Firewalld 1.0 Released With Big Improvements

  • #51
    Being used to application firewalls like simplewall and Glasswire on Windows, AFWall+ on Android, OpenSnitch on Linux, nobody could convince me to waste my time with a port based firewall.
    I just don't have the time to search all the used ports for the programs that I need.
    Plus some programs like bittorrent clients can have an option to use a random port; I wonder how I would create a rule for that in a port-based firewall.

    • #52
      I understand that Firewalld is also used by openSUSE with the Yast interface ... I personally got on very well with it and rarely had to deal with it, but when it happened it was simple and intuitive.
      • #53
        Originally posted by Danny3 View Post
        Plus some programs like bittorrent clients can have an option to use a random port; I wonder how I would create a rule for that in a port-based firewall.
        It is not all port-based of course. I have not done any nftables rules for a single process ID myself, but I used cgroups instead, where I grouped several processes into a cgroup for the same purpose. The filter rules then apply to all the processes within the cgroup. It is also possible to use user and group IDs and create filter rules for users and groups of users. For individual processes it will likely work similarly, in that one has to mark a process and then add filter rules based on the mark.

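Post #53 above describes scoping rules to a cgroup or a Unix group instead of to a port. The nftables ruleset below is an added example, not code from any poster in this thread; it restricts outbound traffic for one cgroup and one group the way the post describes, so a client that binds a random port is still covered. It assumes a cgroup v2 host with a recent nft, and the cgroup path `user.slice/torrent.slice` and group name `torrent` are placeholders.

```nft
# Added example (not from the thread). Assumes cgroup v2 and nft >= 1.0.
# "user.slice/torrent.slice" and the group "torrent" are assumed placeholders.
table inet egress {
    chain output {
        type filter hook output priority filter; policy accept;

        # Loopback and replies to already-accepted flows pass untouched.
        oif "lo" accept
        ct state established,related accept

        # Every process inside the assumed cgroup is matched by the socket's
        # cgroup, not by any port it happens to bind, so a random port is fine.
        socket cgroupv2 level 2 "user.slice/torrent.slice" jump torrent_egress

        # Processes running under the assumed Unix group get the same policy.
        meta skgid "torrent" jump torrent_egress
    }

    # Policy for the matched processes: DNS and HTTPS only, log anything else.
    chain torrent_egress {
        udp dport 53 accept
        tcp dport { 53, 443 } accept
        log prefix "torrent-egress-drop: " drop
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the `torrent-egress-drop:` prefix to see which destinations the grouped processes tried to reach.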
        • #54
          Originally posted by sdack View Post
          Of course, I think we both can agree on this.

          But do know that you can use nftables to fully automate your setup so that you no longer need to switch manually. You can filter traffic based on the MAC addresses of the access points and only when you are at home allow for all sorts of traffic to pass, and be more restrictive everywhere else. You should be able to do this with firewalld, too.
          If you are looking for a trick to achieve that at least partly using nftables alone, yes of course you will find it. But that doesn't mean that it makes sense or that it's a solution one should recommend to anyone unless it's someone who has a particular interest in firewalls and the way they operate. A normal user can easily understand the notions "I'm at home, I'm at work, I'm at a friend's house where I can kind of trust some stuff, I'm at the airport where I don't trust anything" and a good solution is one that presents them with exactly those options that map to their view of the world. Expecting the user to start worrying about which device has which MAC address (which can also change, by the way) and deal with the minutiae of nftables syntax to filter packets based on MAC addresses is plain absurd. Most computer users are gamers, graphic artists, scientists, software developers, social media fans etc. whose interest in, and enjoyment of OS administration is exactly zero.

          • #55
            Originally posted by sdack View Post
            When you are using a GUI or another app then you are not really using firewalld. Or, when you do want to say so, then you also have to say you are using nftables, because firewalld is based on nftables. You cannot ride half a horse and pretend the other half had nothing to do with you.
            So when using GNOME you are not really using Linux? Using Linux means only invoking kernel syscalls in assembly? You really sound like some l33t kid to me.

            • #56
              Originally posted by jacob View Post
              So when using GNOME you are not really using Linux? Using Linux means only invoking kernel syscalls in assembly? You really sound like some l33t kid to me.
              I am saying he cannot claim to be using firewalld without using nftables, all while he claims to be using firewalld by using a GUI to firewalld. You want to read my comment again and wait a little for it to sink in.

              And what does a l33t kid sound like? I do not know. If they sound like 50-year olds on the Internet then perhaps I do sound like one.
              sdack
              Last edited by sdack; 23 July 2021, 07:13 PM.

              • #57
                Originally posted by jacob View Post
                If you are looking for a trick to achieve that at least partly using nftables alone, yes of course you will find it. But that doesn't mean that it makes sense or that it's a solution one should recommend to anyone unless it's someone who has a particular interest in firewalls and the way they operate. A normal user can easily understand the notions "I'm at home, I'm at work, I'm at a friend's house where I can kind of trust some stuff, I'm at the airport where I don't trust anything" and a good solution is one that presents them with exactly those options that map to their view of the world. Expecting the user to start worrying about which device has which MAC address (which can also change, by the way) and deal with the minutiae of nftables syntax to filter packets based on MAC addresses is plain absurd. Most computer users are gamers, graphic artists, scientists, software developers, social media fans etc. whose interest in, and enjoyment of OS administration is exactly zero.
                Manual switching is great, until you forget to switch. But do not get hung up on it. It was merely a suggestion of what you can do, and I was not saying you would have to do it.

                • #58
                  Originally posted by pal666 View Post
                  nobody uses assembly to implement algorithms. std::sort is an algorithm and it's implemented in c++ templates because that's the only way which can be optimized by compiler on the scale of full application. what you are thinking about is using special assembly instructions for codecs, it's a tiny niche
                  Actually codecs are mostly implemented using the compiler's SIMD intrinsics. Ok, technically they are basically assembly instructions.

                  • #59
                    Originally posted by sdack View Post
                    I am saying he cannot claim to be using firewalld without using nftables, all while he claims to be using firewalld by using a GUI to firewalld. You want to read my comment again and wait a little for it to sink in.
                    Mate, before you lecture someone about what needs to "sink in" you really should make an effort to understand what many people have been trying to explain to you in this thread - apparently unsuccessfully so far. Firewalld uses nftables internally just like nftables uses the Linux kernel, which uses the CPU, which uses etc... That's irrelevant. The point is that nftables brings a low level of abstraction that's neither pertinent nor useful for the use cases that we are discussing here. Firewalld is designed to provide precisely that level of abstraction. Whether someone uses it through the GUI or through the CLI is irrelevant. Besides, AFAIK you are wrong because the firewall-cmd command talks to firewalld through DBUS exactly the same way as the firewall-config GUI, so they are on the same level of the software stack and are both equally "native".

                    • #60
                      Originally posted by sdack View Post
                      Manual switching is great, until you forget to switch. But do not get hung up on it. It was merely a suggestion of what you can do, and I was not saying you would have to do it.
                      One of the main advantages of firewalld is that the switching is automatic. You select a zone the first time you connect somewhere, then it remembers it and will switch to it next time and every time you go there, so you don't forget. For me personally that alone is 90% of the reasons I use firewalld.
