On Thu, 31 Jan 2019 at 13:13, mark m.roth@5-cent.us wrote:
Gordon Messmer wrote:
On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
Did you look at Shorewall? IMHO that's what is best used in such situations and it has worked for many years now.
Shorewall doesn't support nftables, which is largely the point of firewalld: The Linux firewall system is currently undergoing yet another deprecation and migration from iptables to nftables. firewalld should remain stable during the migration process. As far as I know, there are no plans to support nftables under shorewall, so new users will most likely throw away any investment they make in learning and implementing shorewall.
I seem to have missed a few posts in my thread. Let me note that a) I'm at work. I have to do what is required. b) we are moving from iptables to firewalld. No other options.
Since the firewall system is moving from iptables to firewalld, WHY IS THERE NOT A PROGRAM INCLUDED with the firewalld package to convert EXISTING rules?
Each firewall will have its own set of rules. We have three? four? internal firewalls, *each* with its own rules. Since that's us, I assume there are tens, if not hundreds, of thousands just like us, many with more firewalls.
Why would *ANYONE* think that everyone should just start from scratch, taking all the time in the world to get it converted?
You answered your own question. Because a lot of different places set up their firewalls their own way and parsing all the different ones/ways seems to break over and over again? Firewalld is still outputting text in iptables format, and will output it in nftables later when it is done. It is just a program which tries to make decisions which certain classes of systems need to be done automagically.
For most RHEL-7 systems which have custom iptables rules, I thought the package iptables-services.x86_64 sets up everything to keep that going. If you need to move to firewalld because it should support future formats (nftables, plughtables, xyzzytables, etc.) you are going to need to learn the tool just like you had to from the ipchains to iptables days. [Pretty much every conversion tool from ipchains to iptables worked only on the simplest, but anyone with a custom firewall ended up having to learn the syntax.]
mark, still looking for a script
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
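A converter of the sort mark is asking for, written here as an added example (not from the thread, and not a firewalld or CentOS tool): it translates only the simplest INPUT/ACCEPT port rules from iptables-save output into firewall-cmd commands and reports everything else for manual review, which is exactly the limit the ipchains-to-iptables converters hit. The sample rules are constructed, and the zone name "public" is an assumption.

```python
import shlex

# Constructed sample in iptables-save format; not taken from the thread.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p udp --dport 161 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 80 -j LOG --log-prefix "web: "
COMMIT
"""

# The only options that map one-to-one onto a firewalld port or rich rule.
SIMPLE_OPTS = {"-A", "-p", "--dport", "-s", "-j"}


def parse_rule(line):
    """Map '-A INPUT -p tcp --dport 22 -j ACCEPT' to {'-A': 'INPUT', ...}."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        key, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else "-"
        if nxt.startswith("-"):      # flag without a value, e.g. --syn
            opts[key], i = True, i + 1
        else:
            opts[key], i = nxt, i + 2
    return opts


def convert(rules_text, zone="public"):
    """Return (firewall-cmd commands, rules that need manual review)."""
    commands, manual = [], []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue                 # table, policy and COMMIT lines carry no rule
        o = parse_rule(line)
        simple = (o.get("-A") == "INPUT" and o.get("-j") == "ACCEPT"
                  and o.get("-p") in ("tcp", "udp") and "--dport" in o
                  and set(o) <= SIMPLE_OPTS)
        if not simple:               # interfaces, state matches, LOG, custom chains...
            manual.append(line)
        elif "-s" in o:              # source restriction needs a rich rule, not --add-port
            rich = (f'rule family="ipv4" source address="{o["-s"]}" '
                    f'port port="{o["--dport"]}" protocol="{o["-p"]}" accept')
            commands.append(f"firewall-cmd --permanent --zone={zone} --add-rich-rule='{rich}'")
        else:
            commands.append(f"firewall-cmd --permanent --zone={zone} --add-port={o['--dport']}/{o['-p']}")
    return commands, manual


if __name__ == "__main__":
    for cmd in convert(SAMPLE_RULES)[0]:
        print(cmd)
```

Run it against real `iptables-save` output and treat the manual-review list as the actual migration work; on the sample, three of the five rules land there.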