tcpdump shows that all the traffic to server xxx.xxx.xxx.xxx is via UDP. I added a counter to the rule and it stays all zeros. Bunch of questions:
Why does this not work?
Is it a problem that it put the rule in this table/chain?
Why did firewall-cmd put it there?
BTW, if I put the above iptables rule in on the same system using the iptables cmd, the traffic goes to TCP. It's just that I need to move on from iptables and don't know a lot about it. I need this rule to work in order to move on, chicken/egg.
This is at the heart of my question. The rule neglects to declare an “OUTPUT” table, it is filtering on input (I guess, IDK for sure). I’ll try it the other way and with a counter. Then I’ll delete my iptables rule.
Yes, iptables is running also. I didn’t start it, this is a fresh Fedora 32 install. It came that way, but rules are not persistent by default.
Thank you. I'll give them a read shortly. I really need to gain perspective.
This transition from iptables is confusing. So, nft is underneath firewalld. I'm curious what the firewalld layer provides? It's confusing because it seems writing rules for one is not the same as writing for the other. The syntax is not the same, so I have to learn two packages to get a firewall running?
I have my nft rules added and they function well. However, they do not persist over a reboot. I thought this would handle that:
# firewall-cmd --runtime-to-permanent
Success here would be if I rebooted and the nft added rules were active, not the case.
So, if I add rules and firewalld is aware of them, how do you make them persist across reboot? Perhaps this is a hapless venture and I have to either dump firewalld or learn to write my rules in firewall-cmd syntax.
Thank you for all your comments. I don't understand half of them, dbus integration, flush ruleset and others. I really have a ton of reading to do to get off the ground, but that's really the problem. You have to set up a firewall in order to use a system, and you have to have a system to use to do the reading. Chicken/egg. I got off track and have something working, but it's probably not "right." Now that I have something working, I can go back and try to understand and clean up the mess I made.
Your comments have been helpful, very helpful as I didn’t really know these were questions at all.
“Flush ruleset” is fairly simple. When you are starting nftables, if any rules are in place from a prior session, it removes them. Thus, when the new rules are loaded, they are not stacked on top of the old rules; the mix could cause unintended consequences.
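An added example (not posted by anyone in this thread) of what a self-contained nftables ruleset file looks like with `flush ruleset` at the top, written for the two questions above: why a counter can stay at zero, and how to reload rules without stacking them. The table name `myfw`, the address 192.0.2.10 and port 5000 are placeholders standing in for the poster's xxx.xxx.xxx.xxx server; they are assumptions, not values from the thread.

```nft
#!/usr/sbin/nft -f
# Added example for this thread, not the poster's rules.
# Placeholders: table "myfw", server 192.0.2.10, UDP port 5000.

# Remove every table from the previous load so this file is the whole ruleset.
# Caveat: "flush ruleset" deletes ALL tables, including ones owned by other
# tools such as firewalld's "inet firewalld" table, if that service is running.
flush ruleset

define server = 192.0.2.10
define server_port = 5000

table inet myfw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Packets FROM the server arrive here. The rule sits before the
        # generic "established" accept so its counter actually sees the
        # replies; a counter only counts packets that reach its rule.
        ip saddr $server udp sport $server_port counter accept

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Traffic TO the server leaves through the output hook. A matching
        # rule placed only in the input chain never sees these packets,
        # which is one way a counter stays at "packets 0 bytes 0".
        ip daddr $server udp dport $server_port counter accept
    }
}
```

Load it with `nft -f /etc/nftables/myfw.nft` and inspect with `nft list ruleset`; each `counter` shows `packets N bytes M`, so sending UDP traffic to the server should move the output chain's counter and the replies should move the input chain's. Because the file begins with `flush ruleset`, running `nft -f` a second time gives the same ruleset rather than duplicate rules. On Fedora the nftables.service runs `nft -f /etc/sysconfig/nftables.conf` at boot, so including this file from there and enabling that service is the nftables-native way to persist it; `firewall-cmd --runtime-to-permanent` saves only firewalld's own configuration, and rules added directly with `nft` are not part of that. Since both firewalld and a `flush ruleset` file claim the whole ruleset, pick one of the two to own the firewall rather than running both.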