From: Strahil Nikolov <hunter86_bg@yahoo.com>
Sent: Wednesday, April 22, 2020 15:45
To: users@ovirt.org <users@ovirt.org>; Edson Richter <edsonrichter@hotmail.com>; eevans@digitaldatatechs.com <eevans@digitaldatatechs.com>; francesco@shellrent.com <francesco@shellrent.com>
Subject: Re: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
 
On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter <edsonrichter@hotmail.com> wrote:
>I'm in no way an oVirt expert. But as a Linux administrator, I would say
>that firewalld and iptables are "front-ends" to the kernel's internal security
>tables, so, at the end of the day, they will provide *almost* the same
>functionality.
>
>It seems that firewalld is able to activate modules without restarting the
>entire firewall infrastructure, which iptables is not capable of. This
>gives firewalld an advantage, especially where you would not have
>interruptions in existing stateful connections.
>
>I've *always* used iptables as a replacement for firewalld because of
>almost 20 years of using iptables - this is the first step in all of the
>roughly hundred CentOS 7 installations I've done in the past few years. I just can't
>throw away all my scripts that block hackers, provide 2- and 3-way
>"knock-knock" lockers, fail2ban customizations, NAT rules, DMZ, and
>all, every time a new "firewall" front end appears. I've seen at least
>two or three "iptables killer" techs in the past, and iptables is still
>the king - at least for me.
>
>Again, repeating myself, I'm no oVirt specialist. Just a seasonal Linux
>admin who will not jump off the iptables train yet.
>
>Perhaps I would not recommend completely deactivating all firewalls on
>any server! If that is the case, I would instead advise just
>replacing firewalld with iptables-services (at least on CentOS 7) - but
>only in case you have too much to lose without iptables (as I do).
>
>Regards,
>
>Edson
>
>
>________________________________
>From: eevans@digitaldatatechs.com <eevans@digitaldatatechs.com>
>Sent: Wednesday, April 22, 2020 12:18
>To: francesco@shellrent.com <francesco@shellrent.com>;
>users@ovirt.org <users@ovirt.org>
>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>If you log in to the cockpit, you can add services or custom ports
>easily. I would not disable the firewall.
><hostname:9090> for the cockpit.
>
>Eric Evans
>Digital Data Services LLC.
>304.660.9080
>
>
>-----Original Message-----
>From: francesco@shellrent.com <francesco@shellrent.com>
>Sent: Tuesday, April 21, 2020 12:54 PM
>To: users@ovirt.org
>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>
>Hi all,
>
>I was wondering if it's "safe" to disable the firewalld service entirely
>and manage the firewall only via iptables, on the host and on the
>hosted engine (a self-hosted engine). It would make managing the
>firewall rules a lot easier for me because of the many automations I
>created based on iptables. Did anyone manage to do this? Any
>contraindication to doing this, or precaution that I have to take care
>of?
>
>Thanks for your time and help,
>Francesco
>_______________________________________________
>Users mailing list -- users@ovirt.org
>To unsubscribe send an email to users-leave@ovirt.org
>Privacy Statement: https://www.ovirt.org/privacy-policy.html
>oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PNKTCSWLJXKK6FAIJ7EJMWIFTH4GGCL5/

Keep in mind that I had some issues with oVirt (it was more than a year ago - so don't ask for details) when either firewalld or SELinux was down.

With so much experience in IPTABLES - it's understandable, but keep in mind that in CentOS/RHEL 8 the iptables command is just a translator to nftables - with limited capability, and I don't think that was a coincidence. With firewalld you can still achieve 90-95% of what you could do in IPTABLES, while the rules are quite clear even for a new admin.

What I really like is that you can predefine the ports and protocols for a specific service and easily deploy it via Salt or Ansible.

Best Regards,
Strahil Nikolov
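As an added example of the "predefine the ports and protocols for a service" approach described above (this is not code from the thread, from any of its authors, or from the oVirt project): the script below writes a firewalld service definition in the XML format firewalld reads from /etc/firewalld/services/, validates the protocol of every port entry before touching the filesystem, and activates the service with firewall-cmd when that tool is present. The service name "cockpit-web", the function names and the FIREWALLD_SERVICE_DIR override are assumptions made for this example; 9090/tcp is the Cockpit port mentioned earlier in the thread. The ports oVirt itself needs are not listed in the thread and are not guessed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from the oVirt project.
# Builds a firewalld service definition (the XML format firewalld reads from
# /etc/firewalld/services/) and, when firewall-cmd is present, activates it.
# Assumptions: the service name "cockpit-web", the function names and the
# FIREWALLD_SERVICE_DIR variable are invented here; 9090/tcp is the Cockpit
# port mentioned in the thread. oVirt's own required ports are not listed.
set -eu

# write_firewalld_service NAME DESCRIPTION DESTDIR PORT...
# PORT entries look like "9090/tcp" or "5404-5405/udp" (ranges are allowed).
# Validates every protocol first, then writes DESTDIR/NAME.xml and prints
# its path; an unknown protocol means no file is written at all.
write_firewalld_service() {
    name=$1; desc=$2; dest=$3; shift 3
    out="$dest/$name.xml"
    for p in "$@"; do
        case "${p#*/}" in
            tcp|udp|sctp|dccp) ;;
            *) echo "unsupported protocol in '$p'" >&2; return 1 ;;
        esac
    done
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for p in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</service>\n'
    } > "$out"
    chmod 0644 "$out"   # readable by firewalld (root), not writable by others
    printf '%s\n' "$out"
}

# count_service_ports FILE: number of <port .../> entries in a service file.
count_service_ports() {
    grep -c '<port ' "$1"
}

# activate_firewalld_service NAME [ZONE]: add the service to ZONE in both the
# permanent and the running configuration. Does nothing (and returns 0) when
# firewall-cmd is absent, so the script is safe to run on a workstation.
activate_firewalld_service() {
    name=$1; zone=${2:-public}
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; wrote the service file only" >&2
        return 0
    fi
    firewall-cmd --reload                                          # load the new XML
    firewall-cmd --permanent --zone="$zone" --add-service="$name"  # persist it
    firewall-cmd --reload                                          # apply it
    firewall-cmd --zone="$zone" --query-service="$name"            # verify: prints "yes"
}

main() {
    dest=${FIREWALLD_SERVICE_DIR:-/etc/firewalld/services}
    f=$(write_firewalld_service cockpit-web "Cockpit web console" "$dest" 9090/tcp)
    echo "wrote $f ($(count_service_ports "$f") port entries)"
    activate_firewalld_service cockpit-web public
}

# Run only when invoked with --install, so sourcing the file does nothing.
if [ "${1:-}" = "--install" ]; then
    main
fi
```

Run it as root with `sh firewalld-service.sh --install` on the host; set FIREWALLD_SERVICE_DIR to a scratch directory to inspect the generated XML first. The same file can be pushed from Ansible with a copy task followed by the firewalld module (service, permanent and immediate set), which is the Ansible route the message above refers to.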


Good to know!
When I have time to return to my oVirt tests, I'll take a careful look at it.
I'll also add a note to our CentOS 8 migration plans that all iptables scripts will have to be rewritten.

Thanks,

Edson Richter