[ale] Firewalld is incomplete

Solomon Peachy pizza at shaftnet.org
Sun Jan 27 12:47:22 EST 2019


On Sun, Jan 27, 2019 at 09:18:28AM -0800, Alex Carver via Ale wrote:
> Perhaps but it seems like overkill to have a Python script (at the
> moment I'm overlooking the imposed need to run an interpreter on your
> firewall) managing iptables when, according to the documentation, any
> rule that isn't a very simple one has to use what firewalld calls "rich
> rules" which look exactly like a more verbose version of an iptables
> command.  It seems if you're going to have to issue a command that looks
> just like an iptables command then why not cut the middleman and run
> iptables?  It already shows in the flow chart that it's just a wrapper
> to iptables anyway (no direct access to the kernel).

The purpose of firewalld is to abstract away the specific network 
interfaces, operational modes, and firewall implementation from 
applications (&| services) that only care about firewalling enough to 
say "allow in the packets I care about" or "set my laptop up to be a 
hotspot using my tethered cell phone".

For "workstation" or "server" systems, it's quite useful.  It's also 
good enough for a typical home gateway user, who only cares about 
automatically NATting the system's internet connection.  Beyond that, i.e. 
for "router" systems, it's not so terribly useful.

(firewalld is inadequate to replace what I'm using for my home 
 gateway, but a couple of years back it gained sufficient utility to 
 automagically power my camper trailer's hotspot, including 
 properly interacting with the VPN back to home...)

It's different from UPnP in that there's deliberately no *remote* 
interface that allows arbitrary ports opened in the firewall.  All 
command and configuration is localhost (via dbus) only.

(If the local system is sufficiently compromised to allow twiddling of 
 firewalld, then it's sufficiently compromised to twiddle iptables/etc 
 directly..)

 - Solomon
-- 
Solomon Peachy			       pizza at shaftnet dot org
Coconut Creek, FL                          ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum videtur.
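The zone-to-iptables translation the thread is arguing over, as an added example that is not part of the original message and not firewalld's own code. It parses the on-disk zone format (/etc/firewalld/zones/<name>.xml) and prints an approximation of the iptables rules such a zone stands for. Assumptions: the chain layout is simplified (the real backend uses per-zone chains such as IN_<zone>_allow), the service table is a constructed subset of /usr/lib/firewalld/services, and the two zone files are constructed to match the tethered-phone hotspot shape described in the message.

```python
"""Render a firewalld zone file as the iptables rules it stands for.

Added illustration, not firewalld's own code.  The chain layout and the
verdict used for the "default" target are a simplification of what the
iptables backend installs; the shape of each rule is the point.
"""
import xml.etree.ElementTree as ET

# Constructed subset of /usr/lib/firewalld/services/*.xml.
SERVICES = {
    "ssh": [("tcp", "22")],
    "http": [("tcp", "80")],
    "dhcp": [("udp", "67")],
}

# Zone targets and the verdict each stands for (simplified).
TARGETS = {
    "default": "REJECT --reject-with icmp-host-prohibited",
    "%%REJECT%%": "REJECT --reject-with icmp-host-prohibited",
    "ACCEPT": "ACCEPT",
    "DROP": "DROP",
}


def _service_ports(name):
    # An unknown service is an error, not a silent no-op.
    if name not in SERVICES:
        raise ValueError(f"unknown service {name!r}")
    return SERVICES[name]


def _match(iface, proto, port, verdict, source=None):
    """One INPUT rule; new-connection matching only for ACCEPT verdicts."""
    src = f" -s {source}" if source else ""
    state = " -m conntrack --ctstate NEW" if verdict == "ACCEPT" else ""
    return f"-A INPUT -i {iface}{src} -p {proto} --dport {port}{state} -j {verdict}"


def zone_to_iptables(xml_text):
    """Return the iptables rules (as argument strings) for one zone file."""
    zone = ET.fromstring(xml_text)
    target = TARGETS[zone.get("target", "default")]
    rules = []
    for iface_el in zone.findall("interface"):
        iface = iface_el.get("name")
        # <service>/<port>: the "allow in the packets I care about" case.
        # The application never names the interface; the zone binding does.
        for svc in zone.findall("service"):
            for proto, port in _service_ports(svc.get("name")):
                rules.append(_match(iface, proto, port, "ACCEPT"))
        for p in zone.findall("port"):
            rules.append(_match(iface, p.get("protocol"), p.get("port"), "ACCEPT"))
        # <rule> is the stored form of a rich rule.  Source, service and
        # verdict each become one iptables match, which is why a rich rule
        # reads like a verbose iptables command.
        for rule in zone.findall("rule"):
            if rule.get("family", "ipv4") != "ipv4":
                continue
            src = rule.find("source")
            source = src.get("address") if src is not None else None
            verdict = None
            for v in ("accept", "reject", "drop"):
                if rule.find(v) is not None:
                    verdict = v.upper()
            if verdict is None:
                raise ValueError("rich rule without a verdict")
            for svc in rule.findall("service"):
                for proto, port in _service_ports(svc.get("name")):
                    rules.append(_match(iface, proto, port, verdict, source))
            for p in rule.findall("port"):
                rules.append(_match(iface, p.get("protocol"), p.get("port"), verdict, source))
        # <masquerade/>: NAT everything leaving through this zone's interfaces.
        if zone.find("masquerade") is not None:
            rules.append(f"-t nat -A POSTROUTING -o {iface} -j MASQUERADE")
        # Whatever was not allowed above hits the zone target.
        rules.append(f"-A INPUT -i {iface} -j {target}")
    return rules


# Constructed zone files: the tethered phone on usb0 is masqueraded, the
# Wi-Fi side on wlan0 serves DHCP and SSH, plus one rich rule admitting
# HTTP from a VPN subnet (all names and addresses are assumptions).
EXTERNAL_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <interface name="usb0"/>
  <masquerade/>
</zone>
"""

HOTSPOT_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Hotspot</short>
  <interface name="wlan0"/>
  <service name="ssh"/>
  <service name="dhcp"/>
  <port port="8443" protocol="tcp"/>
  <rule family="ipv4">
    <source address="10.8.0.0/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>
"""

if __name__ == "__main__":
    for name, xml_text in (("external", EXTERNAL_ZONE), ("hotspot", HOTSPOT_ZONE)):
        print(f"# zone {name}")
        for r in zone_to_iptables(xml_text):
            print("iptables " + r)
```

Both sides of the thread are visible in the output: the zone file names only services, ports and a verdict, and the interface binding plus the iptables syntax appear only in the rendered rules, which is the abstraction the message describes; the `<rule>` element, meanwhile, turns into a single ordinary iptables line, which is the "middleman" objection from the quoted reply.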