I tried to install CentOS 7 on a new system. It works.
However, I'm noticing small things:
- system-config-network-tui is not installed and yum cannot find it. I realized for this -- nmtui
What about firewall? I can't seem to understand the replacement from system-config-firewall-tui
Jason
On Wed, 29 Oct 2014 17:50:54 -0700 "Jason T. Slack-Moehrle" slackmoehrle@gmail.com wrote:
I tried to install CentOS 7 on a new system. It works.
However, I'm noticing small things:
- system-config-network-tui is not installed and yum cannot find it.
I realized for this -- nmtui
What about firewall? I can't seem to understand the replacement from system-config-firewall-tui
man firewall-cmd
HTH, :-) Marko
Thanks Marko for the reply.
Soo I changed my ssh port in sshd_config and did: systemctl restart sshd.service. I then did:
firewall-cmd --add-port=port/tcp
firewall-cmd --permanent --add-port=port/tcp
firewall-cmd --reload
and for safety: systemctl restart firewalld
and I get a connection:refused.
so I decided to do systemctl stop firewalld
and try again, still connection refused.
Commented out the port line in sshd_config (so back to 22) and restart, works.
so I am confused as to what is happening. I have done this 100 times in CentOS 6.x
On Wed, Oct 29, 2014 at 7:13 PM, Marko Vojinovic vvmarko@gmail.com wrote:
On Wed, 29 Oct 2014 17:50:54 -0700 "Jason T. Slack-Moehrle" slackmoehrle@gmail.com wrote:
I tried to install CentOS 7 on a new system. It works.
However, I'm noticing small things:
- system-config-network-tui is not installed and yum cannot find it.
I realized for this -- nmtui
What about firewall? I can't seem to understand the replacement from system-config-firewall-tui
man firewall-cmd
HTH, :-) Marko
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 10/30/2014 03:41 PM, Jason T. Slack-Moehrle wrote:
Soo I changed my ssh port in sshd_config and did: systemctl restart sshd.service.
...
and I get a connection:refused.
selinux is set to only allow sshd to listen on port 22, you need to do something like: semanage port -a -t ssh_port_t -p tcp 2222
Peter
yes, so I just figured out. Thank you so much. Where does `semanage` come from? I tried policycoreutils-python but it cannot be found.
On Wed, Oct 29, 2014 at 8:10 PM, Peter peter@pajamian.dhs.org wrote:
On 10/30/2014 03:41 PM, Jason T. Slack-Moehrle wrote:
Soo I changed my ssh port in sshd_config and did: systemctl restart sshd.service.
...
and I get a connection:refused.
selinux is set to only allow sshd to listen on port 22, you need to do something like: semanage port -a -t ssh_port_t -p tcp 2222
Peter
On Thu, 30 Oct 2014 16:24:02 +1300 Peter peter@pajamian.dhs.org wrote:
On 10/30/2014 04:16 PM, Jason T. Slack-Moehrle wrote:
yes, so I just figured out. Thank you so much. Where does `semanage` come from? I tried policycoreutils-python but it cannot be found.
It should be in policycoreutils-python. Try: yum provides *bin/semanage
Yes, it is there:
policycoreutils-python-2.2.5-11.el7_0.1.x86_64 : SELinux policy core python utilities
Repo : @updates
Matched from:
Filename : /sbin/semanage
HTH, :-) Marko
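The connection-refused symptom in this exchange came from SELinux, not firewalld: sshd was configured for the new port but ssh_port_t only covered tcp/22, so firewall-cmd changes could not help. The script below is an added example (not code from the thread or from any of the tools it mentions) that checks all three layers, sshd_config, the SELinux port labels and the firewalld open ports, from captured command output before anything is changed on the live host. The sample outputs are constructed; their layout mirrors what `semanage port -l` and `firewall-cmd --list-ports` print on CentOS 7, and port 2222 is an assumed example port.

```shell
#!/bin/sh
# Added example, not code from the thread: work out which layer is refusing a
# connection to a relocated sshd on CentOS 7 (sshd_config, SELinux port labels,
# firewalld) from captured output, before touching the live system.
# All sample outputs below are constructed for the example.

# /etc/ssh/sshd_config after the port change (constructed)
SSHD_CONFIG_SAMPLE='# default is 22
#Port 22
Port 2222
Protocol 2'

# Output of: semanage port -l   (constructed, trimmed)
SEMANAGE_SAMPLE='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 32769-60999, 61001-65535'

# Output of: firewall-cmd --list-ports   (constructed)
FIREWALLD_PORTS_SAMPLE='2222/tcp 8080/tcp'

# Port sshd will bind to: last uncommented "Port N" line in $1, or 22 if none.
sshd_config_port() {
    p=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${p:-22}"
}

# Does SELinux type $1 cover proto $2 port $3 in the semanage listing $4?
# Handles single ports and "low-high" ranges, comma separated.
selinux_allows_port() {
    type=$1; proto=$2; port=$3; listing=$4
    ports=$(printf '%s\n' "$listing" \
        | awk -v t="$type" -v pr="$proto" '$1 == t && $2 == pr { $1 = ""; $2 = ""; print }' \
        | tr -d ',')
    for entry in $ports; do
        case "$entry" in
            *-*)
                lo=${entry%-*}; hi=${entry#*-}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi ;;
            *)
                if [ "$entry" = "$port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Is $1/$2 present in the firewall-cmd --list-ports output $3?
firewalld_opens_port() {
    port=$1; proto=$2; listing=$3
    for entry in $listing; do
        if [ "$entry" = "$port/$proto" ]; then return 0; fi
    done
    return 1
}

# diagnose_ssh_port PORT SSHD_CONFIG SEMANAGE_LISTING FIREWALLD_PORTS
# Prints every layer that would refuse tcp/PORT, with the command that fixes it;
# returns 0 only when all three layers agree.
diagnose_ssh_port() {
    port=$1; status=0
    cfg=$(sshd_config_port "$2")
    [ "$cfg" = "$port" ] || { echo "sshd_config: sshd listens on $cfg, not $port"; status=1; }
    selinux_allows_port ssh_port_t tcp "$port" "$3" \
        || { echo "selinux: ssh_port_t lacks tcp/$port (semanage port -a -t ssh_port_t -p tcp $port)"; status=1; }
    firewalld_opens_port "$port" tcp "$4" \
        || { echo "firewalld: tcp/$port not open (firewall-cmd --permanent --add-port=$port/tcp && firewall-cmd --reload)"; status=1; }
    return $status
}

# With the constructed samples only SELinux complains, which is exactly the
# situation in the thread. On a real host (as root) feed live output instead:
#   diagnose_ssh_port 2222 "$(cat /etc/ssh/sshd_config)" "$(semanage port -l)" "$(firewall-cmd --list-ports)"
diagnose_ssh_port 2222 "$SSHD_CONFIG_SAMPLE" "$SEMANAGE_SAMPLE" "$FIREWALLD_PORTS_SAMPLE" || true
```

Run the checks before restarting sshd: once the SELinux label, the firewalld port and sshd_config all name the same port, the restart is safe, and the diagnosis tells you which of the three to fix rather than leaving you to guess as in the thread.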
so I figured this out, I think:
firewall-cmd --zone=public --add-port=2888/tcp --permanent
but if it is a known service, you can use:
firewall-cmd --zone=public --add-service=http --permanent
and then reload the firewall
firewall-cmd --reload
On Wed, Oct 29, 2014 at 5:50 PM, Jason T. Slack-Moehrle < slackmoehrle@gmail.com> wrote:
I tried to install CentOS 7 on a new system. It works.
However, I'm noticing small things:
- system-config-network-tui is not installed and yum cannot find it. I realized for this -- nmtui
What about firewall? I can't seem to understand the replacement from system-config-firewall-tui
Jason
On Wed, 2014-10-29 at 19:14 -0700, Jason T. Slack-Moehrle wrote:
so I figured this out, I think:
firewall-cmd --zone=public --add-port=2888/tcp --permanent
but if it is a known service, you can use:
firewall-cmd --zone=public --add-service=http --permanent
and then reload the firewall
firewall-cmd --reload
iptables -A table-name -p tcp --dport 80 -j ACCEPT
No reboot needed. 'table-name' can be INPUT or another user defined table name.
firewall-cmd with its Windoze-like structure and syntax is definitely unappealing to many normal firewall users.
On Thu, Oct 30, 2014 at 03:56:58AM +0000, Always Learning wrote:
iptables -A table-name -p tcp --dport 80 -j ACCEPT
No reboot needed. 'table-name' can be INPUT or another user defined table name.
firewall-cmd with its Windoze-like structure and syntax is definitely unappealing to many normal firewall users.
If this is done on a box with firewalld enabled it will be overwritten as firewalld knows nothing about it.
John
On 10/29/2014 11:01 PM, John R. Dennison wrote:
On Thu, Oct 30, 2014 at 03:56:58AM +0000, Always Learning wrote:
iptables -A table-name -p tcp --dport 80 -j ACCEPT
No reboot needed. 'table-name' can be INPUT or another user defined table name.
firewall-cmd with its Windoze-like structure and syntax is definitely unappealing to many normal firewall users.
If this is done on a box with firewalld enabled it will be overwritten as firewalld knows nothing about it.
You can turn off firewalld and use iptables if that is the desire. That is what I have done on my test machines.
Some of us old farts don't do well with change :D
On Thu, October 30, 2014 6:54 am, Johnny Hughes wrote:
On 10/29/2014 11:01 PM, John R. Dennison wrote:
On Thu, Oct 30, 2014 at 03:56:58AM +0000, Always Learning wrote:
iptables -A table-name -p tcp --dport 80 -j ACCEPT
No reboot needed. 'table-name' can be INPUT or another user defined table name.
firewall-cmd with its Windoze-like structure and syntax is definitely unappealing to many normal firewall users.
If this is done on a box with firewalld enabled it will be overwritten as firewalld knows nothing about it.
You can turn off firewalld and use iptables if that is the desire. That is what I have done on my test machines.
At the moment this can be a solution. But one day this option will be gone, so at your leisure try to accommodate yourself to the new reality... whatever you think about it.
Valeri
Some of us old farts don't do well with change :D
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On Thu, 2014-10-30 at 09:27 -0500, Valeri Galtsev wrote:
On Thu, October 30, 2014 6:54 am, Johnny Hughes wrote:
You can turn off firewalld and use iptables if that is the desire. That is what I have done on my test machines.
At the moment this can be a solution. But one day this option will be gone, so at your leisure try to accommodate yourself to the new reality... whatever you think about it.
But only if one uses C7 at the point IPtables is dropped. Possibly a repo will supply it. Centos users seem to like, if not adore, stability, persistence and as few changes as possible.
On Thu, 30 Oct 2014 03:56:58 +0000 Always Learning centos@u62.u22.net wrote:
iptables -A table-name -p tcp --dport 80 -j ACCEPT
No reboot needed. 'table-name' can be INPUT or another user defined table name.
firewall-cmd with its Windoze-like structure and syntax is definitely unappealing to many normal firewall users.
If you compare the syntax of the two equivalent commands,
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
and
firewall-cmd --add-service=http
I'd say that the second one appears simpler, more readable, more intuitive, and less sensitive to typos. No reboot is required for either. I fail to see what is so unappealing to a user in the second one. I don't know who is a "normal firewall user". Finally, I don't see any Windows-like syntax in the second one (AFAIK, Windows doesn't have any syntax, you need to click your way through menus and checkboxes and stuff to tweak the firewall in Windows).
Incidentally, since I started using Linux I have always found iptables to have a very user-unfriendly syntax. Whenever I needed to tweak the firewall, I had to look up the man page for iptables, in order to make sure I don't screw myself over between -A and -I, -N and -n, -P and -p, etc. It was a royal pain having to pay attention to the order of the rules in the table. It was stupid having to look up explicit port numbers for common services. Various GUIs and TUIs of the time only added a whole new level of obscurity.
So I find the firewall-cmd syntax to be a major step forward with respect to iptables. At least for the vast majority of common usecases.
And no, I am not a novice user from Windowsland --- I've been Linux-only since RedHat 6.2 (Zoot), back in the previous millennium... ;-)
Best, :-) Marko
On 10/30/2014 8:38 AM, Marko Vojinovic wrote:
On Thu, 30 Oct 2014 03:56:58 +0000 Always Learning centos@u62.u22.net wrote:
iptables -A table-name -p tcp --dport 80 -j ACCEPT
No reboot needed. 'table-name' can be INPUT or another user defined table name.
firewall-cmd with its Windoze-like structure and syntax is definitely unappealing to many normal firewall users.
If you compare the syntax of the two equivalent commands,
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
and
firewall-cmd --add-service=http
I'd say that the second one appears simpler, more readable, more intuitive, and less sensitive to typos. No reboot is required for either. I fail to see what is so unappealing to a user in the second one. I don't know who is a "normal firewall user". Finally, I don't see any Windows-like syntax in the second one (AFAIK, Windows doesn't have any syntax, you need to click your way through menus and checkboxes and stuff to tweak the firewall in Windows).
To do this in cmd line on Windows:
netsh advfirewall firewall add rule name=httpd dir=in localport=80 protocol=tcp enable=yes profile=private,domain remoteip=192.168.1.1,192.168.2.1 action=allow
On Thu, 2014-10-30 at 10:01 -0400, Toby Bluhm wrote:
On 10/30/2014 8:38 AM, Marko Vojinovic wrote:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
and
firewall-cmd --add-service=http
To do this in cmd line on Windows:
netsh advfirewall firewall add rule name=httpd dir=in localport=80 protocol=tcp enable=yes profile=private,domain remoteip=192.168.1.1,192.168.2.1 action=allow
Ugh. Very unappealing. I am so happy to be on Centos 5 and 6. :-)
How does one modify that Windoze rule ? In IPtables,
-R 4web 5 -p tcp --dport 888 -s 192.168.2.1/23 -j ACCEPT
On 10/31/2014 01:20 AM, Always Learning wrote:
-R 4web 5 -p tcp --dport 888 -s 192.168.2.1/23 -j ACCEPT
That will only work if you want to permit from source addresses in the 192.168.2.1 and 192.168.3.1 netblocks. I think you want a -s 192.168.1.1/23
<anecdote> When I was first starting out in IT, I was transitioning from Comms Engineering, where I was mentored by one of the guys who helped build the PSTN telephone network in AU. The two things he hammered home to me were:
* Always check the lines you're working on, and then check the numbers again.
and
* Always know how to use a different set of tools, because your preferred one may not be available when you need it the most. </anecdote>
On Fri, 2014-10-31 at 01:25 +1100, Steve Walsh wrote:
On 10/31/2014 01:20 AM, Always Learning wrote:
-R 4web 5 -p tcp --dport 888 -s 192.168.2.1/23 -j ACCEPT
That will only work if you want to permit from source addresses in the 192.168.2.1 and 192.168.3.1 netblocks. I think you want a -s 192.168.1.1/23
That was merely an idle example.
<anecdote> When I was first starting out in IT, I was transitioning from Comms Engineering, where I was mentored by one of the guys who helped build the PSTN telephone network in AU. The two things he hammered home to me were:
- Always check the lines you're working on, and then check the numbers again.
and
- Always know how to use a different set of tools, because your preferred one may not be available when you need it the most.
</anecdote>
Agree about getting it correct the first time, because corrections can be time consuming burdens.
The more one knows technically, the easier it is to devise an alternative solution.
On 10/30/2014 10:20 AM, Always Learning wrote:
On Thu, 2014-10-30 at 10:01 -0400, Toby Bluhm wrote:
On 10/30/2014 8:38 AM, Marko Vojinovic wrote:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
and
firewall-cmd --add-service=http
To do this in cmd line on Windows:
netsh advfirewall firewall add rule name=httpd dir=in localport=80 protocol=tcp enable=yes profile=private,domain remoteip=192.168.1.1,192.168.2.1 action=allow
Ugh. Very unappealing. I am so happy to be on Centos 5 and 6. :-)
How does one modify that Windoze rule ? In IPtables,
-R 4web 5 -p tcp --dport 888 -s 192.168.2.1/23 -j ACCEPT
netsh advfirewall firewall set rule name="sshd" new remoteip=192.168.1.1/23
Different? - Yes
Difficult? - No more than anything else I'm unfamiliar with
On Thu, 2014-10-30 at 10:34 -0400, Toby Bluhm wrote:
On 10/30/2014 10:20 AM, Always Learning wrote:
On Thu, 2014-10-30 at 10:01 -0400, Toby Bluhm wrote:
On 10/30/2014 8:38 AM, Marko Vojinovic wrote:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
and
firewall-cmd --add-service=http
To do this in cmd line on Windows:
netsh advfirewall firewall add rule name=httpd dir=in localport=80 protocol=tcp enable=yes profile=private,domain remoteip=192.168.1.1,192.168.2.1 action=allow
Ugh. Very unappealing. I am so happy to be on Centos 5 and 6. :-)
How does one modify that Windoze rule ? In IPtables,
-R 4web 5 -p tcp --dport 888 -s 192.168.2.1/23 -j ACCEPT
netsh advfirewall firewall set rule name="sshd" new remoteip=192.168.1.1/23
Different? - Yes
Difficult? - No more than anything else I'm unfamiliar with
Thank you. I'm severely averse to everything M$, so I am biased :-)
On Thu, 2014-10-30 at 12:38 +0000, Marko Vojinovic wrote:
Incidentally, since I started using Linux I have always found iptables to have a very user-unfriendly syntax. Whenever I needed to tweak the firewall, I had to look up the man page for iptables, in order to make sure I don't screw myself over between -A and -I, -N and -n, -P and -p, etc. It was a royal pain having to pay attention to the order of the rules in the table. It was stupid having to look up explicit port numbers for common services. Various GUIs and TUIs of the time only added a whole new level of obscurity.
And no, I am not a novice user from Windowsland --- I've been Linux-only since RedHat 6.2 (Zoot), back in the previous millennium... ;-)
Hi Marko,
I started a few years earlier about the time of Centos 5.3
The order of rules in any IPtables table is pure common sense and very logical. Essentially, the first rule is the first action. The second rule is the second action etc.
Generally, in simple terms, a rule can block, accept or permanently go to another table (go) or perform another table (jump).
-A = append at the end of a table
-I = insert into a table at a specified line number (default line 1)
-N = create new table
-Z = zeroise a table's count (and in later editions the count on an individual table entry)
-F = delete all a table's entries
-p = tcp/icmp/udp etc.
I created helpful routines and abbreviations:
ipt = iptables
.i iptables -nvL $1 --line-numbers echo '----> '$1;
sv = service, used in 'sv ipt save'
Linux is extremely customisable.
The firewall-cmd syntax appears to me to be dumbing-down and de-skilling. It hides the technical information behind the command, to the detriment of the technical user.
In IPtables
-A 4web -p tcp --dport 81 -j ACCEPT
In firewall-cmd
firewall-cmd --add-service=http
but that refers to port 80. Hence IPtables is a lot more flexible. The contrast is like playing a piano without gloves and then wearing boxing gloves - the precision has vanished.
An informed user derives more from his computer system than someone who uses the 'dumb-down' simplified pre-packaged alternative - especially when there is a problem.
On Thu, 30 Oct 2014 14:04:32 +0000 Always Learning centos@u62.u22.net wrote:
The order of rules in any IPtables table is pure common sense and very logical. Essentially, the first rule is the first action. The second rule is the second action etc.
Sure, I do know how it works. :-) However, the iptables requires me to think about it when specifying -I or -A every time I modify the rules. My beef is that in most situations I don't really need to be bothered with that --- if I want to open a http port, the machine should be the one to figure out where to put the rule. I want to be bothered with rule order only when I am doing something complicated enough, not for every firewall modification.
The firewall-cmd syntax appears to me to be dumbing-down and de-skilling. It hides the technical information behind the command, to the detriment of the technical user.
I'd say that the vast majority of users never actually need to see that technical information. Most server deployments are standardized, and the user just wants to say "I have http, ssh, openvpn, dhcp... services running on this machine, open appropriate ports". Only the more intricate configurations should require a learning curve.
You seem to be pushing the argument that we should give up Office suites and force the user to write everything in TeX, since it is more powerful and exposes a lot more technical details to the user. But TeX comes with a steep learning curve, and the vast majority of people don't really need it. Similarly, C is far more powerful than, say, Python or a bash script, so should we do all our scripting in C?
I have a feeling that RedHat has some internal statistics coming from customer support channels, and that in 99% of the cases the question is "how do I open a firewall port for httpd", while only in 1% of the cases the question is "I'm masquerading a subnet from one LAN, while I want trusted access for three machines from another LAN, but only through a customized sshd port, while everything else should go as usual, except for mail originating from a local server...". So the idea is to adapt the firewall-cmd tool for the most common usecases, and not require them to touch stuff "under the hood" for simple tasks.
People who need complicated setups can either learn how to achieve that using firewall-cmd itself, or shut down firewalld and configure iptables manually. But this should be an exception, rather than a rule, IMHO.
In IPtables
-A 4web -p tcp --dport 81 -j ACCEPT
In firewall-cmd
firewall-cmd --add-service=http
but that refers to port 80.
firewall-cmd --add-port=81/tcp
Look at the examples section of "man firewall-cmd". :-)
Hence IPtables is a lot more flexible. The contrast is like playing a piano without gloves and then wearing boxing gloves - the precision has vanished.
Running httpd on port 81 is not really common, since all real-world clients are expecting it to be on port 80. Besides, I haven't come across a configuration which can be achieved via iptables but not via firewall-cmd (though that doesn't mean that such a config doesn't exist). IMO firewall-cmd and iptables are fairly equivalent in expressive power, while the former is easier to use in most common situations. So precision is not lost, should you require it. But in most cases you don't really need it.
An informed user derives more from his computer system than someone who uses the 'dumb-down' simplified pre-packaged alternative - especially when there is a problem.
I have a feeling that it's just the case of lazy sysadmins who don't want to bother reading the man page for firewall-cmd. They seem to be the ones who are not informed. Moreover, the lockdown and panic options seem to be an improvement in functionality, which does not exist if you only use iptables. There might also be other functionality upgrades, I haven't studied firewalld in detail yet.
Best, :-) Marko
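The disagreement above about -A versus -I comes down to first-match evaluation: a chain is walked top to bottom and the first matching rule decides, so an ACCEPT appended after a catch-all REJECT is dead, while the same rule inserted at line 1 takes effect. The script below is an added example, not code from the thread or from iptables, that models that walk in plain sh over constructed rules and packets so the difference can be seen without a kernel in the way. Rule lines use the assumed format "PROTO DPORT SRC VERDICT" with "any" as a wildcard; source addresses are compared as exact strings (no CIDR matching), and the IP addresses are documentation ranges chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a tiny first-match evaluator that
# mimics how a netfilter chain is walked, to show why -A (append) and -I (insert)
# give different results for the same rule. Rules and packets are constructed.
# Rule format: "PROTO DPORT SRC VERDICT"; "any" matches anything; SRC is
# compared as an exact string (no CIDR matching, kept simple on purpose).

# Append rule $2 to chain $1 (like iptables -A). A chain is a newline-separated string.
chain_append() {
    if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s\n%s\n' "$1" "$2"; fi
}

# Insert rule $2 at the top of chain $1 (like iptables -I CHAIN 1).
chain_insert() {
    if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s\n%s\n' "$2" "$1"; fi
}

# Show the chain with line numbers, the way iptables -nvL --line-numbers does.
chain_list() {
    printf '%s\n' "$1" | awk 'NF { printf "%d  %s\n", NR, $0 }'
}

# Walk chain $1 top to bottom for a packet proto=$2 dport=$3 src=$4 and print
# the verdict of the first matching rule, or the chain policy ($5, default DROP).
chain_verdict() {
    chain=$1; proto=$2; dport=$3; src=$4; policy=${5:-DROP}
    printf '%s\n' "$chain" | {
        while read -r rproto rport rsrc verdict; do
            [ -n "$verdict" ] || continue
            if { [ "$rproto" = any ] || [ "$rproto" = "$proto" ]; } &&
               { [ "$rport" = any ] || [ "$rport" = "$dport" ]; } &&
               { [ "$rsrc" = any ] || [ "$rsrc" = "$src" ]; }; then
                printf '%s\n' "$verdict"
                exit 0      # leaves the pipeline subshell: first match wins
            fi
        done
        exit 1              # nothing matched
    } || printf '%s\n' "$policy"
}

# Constructed chain: ssh from one admin host, then reject everything else.
WEB_CHAIN=$(chain_append "" "tcp 22 192.0.2.10 ACCEPT")
WEB_CHAIN=$(chain_append "$WEB_CHAIN" "any any any REJECT")

# Opening http the -A way lands behind the catch-all and is never reached ...
APPENDED=$(chain_append "$WEB_CHAIN" "tcp 80 any ACCEPT")
# ... while -I puts it where the walk can still reach it.
INSERTED=$(chain_insert "$WEB_CHAIN" "tcp 80 any ACCEPT")

# Same packet (a web client at 198.51.100.7), two different outcomes.
verdict_after_append() { chain_verdict "$APPENDED" tcp 80 198.51.100.7; }   # REJECT
verdict_after_insert() { chain_verdict "$INSERTED" tcp 80 198.51.100.7; }   # ACCEPT

echo "appended chain:"; chain_list "$APPENDED"
echo "verdict for tcp/80: $(verdict_after_append)"
echo "inserted chain:";  chain_list "$INSERTED"
echo "verdict for tcp/80: $(verdict_after_insert)"
```

This is the placement decision firewall-cmd makes for you: a service or port added to a zone is always evaluated before the zone's final reject, so the operator never has to know which line number to pass to -I.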
While I'm a long-time iptables user I will be the first to admit it is terribly difficult to work with. If you are starting from scratch firewall-cmd makes a lot of sense, just like realmd greatly simplifies the bind process to Active Directory.
It's good to know the underpinnings, but the bottom line is I need to get stuff done fast. To be honest, I very rarely dump in iptables commands directly these days. It's almost always done through puppet or copy/pasting to /etc/sysconfig/iptables for one-offs pre RHEL 7. I've been using it for years but I doubt I could crank out a good webserver firewall config with appropriate logging/rate-limiting without looking up most of it. Almost everything is abstracted into syntax for config management engines like puppet now.
I'm a fan of progress even if it's a bit of a headache at first. But the most frustrating part of RHEL 7 has been the dramatic changes in syntax for pretty much every core process I do on a daily basis (systemd, firewalld, etc). For better or worse they are here to stay.
-Iain
On Thu, Oct 30, 2014 at 9:14 AM, Marko Vojinovic vvmarko@gmail.com wrote:
On Thu, 30 Oct 2014 14:04:32 +0000 Always Learning centos@u62.u22.net wrote:
The order of rules in any IPtables table is pure common sense and very logical. Essentially, the first rule is the first action. The second rule is the second action etc.
Sure, I do know how it works. :-) However, the iptables requires me to think about it when specifying -I or -A every time I modify the rules. My beef is that in most situations I don't really need to be bothered with that --- if I want to open a http port, the machine should be the one to figure out where to put the rule. I want to be bothered with rule order only when I am doing something complicated enough, not for every firewall modification.
The firewall-cmd syntax appears to me to be dumbing-down and de-skilling. It hides the technical information behind the command, to the detriment of the technical user.
I'd say that the vast majority of users never actually need to see that technical information. Most server deployments are standardized, and the user just wants to say "I have http, ssh, openvpn, dhcp... services running on this machine, open appropriate ports". Only the more intricate configurations should require a learning curve.
You seem to be pushing the argument that we should give up Office suites and force the user to write everything in TeX, since it is more powerful and exposes a lot more technical details to the user. But TeX comes with a steep learning curve, and the vast majority of people don't really need it. Similarly, C is far more powerful than, say, Python or a bash script, so should we do all our scripting in C?
I have a feeling that RedHat has some internal statistics coming from customer support channels, and that in 99% of the cases the question is "how do I open a firewall port for httpd", while only in 1% of the cases the question is "I'm masquerading a subnet from one LAN, while I want trusted access for three machines from another LAN, but only through a customized sshd port, while everything else should go as usual, except for mail originating from a local server...". So the idea is to adapt the firewall-cmd tool for the most common usecases, and not require them to touch stuff "under the hood" for simple tasks.
People who need complicated setups can either learn how to achieve that using firewall-cmd itself, or shut down firewalld and configure iptables manually. But this should be an exception, rather than a rule, IMHO.
In IPtables
-A 4web -p tcp --dport 81 -j ACCEPT
In firewall-cmd
firewall-cmd --add-service=http
but that refers to port 80.
firewall-cmd --add-port=81/tcp
Look at the examples section of "man firewall-cmd". :-)
Hence IPtables is a lot more flexible. The contrast is like playing a piano without gloves and then wearing boxing gloves - the precision has vanished.
Running httpd on port 81 is not really common, since all real-world clients are expecting it to be on port 80. Besides, I haven't come across a configuration which can be achieved via iptables but not via firewall-cmd (though that doesn't mean that such a config doesn't exist). IMO firewall-cmd and iptables are fairly equivalent in expressive power, while the former is easier to use in most common situations. So precision is not lost, should you require it. But in most cases you don't really need it.
An informed user derives more from his computer system than someone who uses the 'dumb-down' simplified pre-packaged alternative - especially when there is a problem.
I have a feeling that it's just the case of lazy sysadmins who don't want to bother reading the man page for firewall-cmd. They seem to be the ones who are not informed. Moreover, the lockdown and panic options seem to be an improvement in functionality, which does not exist if you only use iptables. There might also be other functionality upgrades, I haven't studied firewalld in detail yet.
Best, :-) Marko
On Thu, 2014-10-30 at 16:14 +0000, Marko Vojinovic wrote:
Sure, I do know how it works. :-) However, the iptables requires me to think about it when specifying -I or -A every time I modify the rules.
When I set up a server, I devise the rules and the sub-systems that interface with IPtables and rarely change anything, except to empty (flush) the blocked IPs in the monthly banned table.
Adding an extra facility is usually quick and easy. I know what I want and I instinctively know where I want the -I. Rarely do I use -A on an established table.
IPtables is flexible, efficient and effective.
My beef is that in most situations I don't really need to be bothered with that --- if I want to open a http port, the machine should be the one to figure out where to put the rule.
Assuming the IPtables firewall is logically designed, it is very easy to see exactly where you need to place the command. Your wish to delegate a simple placement to the software suggests you are not well familiar with the design and construction of your IPtables firewall. firewalld is probably ideal for you, but I prefer the precision and flexibility of IPtables (perhaps because I am an assembler programmer at heart)
You seem to be pushing the argument that we should give up Office suites and force the user to write everything in TeX, since it is more powerful and exposes a lot more technical details to the user.
No. Writing letters and playing with spreadsheets should be done with Libre Office.
But TeX comes with a steep learning curve, and the vast majority of people don't really need it. Similarly, C is far more powerful then, say, Phyton or a bash script, so should we do all our scripting in C?
Use the best and most convenient tools relevant to the task. I use PHP for most programming work.
Running httpd on port 81 is not really common, since all real-world clients are expecting it on to be on port 80.
It was an illustration of using http on a non-standard port. Very easy to do in IPtables. I have nothing running on 81.
Time is finite. Having learnt much, but not all, about IPtables I am reluctant to learn firewalld just to do what I can already do, elegantly, in IPtables.
I have a feeling that it's just the case of lazy sysadmins who don't want to bother reading the man page for firewall-cmd.
Why waste time and energy learning a different and unappealing method to do exactly what I can do already in IPtables ?
Best wishes.
An IPtables Fan :-)
On 10/30/2014 7:42 PM, Always Learning wrote:
Your wish to delegate a simple placement to the software suggests you are not well familiar with the design and construction of your IPtables firewall.
get off your soapbox, it's not becoming.
On Thu, October 30, 2014 9:42 pm, Always Learning wrote:
On Thu, 2014-10-30 at 16:14 +0000, Marko Vojinovic wrote:
Sure, I do know how it works. :-) However, the iptables requires me to think about it when specifying -I or -A every time I modify the rules.
When I set up a server, I devise the rules and the sub-systems that interface with IPtables and rarely change anything, except to empty (flush) the blocked IPs in the monthly banned table.
Adding an extra facility is usually quick and easy. I know what I want and I instinctively know where I want the -I. Rarely do I use -A on an established table.
IPtables is flexible, efficient and effective.
My beef is that in most situations I don't really need to be bothered with that --- if I want to open a http port, the machine should be the one to figure out where to put the rule.
Assuming the IPtables firewall is logically designed, it is very easy to see exactly where you need to place the command. Your wish to delegate a simple placement to the software suggests you are not well familiar with the design and construction of your IPtables firewall. firewalld is probably ideal for you, but I prefer the precision and flexibility of IPtables (perhaps because I am an assembler programmer at heart)
You seem to be pushing the argument that we should give up Office suites and force the user to write everything in TeX, since it is more powerful and exposes a lot more technical details to the user.
No. Writing letters and playing with spreadsheets should be done with Libre Office.
But TeX comes with a steep learning curve, and the vast majority of people don't really need it. Similarly, C is far more powerful then, say, Phyton or a bash script, so should we do all our scripting in C?
Use the best and most convenient tools relevant to the task. I use PHP for most programming work.
Running httpd on port 81 is not really common, since all real-world clients are expecting it on to be on port 80.
It was an illustration of using http on a non-standard port. Very easy to do in IPtables. I have nothing running on 81.
Time is finite. Having learnt much, but not all, about IPtables I am reluctant to learn firewalld just to do what I can already do, elegantly, in IPtables.
I have a feeling that it's just the case of lazy sysadmins who don't want to bother reading the man page for firewall-cmd.
Why waste time and energy learning a different and unappealing method to do exactly what I can do already in IPtables ?
Yes, and after all they both are the front end to the same kernel module...
Valeri
Best wishes.
An IPtables Fan :-)
On Fri, Oct 31, 2014 at 02:42:03AM +0000, Always Learning wrote:
Assuming the IPtables firewall is logically designed, it is very easy to see exactly where you need to place the command. Your wish to delegate a simple placement to the software suggests you are not well familiar with the design and construction of your IPtables firewall. firewalld is probably ideal for you, but I prefer the precision and flexibility of IPtables (perhaps because I am an assembler programmer at heart)
If you manage your systems through a configuration management system like puppet, chef or bcfg2, managing the monolithic /etc/sysconfig/iptables is a pain. I ended up templating it, and having various group memberships define how the file is created from the template.
One of the features firewalld brings is being able to place different configuration parts into separate files, to be incorporated into the firewall dynamically. This is a dev web host? It gets a zone letting only the developers access httpd. This other system is a production mysql server? Define the zone allowing the production application servers access to the mysql port. Have each configuration bundle that defines a service drop in a service definition.
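The per-role zone John describes is just a small XML file under /etc/firewalld/zones that a configuration bundle can drop in. The script below is an added example, not code from the thread or from the firewalld project: it renders such a zone (only the developer network may reach httpd and sshd on a dev web host), prints the equivalent firewall-cmd invocations, and loads the file where firewalld is present. The zone name, description and 192.0.2.0/24 network are constructed for the example; the element names follow firewalld.zone(5), and the description is assumed to contain no XML special characters since it is not escaped.

```shell
#!/bin/sh
# Added example, not firewalld's own code: generate a per-role firewalld zone
# file (the "dev web" zone from the discussion) and load it. Zone name,
# network and description are constructed; the XML layout follows
# firewalld.zone(5).

ZONE_DIR=/etc/firewalld/zones

# Zone names become file names under $ZONE_DIR, so accept only a plain
# identifier: this stops "../" tricks and odd characters ending up in the XML.
valid_zone_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_zone_xml NAME DESCRIPTION "SRC1 SRC2 ..." "SVC1 SVC2 ..."
# Traffic from the listed sources is bound to this zone; only the listed
# services are accepted, everything else falls through to the zone's default
# target, which rejects.
render_zone_xml() {
    name=$1; desc=$2; sources=$3; services=$4
    valid_zone_name "$name" || { echo "bad zone name: $name" >&2; return 1; }
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for s in $sources; do printf '  <source address="%s"/>\n' "$s"; done
    for svc in $services; do printf '  <service name="%s"/>\n' "$svc"; done
    printf '</zone>\n'
}

# render_zone_cmds NAME "SRC1 ..." "SVC1 ...": the same zone expressed as
# firewall-cmd calls, for those who prefer not to hand-write XML.
render_zone_cmds() {
    name=$1; sources=$2; services=$3
    valid_zone_name "$name" || return 1
    printf 'firewall-cmd --permanent --new-zone=%s\n' "$name"
    for s in $sources; do
        printf 'firewall-cmd --permanent --zone=%s --add-source=%s\n' "$name" "$s"
    done
    for svc in $services; do
        printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$name" "$svc"
    done
    printf 'firewall-cmd --reload\n'
}

# install_zone NAME DESCRIPTION "SRC ..." "SVC ...": write the file and reload.
# Needs root and a host running firewalld; elsewhere it only prints the zone.
install_zone() {
    name=$1; desc=$2; sources=$3; services=$4
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; printing the zone instead of installing it" >&2
        render_zone_xml "$name" "$desc" "$sources" "$services"
        return 0
    fi
    render_zone_xml "$name" "$desc" "$sources" "$services" > "$ZONE_DIR/$name.xml" \
        && firewall-cmd --reload \
        && firewall-cmd --zone="$name" --list-all
}

# Constructed example: developers on 192.0.2.0/24 may reach httpd and sshd.
DEVWEB_XML=$(render_zone_xml devweb "Developer access to the dev web host" "192.0.2.0/24" "http ssh")
printf '%s\n' "$DEVWEB_XML"
render_zone_cmds devweb "192.0.2.0/24" "http ssh"
```

On the dev host itself, `install_zone devweb "Developer access to the dev web host" "192.0.2.0/24" "http ssh"` run as root writes /etc/firewalld/zones/devweb.xml and reloads; a production database host would get its own file naming the application servers as sources and the database service instead, which is the "separate files per role" model the message describes.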