[ale] Firewalld is incomplete
Solomon Peachy
pizza at shaftnet.org
Sun Jan 27 12:47:22 EST 2019
On Sun, Jan 27, 2019 at 09:18:28AM -0800, Alex Carver via Ale wrote:
> Perhaps but it seems like overkill to have a Python script (at the
> moment I'm overlooking the imposed need to run an interpreter on your
> firewall) managing iptables when, according to the documentation, any
> rule that isn't a very simple one has to use what firewalld calls "rich
> rules" which look exactly like a more verbose version of an iptables
> command. It seems if you're going to have to issue a command that looks
> just like an iptables command then why not cut the middleman and run
> iptables? It already shows in the flow chart that it's just a wrapper
> to iptables anyway (no direct access to the kernel).
The purpose of firewalld is to abstract away the specific network
interfaces, operational modes, and firewall implementation from
applications (&| services) that only care about firewalling enough to
say "allow in the packets I care about" or "set my laptop up to be a
hotspot using my tethered cell phone".
For "workstation" or "server" systems, it's quite useful. It's also
good enough for a typical home gateway user, who only cares about
automatically NATting the system's internet connection. Beyond that, i.e.
for "router" systems, it's not so terribly useful.
(firewalld is inadequate to replace what I'm using for my home
gateway, but a couple of years back it gained sufficient utility to
automagically power my camper trailer's hotspot, including
properly interacting with the VPN back to home...)
It's different from UPnP in that there's deliberately no *remote*
interface that allows arbitrary ports opened in the firewall. All
command and configuration is localhost (via dbus) only.
(If the local system is sufficiently compromised to allow twiddling of
firewalld, then it's sufficiently compromised to twiddle iptables/etc
directly..)
- Solomon
--
Solomon Peachy pizza at shaftnet dot org
Coconut Creek, FL ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum videtur.
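As an added illustration of the rich-rule vs. iptables comparison in the quoted message (this is not code from the thread or from firewalld itself), a small translator that parses a firewalld rich rule and emits the iptables command it approximates. It assumes the grammar from firewalld.richlanguage(5) for the common source/destination/port/action elements only; real firewalld places such rules in its own per-zone chains rather than directly in INPUT.

```python
"""Translate a firewalld rich rule into the iptables command it roughly maps to.
Illustrative only: firewalld itself inserts rules into zone chains, not INPUT."""
import shlex

# Rich-rule terminal actions and their iptables targets.
ACTIONS = {"accept": "ACCEPT", "drop": "DROP", "reject": "REJECT"}


def parse_rich_rule(rule: str) -> dict:
    """Parse e.g. 'rule family="ipv4" source address="192.0.2.0/24"
    port port="22" protocol="tcp" accept' into its elements.
    Raises ValueError on anything outside the supported subset."""
    tokens = shlex.split(rule)  # strips the quotes around attribute values
    if not tokens or tokens[0] != "rule":
        raise ValueError("rich rule must start with 'rule'")
    parsed = {"family": "ipv4", "source": None, "destination": None,
              "port": None, "protocol": None, "action": None}
    element = "rule"  # which element the next key=value attributes belong to
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key == "family" and value in ("ipv4", "ipv6"):
                parsed["family"] = value
            elif element in ("source", "destination") and key == "address":
                parsed[element] = value
            elif element == "port" and key in ("port", "protocol"):
                parsed[key] = value
            else:
                raise ValueError(f"unsupported attribute {key!r} in {element!r}")
        elif tok in ("source", "destination", "port"):
            element = tok
        elif tok in ACTIONS:
            parsed["action"] = tok
        else:
            raise ValueError(f"unsupported element {tok!r}")
    if parsed["action"] is None:
        raise ValueError("rich rule needs a terminal action (accept/drop/reject)")
    if parsed["port"] and not parsed["protocol"]:
        raise ValueError("port element requires a protocol")
    return parsed


def to_iptables(rule: str) -> str:
    """Return the (simplified) iptables command for a rich rule."""
    p = parse_rich_rule(rule)
    cmd = ["ip6tables" if p["family"] == "ipv6" else "iptables", "-A", "INPUT"]
    if p["source"]:
        cmd += ["-s", p["source"]]
    if p["destination"]:
        cmd += ["-d", p["destination"]]
    if p["port"]:
        cmd += ["-p", p["protocol"], "--dport", p["port"]]
    cmd += ["-j", ACTIONS[p["action"]]]
    return " ".join(cmd)
```

Running it on a constructed rule such as `rule family="ipv4" source address="192.0.2.0/24" port port="22" protocol="tcp" accept` shows how little the rich-rule form adds beyond the plain iptables invocation.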