Eric Garver
That's a distribution decision. The firewalld project does not have any influence over what distributions enable by default.
Closing since this question was answered.
It generates a very dumb list of rules. Largely to deal with unwritten rules in zone/policy dispatch, e.g. sources before interfaces, sources sorted by zone name. The rule generation needs...
> which seems to flip the input interface name and the output interface name.

That was fixed in #1406.

> Any news on rule generation optimization?

No.
I did verify that this is due to the massive amount of rules being generated. Fixing this means having to change how zone/policy dispatch works. As such, it will take...
There is no status. Firewalld has to generate a lot of rules to do the policy/zone dispatch. Improving this will likely require features in nftables to allow firewalld to do...
This is specifically a non-goal for firewalld. As you've discovered, the workaround is to mark packets as `NOTRACK`.
It's unclear to me why conntrack considers these packets `INVALID`. Do you have any more insight as to why? The workaround would be to mark them `NOTRACK` as @uebian suggested.
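The `NOTRACK` workaround named in the two comments above, written out as an added example (this is not code from Eric Garver or the firewalld project). It assumes the affected traffic is UDP to port 5000 arriving on `eth1`; the table name, interface and port are placeholders to adjust. The rules sit in a table of their own, at raw priority (-300), so they run before conntrack sees the packet; a packet marked `notrack` never gets a conntrack entry, so a later `ct state invalid` drop rule cannot match it.

```nft
# Added example, not part of the firewalld project.
# Assumed traffic: UDP port 5000 on eth1 (placeholders; change to match your case).
# A separate table is used so that firewalld, which manages only its own table,
# leaves these rules alone across reloads.
table inet notrack_example {
    chain prerouting {
        # raw == -300: evaluated before conntrack assigns a state
        type filter hook prerouting priority raw; policy accept;
        iifname "eth1" udp dport 5000 notrack
    }
    chain output {
        # Also exempt the locally generated replies from tracking
        type filter hook output priority raw; policy accept;
        oifname "eth1" udp sport 5000 notrack
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet notrack_example`. Because the packets bypass conntrack entirely, nothing that relies on connection state (NAT, `ct state established` shortcuts) applies to them, so the accept rules for that traffic must be explicit in both directions.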
> If I add this interface to the TRUST zone, while the service is open to internal IP addresses, they will also be open to all public IP addresses.

You...