On Tue, Jan 3, 2017 at 3:11 PM, jdow <[email protected]> wrote:
> On 2017-01-03 09:56, David Sommerseth wrote:
>>
>> Remember that firewalld provides an API over D-Bus for dynamic
>> firewall updates, so this is kind of to "seal" the configuration
>> without breaking any component depending on manipulating the firewall
>> as the system is running. NetworkManager and libvirt are two
>> components which adjust the firewall on-the-fly, depending on which
>> network you're connected to or which VMs have been started, and so on.
>
> That still leaves me mumbling and led me down a midget rabbit hole.
> The "iptables" command is 777 root root system_u:object_r:bin_t:s0;
> but, that's OK. It's a link - to xtables-multi, which is rwxr-xr-x.
> root root system_u:object_r:iptables_exec_t:s0. Waitaminit says I to
> meself. (or is it me to iself? Whatever) Let's give that a try.... The
> results are reassuring:
> ===8<---
> [jdow@whereever ~]$ xtables-multi iptables -L -v
> iptables v1.4.21: can't initialize iptables table `filter': Permission
> denied (you must be root)
> Perhaps iptables or your kernel needs to be upgraded.
> ===8<---
> I guess the ancient philosophy of one task one command is passé and
> now a monstrosity like xtables-multi finds itself masquerading as
> iptables and about a dozen other things.
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/iptables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/ip6tables

are symlinks to "/usr/sbin/xtables-multi" because it's a multi-call
binary, like busybox. There are others. Off the top of my head,
dnsdomainname, domainname, nisdomainname, ypdomainname are symlinks to
hostname; halt, poweroff, reboot, shutdown are symlinks to systemctl;
view is a symlink to vi; etc.

It's normal for "iptables" to fail if you call it as jdow; but if you
have polkit installed, "pkexec iptables" might work (depending on your
polkit policies; "sudo ..." and "su -c ..." will work if you're
authorized).
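For readers who have not looked at how a multi-call binary decides what it is, here is an added illustration (not code from the thread, and not the actual xtables-multi or busybox source). The mechanism is the same in both: the kernel passes the name the program was invoked by in argv[0]; the binary compares the basename of argv[0] against its applet table and behaves as that applet, which is what the symlinks above exploit. When invoked under its own name it takes argv[1] as the applet name instead, which is why "xtables-multi iptables -L -v" behaves like "iptables -L -v". The binary name "demo-multi", the four-entry applet table, and the return codes are assumptions made for the example; the privilege check in main() only mimics the "you must be root" message jdow saw rather than touching any real table.

```c
/* Added example of argv[0] dispatch in a multi-call binary.
 * Names, applet table and return codes are constructed for illustration;
 * this is not the xtables-multi or busybox implementation. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Applet identifiers (constructed). */
enum { APPLET_NONE = -1, APPLET_IPTABLES = 0, APPLET_IP6TABLES = 1,
       APPLET_SAVE = 2, APPLET_RESTORE = 3 };

/* The binary's own name; any other argv[0] basename is treated as an applet. */
#define MULTI_NAME "demo-multi"

static const struct { const char *name; int id; } applets[] = {
    { "iptables",         APPLET_IPTABLES },
    { "ip6tables",        APPLET_IP6TABLES },
    { "iptables-save",    APPLET_SAVE },
    { "iptables-restore", APPLET_RESTORE },
};

/* Portable basename: pointer to the text after the last '/', or the whole
 * string if there is no slash. Does not modify its argument. */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Look an applet up by name; APPLET_NONE when the name is unknown. */
int applet_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
        if (strcmp(applets[i].name, name) == 0)
            return applets[i].id;
    return APPLET_NONE;
}

/* Decide which applet to run. Returns the applet id and stores in *first_arg
 * the argv index at which the applet's own arguments begin.
 *   /usr/sbin/iptables -L        -> APPLET_IPTABLES, first_arg = 1
 *   demo-multi ip6tables -L      -> APPLET_IP6TABLES, first_arg = 2
 *   /usr/sbin/whoami             -> APPLET_NONE (no such applet)        */
int dispatch(int argc, char **argv, int *first_arg)
{
    if (argc < 1 || argv[0] == NULL)
        return APPLET_NONE;

    const char *self = base_name(argv[0]);
    if (strcmp(self, MULTI_NAME) != 0) {
        /* Reached through a symlink such as /usr/sbin/iptables. */
        *first_arg = 1;
        return applet_by_name(self);
    }
    /* Invoked under our own name: argv[1] selects the applet. */
    if (argc < 2 || argv[1] == NULL)
        return APPLET_NONE;
    *first_arg = 2;
    return applet_by_name(argv[1]);
}

int main(int argc, char **argv)
{
    int first;
    int id = dispatch(argc, argv, &first);
    if (id == APPLET_NONE) {
        fprintf(stderr, "%s: unknown applet\n", argv[0]);
        return 2;
    }
    printf("would run applet %s with %d argument(s)\n",
           applets[id].name, argc - first);

    /* The real tools need CAP_NET_ADMIN to open the netfilter tables; a plain
     * user gets EPERM from the kernel regardless of which name was used.
     * This demo only mimics that message instead of touching any table. */
    if (geteuid() != 0) {
        fprintf(stderr, "%s: can't initialize table `filter': Permission denied "
                        "(you must be root)\n", applets[id].name);
        return 1;
    }
    return 0;
}
```

Build it and try `ln -s demo-multi iptables; ./iptables -L` versus `./demo-multi iptables -L`: both land in the same applet, and the non-root check fires either way, which is the point of jdow's experiment. This is also why the SELinux label sits on the real file (iptables_exec_t on xtables-multi) and not on the symlink, which only carries the generic bin_t context shown in the quoted ls output.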
