On Tue, 2015-01-20 at 11:47 +0100, Arturo Borrero Gonzalez wrote:
> As I said before, the intended behaviour of stopping the firewall
> service is firewalling happening no longer in the machine.

Well as I've explained before, that should conceptually mean that there is no longer networking at all. I've used the example of having a hardware firewall.

> From my point of view, after several years of dealing with firewalls
> as a system administrator, after knowing how other distributions do
> the thing (CentOS, RHEL), after two or three years being an upstream
> netfilter developer, I feel confident enough to say: this is not a
> bug, it is a feature.

Actually there are several security bugs open in RHEL, that it opens up all gates every time the firewall is restarted (via the init script).

> To give some perspective: we are talking about a by-default-disabled
> service in a still-in-development optional package in a distribution
> which doesn't ship a firewall by default.

Apart from this bug, the best way to handle rules loading in nftables would probably be to use netfilter-persistent. It's "plugin-based" nowadays, so netfilter-persistent itself doesn't really know about iptables; for that there is the iptables-persistent package. IOW, there should be an nftables-persistent package, doing basically the same. This would also allow to better handle the open question what happens if rules for both are present.

Cheers,

Chris.
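As an added example (not code from this thread, from Chris, or from the netfilter-persistent or nftables packages), here is a sketch of what an nftables plugin for netfilter-persistent could look like when written so that `stop` leaves the ruleset loaded and only an explicit `flush` removes filtering, which is the behaviour Chris argues for above. It assumes the plugin is an executable invoked with one action argument (`start`, `stop`, `flush`, `save`), a rules file at `/etc/nftables-persistent/rules.nft`, and an `nft` binary on `PATH`; all three are assumptions of this example, not anything the thread or the packages define.

```shell
#!/bin/sh
# Hypothetical netfilter-persistent style plugin for nftables (example only).
# Assumed interface: the script is invoked with a single action argument:
#   start -> load the ruleset atomically from $RULES_FILE
#   stop  -> leave the ruleset in place (stopping the service must not open the host)
#   flush -> explicitly remove the ruleset (the only action that drops filtering)
#   save  -> dump the running ruleset back to $RULES_FILE
# The action names, the rules path and the nft binary name are assumptions.

RULES_FILE="${RULES_FILE:-/etc/nftables-persistent/rules.nft}"
NFT="${NFT:-nft}"

# flushes_on ACTION: succeed (exit 0) only for actions that remove rules.
# Kept as a pure function so the policy can be checked without touching the kernel.
flushes_on() {
    case "$1" in
        flush) return 0 ;;
        *)     return 1 ;;
    esac
}

# nft_args_for ACTION: print the nft arguments the action would run, or nothing
# for actions that deliberately do not touch the ruleset. Exit 2 on unknown actions.
nft_args_for() {
    case "$1" in
        start) printf '%s\n' "-f $RULES_FILE" ;;
        flush) printf '%s\n' "flush ruleset" ;;
        save)  printf '%s\n' "list ruleset" ;;
        stop)  ;;   # intentionally empty: rules stay loaded
        *)     return 2 ;;
    esac
}

# run_action ACTION: perform the action against the live kernel ruleset.
run_action() {
    case "$1" in
        start)
            # nft -f applies the whole file as one transaction. If the file
            # starts with "flush ruleset", the old rules are replaced with no
            # window in which nothing is loaded, and a syntax error leaves the
            # previous ruleset untouched instead of half-applied.
            "$NFT" -f "$RULES_FILE"
            ;;
        stop)
            echo "stop: leaving nftables ruleset in place (use 'flush' to remove it)" >&2
            ;;
        flush)
            "$NFT" flush ruleset
            ;;
        save)
            # Write to a temp file first so a failing nft does not truncate the
            # saved rules; prepend "flush ruleset" so the next start replaces
            # rather than duplicates what is already loaded.
            tmp="$RULES_FILE.tmp.$$"
            { echo "flush ruleset"; "$NFT" list ruleset; } > "$tmp" && mv "$tmp" "$RULES_FILE"
            ;;
        *)
            echo "usage: $0 {start|stop|flush|save}" >&2
            return 2
            ;;
    esac
}

# Only dispatch when an action was given, so the file can also be sourced
# to inspect the helper functions without running nft.
if [ $# -gt 0 ]; then
    run_action "$1"
fi
```

The point of separating `stop` from `flush` is that a service manager stopping or restarting the unit never passes through an accept-everything state; dropping the rules is a distinct, explicit operation an administrator has to ask for.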