On Oct 24, 2018, at 8:06 PM, Joel Freeman <joel at joelazot.xyz> wrote:
>
> Is there any reason to use Firewalld over IPTables?

Lots: https://firewalld.org/

> I'm incredibly new to Linux administration

Given that, which would you rather type:

    $ sudo firewall-cmd --add-service=ftp

or whatever that does under the hood, which probably resembles the 7 commands given here:

    https://unix.stackexchange.com/a/93555/138

The commands given will only take effect while the system runs, so to make them permanent, you have to edit `/etc/sysconfig/iptables` with a somewhat different syntax.

Contrast FirewallD, where you just re-issue the command above with a single additional flag:

    $ sudo firewall-cmd --add-service=ftp --permanent

FTP is an uncommonly difficult case, but direct iptables manipulation remains more difficult even in the single-port case.

FirewallD doesn't require that you use predefined services, either. It works just fine with raw port numbers:

    $ sudo firewall-cmd --add-port=50000/tcp

Contrast the equivalent iptables command:

    $ sudo iptables -A INPUT -p tcp --dport 50000 -j ACCEPT

...and that only works if inserting into the INPUT chain is what you actually want to do, which it might not be on a system managed by FirewallD, which probably set up some more complicated chain scheme you'd have to understand in order to get the expected behavior.

Why not let FirewallD handle all of that for you?

I don't miss direct iptables manipulation.
On 10/25/18 2:41 AM, Warren Young wrote:
> On Oct 24, 2018, at 8:06 PM, Joel Freeman <joel at joelazot.xyz> wrote:
>>
>> Is there any reason to use Firewalld over IPTables?
>
> Lots: https://firewalld.org/
>
> [...]
>
> I don't miss direct iptables manipulation.

Thanks, Warren, for the nice quick start covering everything one needs to configure firewalld. There is one thing related to "direct iptables manipulation", which is: suppose I made a configuration on some machine, which I am then going to replicate just by using kickstart when building new machines. What should I add to the kickstart configuration file to have my firewalld configuration reproduced on all newly built machines?
Thanks again!

Valeri

PS Your quick start reminds me how we were introducing UNIX (shell) to new users: basically we were showing them a handful of commands (5-10) with which a person can start, and knowing which a person can start doing what one needs. Bottom line: it takes 5-10 minutes to start using UNIX, no need to read a 1000-page book before starting. I have exactly the same feeling after your introduction to firewalld (except kickstart is missing for me).

--
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
On Oct 25, 2018, at 9:04 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> suppose I made a configuration on some machine, which I am then going to replicate just by using kickstart when building new machines. What should I add to the kickstart configuration file to have my firewalld configuration reproduced on all newly built machines?

We use shell scripts here to bring new machines up, not kickstart, but my first result in a web search looks useful:

    https://firewalld.org/documentation/man-pages/firewall-offline-cmd.html
On 10/25/2018 12:41 AM, Warren Young wrote:
> to make them permanent, you have to edit `/etc/sysconfig/iptables` with a somewhat different syntax.

Or use "service iptables save". On systems where I use raw iptables, I set the thing up with the command line tools and then use that command to snapshot the running firewall to the sysconfig file.

I'm using firewalld now, but I still inspect the resulting iptables to see what it does. You can do this with "iptables-save > /tmp/iptables.txt". (That's the command that the initscript uses under the hood to save the boot-time sysconfig file.)
On Thu, 25 Oct 2018, Valeri Galtsev wrote:
> Thanks, Warren, for the nice quick start covering everything one needs to configure
> firewalld. There is one thing related to "direct iptables manipulation",
> which is: suppose I made a configuration on some machine, which I am then going
> to replicate just by using kickstart when building new machines. What should
> I add to the kickstart configuration file to have my firewalld configuration
> reproduced on all newly built machines?

We stopped using kickstart and switched to ansible, but the process is basically the same. Simply copy the appropriate files in /etc/firewalld. For me that means the files in the zones directory and in the services directory. Any changes you have made to the default configurations will be stored under /etc/firewalld. If the directories are empty, then you are running defaults.

Because we run configuration management, I mostly just edit the files with an editor. The format is generally very simple to understand. The defaults are stored in /usr/lib/firewalld/. You can use the files there as examples by copying them to the correct directory in /etc/firewalld and making the necessary modifications. Don't forget to reload firewalld after any changes.

Regards,

--
Tom
me at tdiehl.org
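One way to make the zone configuration Tom describes reproducible for Valeri's kickstart case, as an added example that is not code from the thread or from the firewalld project: a POSIX shell script that renders a zone file in the same format as the shipped defaults under /usr/lib/firewalld/zones, ready for a kickstart %post, Ansible task or bring-up script to install into /etc/firewalld/zones. The zone name `webfront`, the service names and the port numbers are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: render a firewalld zone file of the kind
# Tom describes under /etc/firewalld/zones, so a kickstart %post, Ansible task
# or bring-up script can drop it in instead of re-typing firewall-cmd on every
# new machine.  Zone name, services and ports below are constructed samples.

# render_zone NAME OUTDIR SERVICE... -- PORT/PROTO...
# Writes OUTDIR/NAME.xml in the same format as the shipped defaults in
# /usr/lib/firewalld/zones, and prints the path of the file written.
render_zone() {
    name=$1; outdir=$2; shift 2
    file="$outdir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>Generated zone for %s hosts.</description>\n' "$name"
        mode=service
        for item in "$@"; do
            if [ "$item" = "--" ]; then mode=port; continue; fi
            if [ "$mode" = service ]; then
                printf '  <service name="%s"/>\n' "$item"
            else
                # item is written like 50000/tcp, as firewall-cmd --add-port takes it
                printf '  <port protocol="%s" port="%s"/>\n' "${item#*/}" "${item%/*}"
            fi
        done
        printf '</zone>\n'
    } > "$file"
    echo "$file"
}

# zone_has FILE service NAME | zone_has FILE port PORT/PROTO
# Exits 0 if the zone file opens that service or port; a cheap sanity check
# to run on the deployed file before `firewall-cmd --reload`.
zone_has() {
    case $2 in
        service) grep -q "<service name=\"$3\"/>" "$1" ;;
        port)    grep -q "<port protocol=\"${3#*/}\" port=\"${3%/*}\"/>" "$1" ;;
        *)       return 2 ;;
    esac
}

# Stand-alone demo: writes to a scratch directory rather than /etc/firewalld.
demo_zone() {
    dir=$(mktemp -d)
    render_zone webfront "$dir" ssh http https -- 50000/tcp 8443/tcp
}
```

After installing the generated file under /etc/firewalld/zones, reload firewalld as Tom notes (`firewall-cmd --reload`) and confirm the result with `firewall-cmd --zone=webfront --list-all`.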