firewall replaces iptables ?
-
- Posts: 40
- Joined: 2015/06/11 08:34:13
firewall replaces iptables ?
I usually use iptables to protect my server on CentOS 6, but now I have installed a new server and I ask myself whether it's better to migrate to firewalld. What do you think? Will iptables go out of support? Does firewalld give the same characteristics as iptables?
Re: firewall replaces iptables ?
Red Hat describes firewalld here: https://access.redhat.com/documentation ... _firewalls
Red Hat summarizes their solutions for (RHEL 8 and hence CentOS 8) here: https://access.redhat.com/documentation ... networking
First a note:
"iptables" can refer to three essentially different concepts:
1. netfilter -- rule implementation in the kernel
2. userland tool to access netfilter
3. iptables.service that uses the userland tool
Firewalld.service is an alternative for iptables.service. It does use the same 'iptables' userland tool.
CentOS 8 is a bit different:
1. Kernel implementation is nftables
2. Userland tool to access nftables is nft
3. Tool 'iptables' is a mere wrapper for nft
4. firewalld.service does use nft
Firewalld is more abstract: more complex|bloated, yet limited. A UI to manage the firewall. A problem with a (G)UI is that while it presents "good options" to the user, it limits the possible combinations. Red Hat acknowledges that in the RHEL 8 document.
You have thus two options:
- Write rules for iptables.service. You know what they are. You have to learn some other approach when CentOS 7 dies in 2024.
- Learn firewalld.service now. You can continue with it at least in CentOS 8, although by 2024 there might be other major releases with who knows what firewall UIs.
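The two options above, side by side, as an added example that is not part of the original post: one minimal server policy written once as an iptables.service ruleset (the /etc/sysconfig/iptables format) and once as firewall-cmd invocations, plus a small check of which of the three "iptables" meanings the binary on a given box actually is. The management subnet 192.0.2.0/24, the port list and the log prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): one minimal
# server policy written twice, once as an iptables.service ruleset and once as
# firewall-cmd invocations, plus a check of which "iptables" you are talking to.
# The management subnet 192.0.2.0/24, the log prefix and the port list are
# assumptions for illustration; adjust before applying.

# Option 1: rules for iptables.service (CentOS 7, package iptables-services).
# This is the format of /etc/sysconfig/iptables, consumed by iptables-restore.
iptables_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Option 2: the same policy through firewalld. The public zone already accepts
# ICMP echo and established traffic; we strip its preconfigured services, set
# its target to DROP (the zone default is REJECT) and add our own services.
firewalld_cmds() {
cat <<'EOF'
firewall-cmd --set-default-zone=public
firewall-cmd --permanent --zone=public --set-target=DROP
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.0.2.0/24" service name="ssh" accept'
firewall-cmd --set-log-denied=all
firewall-cmd --reload
EOF
}

# Which "iptables" is the binary on this box? iptables 1.8 prints its backend in
# the version string: "(nf_tables)" on CentOS 8 (the nft wrapper), "(legacy)"
# for the old xtables binary. CentOS 7's iptables 1.4.21 prints no tag at all
# and is always the legacy implementation.
iptables_flavor() {
    case "$1" in
        '')              echo 'not installed' ;;
        *'(nf_tables)'*) echo nftables ;;
        *)               echo legacy ;;
    esac
}

case "${1:-show}" in
    show)
        echo '# iptables.service ruleset:'; iptables_rules
        echo; echo '# firewalld equivalent:'; firewalld_cmds ;;
    check)
        echo "iptables binary: $(iptables_flavor "$(iptables -V 2>/dev/null)")"
        grep '^FirewallBackend' /etc/firewalld/firewalld.conf 2>/dev/null \
            || echo 'firewalld.conf: no FirewallBackend line (option absent in older firewalld)'
        for s in iptables firewalld; do
            printf '%s.service: %s\n' "$s" "$(systemctl is-active "$s" 2>/dev/null)"
        done ;;
    apply-iptables)    # CentOS 7 with iptables-services; never with firewalld running
        iptables_rules > /etc/sysconfig/iptables && systemctl restart iptables ;;
    apply-firewalld)
        firewalld_cmds | sh -e ;;
    *)  echo "usage: $0 {show|check|apply-iptables|apply-firewalld}" >&2; exit 2 ;;
esac
```

Run it with `show` to compare the two dialects, `check` to see which backend and which service a host is actually using, and one of the `apply-*` modes as root. Run exactly one of the two services: on CentOS 8 the `apply-iptables` path still "works" because `iptables-restore` is the nft wrapper, but its rules land in the `ip filter` table next to firewalld's own `inet firewalld` table and both are evaluated, which is the kind of combination the post warns about.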
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: firewall replaces iptables ?
My suggestion is to learn firewalld and migrate your rules accordingly. Since Fedora/CentOS/RHEL and other Linux distros are using firewalld by default, it's the future. Sure, it has some usability issues, but things will improve eventually.
Plus, unless you are doing something very complex, you won't notice any difference.
--
R.I.P. CentOS
Re: firewall replaces iptables ?
My personal opinion is that firewalld is a horrendous bloated pig and should have been strangled at birth. It has a hideous interface and is completely unintuitive to use.
CentOS 7 still has iptables and they work perfectly and if you are comfortable using iptables then I would continue to do so.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 40
- Joined: 2015/06/11 08:34:13
Re: firewall replaces iptables ?
Thanks for the links. I read that firewalld is suitable for clients while iptables is suggested for server platforms. What do you think?
Re: firewall replaces iptables ?
The division is not client|server. More like: "what you can do easily with firewalld" | "everything else".
Routers tend to be in the latter category. It is hard to coerce the hog into that sty.
There are additional players, like libvirt, fail2ban, and docker that like to inject their rules -- directly or via firewalld. Frankly, that is a mess no matter what you use.
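A way to see the "mess" the reply describes, as an added example that is not part of the original thread: on CentOS 8 every party that injects rules, whether firewalld itself (its own `inet firewalld` table) or anything going through the iptables wrapper (docker, libvirt, fail2ban, hand-written rules), ends up as base chains on the same netfilter hooks, and nft walks all of them in priority order. The script below reads `nft list ruleset` and lists each hooked chain with its effective priority, so you can see who runs before whom. The sample ruleset is constructed for the example, loosely modelled on firewalld next to docker and fail2ban; the chain names in it are not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): list every base
# chain hooked into the packet path, from whichever subsystem installed it.
# Reads the output of `nft list ruleset` (CentOS 8) on stdin and prints
# "<hook> <priority> <table> <chain> <policy>", ordered by hook and priority.
audit_hooks() {
    awk '
    BEGIN {
        # symbolic priorities as printed by newer nft; older nft prints numbers
        sym["raw"] = -300; sym["mangle"] = -150; sym["dstnat"] = -100
        sym["filter"] = 0; sym["security"] = 50; sym["srcnat"] = 100
    }
    function prio_num(p,    n, base, off) {
        if (p ~ /^-?[0-9]+$/) return p + 0        # plain number
        n = match(p, /[+-][0-9]+$/)               # "filter+10" -> base, offset
        if (n) { base = substr(p, 1, n - 1); off = substr(p, n) + 0 }
        else   { base = p; off = 0 }
        return sym[base] + off
    }
    /^table /       { table = $2 " " $3 }          # "table inet firewalld {"
    /^[ \t]*chain / { chain = $2 }                 # "chain filter_INPUT {"
    / hook / {                                     # base chain definition line
        line = $0; pol = "-"
        if (match(line, /policy [a-z]+/)) pol = substr(line, RSTART + 7, RLENGTH - 7)
        sub(/;.*/, "", line)                       # "type filter hook input priority filter + 10"
        n = split(line, w, " ")
        prio = ""
        for (i = 6; i <= n; i++) prio = prio w[i]  # join "filter", "+", "10"
        printf "%s %d %s %s %s\n", w[4], prio_num(prio), table, chain, pol
    }' | sort -k1,1 -k2,2n
}

# Constructed sample (not from a real machine): firewalld with the nftables
# backend, plus docker and fail2ban adding rules through the iptables wrapper.
sample_ruleset() {
cat <<'EOF'
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state established,related accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state invalid drop
        reject with icmpx type admin-prohibited
    }
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
    }
    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        counter jump f2b-sshd
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter jump DOCKER-USER
    }
    chain DOCKER-USER {
        counter return
    }
    chain f2b-sshd {
        ip saddr 198.51.100.7 reject with icmp type port-unreachable
        counter return
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }
}
EOF
}

# "live" audits the running kernel (needs root); otherwise the sample is used.
if [ "${1:-}" = live ]; then nft list ruleset | audit_hooks; else sample_ruleset | audit_hooks; fi
```

Two things the listing makes visible. First, on the `input` hook the wrapper's `ip filter INPUT` chain (priority 0) runs before firewalld's `filter_INPUT` (priority 10), so fail2ban's reject wins before firewalld ever sees the packet, while an `accept` in `ip filter` does not skip firewalld's chain: in nftables a verdict of accept only ends the current base chain, whereas drop and reject are final for every chain on that hook. Second, `iptables -L` on CentOS 8 only shows the `ip` tables the wrapper manages, not `inet firewalld`, so `nft list ruleset` is the only complete view of what is actually enforced.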