
List:       firewalld-users
Subject:    Re: differences between various --direct commands
From:       alen.alen () powdermail ! com
Date:       2018-04-18 19:29:44
Message-ID: 20180418192944.Horde.2sKySsc4lpK5Cq3KySuA3AZ () vfemail ! net


Quoting Eric Garver <egarver@redhat.com>:

> Hello,
>
> On Fri, Apr 13, 2018 at 06:44:15PM +0000, alen.alen@powdermail.com wrote:
>> For adding a custom iptables rule using firewall-cmd, I'm having a difficult
>> time understanding the difference between these:
>
> firewalld has three levels of custom rules. They offer different levels
> of control. In descending order (high level --> low level):
>
>     1) rich rules
>         - abstraction over iptables. This small language is defined by
>           firewalld and is guaranteed to work between firewalld releases
>           and iptables versions.
>
>     2) direct rules
>         - passes rules directly to iptables. firewalld makes no attempt
>           to verify the arguments that are sent to iptables.
>         - usually used to insert rules into the pre-created
>           <zone>_direct chains.
>
>     3) direct passthrough rules
>         - similar to #2 above, but allows you to insert into _any_ chain.
>           Even the top-level chains of iptables.
>         - used as a last resort
>
>>
>> --direct --add-rule
>
> As described in #2 above.
>
>> --direct --passthrough
>
> Allows passing a command to iptables, but it will be untracked. This
> means once the command has executed firewalld has no further knowledge
> about its execution. It does not keep runtime state that may have
> occurred and it does not cause any configuration changes.
>
> This is almost certainly not what you want. I'm not even sure why it
> exists.
>
>> --direct --add-passthrough
>
> As described in #3 above.
>
>>
>> The manual explanation sounds the same for all three. There must be a reason
>> to have each one, they have to be different, can you help me know which I am
>> to use?
>
> If you can use rich rules, then definitely use them over the others.
> They're portable even if the firewall backend changes (i.e. when we
> switch to nftables).
>
> Hope that helps.

Yes it does very much!!

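The three levels from the reply above, side by side, as an added example that is not part of this thread: one policy ("accept TCP 8080 from 192.0.2.0/24") written as a rich rule, a direct rule, a direct passthrough and the untracked one-shot passthrough. SRC, PORT and ZONE are constructed sample values, and naming the built-in INPUT chain for the direct rule is an assumption about the host's chain layout; the script only prints the firewall-cmd lines unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Each function prints the firewall-cmd
# invocation it stands for; nothing is applied unless APPLY=1 is set, so the
# script is safe to run on a machine without firewalld.
# SRC/PORT/ZONE are constructed sample values; the INPUT chain name used for
# the direct rule is an assumption about the host's iptables layout.

SRC="192.0.2.0/24"
PORT="8080"
ZONE="public"

emit() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Level 1: rich rule. firewalld's own mini-language; firewalld parses it and
# it keeps working when the backend changes (iptables -> nftables).
rich_rule() {
    emit firewall-cmd --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$SRC\" port port=\"$PORT\" protocol=\"tcp\" accept"
}

# Level 2: direct rule. Raw iptables arguments that firewalld does not check,
# but the rule is tracked (listed by --direct --get-all-rules, removable).
# Argument order: family table chain priority <iptables match/target args>.
direct_rule() {
    emit firewall-cmd --direct --add-rule ipv4 filter INPUT 0 \
        -s "$SRC" -p tcp --dport "$PORT" -j ACCEPT
}

# Level 3: direct passthrough. Still tracked, but the arguments are a complete
# iptables command line, so any chain can be targeted (last resort).
direct_passthrough() {
    emit firewall-cmd --direct --add-passthrough ipv4 \
        -I INPUT -s "$SRC" -p tcp --dport "$PORT" -j ACCEPT
}

# --passthrough without "add": a one-shot, untracked call. firewalld runs it
# and forgets it, so a read-only query such as listing a chain is the only
# shape that does not leave unmanaged state behind.
untracked_query() {
    emit firewall-cmd --direct --passthrough ipv4 -L INPUT -n
}

# Add --permanent to any --add-* form to write the rule to the configuration
# instead of only to the running firewall.
rich_rule; direct_rule; direct_passthrough; untracked_query
```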
