iptables not showing a udp port allowance that is set in firewall-cmd and yast firewall settings?
Support,
15.5, simple. One ethernet card, set to the external network zone.
firewall-cmd lists one extra udp entry that I have set via the yast firewall settings.
I wonder why, or how I find it in the raw iptables command? Neither iptables -S nor iptables-save shows any such udp port definition.
------------------
# sudo firewall-cmd --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports: 12345//udp
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
-------------
sudo iptables -S
[sudo] password for root:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -j RETURN
----------------------------------
Very simple setup. Anyone know what the heck is happening? The external zone allows tcp/ssh for external access as a simple rule; that is shown in all of these commands. The additional single udp port is not being shown :( anyone? TY.
On 02.01.2024 00:20, cagsm wrote:
> Support,
> 15.5, simple. one ethernet card, being set to external network zone.
> firewall-cmd lists one extra udp entry that I have set via the yast firewall settings.
> I wonder why or how I find it in raw iptables command?

firewalld defaults to nftables
On Tue, Jan 2, 2024 at 8:31 AM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> firewalld defaults to nftables

Thanks for this information. Actually, with nft I do see the tcp ssh rule and the udp rule as well.

sudo /usr/sbin/nft list ruleset
....
chain filter_IN_external_allow {
    tcp dport 22 ct state { new, untracked } accept
    udp dport 12345 ct state { new, untracked } accept
....

nftables is a newer layer to me. I am not yet familiar with whether iptables (as it also shows the tcp/ssh rule there) is still valid in some way, some kernel module? An additional or double layer of networking and packet rules and filters, or is that just some fallback or fail-safe basic rule? How do nftables and iptables build on top of one another or exist in parallel? Not very clear to me just yet. ty
On 03.01.2024 01:54, cagsm wrote:
> On Tue, Jan 2, 2024 at 8:31 AM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>> firewalld defaults to nftables
>
> thanks for this information, actually with nft I do see the tcp ssh rule and the udp rule as well.
>
> sudo /usr/sbin/nft list ruleset
> ....
> chain filter_IN_external_allow {
>     tcp dport 22 ct state { new, untracked } accept
>     udp dport 12345 ct state { new, untracked } accept
> ....
>
> nftables is some newer layer to me, I am not yet familiar if iptables (as it shows also the tcp/ssh rule there) is still valid in some way, some kernel module? additional or double layer of networking and packeting rules and filters and all, or is that just some fallback or fail safe basic rule or how do nftables and iptables build on top of another or exist in parallel?

They exist in parallel.

> not very clear to me just yet. ty
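Since the rules live in the nftables backend rather than in the iptables tables, the place to audit a firewalld zone is `nft list ruleset`. The shell helper below is an added example, not code from anyone in this thread or from the firewalld project: it pulls the accepted proto/port pairs out of a zone's `filter_IN_<zone>_allow` chain (the chain naming seen in the output above) and reads the `FirewallBackend` key from firewalld.conf to confirm which backend is in use. The ruleset it runs on is a constructed sample, and the config path and the nftables default for a missing key are assumptions.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output, shaped like the firewalld
# chains quoted in the thread; it is not a capture from the poster's machine.
SAMPLE_RULESET='table inet firewalld {
    chain filter_IN_external_allow {
        tcp dport 22 ct state { new, untracked } accept
        udp dport 12345 ct state { new, untracked } accept
    }
    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
    }
}'

# Print "proto port" for each accept rule in the allow chain of the given
# zone (chain name filter_IN_<zone>_allow, as in the thread's output).
# Reads ruleset text from stdin, so it works on a saved dump or on
# `nft list ruleset` piped in live.
allow_rules_for_zone() {
    awk -v chain="filter_IN_$1_allow" '
        $1 == "chain" && $2 == chain { inside = 1; next }
        inside && $1 == "}"          { inside = 0 }
        inside && /dport/ && /accept$/ {
            for (i = 1; i <= NF; i++) if ($i == "dport") print $1, $(i + 1)
        }'
}

# Exit 0 if the zone's allow chain accepts proto/port, 1 otherwise.
# Usage: ... | zone_allows <zone> <proto> <port>
zone_allows() {
    allow_rules_for_zone "$1" | grep -qx "$2 $3"
}

# Report the backend firewalld is configured for, from the FirewallBackend
# key in firewalld.conf (path is an assumption, overridable via $1).
# An absent key is treated as nftables, the default the thread refers to.
firewalld_backend() {
    backend=$(sed -n 's/^FirewallBackend=//p' \
        "${1:-/etc/firewalld/firewalld.conf}" 2>/dev/null || true)
    printf '%s\n' "${backend:-nftables}"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULESET" | allow_rules_for_zone external
printf '%s\n' "$SAMPLE_RULESET" | zone_allows external udp 12345 \
    && echo "external allows 12345/udp"
```

On a live system, replace the sample with `sudo nft list ruleset | allow_rules_for_zone external`.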
On Wed, Jan 3, 2024 at 7:19 AM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> On 03.01.2024 01:54, cagsm wrote:
>> On Tue, Jan 2, 2024 at 8:31 AM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>>> firewalld defaults to nftables
>>
>> fail safe basic rule or how do nftables and iptables build on top of another or exist in parallel?
>
> They exist in parallel.

thanks for your help. I also found this insight: