Linux Iptables Firewall Automation

wirestyle22

@scottalanmiller said in Linux Iptables Firewall Automation:

@wirestyle22 said in Linux Iptables Firewall Automation:

@scottalanmiller said in Linux Iptables Firewall Automation:

@coliver said in Linux Iptables Firewall Automation:

@travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for it's config off the top of your head yet? I'm drawing a blank.

Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

Firewall-cmd I think.

That's the command, but where is the text file it is altering?

/etc/sysconfig/iptables right?

That's the one we were saying was so easy, the IPTables one. What one is FirewallD using, though?

/usr/lib/firewalld/ or /etc/firewalld are the only things I know of.

coliver

I know that you can add your own services by creating XML files. But overall I agree that IPtables is easier to manage.

wirestyle22

@coliver said in Linux Iptables Firewall Automation:

I know that you can add your own services by creating XML files. But overall I agree that IPtables is easier to manage.

I've read that but have never done it myself.

coliver

@wirestyle22 said in Linux Iptables Firewall Automation:

@coliver said in Linux Iptables Firewall Automation:

I know that you can add your own services by creating XML files. But overall I agree that IPtables is easier to manage.

I've read that but have never done it myself.

I did when I was configuring a Mangos server. It's pretty easy and it, to me, was easier then editing IPTables commands. Although that's just because I'm not used to IPTables.

scottalanmiller

@coliver said in Linux Iptables Firewall Automation:

I know that you can add your own services by creating XML files. But overall I agree that IPtables is easier to manage.

yeah, that's nice and I've tried that a little. It's a neat idea but... really, IPTables is so easy, this adds so much complication.

dafyre

I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

coliver

@dafyre said in Linux Iptables Firewall Automation:

I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

The syntax takes a long time for to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

wirestyle22

@dafyre said in Linux Iptables Firewall Automation:

I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

This is why im so excited for my incoming server (tomorrow fyi). I get to play with whatever I want. Super excited.

travisdh1

@wirestyle22 said in Linux Iptables Firewall Automation:

@scottalanmiller said in Linux Iptables Firewall Automation:

@wirestyle22 said in Linux Iptables Firewall Automation:

@scottalanmiller said in Linux Iptables Firewall Automation:

@coliver said in Linux Iptables Firewall Automation:

@travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for it's config off the top of your head yet? I'm drawing a blank.

Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

Firewall-cmd I think.

That's the command, but where is the text file it is altering?

/etc/sysconfig/iptables right?

That's the one we were saying was so easy, the IPTables one. What one is FirewallD using, though?

/usr/lib/firewalld/ or /etc/firewalld are the only things I know of.

Found my current config in /etc/firewalld/zones/public.xml. If you have any sort of complex firewall, you'd need to move the entirety of /etc/firewalld

travisdh1

@coliver said in Linux Iptables Firewall Automation:

@dafyre said in Linux Iptables Firewall Automation:

I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

The syntax takes a long time for to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

I think me and @scottalanmiller are still struggling to learn how to use firewall-cmd rather than editing /etc/sysconfig/iptables. So far I haven't had to do any fancy things with muliple zones or anything like that. I'm afraid the new system will make doing things easier to do things with it you're best leaving off to a real layer-3 router.

coliver

@travisdh1 said in Linux Iptables Firewall Automation:

@coliver said in Linux Iptables Firewall Automation:

@dafyre said in Linux Iptables Firewall Automation:

I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

The syntax takes a long time for to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

I think me and @scottalanmiller are still struggling to learn how to use firewall-cmd rather than editing /etc/sysconfig/iptables. So far I haven't had to do any fancy things with muliple zones or anything like that. I'm afraid the new system will make doing things easier to do things with it you're best leaving off to a real layer-3 router.

You can do zones with FirewallD pretty easily. When typing in your command just use --zone=zone to tell it what zone to work with.

scottalanmiller

@travisdh1 said in Linux Iptables Firewall Automation:

@coliver said in Linux Iptables Firewall Automation:

@dafyre said in Linux Iptables Firewall Automation:

I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

The syntax takes a long time for to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

I think me and @scottalanmiller are still struggling to learn how to use firewall-cmd rather than editing /etc/sysconfig/iptables. So far I haven't had to do any fancy things with muliple zones or anything like that. I'm afraid the new system will make doing things easier to do things with it you're best leaving off to a real layer-3 router.

I can get it to work, but commands instead of just editing the config file.... how barbaric. That's way too wanna be PowerShell cmdlet for me.

scottalanmiller

Even the VyOS firewall I edit by hand!

travisdh1

@scottalanmiller said in Linux Iptables Firewall Automation:

Even the VyOS firewall I edit by hand!

It's just that much easier. No hassle to fix something if you screw it up (copy the .bak you made before starting), normally all the examples you could possibly want right by what you're working on. Should I go on?

JulianJulian

Having a firewall manager to automate policies can save you a lot of time and nerves. When it comes to automation tools, the spectrum can be fairly wide, but having a firewall manager is always a good idea.
I’m using Elastic Firewall https://www.efw.io/firewall/manager …worked like a breeze so far!

dafyre

I think somebody mentioned this already... but why not use a GitLab repo and set up a cron job to pull down the file every xx minutes.

scottalanmiller

@JulianJulian have not seen that before, thanks.

JaredBusch

@dafyre said in Linux Iptables Firewall Automation:

I think somebody mentioned this already... but why not use a GitLab repo and set up a cron job to pull down the file every xx minutes.

The discussion moved on to firewalld which is different than iptables

dafyre

@JaredBusch As usual, I'm behind the times, ha ha.

RobLewisss

@JulianJulian Thanks mate! I just downloaded the agent. I'll let you guys know how it works.