On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter <edsonrich...@hotmail.com> wrote:
>I'm in no way an oVirt expert. But as a Linux administrator, I would say
>that firewalld and iptables are "front-ends" to the kernel's internal
>security tables, so, at the end of the day, they will provide *almost*
>the same functionality.
>
>It seems that firewalld is able to activate modules without restarting
>the entire firewall infrastructure, which iptables is not capable of.
>This leverages an advantage for firewalld, especially where you would
>not have interruptions in existing stateful connections.
>
>I've *always* used iptables as a replacement for firewalld because of
>almost 20 years using iptables - this is the first step in all of the
>about hundred CentOS 7 installations I've done in the past few years. I
>just can't throw away all my scripts that block hackers, provide 2- and
>3-way "knock-knock" lockers, fail2ban customizations, NAT rules, DMZ,
>and all, every time a new "firewall" front end appears. I've seen at
>least two or three "iptables killer techs" in the past, and iptables is
>still the king - at least for me.
>
>Again, repeating myself, I'm no oVirt specialist. Just a seasonal Linux
>admin who will not jump off the iptables train yet.
>
>Perhaps, I would not recommend completely deactivating all firewall on
>any server! If that is the case, I would instead advise just replacing
>firewalld with iptables-services (at least in CentOS 7) - but only in
>case you have too much to lose without iptables (as I do).
>
>Regards,
>
>Edson
>
>
>________________________________
>From: eev...@digitaldatatechs.com <eev...@digitaldatatechs.com>
>Sent: Wednesday, April 22, 2020 12:18
>To: france...@shellrent.com <france...@shellrent.com>;
>users@ovirt.org <users@ovirt.org>
>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>If you log in to the cockpit, you can add services or custom ports
>easily. I would not disable the firewall.
><hostname:9090> for the cockpit.
>
>Eric Evans
>Digital Data Services LLC.
>304.660.9080
>
>
>-----Original Message-----
>From: france...@shellrent.com <france...@shellrent.com>
>Sent: Tuesday, April 21, 2020 12:54 PM
>To: users@ovirt.org
>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>
>Hi all,
>
>I was wondering if it's "safe" to disable the firewalld service entirely
>and manage the firewall only via iptables, on the host and on the
>hosted engine (a self-hosted engine). It would make managing the
>firewall rules a lot easier for me because of the many automatisms I
>created based on iptables. Did anyone manage to do this? Any
>contraindication for doing this or precaution that I have to take care
>of?
>
>Thanks for your time and help,
>Francesco
>_______________________________________________
>Users mailing list -- users@ovirt.org
>To unsubscribe send an email to users-le...@ovirt.org
>Privacy Statement: https://www.ovirt.org/privacy-policy.html
>oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PNKTCSWLJXKK6FAIJ7EJMWIFTH4GGCL5/
Keep in mind that I had some issues with oVirt (it was more than a year ago - so don't ask for details) when either firewalld or SELinux were down.

With so much experience in iptables it's understandable, but keep in mind that in CentOS/RHEL 8 the iptables command is just a translator to nftables - with limited capability - and I don't think that was a coincidence.

With firewalld you can still achieve 90-95% of what you could do in iptables, while the rules are quite clear even for a new admin. What I really like is that you can predefine the ports and protocols for a specific service and easily deploy it via Salt or Ansible.

Best Regards,
Strahil Nikolov
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/DNTRCWKITDCVN5TJD6CUBJSWAIY2EPQ5/
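Added example, not code from this thread or from the oVirt project, showing the two approaches the replies describe side by side: Strahil's point that a firewalld service (its ports and protocols) can be predefined as a file and shipped with Ansible or Salt, and Edson's alternative of swapping firewalld for iptables-services on CentOS 7. The two render functions only print text and can be run anywhere; the apply functions need root on the target host and are only reached when APPLY is set. The service name "ovirt-extra" and port 22/tcp (ssh) are assumptions; 9090/tcp (cockpit) is the one port the thread names. The rules oVirt itself needs on a host are set up by the engine when it deploys the host and are not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the oVirt thread or project. Two renderings of
# one small rule set: a custom firewalld service XML (ship it with Ansible/Salt)
# and an iptables-restore file for iptables-services on CentOS 7.
# Assumptions: the service name "ovirt-extra" and 22/tcp (ssh) are made up;
# 9090/tcp is the cockpit port named in the thread.
set -eu

# Print a firewalld service definition for NAME and "port/proto" entries.
# Install it under /etc/firewalld/services/NAME.xml, then reload firewalld.
render_firewalld_service() {
  name=$1; shift
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n' "$name"
  for entry in "$@"; do
    printf '  <port protocol="%s" port="%s"/>\n' "${entry#*/}" "${entry%/*}"
  done
  printf '</service>\n'
}

# Print the equivalent rules in iptables-save format: INPUT defaults to DROP,
# loopback and established flows are allowed, then one ACCEPT per entry.
render_iptables_rules() {
  printf '*filter\n'
  printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
  printf -- '-A INPUT -i lo -j ACCEPT\n'
  printf -- '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
  for entry in "$@"; do
    proto=${entry#*/}; port=${entry%/*}
    printf -- '-A INPUT -p %s -m %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$proto" "$proto" "$port"
  done
  printf 'COMMIT\n'
}

# Path 1 (firewalld): drop the service file in place and open it in the
# default zone. The first reload makes firewalld read the new definition.
apply_firewalld() {
  name=$1; shift
  render_firewalld_service "$name" "$@" > "/etc/firewalld/services/$name.xml"
  firewall-cmd --reload
  firewall-cmd --permanent --add-service="$name"
  firewall-cmd --reload
}

# Path 2 (iptables-services): replace firewalld on CentOS 7 (package and unit
# names as shipped there). iptables-restore loads the whole table in one step.
apply_iptables() {
  systemctl stop firewalld
  systemctl disable firewalld
  systemctl mask firewalld
  yum -y install iptables-services
  render_iptables_rules "$@" > /etc/sysconfig/iptables
  iptables-restore < /etc/sysconfig/iptables
  systemctl enable iptables
  systemctl start iptables
}

# Without APPLY set, only print both renderings (safe to run anywhere).
case "${APPLY:-}" in
  firewalld) apply_firewalld ovirt-extra 22/tcp 9090/tcp ;;
  iptables)  apply_iptables 22/tcp 9090/tcp ;;
  *) render_firewalld_service ovirt-extra 22/tcp 9090/tcp
     render_iptables_rules 22/tcp 9090/tcp ;;
esac
```

Run it as-is to see both renderings; on a host, as root, APPLY=firewalld takes path 1 and APPLY=iptables takes path 2. Both paths keep a default-deny INPUT chain (firewalld's default zone does the same for anything not listed), which is the part worth preserving whichever front end you choose.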