On 2/24/20 4:28 AM, Pierre Labastie via blfs-dev wrote:
On 19/02/2020 at 09:59, Pierre Labastie via blfs-dev wrote:
On 19/02/2020 at 00:11, Bruce Dubbs via blfs-dev wrote:

postlfs/security/firewalld.xml:    &lfs90_checked;
postlfs/security/nftables.xml:    &lfs90_checked;


I think DJ (or somebody more clever than I am) needs to have a look at this
before release: there seem to be problems with dependencies [1], and I have
not been able to have firewalld work OK (just did systemctl disable firewalld
(*)). Maybe, it needs some more guidance for noob users as I am?

As a follow-up on [1], note that I have been able to build everything with the
book instructions, by building first nftables, then iptables, then nftables
again, then firewalld.


I mean that I build iptables without the option --disable-nftables...

I've now tried harder to make this stuff work, using two VM's connected to the
same network through the "socket" interface, but not much progress...

First, here is the "hardware" virtual setup:

host <-user interface-> VM1 <-socket interface-> VM2

By using the iptables "Masquerading router" from the book on VM1, VM2 is able
to access the internet, so I think the hardware setup is correct.

But if I disable iptables and start nftables with the config file given in the
book, VM2 does not access the internet, and not even the host. That may be
something in the config file, but I'd rather not put too much time in this
just for tagging the book (I trust the firewall of my internet router,
provided by my ISP).

Now, the worst is firewalld: I disable nftables, and I enable firewalld. Then
the CPU consumption goes to ~40 % (on one core), and the daemon seems
unresponsive (no way to connect through firewall-config, nor by using direct
access to the D-Bus interface).

Note that somebody having the same kind of problems in 2014 as I have now was
told to use ipsets, which we do not have in the book.

And, still, there is this "ebtables" problem for building firewalld.

So, unless DJ can sort this out before the release, I propose to:
- tag nftables with &lfs91_built;
- remove firewalld (comment out the xinclude)

Thoughts?

I appreciate your work on this. I've asked DJ to look at it, but he is evidently not available since I've not received a response. My conclusion is that without further input we should comment out both nftables and firewalld and remove the references in Setting Up a Network Firewall and iptables.

  -- Bruce
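The thread compares the book's iptables "Masquerading router" (which worked on VM1) with an nftables configuration that did not. The script below is an added example, not the BLFS book's config file and not anything Pierre or Bruce posted: it generates an nftables ruleset for the same role (host-facing "outside" interface, VM2-facing "inside" interface), applies it, and checks the three things a router of this kind needs before inside hosts can reach anything beyond it: IP forwarding turned on, a forward chain that accepts inside-to-outside traffic, and a masquerade rule on the outside interface. Interface names, the table name `router`, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: an nftables masquerading router, parameterised on interface
# names. Not the BLFS book's ruleset; WAN_IF/LAN_IF names below are assumptions.

# Emit the ruleset text for the given outside (WAN) and inside (LAN) interfaces.
nft_masq_ruleset() {
    wan="$1"; lan="$2"
    cat <<EOF
flush ruleset

table inet router {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # The inside network may talk to the router itself (DNS, SSH, ...)
        iifname "$lan" accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only inside -> outside traffic is forwarded; nothing initiated from outside
        iifname "$lan" oifname "$wan" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Enable forwarding and load the ruleset; needs root and the nft binary.
nft_masq_apply() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found in PATH" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    nft_masq_ruleset "$1" "$2" | nft -f -
}

# Report which of the three prerequisites is missing on a router that does
# not pass traffic; prints nothing when all are present.
nft_masq_check() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "net.ipv4.ip_forward is 0"
    nft list ruleset | grep -q 'hook forward' || echo "no forward chain loaded"
    nft list ruleset | grep -q 'masquerade'   || echo "no masquerade rule loaded"
}

# Usage, as root on the router (assumed interface names):
#   nft_masq_apply eth0 eth1 && nft_masq_check
```

Inside hosts that cannot reach the router's own services or the outside are most often hitting one of the three conditions `nft_masq_check` reports; with a `policy drop` forward chain, the single `iifname/oifname accept` rule is what lets VM2's packets through, and the `established,related` rule lets the replies back.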
