[ale] Firewalld is incomplete

Alex Carver agcarver+ale at acarver.net
Sun Jan 27 11:48:36 EST 2019


What is the purpose of firewalld?  I tried reading the documentation and
it seems it tries to abstract the firewall rules and expose a D-bus
interface to the firewall.  Maybe abstracting is useful if firewall
rules need to be portable across different implementations (iptables,
ip6tables, etc.) but having D-bus access to the firewall disturbs me.
That seems to get perilously close to a clone of UPnP and all of the
risks associated.

On 2019-01-27 07:06, Phil Turmel via Ale wrote:
> Geez!  I guess I won't be switching away from manual iptables rules
> anytime soon.
> 
> On 1/26/19 9:17 PM, Jim Kinney via Ale wrote:
>> The firewall was overdue for replacement. So when it died today,
>> rebuilding it with all firewalld seemed to be acceptable.
>>
>> The setup has a single network line to the upstream router. That line
>> has 5 IP addresses. Those are nat'ed into the lan to various lan
>> addresses. This is done with several iptables entries for nat and port
>> forwarding.
>>
>> But firewalld has no rule set to handle destination IP! Um. Yeah.
>> Source IP but not destination. So how to direct packets?
>>
>> Ah! Could put each ip in a zone and redirect a zone. But that doesn't
>> work as zones are defined by interface or source IP.
>>
>> :-(
>>
>> It's possible to do direct rules into firewalld but those are not
>> available to save and rerun (outside of a bash script) at
>> boot/firewall restart.
>>
>> W. T. F. ??
>>
>> Rich rules don't support destination IP either.
>>
>> W.
>> T.
>> F.
>> !?!?
>>
>> So manual iptables it is with a bug notice going to firewalld devs.
>>
>> Maybe there's a way to do it but 7+ hours into docs and attempts, I
>> pulled the plug and went for what works.
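The approach Jim ended up with, manual iptables for several public addresses on one uplink, each mapped to a LAN host with only specific ports forwarded, as an added example that is not from the thread. It emits an `iptables-restore` nat table so the rules can be reloaded at boot; the addresses, interface name and port lists are constructed placeholders, and the `nat_rules` helper is mine.

```python
"""Build an iptables-restore *nat* table for one uplink carrying several public
IPs, each NAT'd to a LAN host. Constructed example, not the poster's rules."""
import ipaddress

# Constructed mapping: public IP -> (LAN host, TCP ports allowed inbound).
PUBLIC_MAP = {
    "203.0.113.10": ("192.168.1.10", [22, 443]),
    "203.0.113.11": ("192.168.1.20", [25, 587]),
}
WAN_IF = "eth0"  # assumed uplink interface name


def nat_rules(mapping, wan_if=WAN_IF):
    """Return iptables-restore lines for the nat table.

    Per public IP: DNAT only the listed ports to the LAN host (no blanket 1:1
    NAT that would expose every service on the host), and SNAT the host's
    outbound traffic so its replies leave from the matching public address.
    Raises ValueError on malformed input or a LAN host claimed twice.
    """
    lines = ["*nat"]
    seen_lan = set()
    for pub, (lan, ports) in mapping.items():
        ipaddress.ip_address(pub)  # validates syntax only
        if not ipaddress.ip_address(lan).is_private:
            raise ValueError(f"{lan} is not a private (LAN) address")
        if lan in seen_lan:
            raise ValueError(f"{lan} is mapped from two public IPs")
        seen_lan.add(lan)
        for port in ports:
            if not 1 <= int(port) <= 65535:
                raise ValueError(f"bad port {port} for {pub}")
            lines.append(f"-A PREROUTING -i {wan_if} -d {pub} -p tcp --dport {port} "
                         f"-j DNAT --to-destination {lan}:{port}")
        lines.append(f"-A POSTROUTING -o {wan_if} -s {lan} -j SNAT --to-source {pub}")
    lines.append("COMMIT")
    return lines


if __name__ == "__main__":
    print("\n".join(nat_rules(PUBLIC_MAP)))
```

Feed the output to `iptables-restore` from a boot-time unit or script; the filter table's FORWARD chain must still accept the forwarded ports, since DNAT alone does not permit the traffic.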
