On April 22, 2020 10:45:49 PM GMT+03:00, Edson Richter <edsonrich...@hotmail.com> wrote:

> From: Strahil Nikolov <hunter86...@yahoo.com>
> Sent: Wednesday, 22 April 2020 15:45
> To: users@ovirt.org <users@ovirt.org>; Edson Richter <edsonrich...@hotmail.com>; eev...@digitaldatatechs.com <eev...@digitaldatatechs.com>; france...@shellrent.com <france...@shellrent.com>
> Subject: Re: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
> On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter <edsonrich...@hotmail.com> wrote:
>> I'm in no way an oVirt expert. But as a Linux administrator, I would say
>> that firewalld and iptables are "front-ends" to the kernel's internal security
>> tables, so, at the end of the day, they will provide *almost* the same
>> functionality.
>>
>> It seems that firewalld is able to activate modules without restarting the
>> entire firewall infrastructure, which iptables is not capable of. This
>> gives firewalld an advantage, especially where you would not have
>> interruptions in existing stateful connections.
>>
>> I've used iptables *always* as a replacement for firewalld because of
>> almost 20 yrs using iptables - this is the first step in all of the about
>> hundred CentOS 7 installations I've done in the past few years. I just can't
>> throw away all my scripts that block hackers, provide 2- and 3-way
>> "knock-knock" lockers, fail2ban customizations, NAT rules, DMZ, and
>> all, every time a new "firewall" front end appears. I've seen at least
>> two or three "iptables killer techs" in the past, and iptables still is
>> the king - at least for me.
>>
>> Again, repeating myself, I'm no oVirt specialist. Just a seasonal Linux
>> admin who will not jump off the iptables train yet.
>>
>> Perhaps, I would not recommend completely deactivating all firewalling in
>> any server! If that is the case, I would instead advise to just
>> replace firewalld with iptables-services (at least, in CentOS 7) - but
>> only in case you have too much to lose without iptables (as I do).
>>
>> Regards,
>>
>> Edson
>>
>>
>> ________________________________
>> From: eev...@digitaldatatechs.com <eev...@digitaldatatechs.com>
>> Sent: Wednesday, 22 April 2020 12:18
>> To: france...@shellrent.com <france...@shellrent.com>; users@ovirt.org <users@ovirt.org>
>> Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>>
>> If you log in to the cockpit, you can add services or custom ports
>> easily. I would not disable the firewall.
>> <hostname:9090> for the cockpit.
>>
>> Eric Evans
>> Digital Data Services LLC.
>> 304.660.9080
>>
>>
>> -----Original Message-----
>> From: france...@shellrent.com <france...@shellrent.com>
>> Sent: Tuesday, April 21, 2020 12:54 PM
>> To: users@ovirt.org
>> Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>>
>> Hi all,
>>
>> I was wondering if it's "safe" to disable the firewalld service entirely
>> and manage the firewall only via iptables, on the host and on the
>> hosted engine (a self-hosted engine). It would make managing the firewall
>> rules a lot easier for me because of the many automatisms I
>> created based on iptables. Did anyone manage to do this? Any
>> contraindication for doing this or precaution that I have to take care
>> of?
>>
>> Thanks for your time and help,
>> Francesco
>> _______________________________________________
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PNKTCSWLJXKK6FAIJ7EJMWIFTH4GGCL5/
>
> Keep in mind that I had some issues with oVirt (it was more than a year
> ago - so don't ask for details) when either firewalld or SELinux was
> down.
>
> With so much experience in iptables - it's understandable, but keep in
> mind that in CentOS/RHEL 8 the iptables command is just a translator to
> nftables - with limited capability, and I don't think that it was a
> coincidence. With firewalld you can still achieve 90-95% of what you
> could do in iptables, while the rules are quite clear even for a new
> admin.
>
> What I really like is that you can predefine the ports and protos for
> a specific service and easily deploy it via salt or ansible.
>
> Best Regards,
> Strahil Nikolov
>
>
> Good to know!
> When I have time to return to my oVirt tests, I'll take a careful look
> at it.
> I'll also add a note to our CentOS 8 migration plans that all
> iptables scripts will have to be rewritten.
>
> Thanks,
>
> Edson Richter
As you are not the only one with zillions of iptables rules - check the CentOS mailing list. Maybe they have a way to keep you on iptables.

Best Regards,
Strahil Nikolov
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/LNS6S5JYWKI7GYJAHIN6UDBHL7DSWJTM/
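Editor's added example, not code from any participant in the thread or from the oVirt project. It puts the two points raised above into a shell script: a check for whether the host's `iptables` binary is the nftables translator that Strahil mentions for CentOS/RHEL 8 (iptables-nft reports "(nf_tables)" in `iptables -V`), and a generator for a firewalld service definition of the kind he suggests predefining and shipping via ansible or salt. The XML layout is firewalld's own service file format; the service name "ovirt-custom" is hypothetical, and tcp/9090 is the cockpit port Eric mentions. The privileged commands for both paths (keeping firewalld, or keeping iptables on CentOS 7 as Edson suggests) are left as comments, so the script runs as-is in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread or the oVirt project): the two paths the
# thread discusses, as shell functions.  Run as-is it only writes into a
# scratch directory; the privileged commands are left as comments.
set -e

# Classify the output of `iptables -V`.  On CentOS/RHEL 8 the iptables binary
# is the nftables translator and reports "(nf_tables)"; iptables-legacy
# reports "(legacy)", and CentOS 7's 1.4.x prints only the version string.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *)               echo legacy ;;
    esac
}

# Write a firewalld service definition.  $1 = service name, $2 = directory
# (normally /etc/firewalld/services), remaining args = proto/port pairs such
# as tcp/9090.  The XML layout is firewalld's own service file format, so the
# file can be shipped by ansible or salt and enabled with firewall-cmd.
write_firewalld_service() {
    svc_name=$1; svc_dir=$2; shift 2
    svc_file="$svc_dir/$svc_name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$svc_name"
        printf '  <description>Ports for %s (generated)</description>\n' "$svc_name"
        for pp in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${pp%%/*}" "${pp#*/}"
        done
        printf '</service>\n'
    } > "$svc_file"
    echo "$svc_file"
}

# Number of <port> entries in a service file, to check what was written.
service_port_count() {
    grep -c '<port ' "$1"
}

# Stand-alone demo in a scratch directory.  "ovirt-custom" is a hypothetical
# service name; tcp/9090 is the cockpit port mentioned in the thread.
demo_dir=$(mktemp -d)
demo_file=$(write_firewalld_service ovirt-custom "$demo_dir" tcp/9090)
cat "$demo_file"
echo "backend: $(iptables_backend "$(iptables -V 2>/dev/null || echo unknown)")"

# Path 1 - keep firewalld and load the service (needs root):
#   cp "$demo_file" /etc/firewalld/services/ovirt-custom.xml
#   firewall-cmd --reload
#   firewall-cmd --permanent --add-service=ovirt-custom
#   firewall-cmd --reload
#
# Path 2 - CentOS 7 only: keep iptables instead of firewalld.  Mask firewalld
# so nothing can start it next to iptables, and never leave the host with no
# firewall at all:
#   yum install iptables-services
#   systemctl stop firewalld && systemctl mask firewalld
#   systemctl enable --now iptables
```

Whichever path you take, run the backend check on a CentOS 8 host before trusting old scripts there: if it says "nft", the rules go through iptables-nft's translation layer, and anything the translator does not support is exactly what the thread warns about.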