I am new to firewalld and have been going through the documentation, but I thought maybe I could discuss some things here with everyone. So I see that firewalld has now replaced the iptables service as the default firewall from Fedora 18, and it is based on services and zones rather than dealing with ports directly.

I am particularly interested in configuring the firewall to prevent some common attacks, e.g. port scanning, ping flood etc., and previously I have been using iptables to define rules. My idea is to do the same with this new firewall.

I have seen the direct command, which allows passing rules directly to the firewall, and we can give it iptables arguments, but at the same time the wiki says any rules set using **direct** are temporary and are flushed when the firewall is reloaded or the system restarts. Can someone help me with how to go about this? Because I will need this protection from common attacks to be part of the permanent rules.

Edit: More specifically, I want to know: is using the direct command the right way to add rules to prevent common attacks?

Thanks in advance

David
  • What is your exact answerable question? Server Fault is [not a discussion forum](http://serverfault.com/help). Please edit your question to be more concise and logical. – Deer Hunter Jul 17 '13 at 21:53
  • Note: I downvoted your question because it is unclear. After you edit it I'll be able to remove my downvote. – Deer Hunter Jul 17 '13 at 21:56
  • Hi Deer Hunter, yes, I realized that too. I could have worded it better. I have added a small edit to my post. – David Jul 17 '13 at 22:07
  • The problem is that few of us have any experience with FirewallD, and likely won't until RHEL7 hits beta with it. For myself, I disabled it and went back to the previous `iptables-scripts` for the time being. – Michael Hampton Jul 18 '13 at 01:28

1 Answer

Just to be pedantic, FirewallD does not replace iptables; as a matter of fact, it uses iptables extensively.

Also, note that FirewallD is still under development and arguably not production-ready yet. Use at your own risk.

That said, it is true that you could use the --direct interface to provide commands as you would with plain iptables, with the inconvenience that those rules are not permanent. Instead, take a look at the rich language interface, which provides a persistent, more expressive way of adding custom rules. It has a CLI interface, and you can also use an XML configuration file.

If I recall correctly, the --direct interface was planned to be obsoleted in favor of the rich language interface and the D-Bus interface, but don't take my word for it.

This video from a recent Red Hat conference can give you insights on the future of FirewallD.

dawud
  • I have looked into the rich language and it definitely is very interesting; however, it lacks the tools to write complex rules as of yet, like the ability to create rules based on TCP flags and states. I think it's pretty much a work in progress. Have you used the rich language for writing rules much? – David Jul 22 '13 at 22:28
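The following script is an added example and not code from the question, the answer or the firewalld project. It shows how the two mechanisms discussed above divide the work: the rich language (persistent via `--permanent`) covers source-based drops and rate-limited logging, while the TCP-flag port-scan checks and the ping-flood limit from the comment above need the direct interface, because the rich language has no flag or state match. Two caveats a practitioner should know: later firewalld releases accept `--permanent` together with `--direct` (the rules are kept in `/etc/firewalld/direct.xml`), which is assumed here; and firewalld evaluates rich rules by action group (log, then drop/reject, then accept), so an "accept up to N/s, then drop" pair cannot be expressed with rich rules alone, which is why the ICMP limit below is a direct rule ordered by its priority number. The zone name `public`, the sample network `203.0.113.0/24`, the rate `4/s` and the `harden` function name are assumptions for illustration; the built-in `INPUT` chain is what firewalld maps to its `INPUT_direct` chain, which runs before zone processing. Run it as root; `DRY_RUN=1` only prints the commands so the rule set can be reviewed on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes firewall-cmd with
# --permanent --direct support, a zone named "public", and iptables with
# the tcp, conntrack and limit match extensions. Run as root.
set -eu

ZONE="${ZONE:-public}"      # assumed zone name
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the commands instead of running them

# Run firewall-cmd, or print one reviewable command line per call when DRY_RUN=1.
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        line="firewall-cmd"
        for arg in "$@"; do
            case $arg in
                *' '*) line="$line '$arg'" ;;   # quote args containing spaces
                *)     line="$line $arg" ;;
            esac
        done
        printf '%s\n' "$line"
    else
        firewall-cmd "$@"
    fi
}

# Permanent direct rule in the IPv4 filter table. Rules given for INPUT land in
# firewalld's INPUT_direct chain, which runs before any zone chain, so they apply
# to every interface. Lower priority numbers are evaluated first.
direct() {
    prio=$1
    shift
    fw --permanent --direct --add-rule ipv4 filter INPUT "$prio" "$@"
}

harden() {
    # Port-scan signatures: TCP flag combinations that never occur in
    # legitimate traffic (NULL, XMAS, SYN+FIN, SYN+RST scans).
    direct 0 -p tcp --tcp-flags ALL NONE -j DROP
    direct 0 -p tcp --tcp-flags ALL ALL -j DROP
    direct 0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    direct 0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # A new TCP connection that does not start with a bare SYN is a probe,
    # and packets conntrack cannot classify at all are dropped as well.
    direct 0 -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    direct 0 -m conntrack --ctstate INVALID -j DROP

    # Ping flood: accept echo-requests up to the token-bucket limit (assumed
    # 4/s, burst 8); the priority-1 DROP runs afterwards and only sees the excess.
    # Note that -m limit is a global counter; per-source limiting needs -m hashlimit.
    direct 0 -p icmp --icmp-type echo-request -m limit --limit 4/s --limit-burst 8 -j ACCEPT
    direct 1 -p icmp --icmp-type echo-request -j DROP

    # Rich language covers the simpler, persistent cases: drop a noisy network
    # outright, and log new SSH sessions at a bounded rate before accepting them.
    fw --permanent --zone="$ZONE" --add-rich-rule \
        'rule family="ipv4" source address="203.0.113.0/24" drop'
    fw --permanent --zone="$ZONE" --add-rich-rule \
        'rule family="ipv4" service name="ssh" log prefix="SSH " level="info" limit value="3/m" accept'

    # Permanent changes take effect only after a reload.
    fw --reload
}

# Command-line entry point; with no argument the file only defines the functions.
case "${1:-}" in
    --apply)   harden ;;
    --dry-run) DRY_RUN=1; harden ;;
    *) ;;
esac
```

Invoke it as `sh harden-firewalld.sh --dry-run` to review the generated `firewall-cmd` lines, then `--apply` as root. After applying, `firewall-cmd --permanent --direct --get-all-rules` and `firewall-cmd --permanent --zone=public --list-rich-rules` show what survives a reload, which is the check the question is asking for.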