TrevorH wrote:
If you look at the ridiculous ruleset that firewalld uses by default, you'll see it's much easier to start by amending that rather than trying to coerce your existing rules to match it.
I presume that developers say "automatically generated" or "machine readable" (and definitely "not for human eyes") when we say "ridiculous".
Its the same with raw sources generated by Word/Writer, email clients that inject html, webhotel page creators, etc. Atrocious.
The important thing is to separate what from how. The what is more abstract. For example, "discard clearly bad packets early" is a what. (Btw, does it add security or just improve throughput?)
The exact syntax to achieve the effect with Debian/CentOS iptables/nftables/firewall-cmd is a how.
Firewall front-ends (firewalld, UFW, clickety-clack GUI crap) attempt to present what-like options to the user. However, the set of options on a front-end might not cover all that the back-end can do.
Some users claim to write more efficient assembly than the best compilers. They have very specific what to achieve and they know exactly how.
J-B wrote:
I am just struggling with the, at least to me, immensely complex CHAIN- and REFERENCE-complexity of CentOS...
On a Debian 10 there are exactly 3 CHAINs by default and no references, if I remember right.
What is a 'reference'?
Netfilter (in kernel) does indeed have 3 built-in chains in the filter table. (nftables has 0 chains by default.)
RHEL 5 did add one custom "reusable" chain. RHEL 6, like Debian, did not.
Firewalld in RHEL 7 and 8 adds many custom chains. As said, one is expected to "speak firewall-cmd" rather than read iptables/nft directly.
Yes, it is a struggle; how to detect the essential and ignore the insignificant from the flood of "data".
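As an added example (not code from this thread, from firewalld or from netfilter), the following Python script parses an iptables-save style dump, counts the "references" that `iptables -L` prints next to each user-defined chain (the number of -j/-g rules pointing at it) and flattens the path through INPUT into the verdict rules a packet can actually meet, in evaluation order. That flattened list is the what; the chain scaffolding is the how. The dump is constructed by hand and only modelled on the chain names firewalld creates (INPUT_direct, INPUT_ZONES, IN_public...); its rules, counters and the OLD_CUSTOM chain are made up, and the function names are my own.

```python
import shlex
from collections import defaultdict, namedtuple

# One -A line: chain it sits in, its match expression, 'j' or 'g', the
# target, and any options that follow the target (e.g. --reject-with).
Rule = namedtuple("Rule", "chain match action target target_opts")

# Constructed sample in iptables-save format, modelled on firewalld's
# chain layout. Not a real dump; OLD_CUSTOM is a leftover nothing uses.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_log - [0:0]
:OLD_CUSTOM - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OLD_CUSTOM -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return ({chain: policy, or None for user chains}, [Rule, ...])."""
    chains, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = None if policy == "-" else policy
        elif line.startswith("-A "):
            toks = shlex.split(line)          # keeps quoted --log-prefix intact
            chain, body = toks[1], toks[2:]
            for i, tok in enumerate(body):
                if tok in ("-j", "-g"):
                    rules.append(Rule(chain, " ".join(body[:i]), tok[1],
                                      body[i + 1], " ".join(body[i + 2:])))
                    break
            else:                             # no target: a counting-only rule
                rules.append(Rule(chain, " ".join(body), None, None, ""))
    return chains, rules


def reference_counts(chains, rules):
    """The 'N references' iptables -L prints: rules that -j/-g each user chain."""
    counts = {n: 0 for n, policy in chains.items() if policy is None}
    for r in rules:
        if r.target in counts:
            counts[r.target] += 1
    return counts


def unreferenced_chains(chains, rules):
    """User chains nothing jumps to: loaded in the kernel, never evaluated."""
    return sorted(n for n, c in reference_counts(chains, rules).items() if c == 0)


def effective_rules(chains, rules, chain):
    """Verdict rules reachable from `chain`, in evaluation order.

    -j inlines the sub-chain and then continues with the next rule.
    -g (goto) also enters the sub-chain, but a RETURN from it goes back to
    whoever jumped into the *current* chain, so after an unconditional -g
    the rest of the current chain is unreachable. Each entry carries the
    chain path; a conditional jump shows its match in brackets.
    """
    by_chain = defaultdict(list)
    for r in rules:
        by_chain[r.chain].append(r)
    out = []

    def walk(name, labels, seen):
        if name in seen:                      # the kernel rejects loops; be safe
            raise ValueError("chain loop via " + name)
        for r in by_chain[name]:
            if r.target is None:
                continue
            if chains.get(r.target, "x") is None:          # user chain
                label = r.target + ("[" + r.match + "]" if r.match else "")
                walk(r.target, labels + (label,), seen | {name})
                if r.action == "g" and not r.match:
                    return
            else:
                text = " ".join(t for t in (r.match, "-" + r.action,
                                            r.target, r.target_opts) if t)
                out.append(" > ".join(labels) + ": " + text)

    walk(chain, (chain,), frozenset())
    if chains.get(chain):
        out.append(chain + ": policy " + chains[chain])
    return out


if __name__ == "__main__":
    chains, rules = parse_dump(SAMPLE_DUMP)
    for name, n in sorted(reference_counts(chains, rules).items()):
        print("%-16s %d references" % (name, n))
    print("unreferenced:", unreferenced_chains(chains, rules))
    print("\nEffective INPUT path:")
    for entry in effective_rules(chains, rules, "INPUT"):
        print(" ", entry)
```

Run it against a real `iptables-save` dump instead of SAMPLE_DUMP and the nine-line INPUT path is what to review; the empty firewalld chains (INPUT_direct, IN_public_log) and the unreferenced leftovers drop out of the listing, which is the "essential versus insignificant" filter the thread is asking for. It does not model nftables `nft list ruleset` syntax or the nat/mangle tables.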