Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules... how do you do that?
I can't tell if firewalld is just really poorly documented or very limited. I am sorely tempted to disable it and just use good ol' iptables, but I don't like the kneejerk "Just disable it!" attitude, partly because one day there'll be something that you have to do "the new way", and you'll be far behind the curve.
If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules.
I've never used firewalld, but I have used the firewall script from the now-defunct Project Files project (he said redundantly).
Please don't take this the wrong way, but, given the multiple and diverse requirements you list, I suspect you would be in for a sea of rules regardless of the method you select for configuring iptables, as you seem to have a lake, if not a sea, of requirements.
Please don't take this the wrong way, but, given the multiple and diverse requirements you list, I suspect you would be in for a sea of rules regardless of the method you select for configuring iptables, as you seem to have a lake, if not a sea, of requirements.
Not really. It's pretty common to not want to expose management functions to clients. In my case, all clients should be able to hit LDAP and Kerberos, and one or two management stations should have access to the IdM GUI, and one or two to have shell access to the OS. Anyone who isn't breaking things out like that is begging for trouble.
It turns out you can point rich rules at a service instead of a port, so that helps to keep things manageable.
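One way to lay out the scenario from the opening post in firewalld without rich rules, as an added example that is not from any poster in this thread: a source-bound zone per access tier, plus a copy of the freeipa-ldap service with the web ports removed so clients get LDAP/Kerberos but not the GUI. It assumes firewall-cmd with --new-service-from is available and that the stock freeipa-ldap definition lists 80/tcp and 443/tcp as the web ports; zone names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: one source-bound firewalld zone per
# access tier, so each tier's peers and services live in one place rather
# than in a stack of rich rules. Addresses and zone names are constructed.
# Commands are printed by default; set FW_APPLY=1 to execute them (as root).

run() {
    if [ "${FW_APPLY:-0}" = "1" ]; then firewall-cmd "$@"; else echo "firewall-cmd $*"; fi
}

# Clients must reach LDAP/Kerberos but not the IdM web GUI. The stock
# freeipa-ldap service also lists 80/tcp and 443/tcp (the thread's point),
# so derive a copy without them (assumption: those two ports carry the GUI).
define_client_service() {
    run --permanent --new-service-from=freeipa-ldap --name=ipa-client-noweb
    run --permanent --service=ipa-client-noweb --remove-port=443/tcp
    run --permanent --service=ipa-client-noweb --remove-port=80/tcp
}

# add_tier ZONE "SERVICES" "SOURCES": a permanent zone bound to SOURCES that
# allows only SERVICES. Source-bound zones are matched before the interface's
# default zone, so those peers see nothing else.
add_tier() {
    zone=$1; services=$2; sources=$3
    run --permanent --new-zone="$zone"
    for s in $services; do run --permanent --zone="$zone" --add-service="$s"; done
    for src in $sources; do run --permanent --zone="$zone" --add-source="$src"; done
}

# The thread's layout: shell from two admin hosts, GUI from one, IPA from a subnet.
apply_layout() {
    define_client_service
    add_tier mgmt-ssh   ssh              "192.0.2.10/32 192.0.2.11/32"
    add_tier idm-gui    https            "192.0.2.20/32"
    add_tier ipa-client ipa-client-noweb "198.51.100.0/24"
    run --reload
}

apply_layout
```

Run it once without FW_APPLY to review the generated firewall-cmd lines, then with FW_APPLY=1 as root to commit them; `firewall-cmd --zone=ipa-client --list-all` afterwards confirms what each tier can reach.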
You might want to combine IPTABLES with IPSET. Or you could compartmentalize your rules. Without knowing how many IP addresses you are talking about and what you want to allow where, it's kind of hard to give a good answer.
Not really. It's pretty common to not want to expose management functions to clients.
Agreed, and I understand the need for a complex ruleset in a business environment; the headlines every day point out that more businesses should give thought to this issue.
My only point was that it looked to be a relatively complex ruleset regardless of the means used to configure iptables.