From: Joe C. <jo...@vi...> - 2015-04-02 20:57:44
Yes, iptables is available and switching to it is documented in CentOS 7. It is not weird or going outside the box to do so (and it's among the first things I do on my servers).

For servers, I find FirewallD almost toxic in how limited it is (bridge-related stuff wasn't even possible last time I looked at it). You don't need FirewallD for "zones"; iptables supports as many tables as you want, for specifying how to behave based on as many interfaces as you have.

I actually feel angry whenever I have to work with FirewallD, as it's quite obtuse and clearly designed with laptop systems in mind (which is fine, for laptops). If your system changes networks regularly, i.e. wifi at home, to plugged in at the office, to different wifi at the coffee shop, and then back home again, FirewallD is just the ticket. But, if you aren't changing networks regularly, and need the firewall to behave appropriately based on those changes, you don't need FirewallD and you don't actually gain anything by using FirewallD (you actually lose many, many, features of iptables, because they haven't added options for them yet).

That's not to say it wouldn't be nice to have a FirewallD module. But, you probably should rethink whether you should be using it on a server. In this case the hot new thing is not superior to the old thing. The old thing is vastly more capable, and the hot new thing is only hot because it solves some specific problems for devices that move around and change network states frequently. (Which is something that servers just don't do.)

Maybe eventually FirewallD will have reasonable bridge, NAT, and routing features...but, for now, it's almost exclusively useful for laptops. It is not the right tool for the job for servers.

On 04/02/2015 11:58 AM, Kimberly wrote:
> Who said anything about modifying distribution packages; many don't
> want or need firewalld; many want iptables; that is what is nice about
> running your own dedi, you decide what is or is not.
>
> On 4/1/2015 9:39 PM, Paul Hancock wrote:
>> In this case the server box in question has multiple access addresses, among server and database isolation and the future potential of VPN linkage to other boxes.
>>
>> So yes, definitely a need for zones, and nor do I recommend modifying distribution set packages.
>>
>> - Paul
>>
>> Date: Wed, 1 Apr 2015 21:28:30 -0400
>> From: kim...@gm...
>> To: web...@li...
>> Subject: Re: [webmin-l] FirewallD module
>>
>> Or do as I did, ditch Firewalld and
>> install iptables; Do we really need zones on a server? If it is
>> an internet server, it only needs one zone, "Connected to the
>> Internet so lock it down tight" zone.
>>
>> On 4/1/2015 8:19 PM, Paul Hancock wrote:
>>
>> how are we at with said module? anyone got something working?
>> asking because a server group I'm in need to use Cent7 as 6 is incompatible with the new server managers they need to use, a working module to assist in firewalld configuration would help them a lot.
>>
>> - Paul
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
>> by Intel and developed in partnership with Slashdot Media, is your hub for all
>> things parallel software development, from weekly thought leadership blogs to
>> news, videos, case studies, tutorials and more. Take a look and join the
>> conversation now. http://goparallel.sourceforge.net/
>>
>> -
>> Forwarded by the Webmin mailing list at w...@li...
>> To remove yourself from this list, go to
>> http://lists.sourceforge.net/lists/listinfo/webadmin-list