firewalld configuration should *not* rely on direct rules #324

Open
tblancher opened this issue Feb 12, 2021 · 0 comments

Comments

@tblancher

From the firewalld.direct(5) man page:

Direct configuration should be used only as a last resort when it's not possible to use firewalld.zone(5)

I have a Debian 10 (buster) router, with firewalld 0.8.2 and kernel 5.9.15-1~bpo10+1 installed from buster-backports. I installed fwknop-server (fwknopd 2.6.10), which currently is only configured to use iptables. I rebuilt fwknopd using the Debian source package, and now fwknopd --version reports the following:

fwknopd server 2.6.10, compiled for firewall bin: /usr/bin/firewall-cmd

I've been trying to set up a port forward with a SPA, and the port never comes open. I've posted my fwknopd logs detailing my attempts. Down around 18:00 is when I tried these SPAs.

It doesn't appear to work, mainly because it's trying to use iptables syntax for its direct rules. According to the log output, the iptables syntax is incompatible with this kernel (probably because it uses the nftables framework instead to manage the netfilter subsystem). As mentioned in the firewalld.direct manual, direct rules should only be used as a last resort, when rich rules or some of the higher-order features of firewalld cannot be used.

I don't know C very well, but my goal here is to fork fwknopd and replace firewalld.h and firewalld.c with proper firewall-cmd commands, and not use direct rules. For most of it, simple --add-port and --add-forward-port with appropriate --timeout settings should be enough to get started. Let firewalld keep track of the timeouts and everything else, and don't try to use the archaic iptables direct rules to manage the firewall.

Ideally I'd replace the firewall-cmd incantations with proper dbus calls (as mentioned in #165), but that's currently above my pay grade and skillset.
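One way to do what the issue proposes, added here as an example and not code from fwknopd or from the issue author: a POSIX sh fragment that validates the fields an SPA request would supply and opens the forward through firewall-cmd's zone options with a timeout, rather than through an iptables-syntax direct rule. The zone name, addresses and the FIREWALL_CMD override are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not fwknopd's own code: open a timed port forward through
# firewall-cmd's zone interface (--add-forward-port with --timeout) instead of
# an iptables-syntax direct rule, after validating every field that would come
# from an untrusted SPA request. FIREWALL_CMD is an assumed override so the
# logic can be dry-run (FIREWALL_CMD=echo) on a host without firewalld.
FIREWALL_CMD=${FIREWALL_CMD:-/usr/bin/firewall-cmd}

# A port is purely numeric and in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A dotted-quad IPv4 address: exactly four numeric octets, each 0-255.
valid_ipv4() {
  addr=$1 n=0
  while [ -n "$addr" ]; do
    o=${addr%%.*}
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
    if [ "$addr" = "$o" ]; then addr=; else addr=${addr#*.}; fi
  done
  [ "$n" -eq 4 ]
}

# forward_port_args ZONE PORT PROTO TOADDR TOPORT TIMEOUT_SECONDS
# Prints the firewall-cmd arguments for the rule, or fails if any field is
# malformed so that nothing unexpected is spliced into the command line.
forward_port_args() {
  zone=$1 port=$2 proto=$3 toaddr=$4 toport=$5 timeout=$6
  case "$zone" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  valid_port "$port" && valid_port "$toport" && valid_ipv4 "$toaddr" || return 1
  case "$timeout" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "--zone=$zone --add-forward-port=port=$port:proto=$proto:toport=$toport:toaddr=$toaddr --timeout=$timeout"
}

# firewalld removes the rule itself when the timeout expires, so the caller
# keeps no cleanup state of its own.
open_forward() {
  args=$(forward_port_args "$@") || { echo "rejected forward-port request" >&2; return 1; }
  # shellcheck disable=SC2086  # intentional word splitting of validated args
  "$FIREWALL_CMD" $args
}
```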
