I do use firewalld on this server although in reality I probably don't really need to. I have multiple VLANs and everything is behind a pfSense router, NAT'd and blocked and passed as needed. This server is my postfix, imap and apache server, so as such when I see hackers or script kitties trying to find vulnerabilities I block 'em. When creating this new server using Tumbleweed I looked into doing this blocking using firewalld instead of iptables. But it wasn't readily apparent to me how to get a list of the rules I had put in to do the blocking. Putting the rules in on the command line seemed straightforward, but not listing them out. And as mentioned I don't want the blocks to be --permanent, so I saw that option, but I failed to find the equivalent of "iptables -L -n" to get a human-readable list of the actual active rules. These log & block rules are in the iptables INPUT table and are the only thing in all of iptables. My server hard failed and I was in a pinch to get its replacement online, mainly for my email.
On Aug 9, 2024, at 02:41, Darryl Gregorash <raven@accesscomm.ca> wrote:
On 2024-08-08 23:13, Curtis J Blank wrote:
> I said I had reasons. For one it would be kind of difficult to have a program that runs in real time monitoring network hacking attempts use a GUI per your suggestion to add a rule to block the IP address of the perpetrator. This is a very dynamic application that responds and blocks these attempts typically within 2 seconds.

I didn't say that firewalld runs inside a GUI, only that it is easier to set up the IPsets in the GUI. Firewalld itself runs as a systemd service. But from what you say now, it seems likely that you should stick with what you know, since it's working for you now. You should be aware that firewalld and iptables appear to work independently of each other; therefore, what is done when you add a new rule in iptables isn't even known to firewalld. At this point, I suggest you stick with what you know -- do everything in iptables, and leave firewalld alone until you have had a chance to study it and learn how to do what you want with it.
PS, it is not necessary to send me a personal copy of your replies. In fact, I would prefer if you do not send any to me.
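The question in the thread is how to add a runtime (non-permanent) block in firewalld and then get a human-readable list of what is active, the way "iptables -L -n" does. The shell script below is an added example, not code from either poster. It builds the rich rule that `firewall-cmd --add-rich-rule=` takes for a single IPv4 source (validating the address first, since a blocking script fed by log parsing should never pass an unvalidated string to the firewall), and it extracts the dropped addresses from the output of `firewall-cmd --list-rich-rules`, which lists the runtime rich rules (`firewall-cmd --list-all` shows the whole runtime state of the active zone). Omitting `--permanent` keeps the rule runtime-only, as the poster wants. The sample rule listing and the addresses are constructed from documentation ranges; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a runtime firewalld
# rich rule that drops one IPv4 source, and pull the dropped addresses out of
# `firewall-cmd --list-rich-rules` output. Addresses below are constructed.

# Print the rich rule for a runtime block of one IPv4 address.
# Returns non-zero (and prints nothing) unless the input is a dotted quad with
# four octets in 0-255, so a caller can refuse garbage from a log parser.
block_rule_for() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;   # only digits and dots allowed
    esac
    oldifs=$IFS; IFS=.
    set -- $ip                        # split on dots into $1..$n
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    printf 'rule family="ipv4" source address="%s" drop\n' "$ip"
}

# Read `firewall-cmd --list-rich-rules` output on stdin and print only the
# source addresses of rules whose action is drop, one per line.
blocked_addresses() {
    sed -n 's/.*source address="\([^"]*\)".*drop.*/\1/p'
}

# Constructed sample of what --list-rich-rules prints: two runtime blocks and
# one unrelated accept rule that must not be reported as blocked.
SAMPLE_RULES='rule family="ipv4" source address="203.0.113.5" drop
rule family="ipv4" source address="198.51.100.7" drop
rule family="ipv4" source address="192.0.2.10" accept'

main() {
    # The command a blocking script would run for a new offender (runtime
    # only; add --permanent to persist across a firewalld reload).
    rule=$(block_rule_for "203.0.113.5") || { echo "bad address" >&2; exit 1; }
    printf "firewall-cmd --add-rich-rule='%s'\n" "$rule"
    # The equivalent of "iptables -L -n" for these blocks, reduced to addresses.
    printf '%s\n' "$SAMPLE_RULES" | blocked_addresses
}

main "$@"
```

Run it to see the exact `firewall-cmd` line to issue and the two blocked addresses from the sample listing; on a live host, replace the sample with `firewall-cmd --list-rich-rules | blocked_addresses`.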