would also not apply when making your temporary rules
permanent via:
service iptables save
Is my understanding correct?
With service iptables save you are also saving rules of the other
services, that could collide with new rules if the configuration of the
service changed and other rules need to be added instead.
3166
days inactive
3171
days old
firewalld-users@lists.fedorahosted.org
7 comments
5 participants
participants (5)
-
Laine Stump -
Matthew Miller -
Patrick Hinkley -
Randy Fitzgerald -
Thomas Woerner