Comments (10)
At first please open a new issue for point number 2.
One major point of firewalld was not to replicate the whole complexity of iptables and chains in a higher level. The direct interface has been created to be able to provide a simple migration path for services and applications and to be able to do things in the firewall that firewalld is not able to do, yet. firewalld is creating a chain tree internally to be able to simplify the addition and removal of services, ports etc. internally in a more predictable way.
Creating data structures for a chain tree in the direct interface could become very complex, which would then contradict the wish to keep firewalld simple to use and understand. I do not see a way to provide this in a simple to use and simple to understand way, that will not break other use cases, but if you have an idea how to achieve this, then please share it with me.
I'm seeing the same thing with ICMP packets in the Drop zone. When we put our NIC in the Drop zone but have a subnet on that NIC in the Public zone using source, TCP and UDP packets are allowed according to the rules of the Public zone. ICMP is not - it's blocked as though it's still going through the Drop zone.
@t-woerner please read this: https://www.jethrocarr.com/2013/02/09/ip6tables-ipv6-icmp-vs-icmp/ and see if this can be added, if I'm not mistaken it will make issue 2 go away.
I am having lots of trouble with firewalld just like everyone else, but I think it is because of lack of interest of people who are supposed to provide support. I am quite new to Linux and am already installing the latest versions of mailman, sympa, python, firewalld, perl, etc. and it seems that I just have to wait for everyone else to catch up.
On 05/27/2016 06:14 PM, Rubén Rivero Capriles wrote:
I am having lots of trouble with firewalld just like everyone else, but
I think it is because of lack of interest of people who are supposed to
provide support. I am quite new to linux and am already installing
latest versions of mailman, sympa, python, firewalld, perl, etc and
seems that just have to wait that everyone else catches up.
It's not 'lack of interest of people who are supposed to provide
support'. Technically, as an open source product, support is provided by
the community at large. I am one of the few 'end users' that hang out in
the #firewalld channel on freenode to offer what assistance I can, and
also monitor this list to provide solutions. Thomas is busy as the sole
developer, if there are issues with the program itself, tickets need to
be filed.
This is something I try to do - if I work with a user having an issue,
and it comes down to it being a bug or missing feature, I will file the
issue on behalf of the user if they are unable or unwilling.
So, if you've got a problem, please ask - some of us are willing to
help. Like I'm constantly telling my children, I can't fix what I don't
know is broken.
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Ambassador | Fedora CommOps
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
I needed to reinstall my system this morning because of so many dependency conflicts yesterday, and was able to reinstall apache, firewalld and bind in only six hours because of the experience learned from yesterday's errors. Someone later showed an iptables alternative and it seemed awkward to me just because I got used to firewalld. So Dan and Thomas, keep up the good work because there are people around who value your effort.
The ICMP packets are handled in the zone with version 0.4.2. There is additionally also the new icmp-block-inversion flag in the zone. With this the enabled ICMP blocks are accepted and there is a final reject rule in the zone for the other ICMP types.
@aboe76 With version 0.4.2 the ICMP filter was made zone specific. Also there is a new flag to invert the ICMP filter.
The protocol icmpv6 was used for IPv6. This is working, but needed an additional getprotobyname call. This has been fixed with 846f5e7 already with 0.4.1 and ipv6-icmp is used.
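A small model of the behaviour discussed in this thread, added here as an illustration and not part of the firewalld project or any comment above: source bindings take precedence over interface bindings when picking a zone, and with icmp-block-inversion the listed ICMP types are accepted while all others are rejected. The zone XML, interface name and subnet are constructed placeholders, and the verdict logic is a simplification of firewalld's real rule set.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed zone definitions in the shape of firewalld zone XML (firewalld.zone(5)).
# eth0 sits in the drop zone; one subnet on that NIC is bound to public via <source>.
ZONE_XML = {
    "drop": """<zone target="DROP"><short>Drop</short>
  <interface name="eth0"/></zone>""",
    "public": """<zone><short>Public</short>
  <source address="192.0.2.0/24"/>
  <service name="ssh"/>
  <icmp-block-inversion/>
  <icmp-block name="echo-request"/>
  <icmp-block name="echo-reply"/></zone>""",
}


def parse_zone(xml_text):
    """Extract the parts of a zone file that matter for zone selection and ICMP handling."""
    root = ET.fromstring(xml_text)
    return {
        "target": root.get("target", "default"),
        "interfaces": {e.get("name") for e in root.findall("interface")},
        "sources": [ipaddress.ip_network(e.get("address")) for e in root.findall("source")],
        "icmp_blocks": {e.get("name") for e in root.findall("icmp-block")},
        "inverted": root.find("icmp-block-inversion") is not None,
    }


ZONES = {name: parse_zone(xml) for name, xml in ZONE_XML.items()}


def select_zone(zones, iface, src_ip):
    """Zone lookup order as firewalld applies it: a matching source binding wins over the interface."""
    ip = ipaddress.ip_address(src_ip)
    for name, zone in zones.items():
        if any(ip in net for net in zone["sources"]):
            return name
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    return None  # firewalld would fall back to the default zone here


def icmp_verdict(zone, icmp_type):
    """Simplified per-zone ICMP handling (zone-specific since firewalld 0.4.2)."""
    if zone["inverted"]:
        # Inversion: the listed types are accepted, everything else hits the final reject rule.
        return "ACCEPT" if icmp_type in zone["icmp_blocks"] else "REJECT"
    if icmp_type in zone["icmp_blocks"]:
        return "REJECT"
    return "DROP" if zone["target"] == "DROP" else "ACCEPT"
```

With these zones, an echo-request from 192.0.2.10 on eth0 is handled by public and accepted, while the same packet from an address outside that subnet is handled by drop.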
@gustopn I do not see a way to add chain structure handling in firewalld without also adding a lot of complexity.
@t-woerner thanks for the feedback,