List: firewalld-users
Subject: Re: differences between various --direct commands
From: alen.alen () powdermail ! com
Date: 2018-04-18 19:29:44
Message-ID: 20180418192944.Horde.2sKySsc4lpK5Cq3KySuA3AZ () vfemail ! net
Quoting Eric Garver <egarver@redhat.com>:
> Hello,
>
> On Fri, Apr 13, 2018 at 06:44:15PM +0000, alen.alen@powdermail.com wrote:
>> For adding a custom iptables rule using firewall-cmd, I'm having a difficult
>> time understanding the difference between these:
>
> firewalld has three levels of custom rules. They offer different levels
> of control. In descending order (high level --> low level):
>
> 1) rich rules
> - abstraction over iptables. This small language is defined by
> firewalld and is guaranteed to work across firewalld releases
> and iptables versions.
>
> 2) direct rules
> - passes rules directly to iptables. firewalld makes no attempt
> to verify the arguments that are sent to iptables.
> - usually used to insert rules into the pre-created
> <zone>_direct chains.
>
> 3) direct passthrough rules
> - similar to #2 above, but allows you to insert into _any_ chain.
> Even the top-level chains of iptables.
> - used as a last resort
>
>>
>> --direct --add-rule
>
> As described in #2 above.
>
>> --direct --passthrough
>
> Allows passing a command to iptables, but it will be untracked. This
> means once the command has executed firewalld has no further knowledge
> about its execution. It does not keep runtime state that may have
> occurred and it does not cause any configuration changes.
>
> This is almost certainly not what you want. I'm not even sure why it
> exists.
>
>> --direct --add-passthrough
>
> As described in #3 above.
>
>>
>> The manual explanation sounds the same for all three. There must be a reason
>> to have each one, they have to be different, can you help me know which I am
>> to use?
>
> If you can use rich rules, then definitely use them over the others.
> They're portable even if the firewall backend changes (i.e. when we
> switch to nftables).
>
> Hope that helps.
Yes, it does, very much!
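An added illustration of the three levels Eric lists (example script, not from the thread or from the firewalld project): part 1 builds the same intent, accepting TCP/22 from one source into one zone, as a rich rule, as a direct rule, as a tracked passthrough and as an untracked passthrough; part 2 audits captured `firewall-cmd --direct --get-all-rules` and `--direct --get-all-passthroughs` listings (the sample lines are constructed) and flags tracked passthroughs that land in top-level iptables chains. The zone name "public", the source 10.0.0.0/24 and the sample listings are assumptions for the demo. Nothing is applied unless APPLY=1 is set and firewall-cmd is on PATH, so the script dry-runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or firewalld): the same policy at each
# level, plus an audit of direct listings. Zone, source and samples are made up.

SRC="10.0.0.0/24"   # hypothetical trusted network
ZONE="public"       # hypothetical zone

# 1) rich rule: firewalld's own language, independent of the backend.
rich_rule_cmd() {
    printf '%s\n' "firewall-cmd --zone=$ZONE --add-rich-rule='rule family=\"ipv4\" source address=\"$SRC\" port port=\"22\" protocol=\"tcp\" accept'"
}

# 2) direct rule: raw iptables arguments, tracked by firewalld, priority 0.
#    firewalld does not check the arguments; only iptables will reject typos.
direct_rule_cmd() {
    printf '%s\n' "firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s $SRC -p tcp --dport 22 -j ACCEPT"
}

# 3) tracked passthrough: any chain, here inserted at the head of INPUT.
add_passthrough_cmd() {
    printf '%s\n' "firewall-cmd --direct --add-passthrough ipv4 -I INPUT -s $SRC -p tcp --dport 22 -j ACCEPT"
}

# Untracked passthrough: same iptables effect, but firewalld forgets it at once,
# so it never appears in --get-all-passthroughs and is gone after a reload.
untracked_passthrough_cmd() {
    printf '%s\n' "firewall-cmd --direct --passthrough ipv4 -I INPUT -s $SRC -p tcp --dport 22 -j ACCEPT"
}

# Execute a command string only when explicitly asked and the tool exists.
run() {
    if [ "${APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
        eval "$1"
    else
        printf 'dry-run: %s\n' "$1"
    fi
}

# Part 2: audit. Listing formats on stdin:
#   get-all-rules:        <ipv> <table> <chain> <priority> <iptables args...>
#   get-all-passthroughs: <ipv> <iptables args...>
# Prints "KIND CHAIN ARGS" per rule; exits 1 if a passthrough sits in a
# top-level chain (the "last resort" case Eric describes).
audit_direct_rules() {   # $1 = "rule" or "passthrough"
    awk -v kind="$1" '
        BEGIN { n = split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING", tl, " ")
                for (k = 1; k <= n; k++) toplevel[tl[k]] = 1; bad = 0 }
        NF == 0 { next }
        {
            if (kind == "rule") { chain = $3; first = 5 }
            else {
                chain = "?"; first = 2
                for (i = 2; i <= NF; i++)
                    if ($i ~ /^-(A|I|D|R)$/) { chain = $(i + 1); break }
            }
            args = ""
            for (i = first; i <= NF; i++) args = args (args == "" ? "" : " ") $i
            flag = ""
            if (kind == "passthrough" && (chain in toplevel)) {
                flag = " [top-level chain]"; bad = 1
            }
            printf "%s %s %s%s\n", kind, chain, args, flag
        }
        END { exit bad }'
}

# Constructed sample listings standing in for live firewall-cmd output.
sample_rules() {
    cat <<'EOF'
ipv4 filter INPUT 0 -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT
ipv4 filter FORWARD 1 -i eth0 -o eth1 -j ACCEPT
EOF
}
sample_passthroughs() {
    cat <<'EOF'
ipv4 -I INPUT -s 192.0.2.7 -j DROP
ipv4 -A INPUT_direct -p udp --dport 53 -j ACCEPT
EOF
}

# Demo: show each level, then audit the samples.
for f in rich_rule_cmd direct_rule_cmd add_passthrough_cmd untracked_passthrough_cmd; do
    run "$($f)"
done
echo "--- tracked direct rules ---"
sample_rules | audit_direct_rules rule || true
echo "--- tracked passthroughs ---"
sample_passthroughs | audit_direct_rules passthrough || echo "WARNING: passthrough(s) in top-level chains"
```

Against a live host, replace the two sample functions with `firewall-cmd --direct --get-all-rules` and `firewall-cmd --direct --get-all-passthroughs`; anything added with the untracked `--direct --passthrough` form will not show up in either listing, which is exactly the caveat in the reply above.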
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org