How to migrate from iptables to firewalld

TrevorH
Forum Moderator
Posts: 26942
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to migrate from iptables to firewalld

Post by TrevorH » 2019/10/31 21:56:51

If you look at the ridiculous ruleset that firewalld uses by default, you'll see it's much easier to start by amending that rather than trying to coerce your existing rules to match it.

If you don't like firewalld then don't use it. CentOS 7 has iptables-services and ipset-service packages and those together can be used to revert to plain old iptables.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke
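The "revert to plain old iptables" route TrevorH mentions, written out as an added example (this is not code from the thread or from the CentOS project). It assumes a CentOS 7 host, that the iptables-services and ipset-service packages are installable, and that /etc/sysconfig/iptables is the file iptables.service loads; the ruleset it writes is a constructed minimum (ssh only), not a recommendation for any particular machine. The switch itself only runs when the script is invoked with the word apply, so the helper functions can be exercised without touching the running firewall.

```shell
#!/bin/bash
# Added example: move a CentOS 7 host from firewalld to iptables-services.
# Assumptions: CentOS 7, yum repos reachable, iptables.service reads
# /etc/sysconfig/iptables. The ruleset below is constructed for illustration.
set -e

# Print a minimal iptables-restore ruleset: drop INVALID early, keep
# established flows, allow loopback, ICMP and ssh, reject everything else.
write_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Number of rules the ruleset appends to INPUT (a quick sanity check
# before anything is applied).
count_input_rules() {
    write_ruleset | grep -c '^-A INPUT '
}

# Apply the switch. Order matters: validate the file first, stop firewalld
# before starting iptables so the two services never manage the same
# tables at once, and mask firewalld so a later package update cannot
# re-enable it behind your back.
switch_to_iptables_services() {
    local target=/etc/sysconfig/iptables
    yum -y install iptables-services ipset-service
    write_ruleset > "$target.new"
    # Parse-only check: a syntax error here means iptables.service would
    # fail at boot, which on CentOS 7 leaves the host with no filtering.
    iptables-restore --test < "$target.new"
    mv "$target.new" "$target"
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl mask firewalld
    systemctl enable iptables
    systemctl start iptables
    # Show what is now loaded, in the same syntax as the file we wrote.
    iptables -S INPUT
}

if [ "${1:-}" = "apply" ]; then
    switch_to_iptables_services
fi
```

Run it from a console or an out-of-band session rather than over ssh the first time: if port 22 is not the one your sshd listens on, the REJECT rule cuts you off the moment iptables.service starts. `systemctl disable --now` is deliberately avoided because the systemd shipped with CentOS 7 predates that flag.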

jlehtone
Posts: 2383
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to migrate from iptables to firewalld

Post by jlehtone » 2019/11/01 08:09:46

TrevorH wrote:
2019/10/31 21:56:51
If you look at the ridiculous ruleset that firewalld uses by default, you'll see it's much easier to start by amending that rather than trying to coerce your existing rules to match it.
I presume that developers say "automatically generated" or "machine readable" (and definitely "not for human eyes") when we say "ridiculous".
It's the same with raw sources generated by Word/Writer, email clients that inject html, webhotel page creators, etc. Atrocious.

The important thing is to separate what from how. The what is more abstract.

For example the "discard clearly bad packets early" is a what. (Btw, does it add security or just improve throughput?)
The exact syntax to achieve the effect with Debian/CentOS iptables/nftables/firewall-cmd is a how.

Firewall front-ends (firewalld, UFW, clickety-clack GUI crap) attempt to present what-like options to the user. However, the set of options on a front-end might not cover all that the back-end can do.

Some users claim to write more efficient assembly than the best compilers. They have very specific what to achieve and they know exactly how.

J-B wrote:
2019/10/31 17:35:14
I am just struggling with the at least to me immensely complex CHAIN- and REFERENCE-Complexity of CentOS...
On a Debian 10 there are exactly 3 CHAINs by default and no Reference if I do remember right.
What is a 'reference'?

Netfilter (in kernel) does indeed have 3 built-in chains in the filter table. (nftables has 0 chains by default.)
RHEL 5 did add one custom "reusable" chain. RHEL 6, like Debian, did not.
Firewalld in RHEL 7 and 8 adds many custom chains. As said, one is expected to "speak firewall-cmd" rather than read iptables/nft directly.

Yes, it is a struggle; how to detect the essential and ignore the insignificant from the flood of "data".
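On the "what is a reference" and "many custom chains" points, an added example (not from the thread or from firewalld): the "(N references)" that `iptables -L` prints next to a user-defined chain is just the number of rules elsewhere that jump into it with `-j` or `-g`; built-in chains carry a policy instead. The script below works that out from `iptables-save` style output, which is what firewalld actually produces on RHEL/CentOS 7. The dump is constructed and shortened, modelled on firewalld's INPUT_direct / INPUT_ZONES / IN_public chain naming, so the counts are illustrative rather than a capture from a real host.

```shell
#!/bin/bash
# Added example: count user-defined chains and their references in an
# iptables-save dump. The dump below is constructed for illustration and
# imitates the chain layout firewalld generates; it is not a real capture.
set -e

sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# User-defined chains are declared as ":NAME - [pkts:bytes]"; built-in
# chains have a policy (ACCEPT/DROP) in place of the "-".
count_custom_chains() {
    awk '/^:/ && $2 == "-" { n++ } END { print n + 0 }'
}

# Print "CHAIN REFS" for every user-defined chain: the reference count is
# the number of -j or -g rules whose target is that chain.
chain_refs() {
    awk '
        /^:/ && $2 == "-" { sub(/^:/, "", $1); refs[$1] = 0 }
        /^-A / {
            for (i = 1; i < NF; i++)
                if (($i == "-j" || $i == "-g") && ($(i + 1) in refs))
                    refs[$(i + 1)]++
        }
        END { for (c in refs) print c, refs[c] }
    ' | sort
}

# Reference count of one chain in the sample dump (0 if unreferenced).
refs_of() {
    sample_dump | chain_refs | awk -v c="$1" '$1 == c { print $2 }'
}

echo "custom chains: $(sample_dump | count_custom_chains)"
sample_dump | chain_refs
```

On a real host replace `sample_dump` with `iptables-save` (or `iptables-save -t filter`). A chain whose count stays at 0 is dead weight that nothing can reach, which is exactly the sort of thing that disappears in the "flood of data" when you read the dump by eye. Note that firewalld uses `-g` (goto) as well as `-j` for its zone dispatch, so a count based on `-j` alone would miss the IN_public references above.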
