tcpdump shows that all the traffic to server xxx.xxx.xxx.xxx is via UDP. I added a counter to the rule and it stays all zeros. Bunch of questions:
Why does this not work?
Is it a problem that it put the rule in this table/chain?
Why did firewall-cmd put it there?
BTW, if I put the above iptables rule in on the same system using the iptables cmd the traffic goes to TCP, it’s just that I need to move on from iptables and don’t know a lot about it. I need this rule to work in order to move on, chicken/egg.
But… we need someone with expertise, because such a rule is only visible with sudo iptables -L -n, and not in the nftables.
So, are we in a transition phase where iptables and nftables are both in use?
This is at the heart of my question. The rule neglects to declare an “OUTPUT” table, it is filtering on input (I guess, IDK for sure). I’ll try it the other way and with a counter. Then I’ll delete my iptables rule.
Yes, iptables is running also. I didn’t start it, this is a fresh Fedora 32 install. It came that way, but rules are not persistent by default.
Thank you. I’ll give them a read shortly. I really need to gain perspective.
This transition from iptables is confusing. So, nft is underneath firewalld. I’m curious what the firewalld layer provides? It’s confusing because it seems writing rules for one is not the same as writing for the other. The syntax is not the same, so I have to learn two packages to get a fw running?
nft add rule ip filter OUTPUT ip daddr xxx.xxx.xxx.xxx udp dport 4500 counter reject
So, I really did get off track by trying to construct my own firewalld with firewall-cmd and doing that incorrectly, forgetting OUTPUT.
After I added this rule to the correct table/filter (and stopping the iptables rules) the counters on the nft rule started to increment.
So, I really think the important thing now is for me to grok what firewalld provides to this picture. Maybe your suggested reading will turn on a light. Thank you.
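For the counter-stays-at-zero problem earlier in the thread, here is an added example (not code from any post here) that reads `nft -j list ruleset` output and reports, for every rule matching the `ip daddr` + `udp dport` pair, which hook its chain sits on and what its counter shows; the ruleset JSON is a constructed sample and 203.0.113.7 is a placeholder for the masked server address.

```python
"""Locate nftables rules by `ip daddr` + `udp dport` in `nft -j list ruleset`
output and report each one's chain, hook and packet counter.
Added example for this thread, not code from any post; SAMPLE_RULESET is a
constructed sample in the JSON shape nft emits (203.0.113.7 stands in for
the masked server address)."""
import json

# Constructed: the same match in an input-hook chain (locally generated
# traffic never passes the input hook, so its counter stays 0) and in OUTPUT.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter", "name": "INPUT", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "ip", "table": "filter", "name": "OUTPUT", "handle": 2,
               "type": "filter", "hook": "output", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "filter", "chain": "INPUT", "handle": 3, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}}, "right": "203.0.113.7"}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 4500}},
        {"counter": {"packets": 0, "bytes": 0}}, {"reject": None}]}},
    {"rule": {"family": "ip", "table": "filter", "chain": "OUTPUT", "handle": 4, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}}, "right": "203.0.113.7"}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 4500}},
        {"counter": {"packets": 17, "bytes": 2856}}, {"reject": None}]}},
]})


def _payload_matches(expr):
    """Yield (protocol, field, value) for each payload match in a rule's expr list."""
    for e in expr:
        left = e.get("match", {}).get("left")
        if isinstance(left, dict) and "payload" in left:
            yield left["payload"]["protocol"], left["payload"]["field"], e["match"]["right"]


def find_rules(ruleset_json, daddr, dport):
    """Return [(chain, hook, packets)] for every rule matching daddr and udp dport.

    A rule with hook 'input' and packets 0 is the symptom from this thread:
    the match is right, but outbound traffic only traverses the output hook."""
    objs = json.loads(ruleset_json)["nftables"]
    hooks = {(c["table"], c["name"]): c.get("hook")  # only base chains carry a hook
             for c in (o["chain"] for o in objs if "chain" in o)}
    found = []
    for r in (o["rule"] for o in objs if "rule" in o):
        fields = set(_payload_matches(r["expr"]))
        if ("ip", "daddr", daddr) in fields and ("udp", "dport", dport) in fields:
            packets = next((e["counter"]["packets"] for e in r["expr"] if "counter" in e), None)
            found.append((r["chain"], hooks.get((r["table"], r["chain"])), packets))
    return found
```

Fed real `nft -j list ruleset` output, a matching rule that sits in an input-hook chain with a zero counter points at the wrong chain rather than a wrong match.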
I have my nft rules added and they function well. However, they do not persist over a reboot. I thought this would handle that:
# firewall-cmd --runtime-to-permanent
success
Success here would be if I rebooted and the nft added rules were active, not the case.
So, if I add rules and firewalld is aware of them, how do you make them persist across reboot? Perhaps this is a hapless venture and I have to either dump firewalld or learn to write my rules in firewall-cmd syntax.
Thank you for all your comments. I don’t understand half of them, dbus integration, flush ruleset and others. I really have a ton of reading to do to get off the ground, but that’s really the problem. You have to set up a firewall in order to use a system and you have to have a system to use to do the reading. Chicken/egg. I got off track and have something working, but it’s probably not “right.” Now that I have something working, I’ll go back and try to understand and clean up the mess I made.
Your comments have been helpful, very helpful as I didn’t really know these were questions at all.
“Flush ruleset” is fairly simple. When you are starting nftables, if any rules are in place from a prior session, it removes them. Thus, when the new rules are loaded, they are not stacked on top of the old rules; the mix could cause unintended consequences.