Safely disable firewalld [Ovirt 4.3]

Hi all, I was wondering if it's "safe" to disable the firewalld service entirely and manage the firewall only via iptables, on the host and on the hosted engine (a self-hosted engine). It would make managing the firewall rules a lot easier for me because of the many automatisms I created based on iptables. Did anyone manage to do this? Any contraindications to doing this, or precautions that I have to take?
Thanks for your time and help, Francesco

On Wed, Apr 22, 2020 at 9:21 AM <francesco@shellrent.com> wrote:
Hi all,
I was wondering if it's "safe" to disable the firewalld service entirely and manage the firewall only via iptables, on the host and on the hosted engine (a self-hosted engine). It would make managing the firewall rules a lot easier for me because of the many automatisms I created based on iptables. Did anyone manage to do this? Any contraindications to doing this, or precautions that I have to take?
I didn't try this myself, but the last time this was discussed Simone said that it's mandatory to have firewalld enabled and active during the hosted-engine deploy, but that it should be safe to stop/disable it after that, as well as to add new hosts without a firewall.
Also, please note that in el8 (which will be the only supported OS for oVirt 4.4), if you do not want to use firewalld, you might have to convert/amend your scripts/conf to use nftables.
Best regards, -- Didi

Also, please note that in el8 (which will be the only supported OS for oVirt 4.4), if you do not want to use firewalld, you might have to convert/amend your scripts/conf to use nftables.
Best regards, -- Didi
Hi, I'm still using iptables on CentOS 8 Stream but I'm not sure if it uses nftables or the good "old" netfilter in the backend. (Debian 10 documentation seems more precise on this point.) By the way, I don't use it on oVirt nodes, just on VMs... Just saying it is possible.
-- Cordialement / Best regards, Michaël Couren, ABES, Montpellier, France.

On Wed, Apr 22, 2020 at 12:23 PM Michaël Couren <couren@abes.fr> wrote:
Also, please note that in el8 (which will be the only supported OS for oVirt 4.4), if you do not want to use firewalld, you might have to convert/amend your scripts/conf to use nftables.
Best regards, -- Didi
Hi, I'm still using iptables on CentOS 8 Stream but I'm not sure if it uses nftables or the good "old" netfilter in the backend.
I haven't played at all yet with either nftables or EL8's iptables. Only recently I realized it's indeed included: https://gerrit.ovirt.org/108265
(Debian 10 documentation seems more precise on this point.) By the way, I don't use it on oVirt nodes, just on VMs... Just saying it is possible.
Yes, saw that too. Also, on a firewalld-managed EL8 machine, 'iptables-save' says:
  # Generated by xtables-save v1.8.2 on Wed Apr 22 12:50:13 2020
  ...
  # Completed on Wed Apr 22 12:50:13 2020
  # Table `firewalld' is incompatible, use 'nft' tool.
So this tells me, without learning nft, to be careful... Thanks!
-- Didi
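Michaël's question (which backend EL8's iptables talks to) and the iptables-save warning Didi quotes both have a quick check. The script below is an added example and not code from the thread or from oVirt: it classifies the backend from the 'iptables -V' banner (EL8's iptables-nft prints "(nf_tables)", the classic binary prints "(legacy)", and builds before 1.8 print no tag at all), recognises the "Table `firewalld' is incompatible" line in an iptables-save dump, and looks for firewalld's own table in 'nft list tables'. The sample strings are constructed from the outputs shown in the thread; the live checks only run when the tools are installed.

```shell
#!/bin/sh
# Added example (not code from the thread): tell which packet-filter backend
# a host's iptables really uses, and whether firewalld owns rules that
# iptables-save cannot show. The sample strings below are constructed.

# Constructed samples, shaped like the outputs discussed in the thread.
SAMPLE_VERSION_EL8='iptables v1.8.2 (nf_tables)'
SAMPLE_VERSION_EL7='iptables v1.4.21'
SAMPLE_SAVE_EL8="# Generated by xtables-save v1.8.2 on Wed Apr 22 12:50:13 2020
# Completed on Wed Apr 22 12:50:13 2020
# Table \`firewalld' is incompatible, use 'nft' tool."
SAMPLE_NFT_TABLES='table inet firewalld
table ip filter'

# Classify the backend from an 'iptables -V' banner.
iptables_backend() {
    case "$1" in
        *'(nf_tables)'*)        echo nf_tables ;;
        *'(legacy)'*)           echo legacy ;;
        'iptables v1.'[0-7].*)  echo legacy ;;    # pre-1.8 builds have no nft backend
        *)                      echo unknown ;;
    esac
}

# Succeed when an iptables-save dump carries the warning Didi quotes: the host
# runs iptables-nft and firewalld keeps its rules in an nft table that the
# iptables tools will neither list nor save.
save_hides_firewalld_table() {
    printf '%s\n' "$1" | grep -q "incompatible, use 'nft' tool"
}

# Succeed when 'nft list tables' output shows firewalld's own table.
nft_has_firewalld_table() {
    printf '%s\n' "$1" | grep -Eq '^table (inet|ip|ip6) firewalld$'
}

# One-line verdict: which tool an iptables-based script must be checked against.
verdict() {
    backend=$(iptables_backend "$1")
    if [ "$backend" = nf_tables ] && save_hides_firewalld_table "$2"; then
        echo "iptables-nft with firewalld rules present: review with 'nft list ruleset'"
    elif [ "$backend" = legacy ]; then
        echo "legacy iptables: 'iptables-save' shows the full ruleset"
    else
        echo "backend $backend: verify with 'nft list ruleset' before trusting iptables-save"
    fi
}

# Live run on this host; every command is guarded so the script is harmless
# where the tools are absent or the user is unprivileged.
live_check() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 0; }
    ver=$(iptables -V 2>/dev/null)
    save=$(iptables-save 2>&1 || true)
    echo "iptables banner: $ver"
    verdict "$ver" "$save"
    if command -v nft >/dev/null 2>&1 && nft_has_firewalld_table "$(nft list tables 2>/dev/null || true)"; then
        echo "firewalld table present in nftables"
    fi
    return 0
}

live_check
```

The practical point is the first branch of verdict: on iptables-nft with firewalld active, a script that greps 'iptables-save' output for its own rules will read an empty filter table and conclude the host is unprotected, or worse, believe its rules are the only ones. 'nft list ruleset' is the only complete view there.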

On Wed, Apr 22, 2020 at 11:24 AM Michaël Couren <couren@abes.fr> wrote:
Also, please note that in el8 (which will be the only supported OS for oVirt 4.4), if you do not want to use firewalld, you might have to convert/amend your scripts/conf to use nftables.
Best regards, -- Didi
Hi, I'm still using iptables on CentOS 8 Stream but I'm not sure if it uses nftables or the good "old" netfilter in the backend.
This could be useful:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
and also this: https://www.redhat.com/en/blog/using-nftables-red-hat-enterprise-linux-8

If you log in to the cockpit, you can add services or custom ports easily. I would not disable the firewall. <hostname:9090> for the cockpit.
Eric Evans
Digital Data Services LLC.
304.660.9080
-----Original Message-----
From: francesco@shellrent.com <francesco@shellrent.com>
Sent: Tuesday, April 21, 2020 12:54 PM
To: users@ovirt.org
Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]

I'm in no way an oVirt expert. But as a Linux administrator, I would say that firewalld and iptables are "front-ends" to the kernel's internal security tables, so, at the end of the day, they will provide *almost* the same functionality. It seems that firewalld is able to activate modules without restarting the entire firewall infrastructure, which iptables is not capable of. This gives firewalld an advantage, especially where you would not have interruptions in existing stateful connections. I've *always* used iptables as a replacement for firewalld because of almost 20 years of using iptables - this is the first step in all of the roughly hundred CentOS 7 installations I've done in the past few years. I just can't throw away all my scripts that block hackers, provide 2- and 3-way "knock-knock" lockers, fail2ban customizations, NAT rules, DMZ, and all, every time a new "firewall" front end appears. I've seen at least two or three "iptables killer techs" in the past, and iptables is still the king - at least for me. Again, repeating myself, I'm no oVirt specialist. Just a seasoned Linux admin who will not jump off the iptables train yet. Perhaps I would not recommend completely deactivating the firewall on any server! If that is the case, I would instead advise just replacing firewalld with iptables-services (at least in CentOS 7) - but only in case you have too much to lose without iptables (as I do).
Regards, Edson
From: eevans@digitaldatatechs.com <eevans@digitaldatatechs.com>
Sent: Wednesday, April 22, 2020 12:18
To: francesco@shellrent.com <francesco@shellrent.com>; users@ovirt.org <users@ovirt.org>
Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
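Edson's advice (swap firewalld for iptables-services rather than run without a firewall) has a failure mode worth guarding against: once firewalld stops, whatever it was allowing through for the engine, VDSM and SSH goes with it, and a default-deny iptables ruleset loaded afterwards locks the host out unless those ports were carried over. The script below is an added example and not code from the thread or from oVirt: it exports the port list firewalld reports, renders it as an iptables-restore file with a default-deny INPUT chain, and prints the order of steps for the swap. The sample port list is constructed; the 'firewall-cmd' calls only run when the tool is present, and the script file name in the printed plan is this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): before replacing firewalld with
# iptables-services on CentOS 7, export what firewalld currently lets in so the
# replacement ruleset does not lock out the engine, VDSM or SSH.

# Constructed sample of 'firewall-cmd --list-ports' output: space-separated
# port/proto pairs. A real host prints its own list.
SAMPLE_PORTS='22/tcp 9090/tcp 123/udp'

# One INPUT ACCEPT rule per port/proto pair, in iptables-restore syntax.
ports_to_rules() {
    for pair in $1; do
        port=${pair%/*}
        proto=${pair#*/}
        printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# A complete iptables-restore file: default-deny INPUT, loopback, ICMP and
# established traffic allowed, then the exported ports. FORWARD is left ACCEPT
# here because a hypervisor bridges VM traffic; tighten it per site.
render_restore() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    ports_to_rules "$1"
    printf '%s\n' 'COMMIT'
}

# On a live host, collect firewalld's open ports plus the ports behind each
# enabled service ('firewall-cmd --info-service NAME' prints a "ports:" line).
collect_live_ports() {
    command -v firewall-cmd >/dev/null 2>&1 || return 1
    ports=$(firewall-cmd --list-ports 2>/dev/null) || return 1
    for svc in $(firewall-cmd --list-services 2>/dev/null); do
        ports="$ports $(firewall-cmd --info-service "$svc" 2>/dev/null | sed -n 's/^ *ports: *//p')"
    done
    [ -n "$(echo $ports)" ] || return 1
    echo "$ports"
}

# The swap Edson describes, ordered so the staged file is syntax-checked before
# firewalld goes away. This only prints the steps; run them by hand after
# reviewing the rules file. "export-firewalld.sh" is this script's assumed name.
print_swap_plan() {
    cat <<'EOF'
yum -y install iptables-services
sh export-firewalld.sh > /etc/sysconfig/iptables   # stage the rendered ruleset, nothing is loaded yet
iptables-restore --test /etc/sysconfig/iptables    # parse only; live rules are untouched
systemctl disable --now firewalld                  # firewalld flushes its own rules on stop
systemctl mask firewalld                           # a later package update must not re-enable it
systemctl enable --now iptables                    # loads /etc/sysconfig/iptables
EOF
}

# Stand-alone run: live ports when firewalld answers, the constructed sample otherwise.
ports=$(collect_live_ports) || ports=$SAMPLE_PORTS
render_restore "$ports"
```

Two things to check before the last three steps: that the rendered file lists every port the hosted engine and VDSM need (compare it against what 'firewall-cmd --list-all' shows, service by service), and that there is console access to the host, because between 'disable --now firewalld' and 'enable --now iptables' the host is briefly open and a typo in the file leaves it that way.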
participants (6)
- Edson Richter
- eevans@digitaldatatechs.com
- francesco@shellrent.com
- Gianluca Cecchi
- Michaël Couren
- Yedidyah Bar David