[CentOS] C7, firewalld and rich rules

2019-01-30 Thread mark
Hi, again, folks, I'm trying to convert a number of iptables rules to firewalld rich rules. I need to do this, because this is, in fact, a firewall, to protect access to servers with sensitive data. It will limit access to the servers behind it to a specific network, and nobody else, and allow

Re: [CentOS] C7, firewalld and rich rules

2019-01-30 Thread Gordon Messmer
On 1/30/19 12:40 PM, mark wrote:
> What I've been trying to find is a script/program that converts the output of iptables-save to something I can feed to firewall-cmd. Anyone have a link to such?

None that I know of. It might be easier for you to convert existing rules to "direct" rules th

Re: [CentOS] C7, firewalld and rich rules

2019-01-30 Thread Simon Matter via CentOS
> Hi, again, folks,
>
> I'm trying to convert a number of iptables rules to firewalld rich
> rules. I need to do this, because this is, in fact, a firewall, to
> protect access to servers with sensitive data. It will limit access to
> the servers behind it to a specific network, and nobody else,

Re: [CentOS] C7, firewalld and rich rules

2019-01-31 Thread Gordon Messmer
On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
> Did you look at Shorewall? IMHO that's what is best used in such situations and it works since many years now.

shorewall doesn't support nftables, which is largely the point of firewalld: The Linux firewall system is currently undergoing ye

Re: [CentOS] C7, firewalld and rich rules

2019-01-31 Thread Simon Matter via CentOS
> On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
>> Did you look at Shorewall? IMHO that's what is best used in such
>> situations and it works since many years now.
>
> shorewall doesn't support nftables, which is largely the point of
> firewalld: The Linux firewall system is currently und

Re: [CentOS] C7, firewalld and rich rules

2019-01-31 Thread mark
Gordon Messmer wrote:
> On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
>
>> Did you look at Shorewall? IMHO that's what is best used in such
>> situations and it works since many years now.
>
> shorewall doesn't support nftables, which is largely the point of
> firewalld: The Linux firewall s

Re: [CentOS] C7, firewalld and rich rules

2019-01-31 Thread Stephen John Smoogen
On Thu, 31 Jan 2019 at 13:13, mark wrote:
> Gordon Messmer wrote:
> > On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
> >
> >> Did you look at Shorewall? IMHO that's what is best used in such
> >> situations and it works since many years now.
> >
> > shorewall doesn't support nftables, which

Re: [CentOS] C7, firewalld and rich rules

2019-01-31 Thread Warren Young
On Jan 31, 2019, at 11:12 AM, mark wrote:
>
> Why would *ANYONE* think that everyone should just start from scratch,
> taking all the time in the world to get it converted?

If the conversion were simple enough to be easily automated, the new system is probably no more than just a syntactic diff

Re: [CentOS] C7, firewalld and rich rules

2019-01-31 Thread mark
Ok, I've found something that will work - adding --direct rules. That, I can do via iptables-save | a 10-line awk script. A question, though: in iptables, we've got INPUT and FORWARD defined as using the same chain. Is there a way to do that with firewalld - it's not clear from what I'm reading.

Re: [CentOS] C7, firewalld and rich rules

2019-01-31 Thread mark
Warren Young wrote:
> On Jan 31, 2019, at 11:12 AM, mark wrote:
>>
>> Why would *ANYONE* think that everyone should just start from scratch,
>> taking all the time in the world to get it converted?
>
> If the conversion were simple enough to be easily automated, the new
> system is probably no mor

Re: [CentOS] C7, firewalld and rich rules

2019-01-31 Thread Stephen John Smoogen
On Thu, 31 Jan 2019 at 17:43, mark wrote:
> Warren Young wrote:
> >
> > It’s much the same as asking why there aren’t automatic programming
> > language conversion tools: we wouldn’t need more than one programming
> > language if they all mapped 1:1 to each other, short of going down to the
> > mac

Re: [CentOS] C7, firewalld and rich rules

2019-02-01 Thread Warren Young
On Jan 31, 2019, at 3:25 PM, mark wrote:
>
> Warren Young wrote:
>>
>> ...there aren’t automatic programming
>> language conversion tools...
>
> You mean like the one I meant to use 25 or so years ago, basic2c?

All right, so it’s a bad example, but it’s bad both directions. The problem of fir