[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-23 Thread Yedidyah Bar David
On Thu, Apr 23, 2020 at 12:21 AM Strahil Nikolov  wrote:
>
> On April 22, 2020 10:45:49 PM GMT+03:00, Edson Richter 
>  wrote:
> >From: Strahil Nikolov
> >Sent: Wednesday, April 22, 2020 15:45
> >To: users@ovirt.org; Edson Richter; eev...@digitaldatatechs.com;
> >france...@shellrent.com
> >
> >Subject: Re: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
> >
> >On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter
> > wrote:
> >>I'm in no way an oVirt expert. But as a Linux administrator, I would say
> >>that firewalld and iptables are "front-ends" to the kernel's internal
> >>security tables, so, at the end of the day, they will provide *almost*
> >>the same functionality.
> >>
> >>It seems that firewalld is able to activate modules without restarting
> >>the entire firewall infrastructure, which iptables is not capable of.
> >>This gives firewalld an advantage, especially where you would not have
> >>interruptions in existing stateful connections.
> >>
> >>I've *always* used iptables as a replacement for firewalld because of
> >>almost 20 years using iptables - this is the first step in all of the
> >>about one hundred CentOS 7 installations I've done in the past few years.
> >>I just can't throw away all my scripts that block hackers, provide 2- and
> >>3-way "knock-knock" lockers, fail2ban customizations, NAT rules, DMZ, and
> >>all, every time a new "firewall" front end appears. I've seen at least
> >>two or three "iptables killer techs" in the past, and iptables still is
> >>the king - at least for me.
> >>
> >>Again, repeating myself, I'm no oVirt specialist. Just a seasonal Linux
> >>admin who will not jump off the iptables train yet.
> >>
> >>Perhaps, I would not recommend completely deactivating all firewalls on
> >>any server! If that is the case, I would instead advise just
> >>replacing firewalld with iptables-service (at least in CentOS 7) - but
> >>only in case you have too much to lose without iptables (as I do).

(A long and non-important reply follows. Feel free to ignore...)

I'd like to add to the other answers given (which I agree with):

I too, when I was a sysadmin, had colleagues that insisted on long shell
scripts with iptables commands. I also started that way myself, but at
some point realized I actually don't like all these long lists of iptables
commands, and that I start using control structures around them (loops,
conditionals, etc.), and eventually that likely other people were in my
position and probably some of them created wrappers that I might like.
So I searched a bit, and eventually settled on firehol, which served me
very well for quite many years. I admit I didn't check it much since I
started working for Red Hat, but I did see it eventually added support
of IPv6 (which is very nice, IMO, and does save you from lots of duplication
in your custom script), as well as some other additions.

Most of these wrappers, though, have a single kind of audience in mind -
the sysadmin. Some are for people that prefer GUIs; some, like firehol,
are for those that want to be expressive but concise; there are quite
many - I heartily recommend going and having a look, if you didn't yet.

firewalld arrived rather late in the game, and I think it did/does
serve a specific niche quite well, in addition to sysadmins (which IMO
it also serves reasonably well, but that's a matter of taste, obviously.
It's definitely quite different from e.g. firehol). It serves the
audience of 3rd-party developers well: both those that want to define a
specific service, so that sysadmins can allow/deny/etc. it for some zone
etc. without having to deal with the specifics (which in some cases are
somewhat more complex than a single TCP port, although that's the common
case), and those that want to create wrappers above firewalld itself.

Going back to the list's topic, for oVirt, it's much much easier and less
risky to add or remove firewalld services than to try and insert rules
inside your custom iptables setup. iptables is simply meant to be general
purpose - programmatically updating one's arbitrary configuration is similar
in complexity to programmatically editing source code of some program to make
it do something. Even if your script has no flow control, just a long stream
of iptables commands, or alternatively if the tool tries to edit the output
of 'iptables-save' rather than your "source" script, you can still have custom
tables, conditional terminals (REJECT if $something), etc. - and a tool simply
can't know what to do. I guess at least in some cases even you have to think
carefully before updating your scripts :-). firewal
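The "named service" approach described in this message, as an added example that is not part of the thread and not oVirt's own code: a tool ships a firewalld service definition for the ports it needs, and the admin allows or removes that name per zone instead of anyone editing iptables rules by hand. The service name, description and port numbers are constructed placeholders (not the ports oVirt actually uses); the `firewall-cmd` options used are the documented `--new-service-from-file`, `--add-service`, `--remove-service`, `--delete-service` and `--reload`.

```shell
#!/bin/sh
# Added example (not from the thread, not oVirt's code): describe what a tool
# needs as a firewalld service instead of editing an admin's iptables script.
# Names and ports below are constructed placeholders.

# Accept "PORT/tcp" or "PORT/udp" with PORT in 1..65535; return 1 otherwise.
valid_port_spec() {
    port=${1%/*}
    proto=${1##*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print a firewalld service definition (the XML read by
# 'firewall-cmd --new-service-from-file') for SHORT/DESC and the given specs.
# Prints nothing and returns 1 if any spec is malformed, so a broken
# definition is never handed to firewalld.
service_xml() {
    short=$1
    desc=$2
    shift 2
    for spec in "$@"; do
        valid_port_spec "$spec" || return 1
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# The commands a tool runs to install the file and enable the service in a
# zone.  Printed rather than executed: they need root and a running firewalld.
install_commands() {
    name=$1
    zone=$2
    file=$3
    printf 'firewall-cmd --permanent --new-service-from-file=%s --name=%s\n' "$file" "$name"
    printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$name"
    printf 'firewall-cmd --reload\n'
}

# The matching removal: no parsing of anyone's rules is needed, the name is
# enough.
remove_commands() {
    name=$1
    zone=$2
    printf 'firewall-cmd --permanent --zone=%s --remove-service=%s\n' "$zone" "$name"
    printf 'firewall-cmd --permanent --delete-service=%s\n' "$name"
    printf 'firewall-cmd --reload\n'
}

# Demo with constructed values: ./service.sh --demo
if [ "${1:-}" = --demo ]; then
    service_xml "Example tool" "Constructed example service" 54321/tcp 54322/udp
    install_commands example-tool public /tmp/example-tool.xml
    remove_commands example-tool public
fi
```

The validation step matters because firewalld rejects a malformed definition at load time, not at write time; checking the specs before writing the file keeps the failure where the tool can report it.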

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Strahil Nikolov
On April 22, 2020 10:45:49 PM GMT+03:00, Edson Richter 
 wrote:
>From: Strahil Nikolov
>Sent: Wednesday, April 22, 2020 15:45
>To: users@ovirt.org; Edson Richter; eev...@digitaldatatechs.com;
>france...@shellrent.com
>
>Subject: Re: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter
> wrote:
>>I'm in no way an oVirt expert. But as a Linux administrator, I would say
>>that firewalld and iptables are "front-ends" to the kernel's internal
>>security tables, so, at the end of the day, they will provide *almost*
>>the same functionality.
>>
>>It seems that firewalld is able to activate modules without restarting
>>the entire firewall infrastructure, which iptables is not capable of.
>>This gives firewalld an advantage, especially where you would not have
>>interruptions in existing stateful connections.
>>
>>I've *always* used iptables as a replacement for firewalld because of
>>almost 20 years using iptables - this is the first step in all of the
>>about one hundred CentOS 7 installations I've done in the past few years.
>>I just can't throw away all my scripts that block hackers, provide 2- and
>>3-way "knock-knock" lockers, fail2ban customizations, NAT rules, DMZ, and
>>all, every time a new "firewall" front end appears. I've seen at least
>>two or three "iptables killer techs" in the past, and iptables still is
>>the king - at least for me.
>>
>>Again, repeating myself, I'm no oVirt specialist. Just a seasonal Linux
>>admin who will not jump off the iptables train yet.
>>
>>Perhaps, I would not recommend completely deactivating all firewalls on
>>any server! If that is the case, I would instead advise just
>>replacing firewalld with iptables-service (at least in CentOS 7) - but
>>only in case you have too much to lose without iptables (as I do).
>>
>>Regards,
>>
>>Edson
>>
>>
>>
>>From: eev...@digitaldatatechs.com
>>Sent: Wednesday, April 22, 2020 12:18
>>To: france...@shellrent.com; users@ovirt.org
>>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>>
>>If you log in to the cockpit, you can add services or custom ports
>>easily. I would not disable the firewall.
>> for the cockpit.
>>
>>Eric Evans
>>Digital Data Services LLC.
>>304.660.9080
>>
>>
>>-Original Message-
>>From: france...@shellrent.com 
>>Sent: Tuesday, April 21, 2020 12:54 PM
>>To: users@ovirt.org
>>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>>
>>Hi all,
>>
>>I was wondering if it's "safe" to disable the firewalld service entirely
>>and manage the firewall only via iptables, on the host and on the
>>hosted engine (a self-hosted engine). It would make managing the firewall
>>rules a lot easier for me because of the many automatisms I created based
>>on iptables. Did anyone manage to do this? Any contraindication for doing
>>this, or precautions that I have to take care of?
>>
>>Thanks for your time and help,
>>Francesco

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Edson Richter
From: Strahil Nikolov
Sent: Wednesday, April 22, 2020 15:45
To: users@ovirt.org; Edson Richter; eev...@digitaldatatechs.com;
france...@shellrent.com
Subject: Re: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter 
 wrote:
>I'm in no way an oVirt expert. But as a Linux administrator, I would say
>that firewalld and iptables are "front-ends" to the kernel's internal
>security tables, so, at the end of the day, they will provide *almost*
>the same functionality.
>
>It seems that firewalld is able to activate modules without restarting
>the entire firewall infrastructure, which iptables is not capable of.
>This gives firewalld an advantage, especially where you would not have
>interruptions in existing stateful connections.
>
>I've *always* used iptables as a replacement for firewalld because of
>almost 20 years using iptables - this is the first step in all of the
>about one hundred CentOS 7 installations I've done in the past few years.
>I just can't throw away all my scripts that block hackers, provide 2- and
>3-way "knock-knock" lockers, fail2ban customizations, NAT rules, DMZ, and
>all, every time a new "firewall" front end appears. I've seen at least
>two or three "iptables killer techs" in the past, and iptables still is
>the king - at least for me.
>
>Again, repeating myself, I'm no oVirt specialist. Just a seasonal Linux
>admin who will not jump off the iptables train yet.
>
>Perhaps, I would not recommend completely deactivating all firewalls on
>any server! If that is the case, I would instead advise just
>replacing firewalld with iptables-service (at least in CentOS 7) - but
>only in case you have too much to lose without iptables (as I do).
>
>Regards,
>
>Edson
>
>
>
>From: eev...@digitaldatatechs.com
>Sent: Wednesday, April 22, 2020 12:18
>To: france...@shellrent.com; users@ovirt.org
>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>If you log in to the cockpit, you can add services or custom ports
>easily. I would not disable the firewall.
> for the cockpit.
>
>Eric Evans
>Digital Data Services LLC.
>304.660.9080
>
>
>-Original Message-
>From: france...@shellrent.com 
>Sent: Tuesday, April 21, 2020 12:54 PM
>To: users@ovirt.org
>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>
>Hi all,
>
>I was wondering if it's "safe" to disable the firewalld service entirely
>and manage the firewall only via iptables, on the host and on the
>hosted engine (a self-hosted engine). It would make managing the firewall
>rules a lot easier for me because of the many automatisms I created based
>on iptables. Did anyone manage to do this? Any contraindication for doing
>this, or precautions that I have to take care of?
>
>Thanks for your time and help,
>Francesco

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Strahil Nikolov
On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter 
 wrote:
>I'm in no way an oVirt expert. But as a Linux administrator, I would say
>that firewalld and iptables are "front-ends" to the kernel's internal
>security tables, so, at the end of the day, they will provide *almost*
>the same functionality.
>
>It seems that firewalld is able to activate modules without restarting
>the entire firewall infrastructure, which iptables is not capable of.
>This gives firewalld an advantage, especially where you would not have
>interruptions in existing stateful connections.
>
>I've *always* used iptables as a replacement for firewalld because of
>almost 20 years using iptables - this is the first step in all of the
>about one hundred CentOS 7 installations I've done in the past few years.
>I just can't throw away all my scripts that block hackers, provide 2- and
>3-way "knock-knock" lockers, fail2ban customizations, NAT rules, DMZ, and
>all, every time a new "firewall" front end appears. I've seen at least
>two or three "iptables killer techs" in the past, and iptables still is
>the king - at least for me.
>
>Again, repeating myself, I'm no oVirt specialist. Just a seasonal Linux
>admin who will not jump off the iptables train yet.
>
>Perhaps, I would not recommend completely deactivating all firewalls on
>any server! If that is the case, I would instead advise just
>replacing firewalld with iptables-service (at least in CentOS 7) - but
>only in case you have too much to lose without iptables (as I do).
>
>Regards,
>
>Edson
>
>
>
>From: eev...@digitaldatatechs.com
>Sent: Wednesday, April 22, 2020 12:18
>To: france...@shellrent.com; users@ovirt.org
>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>If you log in to the cockpit, you can add services or custom ports
>easily. I would not disable the firewall.
> for the cockpit.
>
>Eric Evans
>Digital Data Services LLC.
>304.660.9080
>
>
>-Original Message-
>From: france...@shellrent.com 
>Sent: Tuesday, April 21, 2020 12:54 PM
>To: users@ovirt.org
>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>
>Hi all,
>
>I was wondering if it's "safe" to disable the firewalld service entirely
>and manage the firewall only via iptables, on the host and on the
>hosted engine (a self-hosted engine). It would make managing the firewall
>rules a lot easier for me because of the many automatisms I created based
>on iptables. Did anyone manage to do this? Any contraindication for doing
>this, or precautions that I have to take care of?
>
>Thanks for your time and help,
>Francesco

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Edson Richter
I'm in no way an oVirt expert. But as a Linux administrator, I would say that 
firewalld and iptables are "front-ends" to the kernel's internal security tables, 
so, at the end of the day, they will provide *almost* the same functionality.

It seems that firewalld is able to activate modules without restarting the entire 
firewall infrastructure, which iptables is not capable of. This gives firewalld an 
advantage, especially where you would not have interruptions in existing stateful 
connections.

I've *always* used iptables as a replacement for firewalld because of almost 20 
years using iptables - this is the first step in all of the about one hundred 
CentOS 7 installations I've done in the past few years. I just can't throw away 
all my scripts that block hackers, provide 2- and 3-way "knock-knock" lockers, 
fail2ban customizations, NAT rules, DMZ, and all, every time a new "firewall" 
front end appears. I've seen at least two or three "iptables killer techs" in the 
past, and iptables still is the king - at least for me.

Again, repeating myself, I'm no oVirt specialist. Just a seasonal Linux admin 
who will not jump off the iptables train yet.

Perhaps, I would not recommend completely deactivating all firewalls on any 
server! If that is the case, I would instead advise just replacing firewalld 
with iptables-service (at least in CentOS 7) - but only in case you have too 
much to lose without iptables (as I do).

Regards,

Edson



From: eev...@digitaldatatechs.com
Sent: Wednesday, April 22, 2020 12:18
To: france...@shellrent.com; users@ovirt.org
Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

If you log in to the cockpit, you can add services or custom ports easily. I 
would not disable the firewall.
 for the cockpit.

Eric Evans
Digital Data Services LLC.
304.660.9080


-Original Message-
From: france...@shellrent.com 
Sent: Tuesday, April 21, 2020 12:54 PM
To: users@ovirt.org
Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]

Hi all,

I was wondering if it's "safe" to disable the firewalld service entirely and 
manage the firewall only via iptables, on the host and on the hosted engine (a 
self-hosted engine). It would make managing the firewall rules a lot easier 
for me because of the many automatisms I created based on iptables. Did anyone 
manage to do this? Any contraindication for doing this, or precautions that I 
have to take care of?

Thanks for your time and help,
Francesco
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread eevans
If you log in to the cockpit, you can add services or custom ports easily. I 
would not disable the firewall.
 for the cockpit.

Eric Evans
Digital Data Services LLC.
304.660.9080


-Original Message-
From: france...@shellrent.com  
Sent: Tuesday, April 21, 2020 12:54 PM
To: users@ovirt.org
Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]

Hi all,

I was wondering if it's "safe" to disable the firewalld service entirely and 
manage the firewall only via iptables, on the host and on the hosted engine (a 
self-hosted engine). It would make managing the firewall rules a lot easier 
for me because of the many automatisms I created based on iptables. Did anyone 
manage to do this? Any contraindication for doing this, or precautions that I 
have to take care of?

Thanks for your time and help,
Francesco
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: 
https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PNKTCSWLJXKK6FAIJ7EJMWIFTH4GGCL5/
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JOTFQ5SPDUET7MUU3MYQVDGZDMRO7GWQ/


[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Gianluca Cecchi
On Wed, Apr 22, 2020 at 11:24 AM Michaël Couren  wrote:

>
> >
> > Also, please note that in el8 (which will be the only supported OS for
> > oVirt 4.4), if you do not want to use firewalld, you might have to
> > convert/amend your scripts/conf to use nftables.
> >
> > Best regards,
> > --
> > Didi
>
> Hi, I'm still using iptables on CentOS8-stream but I'm not sure if it uses
> nftables or the good "old" netfilter in the backend.
>

This could be useful:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-and-configuring-firewalls-using-firewalld_configuring-and-managing-networking

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking

and also this:
https://www.redhat.com/en/blog/using-nftables-red-hat-enterprise-linux-8
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CDQEXHCSF75KW4LTHGKQAFUNCNHVKR3M/


[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Yedidyah Bar David
On Wed, Apr 22, 2020 at 12:23 PM Michaël Couren  wrote:
>
>
> >
> > Also, please note that in el8 (which will be the only supported OS for
> > oVirt 4.4), if you do not want to use firewalld, you might have to
> > convert/amend your scripts/conf to use nftables.
> >
> > Best regards,
> > --
> > Didi
>
> Hi, I'm still using iptables on CentOS8-stream but I'm not sure if it uses
> nftables or the good "old" netfilter in the backend.

I didn't play at all yet with either nftables or EL8's iptables. Only
recently realized it's indeed included:

https://gerrit.ovirt.org/108265

> (Debian 10 documentation seems more precise on this point)
> By the way I don't use it on oVirt nodes just on VMs... Just saying it is 
> possible.

Yes, saw that too. Also that on a firewalld managed EL8 machine,
'iptables-save' says:
# Generated by xtables-save v1.8.2 on Wed Apr 22 12:50:13 2020
...
# Completed on Wed Apr 22 12:50:13 2020
# Table `firewalld' is incompatible, use 'nft' tool.

So this tells me, without learning nft, to be careful...

Thanks!
-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UPFY3VNNDN2ABFXOV5F6MULAKCWP6MAE/
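A check in the spirit of the warning quoted above, added here as an example and not part of the thread: it classifies the iptables backend from the text of `iptables -V` and scans an `iptables-save` dump for the "Table ... is incompatible" line, so an admin on an EL8 host knows when the dump is not a complete picture of the host's rules (firewalld's own native nftables table is not rendered by iptables-save). The sample version string and ruleset are constructed; the `# Generated` and `# Table` lines mirror the ones Didi quoted.

```shell
#!/bin/sh
# Added example (not from the thread): tell whether an iptables-save dump can be
# trusted as the complete firewall state of a host.  On EL8 'iptables' is the
# nft-backed variant; firewalld keeps its own native nftables table, which
# iptables-save cannot render and flags with an "is incompatible" comment.

# Classify the backend from the text printed by 'iptables -V'.
# Prints one of: nft, legacy, unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read a saved ruleset on stdin and print the names of the tables that
# iptables-save refused to dump (one per line; nothing if all were shown).
incompatible_tables() {
    sed -n "s/^# Table \`\(.*\)' is incompatible, use 'nft' tool\.\$/\1/p"
}

# Combine the two: print a verdict and return 1 when the dump is incomplete.
#   audit_ruleset "<output of iptables -V>" < saved-ruleset
audit_ruleset() {
    backend=$(iptables_backend "$1")
    hidden=$(incompatible_tables | tr '\n' ' ')
    if [ -n "$hidden" ]; then
        echo "INCOMPLETE (backend=$backend): tables missing from dump: $hidden"
        return 1
    fi
    echo "COMPLETE (backend=$backend)"
}

# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_VERSION='iptables v1.8.4 (nf_tables)'
SAMPLE_SAVE=$(cat <<'EOF'
# Generated by xtables-save v1.8.2 on Wed Apr 22 12:50:13 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Apr 22 12:50:13 2020
# Table `firewalld' is incompatible, use 'nft' tool.
EOF
)

# Run against the constructed sample, or against the live host with --live
# (the warning may be written to stderr on some versions, hence 2>&1).
if [ "${1:-}" = --live ] && command -v iptables-save >/dev/null 2>&1; then
    iptables-save 2>&1 | audit_ruleset "$(iptables -V 2>&1)"
else
    printf '%s\n' "$SAMPLE_SAVE" | audit_ruleset "$SAMPLE_VERSION" || :
fi
```

When the verdict is INCOMPLETE, the missing table has to be read with `nft list ruleset`; a script that diffs only `iptables-save` output against an expected baseline would silently miss every rule firewalld owns.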


[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Michaël Couren

> 
> Also, please note that in el8 (which will be the only supported OS for
> oVirt 4.4), if you do not want to use firewalld, you might have to
> convert/amend your scripts/conf to use nftables.
> 
> Best regards,
> --
> Didi

Hi, I'm still using iptables on CentOS8-stream but I'm not sure if it uses 
nftables or the good "old" netfilter in the backend.
(Debian 10 documentation seems more precise on this point.)
By the way, I don't use it on oVirt nodes, just on VMs... Just saying it is 
possible.
-- 
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AOYYPYSRZK2KKID5TW5ZGYDJ6RZ357OW/


[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Yedidyah Bar David
On Wed, Apr 22, 2020 at 9:21 AM  wrote:
>
> Hi all,
>
> I was wondering if it's "safe" to disable the firewalld service entirely and 
> manage the firewall only via iptables, on the host and on the hosted engine 
> (a self-hosted engine). It would make managing the firewall rules a lot easier 
> for me because of the many automatisms I created based on iptables. Did 
> anyone manage to do this? Any contraindication for doing this, or precautions 
> that I have to take care of?

I didn't try this myself, but last time this was discussed Simone said
that it's mandatory to have firewalld enabled and active during the
hosted-engine deploy, but that it should be safe to stop/disable after
that, as well as add new hosts without firewall.

Also, please note that in el8 (which will be the only supported OS for
oVirt 4.4), if you do not want to use firewalld, you might have to
convert/amend your scripts/conf to use nftables.

Best regards,
-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7QEUKHNG7LIUWKAOZ4NMIGEOCREGEOJH/