Eric Garver
This is as per the documentation, `man firewall-cmd`: `--set-log-denied=value` Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default are: all, unicast,...
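Once `--set-log-denied` is enabled, the denied packets show up in the journal as ordinary netfilter log lines carrying the prefix of the rule that matched. The script below is an added example (not firewalld's code and not from the comment above) that parses such lines and summarizes them per source. The prefix names `FINAL_REJECT`, `FINAL_DROP` and `STATE_INVALID_DROP` are assumed from firewalld's generated rules and should be checked against your installed version; the log lines themselves are constructed, not real captures.

```python
import re
from collections import Counter, defaultdict

# Log prefixes used by firewalld's log-denied rules. Assumed from the firewalld
# source; confirm with `nft list ruleset | grep 'log prefix'` on your system.
DENY_PREFIXES = ("FINAL_REJECT", "FINAL_DROP", "STATE_INVALID_DROP")

# Constructed sample journal lines (not real captures), shaped like the kernel's
# netfilter log output after `firewall-cmd --set-log-denied=all`.
SAMPLE_LOG = """\
kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=41532 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=41533 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=443 DPT=39822 WINDOW=0 RES=0x00 ACK RST URGP=0
kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=32 TOS=0x00 PREC=0x00 TTL=53 ID=7 PROTO=UDP SPT=5353 DPT=161 LEN=12
sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 50022 ssh2
"""

_PREFIX_RE = re.compile(r"(?P<prefix>" + "|".join(DENY_PREFIXES) + r"): (?P<fields>.*)$")
_FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_denied(text):
    """Return one dict per denied-packet log line; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = _PREFIX_RE.search(line)
        if not m:
            continue
        ev = {"prefix": m.group("prefix")}
        # KEY=VALUE fields become dict entries; bare flags (DF, SYN, ACK, RST)
        # carry no '=' and are skipped.
        ev.update(_FIELD_RE.findall(m.group("fields")))
        events.append(ev)
    return events


def top_sources(events, n=10):
    """Most frequently denied source addresses, as (address, count) pairs."""
    return Counter(ev.get("SRC", "?") for ev in events).most_common(n)


def port_scan_suspects(events, min_ports=3):
    """Sources denied on at least `min_ports` distinct (protocol, port) targets."""
    targets = defaultdict(set)
    for ev in events:
        if "DPT" in ev:
            targets[ev.get("SRC", "?")].add((ev.get("PROTO"), ev["DPT"]))
    return {src for src, t in targets.items() if len(t) >= min_ports}


if __name__ == "__main__":
    evs = parse_denied(SAMPLE_LOG)
    print(f"{len(evs)} denied packets")
    for src, count in top_sources(evs):
        print(f"{src:16} {count}")
    print("port-scan suspects:", sorted(port_scan_suspects(evs)))
```

On a live system, feed it `journalctl -k -o cat` (or the `/var/log/firewalld` file mentioned in the next comment does not contain these lines; they come from the kernel log), and remember that with `--set-log-denied=all` a busy host can produce a large log volume, so the `unicast`/`broadcast`/`multicast` values exist to narrow it.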
> Thank you for the info. But shouldn't it work without reloading the firewall and let the user do the reloading? Or is there something I'm missing here?

IMO, it's...
Can you share the firewalld logs, `/var/log/firewalld`? I see firewalld is running using python2. It hasn't defaulted to python2 in some time. What version and OS are you using?
Also reported in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2361082
Maybe fixed by #1440?
Agree. This has been requested a few times. I think it's a needed feature that's still missing.
I would merge a change that adds generic SNAT support; assuming the implementation/PR is quality.
> is there any progress or work being done on a native SNAT implementation in firewalld?

I am currently not working on it.
As of commits becd083fc2905921651af73cb15ce8c9aba9203b and 9c6cb982981ad0aee5b85773823614ca7fd69073 (v2.2.0 or later), the systemd firewalld and nftables services can co-exist without wiping out each other's rules. Perhaps that can meet your needs. IMO,...
A better alternative to adding a lot of `sources` to a zone is to use an `ipset` as the zone source. Both rule application and execution should be faster.
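As an added example (not firewalld's code and not part of the comment above), the script below shows the two ways of attaching a list of addresses to a zone side by side: one `--add-source` per address, versus one ipset holding all of them and a single `--add-source=ipset:NAME`. It renders the ipset in the XML format documented in firewalld.ipset(5), picks `hash:ip` when every entry is a single host and `hash:net` otherwise, and refuses an IPv4/IPv6 mix since one ipset holds one family. The set name `blocklist`, the `drop` zone and the file path are assumptions; the `firewall-cmd` flags used (`--new-ipset-from-file`, `--add-source=ipset:`) are the ones the tool documents.

```python
import ipaddress
from xml.etree import ElementTree as ET


def classify(entries):
    """Choose (ipset type, address family) for a list of addresses or CIDRs.

    Raises ValueError on an IPv4/IPv6 mix: an ipset holds a single family,
    so mixed input needs two ipsets and two --add-source calls.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    if not nets:
        raise ValueError("no entries")
    versions = {n.version for n in nets}
    if len(versions) != 1:
        raise ValueError("IPv4 and IPv6 entries cannot share one ipset")
    family = "inet" if versions == {4} else "inet6"
    all_hosts = all(n.prefixlen == n.max_prefixlen for n in nets)
    return ("hash:ip" if all_hosts else "hash:net", family)


def ipset_xml(name, entries, description=""):
    """Render a firewalld ipset file (layout of firewalld.ipset(5)) as a string."""
    set_type, family = classify(entries)
    root = ET.Element("ipset", type=set_type)
    ET.SubElement(root, "short").text = name
    if description:
        ET.SubElement(root, "description").text = description
    ET.SubElement(root, "option", name="family", value=family)
    for e in entries:
        net = ipaddress.ip_network(e, strict=False)
        # hash:ip entries are plain addresses; hash:net entries keep the prefix.
        text = str(net.network_address) if set_type == "hash:ip" else str(net)
        ET.SubElement(root, "entry").text = text
    ET.indent(root)  # Python 3.9+
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def per_source_commands(zone, entries):
    """The slow way: one zone source per address, so the rule set grows with the list."""
    return [f"firewall-cmd --permanent --zone={zone} --add-source={e}" for e in entries]


def ipset_source_commands(zone, name, xml_path):
    """The fast way: load the ipset from its XML file and reference it once from the zone."""
    return [
        f"firewall-cmd --permanent --new-ipset-from-file={xml_path} --name={name}",
        f"firewall-cmd --permanent --zone={zone} --add-source=ipset:{name}",
        "firewall-cmd --reload",
    ]


if __name__ == "__main__":
    # Constructed sample list (documentation ranges, not real attackers).
    blocklist = ["10.0.0.0/8", "192.0.2.0/24", "203.0.113.7"]
    xml_path = "/tmp/blocklist.xml"  # assumed location
    with open(xml_path, "w", encoding="utf-8") as fh:
        fh.write(ipset_xml("blocklist", blocklist, "constructed example"))
    print("# per-source (one rule set per entry):")
    print("\n".join(per_source_commands("drop", blocklist)))
    print("# ipset (constant number of rules, entries live in the set):")
    print("\n".join(ipset_source_commands("drop", "blocklist", xml_path)))
```

The number of `firewall-cmd` calls in the ipset variant stays at three no matter how long the list is, and the generated nftables/iptables rules reference the set rather than each address; that is where the faster application and packet-path lookup come from. Growing the list later is `firewall-cmd --permanent --ipset=blocklist --add-entry=ADDR` (or `--add-entries-from-file`) followed by a reload, with no change to the zone.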