IPtables, Firewalld - The right firewall?
Hi,
I'm going to replace my old Cisco router with a Linux gateway.
I've used Ubuntu in the past, but it seems Centos is a better fit for an internet gateway.
I see that Firewalld is the new firewall of choice, but I can't seem to find enough information about its workings.
When allowing a protocol/port and specifying a zone, is it for incoming or outgoing connections?
How do I specify the direction of a rule and also the source IP address?
I used IPtables a couple of years ago, and wonder if it would be easier for me to continue using IPtables or move to Firewalld?
I have a network with several zones and tight rules that match on both source and destination IP addresses as well as ports - is that possible to do with Firewalld?
--
R o n n i
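Added example, not from the thread or from any of its posters: the three things the question asks about (direction, source address, source+destination+port) written as firewall-cmd calls for the CentOS 7 generation of firewalld, which has no "policies" and filters forwarded traffic only through the direct interface. It prints the commands and runs them only with APPLY=1; interface names and addresses are constructed, and it assumes NetworkManager is not assigning the interfaces to zones itself.

```shell
#!/bin/sh
# Added example: firewalld equivalents of the zone/direction/source questions
# above, for CentOS 7 era firewalld (0.4-0.6, before "policies" existed).
# Commands are printed; they run only with APPLY=1.
# Interface names and addresses are constructed (RFC 5737 test ranges).
LAN_IF="eth1"                 # assumed internal interface
WAN_IF="eth0"                 # assumed internet-facing interface
GW_LAN_IP="192.0.2.1"         # the gateway's own LAN address
MGMT_NET="192.0.2.0/24"       # network allowed to manage the gateway
SERVER="198.51.100.10"        # host beyond the gateway that MGMT_NET may reach

run() {
  echo "firewall-cmd --permanent $*"
  if [ "${APPLY:-0}" = "1" ]; then firewall-cmd --permanent "$@"; fi
}

# Rich rule matching source, destination and TCP port. In this firewalld
# generation rich rules are evaluated for traffic addressed to the gateway
# itself (INPUT), so "destination" must be one of the gateway's own addresses.
rich_rule() {
  printf 'rule family=ipv4 source address=%s destination address=%s port port=%s protocol=tcp accept' "$1" "$2" "$3"
}

# Direct rule for traffic the gateway forwards between networks: plain iptables
# arguments handed to the FORWARD chain, which zone services/ports never touch.
forward_rule() {
  printf 'ipv4 filter FORWARD 0 -i %s -o %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT' "$1" "$2" "$3" "$4" "$5"
}

# 1. Direction: a zone's services/ports/rich rules allow *incoming* connections
#    to the gateway on the interfaces and sources bound to that zone.
run --zone=internal --change-interface="$LAN_IF"
run --zone=external --change-interface="$WAN_IF"

# 2. Source address: bind the network to a zone (source bindings are matched
#    before interface bindings), then narrow with a rich rule.
run --zone=internal --add-source="$MGMT_NET"
run --zone=internal --add-rich-rule="$(rich_rule "$MGMT_NET" "$GW_LAN_IP" 22)"

# 3. Source + destination + port for forwarded traffic: only the direct
#    interface reaches FORWARD here; return traffic is accepted by the
#    conntrack RELATED,ESTABLISHED rule firewalld already installs.
run --direct --add-rule $(forward_rule "$LAN_IF" "$WAN_IF" "$MGMT_NET" "$SERVER" 443)

if [ "${APPLY:-0}" = "1" ]; then firewall-cmd --reload; fi
```

Run without APPLY to review the exact firewall-cmd invocations, then compare the result with `iptables-save` to see which chains each one landed in.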
Re: IPtables, Firewalld - The right firewall?
I hate firewalld. It appears to be designed for "new" users to make life easy and to a very limited extent, it does work for that. But as soon as you try to do anything vaguely complicated it becomes a nightmare to make it do it. The man page documents about 4 million options, none of them particularly intuitive. It installs a ruleset that you can view with iptables-save that is nearly 200 lines long just to allow port 22. To do anything complicated appears to need you to use "direct" rules that as far as I can see are just iptables rules without using iptables.
Having said that, iptables is going away in RHEL8 and firewalld is being pushed even more than before. I have yet to download and check the RHEL8 beta but I gather that it does contain nftables and hopefully also nftables-services so that it can save/restore a ruleset on boot.
I did try to like firewalld when RHEL 7 first came out but after 3 months of using it my opinion of it solidified and I've not used it since. It's a nice sounding idea but spoiled by being designed by committee and trying to be all things to all men. Doesn't work. Just ends up being a massive bloated pig that's unwieldy to manage.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: IPtables, Firewalld - The right firewall?
Hi,
It sounds like Firewalld would be a bad choice - also my impression based on the information I'm able to find.
You say "... iptables is going away in RHEL8 ...", does this mean that it's also going away in a near future in Centos?
Is nftables an option in Centos? Do you have any experience with that?
--
R o n n i
Re: IPtables, Firewalld - The right firewall?
I played around with firewalld and didn't like it. My impression was it was targeted towards laptops. Maybe I just don't get it, but on my work network it didn't seem to have any advantage over just adding rules to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for iptables-restore to read.
Re: IPtables, Firewalld - The right firewall?
Well if everything works then RHEL 8 will get rebuilt as CentOS 8. In the same way that CentOS 6/RHEL 6 and CentOS 7/RHEL 7 are at present, both will be maintained until EOL - for CentOS 7 that's in 2024. So iptables is in CentOS 7 and will be until it dies. It won't be in RHEL 8/CentOS 8 but nftables will be - that's the new replacement for iptables from the mainline kernel. And, yes, nftables is also in CentOS 7 though I don't know how complete it is as I've never used it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: IPtables, Firewalld - The right firewall?
Are you sure iptables would die in RHEL 8? I was looking at Snapshot 4 earlier today (at work) and all of the stuff seems to be there. It is different to what's in RHEL7 a bit, but still available.
Re: IPtables, Firewalld - The right firewall?
That's a good question. Apparently wrappers, but it looks like they still support at least some of the functionality which is not available in nftables. I noticed that sets are likely somehow supported natively - they are only listed as comments when doing `nft list ruleset` but seem to be included in `iptables-save`. I haven't checked if they work.