Been looking, and haven't found the answer: in c7, is there a firewall-cmd command, or a systemctl cmd, to check whether ip6tables firewall is running
mark
On 24/10/18 00:35, Gordon Messmer wrote:
On 10/23/18 11:45 AM, Phil Perry wrote:
Yes, the same as for any other service: systemctl status ip6tables.service
That will not provide useful information if the system is using firewalld, as is the default configuration.
Thanks. I have firewalld disabled and just run the old school ip[6]tables services directly.
On 10/23/18 14:45, Phil Perry wrote:
On 23/10/18 19:05, mark wrote:
Been looking, and haven't found the answer: in c7, is there a firewall-cmd command, or a systemctl cmd, to check whether ip6tables firewall is running
Yes, the same as for any other service:
systemctl status ip6tables.service
Um, no. I've discovered that on our boxen we have ip6tables running - I can do ip6tables-save and see them, but ip6tables.service, which comes, I find, as part of iptables-services, is *not* installed.
Working around it.
mark
On a similar note, Is there any reason to use Firewalld over IPTables?
I'm incredibly new to Linux administration, and would like to your guys' opinions on it.
Many thanks, Joel.
On Wed, 24 Oct 2018 at 12:23, mark m.roth@5-cent.us wrote:
On 10/23/18 14:45, Phil Perry wrote:
On 23/10/18 19:05, mark wrote:
Been looking, and haven't found the answer: in c7, is there a
firewall-cmd
command, or a systemctl cmd, to check whether ip6tables firewall is running
Yes, the same as for any other service:
systemctl status ip6tables.service
Um, no. I've discovered that on our boxen we have ip6tables running - I can do ip6tables-save and see them, but ip6tables.service, which comes, I find, as part of iptables-services, is *not* installed.
Working around it.
mark
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On Oct 24, 2018, at 8:06 PM, Joel Freeman joel@joelazot.xyz wrote:
Is there any reason to use Firewalld over IPTables?
Lots: https://firewalld.org/
I'm incredibly new to Linux administration
Given that, which would you rather type:
$ sudo firewall-cmd --add-service=ftp
or whatever that does under the hood, which probably resembles the 7 commands given here:
https://unix.stackexchange.com/a/93555/138
The commands given will only take effect while the system runs, so to make them permanent, you have to edit `/etc/sysconfig/iptables` with a somewhat different syntax.
Contrast FirewallD, where you just re-issue the command above with a single additional flag:
$ sudo firewall-cmd --add-service=ftp --permanent
FTP is an uncommonly difficult case, but direct iptables manipulation remains more difficult even in the single-port case.
FirewallD doesn’t require that you use predefined services, either. It works just fine with raw port numbers:
$ sudo firewall-cmd --add-port=50000/tcp
Contrast the equivalent iptables command:
$ sudo iptables -A INPUT -p tcp --dport 50000 -j ACCEPT
…and that only works if inserting into the INPUT chain is what you actually want to do, which it might not be on a system managed by FirewallD, which probably set up some more complicated chain scheme you’d have to understand in order to get the expected behavior.
Why not let FirewallD handle all of that for you?
I don’t miss direct iptables manipulation.
On 10/25/18 2:41 AM, Warren Young wrote:
On Oct 24, 2018, at 8:06 PM, Joel Freeman joel@joelazot.xyz wrote:
Is there any reason to use Firewalld over IPTables?
Lots: https://firewalld.org/
I'm incredibly new to Linux administration
Given that, which would you rather type:
$ sudo firewall-cmd --add-service=ftpor whatever that does under the hood, which probably resembles the 7 commands given here:
https://unix.stackexchange.com/a/93555/138The commands given will only take effect while the system runs, so to make them permanent, you have to edit `/etc/sysconfig/iptables` with a somewhat different syntax.
Contrast FirewallD, where you just re-issue the command above with a single additional flag:
$ sudo firewall-cmd --add-service=ftp --permanentFTP is an uncommonly difficult case, but direct iptables manipulation remains more difficult even in the single-port case.
FirewallD doesn’t require that you use predefined services, either. It works just fine with raw port numbers:
$ sudo firewall-cmd --add-port=50000/tcpContrast the equivalent iptables command:
$ sudo iptables -A INPUT -p tcp --dport 50000 -j ACCEPT…and that only works if inserting into the INPUT chain is what you actually want to do, which it might not be on a system managed by FirewallD, which probably set up some more complicated chain scheme you’d have to understand in order to get the expected behavior.
Why not let FirewallD handle all of that for you?
I don’t miss direct iptables manipulation.
Thanks Warren for nice quick start covering everything one needs to configure firewalld. There is one thing I am related to "direct iptables manipulation" which is: suppose I made configuration of some machine, which then I am going to replicate just by using kickstart when building new machines. What should I add to kickstart configuration file to make my configured firewalld part reproduced on all newly built machines?
Thanks again!
Valeri
PS Your quick startup reminds me how we were introducing UNIX (shell) to new users: basically we were showing them a handful of commands (5-10) with which person can start, and knowing which person can start doing what one needs. Bottom line: it takes 5-10 minutes to start using UNIX, no need to read 1000 page book before starting. I have exactly the same feeling after your introduction into firewalld - (except kickstart missing for me).
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On Oct 25, 2018, at 9:04 AM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
suppose I made configuration of some machine, which then I am going to replicate just by using kickstart when building new machines. What should I add to kickstart configuration file to make my configured firewalld part reproduced on all newly built machines?
We use shell scripts here to bring new machines up, not kickstart, but my first result in a web search looks useful:
https://firewalld.org/documentation/man-pages/firewall-offline-cmd.html
On Thu, 25 Oct 2018, Valeri Galtsev wrote:
Thanks Warren for nice quick start covering everything one needs to configure firewalld. There is one thing I am related to "direct iptables manipulation" which is: suppose I made configuration of some machine, which then I am going to replicate just by using kickstart when building new machines. What should I add to kickstart configuration file to make my configured firewalld part reproduced on all newly built machines?
We stopped using kickstart and switched to ansible but the process is basically the same. Simply copy the appropriate files in /etc/firewalld. For me that means the files in the zones directory and in the services directory.
Any changes you have made to the default configurations will be stored under /etc/firewalld. If the directories are empty, then you are running defaults.
Because we run configuration management, I mostly just edit the files with an editor. The format is generally very simple to understand. The defaults are stored in /usr/lib/firewalld/. You can use the files there as examples by copying them to the correct directory in /etc/firewalld and making the necessary modifications. Don't forget to reload firewalld after any changes.
Regards,
On 10/25/2018 12:41 AM, Warren Young wrote:
to make them permanent, you have to edit `/etc/sysconfig/iptables` with a somewhat different syntax.
Or use "service iptables save". On systems where I use raw iptables, I set the thing up with the command line tools and then use that command to snapshot the running firewall to the sysconfig file.
I'm using firewalld now, but I still inspect the resulting iptables to see what it does. You can do this with "iptables-save > /tmp/iptables.txt". (That's the command that the initscript uses under the hood to save the boot-time sysconfig file.)
Joel Freeman wrote on 10/24/2018 9:06 PM:
On a similar note, Is there any reason to use Firewalld over IPTables?
I'm incredibly new to Linux administration, and would like to your guys' opinions on it.
Many thanks, Joel.
My first impression was that firewalld and NetworkManager had a more desktop oriented/plug-n-play type feel compared to traditional tools like network and iptables so I chose to stick with the latter on my servers (manual IP4/IP6 configuration and a handful of services, some open to the public internet while others open only to certain sources). For a laptop or desktop (which probably uses DHCP and has few, if any, publicly accessible services) I'd probably stick with the former. I have no idea how well tools like fail2ban or logwatch integrate with firewalld, but if they work as well or better than iptables that would be great. Warren is correct that the firewall-cmd interface is probably more intuitive for most folks (especially those not familiar with managing iptables).
On Thu, Oct 25, 2018 at 09:53:13AM -0500, Blake Hudson wrote:
My first impression was that firewalld and NetworkManager had a more desktop oriented/plug-n-play type feel compared to traditional tools like network and iptables so I chose to stick with the latter on my servers (manual IP4/IP6 configuration and a handful of services, some open to the public internet while others open only to certain sources).
I use NetworkManager and firewalld on my servers. NM (particularly, the more modern one on EL7) is great for servers, because they'll bring the network interface up and down based on the status of the line, not just at boot. In one of our datacenters, our faster booting servers often start up faster than the network infrastructure after an emergency power cut. Without NM in place, they'd have tried to start networking on boot, detect that the network device was down, and give up. I'd have to reboot them at the console (or remotely through a serial console) to get them back online. With NM, they start up, network is down but they still come up, and the network is activated a few minutes later when the switch becomes active.
You can also set up NetworkManager dispatcher actions for when the network goes up or down. This way, after the network comes up, for example, you could have it reset the clock through chrony.
I like firewalld for a different reason. You can parcel out configuration files related to configuration management roles, and that's easier done with firewalld than the monolithic /etc/sysconfig/iptables file. I still have to use a template for some files, but it's not a huge mess like the template I use for the iptables file.
For a laptop or desktop (which probably uses DHCP and has few, if any, publicly accessible services) I'd probably stick with the former. I have no idea how well tools like fail2ban or logwatch integrate with firewalld, but if they work as well or better than iptables that would be great. Warren is correct that the firewall-cmd interface is probably more intuitive for most folks (especially those not familiar with managing iptables).
fail2ban works fine with firewalld. You just install the fail2ban-firewalld subpackage and it sets up the right firwalld configuration. (banaction = firewallcmd-ipset) It's nice, it uses ipsets instead of the iptables-multiport action, which I think is faster.
On 10/23/18 11:05 AM, mark wrote:
Been looking, and haven't found the answer: in c7, is there a firewall-cmd command, or a systemctl cmd, to check whether ip6tables firewall is running
"firewall-cmd --state" will tell you if the daemon is running. If it is, then there should be both IPv4 and IPv6 rules.
You can use "ip6tables -L" to view the active rule set that firewalld has built.
-
Blake Hudson -
Gordon Messmer -
Joel Freeman -
Jonathan Billings -
Kenneth Porter -
mark -
me@tdiehl.org -
Phil Perry -
Valeri Galtsev -
Warren Young