
Advanced Firewall Support

Open troglobit opened this issue 3 months ago • 0 comments

Description

Umbrella task and brainstorming topic for advanced firewall features, including outstanding TODOs from #448

  • [ ] Support ipsets, with RPC support for dynamic blocking/allowing IPs in an ipset

  • [ ] Integrate fail2ban

  • [ ] Investigate fail2ban integration with firewalld, for more info, see: https://github.com/firewalld/firewalld/issues/1466#issuecomment-2773130569

  • [ ] firewalld helpers -- possibly for conntrack, e.g., ftp

  • [ ] With `modprobe br_netfilter` firewalld would see all traffic, but there are issues, https://github.com/firewalld/firewalld/issues/1236, and limits to what seems to be possible atm. You may also need to enable these callbacks:

    echo 1 | sudo tee /proc/sys/net/bridge/bridge-nf-call-iptables
    echo 1 | sudo tee /proc/sys/net/bridge/bridge-nf-call-ip6tables
    echo 1 | sudo tee /proc/sys/net/bridge/bridge-nf-call-arptables
    
  • [ ] Investigate filtering out firewall log messages from other log files

  • [ ] Podman published ports, https://firewalld.org/2024/11/strict-forward-ports

  • [ ] Software fastpath https://firewalld.org/2023/05/nftables-flowtable

Additional Information

No response

General Information

Anyone can help out by sponsoring development of new features or contributing pull requests. Please use this issue for discussions related to the feature.

troglobit, Oct 06 '25 11:10