I am trying to get a command that gives a complete listing of the firewall state at a point in time.
something like `iptables -L -v -n`
I had started to write a script which loops over all the interfaces and then all the zones and all the other objects and I got to 5 while loops deep and thought that there must be a better way.
This is for 2 reasons. One to be able to create a diff of any changes and the other to be able to build a mental picture of the whole state for debugging.
Tim Hughes mailto:thughes@thegoldfish.org
On 1/31/21 6:51 PM, Tim Hughes wrote:
> I am trying to get a command that gives a complete listing of the firewall state at a point in time.
> something like `iptables -L -v -n`
> I had started to write a script which loops over all the interfaces and then all the zones and all the other objects and I got to 5 while loops deep and thought that there must be a better way.
> This is for 2 reasons. One to be able to create a diff of any changes and the other to be able to build a mental picture of the whole state for debugging.
`firewall-cmd --list-all`
??
Actually there are a whole bunch of --list... options available. As always, there is man.
Try `iptables -S`.
-- 
"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us." Bill Watterson (Calvin & Hobbes)
On Jan 31, 2021, at 7:15 PM, Robert Moskowitz rgm@htt-consult.com wrote:
> On 1/31/21 6:51 PM, Tim Hughes wrote:
>> I am trying to get a command that gives a complete listing of the firewall state at a point in time.
>> something like `iptables -L -v -n`
>> I had started to write a script which loops over all the interfaces and then all the zones and all the other objects and I got to 5 while loops deep and thought that there must be a better way.
>> This is for 2 reasons. One to be able to create a diff of any changes and the other to be able to build a mental picture of the whole state for debugging.
> firewall-cmd --list-all
> ??
> Actually there are a whole bunch of --list... options available. As always there is man
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos...
On Sun, Jan 31, 2021 at 11:51:07PM +0000, Tim Hughes wrote:
> I am trying to get a command that gives a complete listing of the firewall state at a point in time.
> something like `iptables -L -v -n`
Newer firewalld uses nftables. So `nft list ruleset`.
> I had started to write a script which loops over all the interfaces and then all the zones and all the other objects and I got to 5 while loops deep and thought that there must be a better way.
# firewall-cmd --list-all-zones
# firewall-cmd --list-all-policies
In the basic use case the above will be sufficient. The latter only applies to v0.9.0 or later.
If you use ipsets or direct rules then you'll have to list those as well.
> This is for 2 reasons. One to be able to create a diff of any changes and the other to be able to build a mental picture of the whole state for debugging.
Maybe it's better to diff the configuration files in `/etc/firewalld`.
On Mon, Feb 01, 2021 at 07:41:54AM -0500, Eric Garver wrote:
> On Sun, Jan 31, 2021 at 11:51:07PM +0000, Tim Hughes wrote:
>> I am trying to get a command that gives a complete listing of the firewall state at a point in time.
>> something like `iptables -L -v -n`
> Newer firewalld uses nftables. So `nft list ruleset`.
If you're using older firewalld or the iptables backend then you can use `iptables-save`.
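Putting the suggestions from the thread together into something that can be run before and after a change, here is an added example script (not from the thread, and not firewalld's own tooling). It writes each listing named above (`firewall-cmd --list-all-zones`, `--list-all-policies`, the ipset and direct-rule listings, `nft list ruleset`, `iptables-save`) plus a copy of `/etc/firewalld` into a snapshot directory, and diffs two such directories. The function names `run_listing`, `snapshot_firewall` and `diff_snapshots`, the output file names and the `/var/tmp` paths are choices made for this example. Tools that are not installed are recorded rather than treated as errors, so the same script works on hosts with either the nftables or the iptables backend; most of the listings need root to be complete.

```shell
#!/bin/sh
# Added example (not from the thread): capture the whole firewalld state into a
# directory of text files, one per listing command, so that two snapshots taken
# at different times can be diffed. Output file names are this example's choice.

# run_listing OUTFILE CMD ARGS...: run one listing command, writing its output
# to OUTFILE. A missing tool or a failing command is recorded in the file
# instead of aborting, so every snapshot has the same layout.
run_listing() {
    out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || echo "# '$*' exited with status $?" >> "$out"
    else
        echo "# $1 not installed on this host" > "$out"
    fi
}

# snapshot_firewall DIR: write the runtime state and the permanent
# configuration into DIR.
snapshot_firewall() {
    dir="$1"
    mkdir -p "$dir"
    # Runtime state as firewalld sees it (the commands named in the thread).
    run_listing "$dir/zones.txt"    firewall-cmd --list-all-zones
    run_listing "$dir/policies.txt" firewall-cmd --list-all-policies   # firewalld >= 0.9.0
    run_listing "$dir/ipsets.txt"   firewall-cmd --get-ipsets
    run_listing "$dir/direct.txt"   firewall-cmd --direct --get-all-rules
    # What the kernel actually enforces, for whichever backend is in use.
    run_listing "$dir/nft.txt"      nft list ruleset
    run_listing "$dir/iptables.txt" iptables-save
    # Permanent configuration, so the config files can be diffed as well.
    if [ -d /etc/firewalld ]; then
        cp -R /etc/firewalld "$dir/etc-firewalld" 2>/dev/null || true
    fi
}

# diff_snapshots OLD NEW: print a unified diff of every file that changed
# between two snapshot directories. Returns 0 when nothing changed, 1 otherwise.
diff_snapshots() {
    changed=0
    for name in $( { ls "$1"; ls "$2"; } | sort -u ); do
        # -N treats a file present in only one snapshot as empty in the other;
        # -r descends into the copied /etc/firewalld tree.
        if ! diff -ruN "$1/$name" "$2/$name"; then
            changed=1
        fi
    done
    return $changed
}

# Typical use: take a baseline, make a change, take another snapshot, diff.
#   snapshot_firewall /var/tmp/fw-before
#   firewall-cmd --add-service=http        # or whatever change is being made
#   snapshot_firewall /var/tmp/fw-after
#   diff_snapshots /var/tmp/fw-before /var/tmp/fw-after
```

Because the runtime listings and the permanent configuration are captured side by side, a diff that shows a change in `zones.txt` but not under `etc-firewalld/` is a quick way to spot a runtime-only change that will disappear on the next reload.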