
Comments (10)

t-woerner commented on May 27, 2024

At first please open a new issue for point number 2.

One major point of firewalld was not to replicate the whole complexity of iptables and chains in a higher level. The direct interface has been created to be able to provide a simple migration path for services and applications and to be able to do things in the firewall that firewalld is not able to do, yet. firewalld is creating a chain tree internally to be able to simplify the addition and removal of services, ports etc. internally in a more predictable way.

Creating data structures for a chain tree in the direct interface could become very complex, which would then contradict the wish to keep firewalld simple to use and understand. I do not see a way to provide this in a simple to use and simple to understand way, that will not break other use cases, but if you have an idea how to achieve this, then please share it with me.

from firewalld.

dlewis7444 commented on May 27, 2024

I'm seeing the same thing with ICMP packets in the Drop zone. When we put our NIC in the Drop but have a subnet on that NIC in the Public zone using source, TCP and UDP packets are allowed according to the rules of the Public zone. ICMP is not - it's blocked as though it's still going through the Drop zone.


aboe76 commented on May 27, 2024

@t-woerner please read this: https://www.jethrocarr.com/2013/02/09/ip6tables-ipv6-icmp-vs-icmp/ and see if this can be added, if I'm not mistaken it will make issue 2 go away.


rroopstr commented on May 27, 2024

I am having lots of trouble with firewalld just like everyone else, but I think it is because of lack of interest of people who are supposed to provide support. I am quite new to Linux and am already installing the latest versions of mailman, sympa, python, firewalld, perl, etc. and it seems that I just have to wait until everyone else catches up.


danofsatx commented on May 27, 2024

On 05/27/2016 06:14 PM, Rubén Rivero Capriles wrote:

> I am having lots of trouble with firewalld just like everyone else, but
> I think it is because of lack of interest of people who are supposed to
> provide support. I am quite new to linux and am already installing
> latest versions of mailman, sympa, python, firewalld, perl, etc and
> seems that just have to wait that everyone else catches up.

It's not 'lack of interest of people who are supposed to provide
support'. Technically, as an open source product, support is provided by
the community at large. I am one of the few 'end users' that hang out in
the #firewalld channel on freenode to offer what assistance I can, and
also monitor this list to provide solutions. Thomas is busy as the sole
developer; if there are issues with the program itself, tickets need to
be filed.

This is something I try to do - if I work with a user having an issue,
and it comes down to it being a bug or missing feature, I will file the
issue on behalf of the user if they are unable or unwilling.

So, if you've got a problem, please ask - some of us are willing to
help. Like I'm constantly telling my children, I can't fix what I don't
know is broken.

Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Ambassador | Fedora CommOps
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA


rroopstr commented on May 27, 2024

I needed to reinstall my system this morning because of so many dependency conflicts yesterday, and was able to reinstall apache, firewalld and bind in only six hours because of the experiences learned from yesterday's errors. Someone later showed an iptables alternative and it seemed awkward to me just because I got used to firewalld. So Dan and Thomas, keep up the good work because there are people around who value your effort.


t-woerner commented on May 27, 2024

The ICMP packets are handled in the zone with version 0.4.2. There is additionally also the new icmp-block-inversion flag in the zone. With this the enabled ICMP blocks are accepted and there is a final reject rule in the zone for the other ICMP types.


t-woerner commented on May 27, 2024

@aboe76 With version 0.4.2 the ICMP filter was made zone specific. Also there is a new flag to invert the ICMP filter.
The protocol icmpv6 was used for IPv6. This is working, but needed an additional getprotobyname call. This has been fixed with 846f5e7 already with 0.4.1 and ipv6-icmp is used.


t-woerner commented on May 27, 2024

@gustopn I do not see a way to add chain structure handling in firewalld without also adding a lot of complexity.


aboe76 commented on May 27, 2024

@t-woerner thanks for the feedback.
