On Fri, Sep 27, 2013 at 02:06:42PM +0200, Jiri Popelka wrote:
On 09/27/2013 06:29 AM, Lance Lassetter wrote:
>On Thu, Sep 26, 2013 at 10:12:00AM -0400, Eric H. Christensen wrote:
>>On Wed, Sep 25, 2013 at 01:07:59PM -0500, Lance Lassetter wrote:
>>>Firewalld is just not workable enough for me. For instance I need to have
>>>quirky netfilter rules to make my squid proxy setup to work properly. There is no easy
>>>way to do this with firewalld. Also I set up an iptables queue so that netfilter supports
>>>suricata ips mode. This also, no easy way...
>>>
>>>Netfilter is just so diverse and firewalld seems to strip a lot of that
>>>diversity away.
>>>
>>>What about the idea that people who want to write their own iptables custom
>>>scripts can, after writing the script and implementing it, have a smart way for the
>>>script to be imported...the whole script, into firewalld. Last I tried, my nat rules
>>>weren't compatible with firewalld. Like maybe a simple iptables-save then a
>>>firewalld-save or the like. Then maybe ask if to import it into firewalld's
>>>'home', 'work', 'public', etc.
>>
>>It sounds a bit like you are trying to use firewalld on a server. I would not
>>recommend using firewalld for anything but client boxes and, specifically, client boxes
>>with simple rules. If you are using this on a server I would uninstall firewalld and not
>>use the complexity that it adds to iptables but rather just use iptables (and ip6tables).
>>There is nothing wrong with using your scripts on iptables and not using firewalld. You
>>seem to know how to configure iptables which is what firewalld aims to fix for people that
>>don't.
>>
>>-- Eric
>
>I thought in the Fedora world firewalld was supposed to replace iptables completely?
>So firewalld is just for client machines? Then IMHO this needs to be stated explicitly,
>say, upon launch of firewalld? Or something.... I saw a lot of confusion at the first
>launch of firewalld because of the complete replacement factor and "How am I going to
>do this on a server?" If it is to be a complete replacement (which maybe it should
>be for the simplification of Netfilter to the end user), what about a wizard upon launch
>as well as the flexibility of importing complex rulesets into firewalld no matter what?
FirewallD has never been intended only for clients. AFAIR it even
started as a solution for servers. The aim of FirewallD has already been
very nicely described by Mirek in
https://lists.fedoraproject.org/pipermail/security/2013-September/001667....
https://lists.fedoraproject.org/pipermail/security/2013-September/001669....
--
Jiri
so i have two simple questions:
with firewalld can i import this rule:
/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
and these rules:
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 3129 -m owner --uid-owner squid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
hence, Netfilter rules by user/group and using NFQUEUE target.
because if firewalld allows stuff like this, then problem solved. last checked, it does
not.
and, once again why not something simple like if 'execute some iptables script',
then 'iptables-save', then 'firewalld-save' or even skip the middle
step!
if these types of rules are not workable with firewalld, then it is fruitless at least for
me.
regards,
lance
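The "import my iptables script" step Lance asks for, as an added example that is not from anyone in this thread: a small POSIX sh converter that rewrites each iptables command line (the NFQUEUE and nat/owner rules above included) into a firewalld direct rule of the form `firewall-cmd --permanent --direct --add-rule <ipv> <table> <chain> <priority> <iptables args...>`, which hands the trailing arguments to iptables unchanged. It assumes the rules are IPv4, uses priority 0 for every rule, and only prints the firewall-cmd lines rather than running them, so the output can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Translate iptables command lines
# into firewalld direct rules. Assumes firewalld's direct interface:
#   firewall-cmd --permanent --direct --add-rule ipv4 <table> <chain> <prio> <args>
# Everything after "-t <table>" and "-A/-I <chain>" is passed through verbatim,
# so "-m owner --uid-owner squid", "-m mark ! --mark 1/1", "-j NFQUEUE",
# "-j DNAT --to ..." etc. survive untouched.

# Convert one iptables invocation (given as a single string).
# Prints the firewall-cmd line; returns 1 if no chain was found.
iptables_to_direct() {
    table=filter   # iptables default table when -t is absent
    chain=
    rest=
    # shellcheck disable=SC2086  -- deliberate word splitting of the rule
    set -- $1
    # Drop the binary name, whether given as /sbin/iptables or iptables.
    case "$1" in
        */iptables|iptables) shift ;;
    esac
    while [ $# -gt 0 ]; do
        case "$1" in
            -t)    table=$2; shift 2 ;;
            -A|-I) chain=$2; shift 2 ;;   # -I ordering is lost: priority is fixed at 0
            *)     rest="$rest $1"; shift ;;
        esac
    done
    [ -n "$chain" ] || return 1
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 %s %s 0%s\n' \
        "$table" "$chain" "$rest"
}

# Convert a whole script read from stdin, skipping blank lines and comments.
convert_script() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        iptables_to_direct "$line"
    done
}

# Constructed sample input: the rules quoted in the thread.
if [ "${1:-}" = "--demo" ]; then
    convert_script <<'EOF'
/sbin/iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner squid -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3129
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
EOF
fi
```

Run with `--demo` to print the translated lines; pipe them through `sh` only after checking them, and finish with `firewall-cmd --reload`.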