Firewalld 1.3 Released With Easier Firewall Management For More Services
-
I still use "plain" iptables in a firewall. It is a rather complex setup and there is no migration tool known to me that will do the conversion to firewalld.
Additionally, at least to my knowledge, firewalld also doesn't support nice things like "rule shadowing" so what is the benefit? The syntax? That is something you get used to eventually anyway.
- Likes 2
Comment
-
Originally posted by johncall View Post
Do you configure raw nftables commands
Originally posted by johncall View Post
could firewalld help you do that?
- Likes 1
Comment
-
Originally posted by partcyborg View Post
This is one area where the modern BSDs are way ahead of Linux. OpenBSD's pf (FreeBSD uses it too now) is way better than iptables all around.
I have heard that there have been attempts to port pf to Linux, but I suspect the profound differences between the BSD and Linux networking stacks make porting extremely difficult.
Comment
-
Originally posted by Britoid View Post
I'd be very in favour of systemd coming with a firewall...
firewalld is written in Python and it's very easy to mess up a Python install; imho it's not sensible to have such an important piece of software written in it.
- Likes 1
Comment
-
There's a lot to respect in the plain barebones utility of iptables, but it's always seemed like a relic. Its syntax and usability are pretty poor when compared with even decades-old options (like Cisco ACLs), and it's missing rather useful features:
- Filtering based on binary path
- Filtering based on encryption state (whether by DPI or enforcement of IPsec tunnels)
- Filtering based on UID
Imagine if you could trivially create a rule that said "if traffic would be sent to host B, dynamically create a tunnel and send the traffic over that interface, or else block the traffic". The utility of this is diminishing with the proliferation of LetsEncrypt / HTTPS everywhere, but there are still protocols like NFS / iSCSI / SMB / SNMP / 9100 printing floating around that could do with a little security.
Comment
-
Originally posted by uid313 View Post
Can it do application-based filtering? So that I can only whitelist Firefox.
- Use eBPF to install rules to achieve this
- Install firejail and set up per-executable sandboxing
- Run apps inside containers, e.g. flatpak, snapd, docker
- Use a distro such as Qubes OS, which provides out-of-the-box sandboxing support so that you can run every app sandboxed in a VM created from a template, and even the network stack, USB stack and storage stack are run inside a Xen VM.
Last edited by NobodyXu; 06 January 2023, 08:20 AM.
Comment