
On Tue, Oct 3, 2017 at 11:36 AM, Yedidyah Bar David <didi@redhat.com> wrote:
I think it should be safe to manually edit /etc/sysconfig/iptables in that case.
Of course, verify on a test system.
Also, you might be happy to know that in 4.2 we'll support firewalld, which is much nicer to work with than patching/generating /etc/sysconfig/iptables. See also:
OK, thanks. It worked.
Nice to see the news about firewalld.

And if I want to do the same for the engine, that indeed is configured with firewalld?
Currently on it I see this kind of configuration:

[root@ovmgr1 ~]# firewall-cmd --get-default-zone
public
[root@ovmgr1 ~]#

[root@ovmgr1 ~]# firewall-cmd --get-active-zones
public
  interfaces: ens192
[root@ovmgr1 ~]#

It seems nrpe is already a usable predefined service:

[root@ovmgr1 ~]# firewall-cmd --get-services | tr -s ' ' '\n' | grep nrpe
nrpe
[root@ovmgr1 ~]#

So, based on current config, I can add it this way:

firewall-cmd --permanent --add-service=nrpe
firewall-cmd --reload

This way it should survive an engine reboot, but will it survive an engine-setup command run when updating configuration or when upgrading between minor/major updates?
Or should I manage also some oVirt managed files on engine?

Thanks,
Gianluca