Really starting to like firewalld
A new trick I found.
firewall-cmd --set-log-denied=all
That automatically inserts the log lines for you just before the DROP/REJECT statements in INPUT, FORWARD, OUTPUT chains, and any custom chains with DROP/REJECT statements. You could always add logging rules manually to bare iptables but with this command and firewalld it's automatic. They are also given unique prefixes so you can identify the chain it comes from.
There are a lot of things this can be used for. One of the more powerful uses is to search out blocked ports/services that need to be added. This allows you to do it from the outside in rather than having to search out all the ports/services you want to add and then figuring out what they listen on etc.
To have this write to log files uncomment $ModLoad imklog
in /etc/rsyslog.conf
and systemctl restart rsyslog
To watch from console (at least on CE7) just cat /proc/kmsg
To turn off, firewall-cmd --set-log-denied=off
This may seem like a little thing to some but I think it's a pretty nice feature.
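As an added example (not from the post above), here is a small parser for the kernel log lines that the denied-packet rules produce, aggregating the blocked destination ports the way the "outside in" approach suggests. The log lines and the "FINAL_REJECT"/"STATE_INVALID_DROP" prefixes are constructed for this example; check the prefixes your own firewalld version emits.

```python
import re
from collections import Counter

# Netfilter log lines look like "PREFIX: KEY=VALUE KEY=VALUE ...", where PREFIX is
# what the logging rule attached. These sample lines are constructed for this
# example and are not captured from a real host.
SAMPLE_LOG = """\
Mar  3 10:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51235 DPT=8080 SYN URGP=0
Mar  3 10:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.12 DST=192.0.2.1 LEN=32 PROTO=UDP SPT=4444 DPT=161 LEN=12
Mar  3 10:00:04 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=80 DPT=51000 ACK URGP=0
Mar  3 10:00:05 host kernel: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex
"""

# Only lines whose fields start with IN= are netfilter log entries; other
# kernel messages (NIC driver noise, etc.) are ignored.
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Za-z0-9_]+): (?P<fields>IN=.*)$")

def parse_denied_line(line):
    """Return a dict with 'prefix' plus the KEY=VALUE fields, or None if not a firewall log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:  # flags such as DF, SYN, ACK carry no value and are skipped
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)  # keep the outer LEN=, not the inner UDP/ICMP one
    return rec

def summarize_blocked(log_text, prefixes=("FINAL_REJECT", "FINAL_DROP")):
    """Count (PROTO, DPT) pairs hit by rules with the given prefixes, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denied_line(line)
        if rec and rec["prefix"] in prefixes and "DPT" in rec:
            counts[(rec["PROTO"], int(rec["DPT"]))] += 1
    return counts.most_common()

if __name__ == "__main__":
    # Ports that legitimate clients keep hitting are candidates for a service/port rule.
    for (proto, port), n in summarize_blocked(SAMPLE_LOG):
        print(f"{proto:4} {port:6}  {n} hit(s)")
```

Feed it the output of `cat /proc/kmsg` or the rsyslog file instead of SAMPLE_LOG; the STATE_INVALID_DROP line is excluded by default because invalid-state drops are not missing-service evidence.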
Comments
I have a question: how do you remove all services at once, without knowing the services beforehand? For example
firewall-cmd --zone=public --permanent --remove-service={*}
didn't do the job. Any tricks you came across for this?
Not aware of a command but that doesn't mean it's not there. You can just edit the config file directly in
/etc/firewalld
to remove multiple lines.

I have no grudge against firewalld per se, but one of the first things I always do is to disable/remove it and use those plain old iptables & ipset I've given my blood to when I was learning the first bits.
There's nothing more crystalline than performing some editing on /etc/sysconfig/iptables
@ehab how about
If you want to edit config files you can do the same sort of thing in /etc/firewalld. Actually it's better suited to that because it is designed to be edited directly; I don't think /etc/sysconfig/iptables is intended to be. You can edit the standard files and you can create your own custom config files.
Only thing with firewalld config files is that they use xml.
So a custom config file might look like
cat /etc/firewalld/services/myspecialsnowflake.xml
Then just add that service as a firewalld rule.
firewall-cmd --new-service=myspecialsnowflake --permanent
Thanks for the script, I'll check it out.