Michael Scherer m...@zarb.org writes:
- a script with lots of iptables calls (quite awful, slow and
unauditable in practice, as Reindl explained in another mail, and as I have
too often seen at customer deployments)
- a script that runs one command, iptables-restore file. Which is
equally as
On Thursday 15 November 2012 at 09:06 -0800, Adam Williamson wrote:
On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
On 15.11.2012 13:33, Michael Scherer wrote:
On Thursday 15 November 2012 at 03:23 +0100, Kevin Kofler wrote:
iptables rules are a long-established cross-
On Thu, Nov 15, 2012 at 3:23 AM, Kevin Kofler kevin.kof...@chello.at wrote:
And what about the many system administrators using handwritten
rules (see Harald Reindl's reply)?
There is a --direct option that is supposed to provide a
compatibility/escape mechanism with full iptables functionality
On Thursday 15 November 2012 at 03:23 +0100, Kevin Kofler wrote:
iptables rules are a long-established cross-
distribution interface
Not really. For example, Ubuntu uses ufw, Mandriva used Shorewall. Debian
offered several frontends, but IIRC, didn't use one by default.
And I have worked as
On 15.11.2012 13:33, Michael Scherer wrote:
On Thursday 15 November 2012 at 03:23 +0100, Kevin Kofler wrote:
iptables rules are a long-established cross-
distribution interface
Not really. For example, Ubuntu uses ufw, Mandriva used Shorewall. Debian
offered several frontends, but IIRC,
On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
On 15.11.2012 13:33, Michael Scherer wrote:
On Thursday 15 November 2012 at 03:23 +0100, Kevin Kofler wrote:
iptables rules are a long-established cross-
distribution interface
Not really. For example, Ubuntu uses ufw, Mandriva
On 15.11.2012 18:06, Adam Williamson wrote:
On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
On 15.11.2012 13:33, Michael Scherer wrote:
Not really. For example, Ubuntu uses ufw, Mandriva used Shorewall. Debian
offered several frontends, but IIRC, didn't use one by default
and
On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald h.rei...@thelounge.net wrote:
On 15.11.2012 18:06, Adam Williamson wrote:
Right. I hate to say it, but Harald is correct here: AFAIK, all those
and other firewall configuration mechanisms were ultimately just
UI/abstraction layers wrapped around
On Thu, 2012-11-15 at 19:02 +0100, Miloslav Trmač wrote:
On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald h.rei...@thelounge.net wrote:
On 15.11.2012 18:06, Adam Williamson wrote:
Right. I hate to say it, but Harald is correct here: AFAIK, all those
and other firewall configuration
On Thu, Nov 15, 2012 at 7:10 PM, Adam Williamson awill...@redhat.com wrote:
On Thu, 2012-11-15 at 19:02 +0100, Miloslav Trmač wrote:
On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald h.rei...@thelounge.net
wrote:
On 15.11.2012 18:06, Adam Williamson wrote:
Right. I hate to say it, but
On Thu, Nov 15, 2012 at 10:10:43AM -0800, Adam Williamson wrote:
Sure, but the background here was the 'replace vs. augment' question -
is firewalld actually planned to replace iptables in the long run, or
are we committed to maintaining iptables as an alternative mechanism? It
sounds like
On 15.11.2012 19:02, Miloslav Trmač wrote:
On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald h.rei...@thelounge.net wrote:
On 15.11.2012 18:06, Adam Williamson wrote:
Right. I hate to say it, but Harald is correct here: AFAIK, all those
and other firewall configuration mechanisms were
On 15.11.2012 19:16, Miloslav Trmač wrote:
(as far as I understand the situation:) iptables as a kernel
interface and a low-level command will exist, but applications will
expect the existence of the firewalld D-Bus service (as opposed to the
system-config-firewall D-Bus service, at
On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald h.rei...@thelounge.net wrote:
On 15.11.2012 19:02, Miloslav Trmač wrote:
It would be very helpful for judging the maturity/suitability of
firewalld if you could try converting your iptables script to
firewall-cmd --direct (which, at least I
On 15.11.2012 19:27, Miloslav Trmač wrote:
On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald h.rei...@thelounge.net wrote:
On 15.11.2012 19:02, Miloslav Trmač wrote:
It would be very helpful for judging the maturity/suitability of
firewalld if you could try converting your iptables script
On Thu, 15 Nov 2012 19:30:27 +0100
Reindl Harald h.rei...@thelounge.net wrote:
On 15.11.2012 19:27, Miloslav Trmač wrote:
On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald
h.rei...@thelounge.net wrote:
On 15.11.2012 19:02, Miloslav Trmač wrote:
It would be very helpful for judging the
On 15.11.2012 19:37, Kevin Fenzi wrote:
Have you actually _tried_? It's supposed to be as easy as
s/iptables/firewall-cmd --direct --passthrough ipv4/
I don't know for a fact whether it is good enough. You seem to
have a script that could tell us.
I posted a script earlier this day as
On Thu, 2012-11-15 at 19:46 +0100, Reindl Harald wrote:
On 15.11.2012 19:37, Kevin Fenzi wrote:
Have you actually _tried_? It's supposed to be as easy as
s/iptables/firewall-cmd --direct --passthrough ipv4/
I don't know for a fact whether it is good enough. You seem to
have a
On 15.11.2012 19:58, Adam Williamson wrote:
I don't think anyone asked you to do any of those things. Fedora
obviously does not have the power to replace iptables with firewalld on
your router, so the question is not 'can you replace iptables with
firewalld on everything in your network
On Wed, Nov 14, 2012 at 2:35 AM, Matthew Miller
mat...@fedoraproject.org wrote:
Well. I may be a little bit cynical on this, but I think the unsteered drift
of this kind of thing goes like this:
1. Shiny new feature covers the desktop case, so let's make it the default
in Fedora.
2. Don't
On Wed, Nov 14, 2012 at 11:34:56AM +0100, Miloslav Trmač wrote:
AFAIK the major things for our usual use cases are covered, at least
going by the F17 criteria. Sure, there may be more things missing.
Adam asked to keep those other things to the other thread, so I'll just
touch on the
On 14.11.2012 01:52, Adam Williamson wrote:
I don't think that maintaining iptables/s-c-f forever as a 'lightweight
alternative' to firewalld is the way to go
IT IS the way to go!
not as default, not supported via GUI is OK
but iptables.service and configuration with shell scripts is what
Miloslav Trmač wrote:
Looking at your original warning flag: Squeezing every last megabyte
out of the running system for cloud is a really new thing that we
haven't historically required. Sure, it would be great to make
firewalld smaller (and rewriting firewalld to C is one of those things
On Sat, 2012-11-10 at 14:40 -0500, Matthew Miller wrote:
On Sat, Nov 10, 2012 at 11:15:31AM -0700, Stephen John Smoogen wrote:
is entirely irrelevant. To achieve the above, we don't need to make sure
that the default configuration leaves port 22 open when firewalld is
installed, but that
On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
Well with firewalld not installed and no iptables configs.. I would
believe that the default would be everything open... unless some other
This is indeed the case.
And that's clearly not what we want. I thought it kind of
On Tue, 2012-11-13 at 19:44 -0500, Matthew Miller wrote:
On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
Well with firewalld not installed and no iptables configs.. I would
believe that the default would be everything open... unless some other
This is indeed the case.
On Tue, Nov 13, 2012 at 04:52:47PM -0800, Adam Williamson wrote:
Well, sure, but you seem to be drifting the discussion a bit (or I did,
I've been out of town for the weekend, it gets confusing). As I recall
things, the basic goal we were working towards in this thread was the
reduction of the
On Tue, 2012-11-13 at 20:35 -0500, Matthew Miller wrote:
like that. Someone else might want to advocate that, but I'm not. Since
I now figured out to my own satisfaction that we can't just ditch
firewalld from the minimal install, the focus in the context of this
goal should be on
On 9 November 2012 18:46, Adam Williamson awill...@redhat.com wrote:
On Fri, 2012-11-09 at 20:39 -0500, Matthew Miller wrote:
On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
it maybe doesn't actually need to be). So perhaps we should change
firewalld to default to opening
On Sat, Nov 10, 2012 at 11:15:31AM -0700, Stephen John Smoogen wrote:
is entirely irrelevant. To achieve the above, we don't need to make sure
that the default configuration leaves port 22 open when firewalld is
installed, but that the default configuration leaves port 22 open when
On Fri, 2012-11-09 at 15:06 -0800, Adam Williamson wrote:
Right now it seems like anaconda actually just throws firewalld into the
target package set in absolutely all cases, like it does with
authconfig, which I think is wrong. As the above makes clear, it only
really makes sense to use
On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
it maybe doesn't actually need to be). So perhaps we should change
firewalld to default to opening port 22.
+1, even having read the rest of this message.
Same with iptables if firewalld is not installed by default.
On Fri, 2012-11-09 at 20:39 -0500, Matthew Miller wrote:
On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
it maybe doesn't actually need to be). So perhaps we should change
firewalld to default to opening port 22.
+1, even having read the rest of this message.
Same