On Thu, Sep 26, 2013 at 10:12:00AM -0400, Eric H. Christensen wrote:
> On Wed, Sep 25, 2013 at 01:07:59PM -0500, Lance Lassetter wrote:
> > Firewalld is just not workable enough for me. For instance I need to have quirky
> > netfilter rules to make my squid proxy setup to work properly. There is no easy way to do
> > this with firewalld. Also I set up an iptables queue so that netfilter supports suricata
> > ips mode. This also, no easy way...
> >
> > Netfilter is just so diverse and firewalld seems to strip a lot of that diversity
> > away.
> >
> > What about the idea that people who want to write their own iptables custom scripts
> > that can be, after writing the script and implementing it, a smart way for the script
> > to be imported...the whole script, into firewalld. Last I tried, my nat rules weren't
> > compatible with firewalld. Like maybe a simple iptables-save then a firewalld-save or the
> > like. Then maybe ask if to import it into firewalld's 'home', 'work',
> > 'public', etc.
>
> It sounds a bit like you are trying to use firewalld on a server. I would not recommend
> using firewalld for anything but client boxes and, specifically, client boxes with simple
> rules. If you are using this on a server I would uninstall firewalld and not use the
> complexity that it adds to iptables but rather just use iptables (and ip6tables). There
> is nothing wrong with using your scripts on iptables and not using firewalld. You seem to
> know how to configure iptables, which is what firewalld aims to fix for people that
> don't.
>
> -- Eric
> --------------------------------------------------
> Eric "Sparks" Christensen
> Red Hat, Inc - Product Security Team
> sparks(a)redhat.com - sparks(a)fedoraproject.org
> 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
> --------------------------------------------------

I thought in the Fedora world firewalld was supposed to replace iptables completely? So
firewalld is just for client machines? Then IMHO this needs to be stated explicitly, say,
upon launch of firewalld? Or something.... I saw a lot of confusion at the first launch
of firewalld because of the complete replacement factor and "How am I going to do
this on a server?" If it is to be a complete replacement (which maybe it should be
for the simplification of Netfilter to the end user), what about a wizard upon launch as
well as the flexibility of importing complex rulesets into firewalld no matter what?

Lance