On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter <edsonrichter(a)hotmail.com>
wrote:
I'm in no way a ovirt expert. But as Linux administrator, I would
say
that firewalld and iptables are "front-end" to kernel internal security
tables, so, in the final of the day, will provide *almost* same
functionality.
Seems that firewalld is able to activate modules without restarting
entire firewall infra-structure, which iptables is not capable of. This
leverage an advantage for firewalld, specially where you would not have
interruptions in existing stateful connections.
I've used iptables *always* as replacement for firewalld because of
almost 20 yrs using iptables - this is the first step in all about
hundred Centos7 installations I've done past few years. I just can't
throw away all my scripts that block hackers, provide 2 and 3 way
"knock-knock" lockers, fail2ban customizations, nat rules, DMZ, and
all, everytime a new "firewall" front end appears. I've seen at least
two or three "iptables killers tech" in the past, and iptables still is
the king - at least for me.
Again, repeating myself, I'm no ovirt specialist. Just a sazonal linux
admin which will not jump from iptables train yet.
Perhaps, I would not reccomend to completely deactivate all firewall in
any server! If it is the case, I would instead to advice to just
replace firewalld with iptables-service (at least, in Centos7) - but
only in case you have too much to loose without iptables (as am I).
Regards,
Edson
________________________________
De: eevans(a)digitaldatatechs.com <eevans(a)digitaldatatechs.com>
Enviado: quarta-feira, 22 de abril de 2020 12:18
Para: francesco(a)shellrent.com <francesco(a)shellrent.com>;
users(a)ovirt.org <users(a)ovirt.org>
Assunto: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
If you log in to the cockpit, you can add services or custom ports
easily. I would not disable the firewall.
<hostname:9090> for the cockpit.
Eric Evans
Digital Data Services LLC.
304.660.9080
-----Original Message-----
From: francesco(a)shellrent.com <francesco(a)shellrent.com>
Sent: Tuesday, April 21, 2020 12:54 PM
To: users(a)ovirt.org
Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
Hi all,
I was wondering if it's "safe" disabling entirely the firewalld service
and manage the firewall only via iptables, on the host and on the
hosted engine (a self-hosted engine). It would make a lot easier the
managing the firewall rules for me because of many automatisms I
created based on iptables. Did anyone manage to do this? Any
contraindication for doing this or precaution that I have to take care
of?
Thanks for your time and help,
Francesco
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org Privacy
Statement:
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
oVirt Code of Conduct:
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
List Archives:
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.o...
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement:
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
oVirt Code of Conduct:
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
List Archives:
https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.o...
Keep in mind that I had some issues with oVirt (was more than a year ago - so don't
ask for details) when either firewalld or SELINUX were down.
With so much experience in IPTABLES - it's understandable, but keep in mind that in
CentOS/RHEL 8 iptables command is just a translator to nftables - with limited
capability and I don't think that it was a coincidence . With firewalld you can
still achive 90-95% of what you could do in IPTABLES while the rules are quite clear
even for a new admin.
What I really like is that you can predefine the ports and protos for a specific service
and easily deploy it via salt or ansible.
Best Regards,
Strahil Nikolov