Firewalld 1.2 Released With New Services Added

    Phoronix: Firewalld 1.2 Released With New Services Added

    Firewalld 1.2 was released on Friday as the newest feature release for this Linux firewall daemon. Bug fix releases for existing stable series were released with Firewalld 1.1.2, 1.0.5, and 0.9.9...

    https://www.phoronix.com/scan.php?pa...d-1.2-Released

  • #2
    Firewalld has a nice GUI and an easy to understand services & ports system. It's simple and nice for both desktop and CLI... until you try to manage it dynamically. Then it falls flat on its face, because of the terribly slow updates. I'd like to use it as a back-end to things like fail2ban and forget about all the low level stuff, but it's just too heavy.
    Does anybody know if there's attention to this aspect or if it's out of scope for this project?



    • #3
      I mostly use firewalld because of the NetworkManager integration. I don't know any other ready-made way to have different rules for different SSIDs.



      • #4
        Originally posted by _ReD_:
        Firewalld has a nice GUI and an easy to understand services & ports system. It's simple and nice for both desktop and CLI... until you try to manage it dynamically. Then it falls flat on its face, because of the terribly slow updates. I'd like to use it as a back-end to things like fail2ban and forget about all the low level stuff, but it's just too heavy.
        Does anybody know if there's attention to this aspect or if it's out of scope for this project?
        I'm not sure what you mean with "terribly slow", it's a couple of seconds at worst, that shouldn't be that much of an issue. Detecting any kind of attack takes several seconds or minutes on its own.

        Anyway, what I'd like to see Firewalld do is port-knocking support at last.



        • #5
          Originally posted by anarki2:
          I'm not sure what you mean with "terribly slow", it's a couple of seconds at worst, that shouldn't be that much of an issue. Detecting any kind of attack takes several seconds or minutes on its own.
          Well, on smaller servers in production I count a few—to a few tens—of bans *per* *second*. With firewalld -that- floors their perfectly good CPUs, while nftables doesn't even break a sweat with multiple hundreds. So, you know...

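          To make concrete what the two posters above are comparing, here is an added example (not code from this thread, from Phoronix, or from the Firewalld project) of the nftables pattern that keeps high ban rates cheap: banned addresses are elements of a set with a per-element timeout, and a single rule matches against the set, so adding or expiring a ban never rewrites or reloads a rule. The table and set names, the open ports, and the 203.0.113.0/24 addresses are assumed placeholders; note that `flush ruleset` replaces any rules already loaded on the host.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or the firewalld project.
# Bans are set elements with a timeout; the rules never change when a ban
# is added, so each ban costs one set insertion instead of a rule reload.
flush ruleset

table inet filter {
    # IPv4 ban list: elements expire after 1h unless given their own timeout
    set banned4 {
        type ipv4_addr
        flags timeout
        timeout 1h
    }
    # IPv6 ban list, same policy
    set banned6 {
        type ipv6_addr
        flags timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # One set lookup per packet, however many addresses are banned;
        # the counter shows how much traffic the ban list is absorbing
        ip saddr @banned4 counter drop
        ip6 saddr @banned6 counter drop

        # Assumed service ports for this example host
        tcp dport { 22, 80, 443 } accept
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
    }
}

# Runtime ban management (addresses are constructed documentation-range examples):
#   nft add element inet filter banned4 { 203.0.113.7 }              # default 1h timeout
#   nft add element inet filter banned4 { 203.0.113.8 timeout 10m }  # per-element timeout
#   nft delete element inet filter banned4 { 203.0.113.7 }           # manual unban
#   nft list set inet filter banned4                                 # shows time remaining
```

          Load the file once with `nft -f`, after which a ban tool only issues `add element` calls; expiry is handled in the kernel, so nothing has to poll for stale bans. The firewalld-native equivalent is an ipset used as a zone source: `firewall-cmd --permanent --new-ipset=banned --type=hash:ip --option=timeout=3600`, then `firewall-cmd --permanent --zone=drop --add-source=ipset:banned` and a reload, after which `firewall-cmd --ipset=banned --add-entry=203.0.113.7` adds a runtime entry without touching the rule set (the ipset name and timeout are placeholders here).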


          • #6
            Actually, I wish systemd had some basic firewall functionality. Not that I need it since I use opnsense, but I would still like to see this in systemd.

            http://www.dirtcellar.net



            • #7
              Another fast and lightweight, but unusual option is to run OpenWrt in a container or VM. Pass it the NICs (works with WiFi too) and leave a veth/tap interface for the host. Then set up the networking, firewall, VPN, fail2ban and whatever else you like. This also works nicely on servers when you don't have a dedicated firewall box in front, and it supports more exotic networking protocols like VXLAN.
