firewall replaces iptables ?

zio_mangrovia
Posts: 40
Joined: 2015/06/11 08:34:13

firewall replaces iptables ?

Post by zio_mangrovia » 2020/08/06 06:03:44

I usually use iptables to protect my server on CentOS 6, but now I have installed a new server and I ask myself if it's better to migrate to firewalld. What do you think? Will iptables go out of support? Does firewalld give the same characteristics as iptables?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall replaces iptables ?

Post by jlehtone » 2020/08/06 07:12:36

Red Hat describes firewalld here: https://access.redhat.com/documentation ... _firewalls
Red Hat summarizes their solutions for (RHEL 8 and hence CentOS 8) here: https://access.redhat.com/documentation ... networking

First a note:
"iptables" can refer to three essentially different concepts:
1. netfilter -- rule implementation in the kernel
2. userland tool to access netfilter
3. iptables.service that uses the userland tool

Firewalld.service is an alternative for iptables.service. It does use the same 'iptables' userland tool.

CentOS 8 is a bit different:
1. Kernel implementation is nftables
2. Userland tool to access nftables is nft
3. Tool 'iptables' is a mere wrapper for nft
4. firewalld.service does use nft

Firewalld is more abstract. More complex|bloated, yet limited. A UI to manage the firewall. A problem with a (G)UI is that while it presents "good options" to the user, it limits the possible combinations. Red Hat acknowledges that in the RHEL 8 document.


You have thus two options:
  1. Write rules for iptables.service. You know what they are. You have to learn some other approach, when CentOS 7 dies in 2024.
  2. Learn firewalld.service now. You can continue with it at least in CentOS 8, although by 2024 there might be other major releases with who knows what firewall UIs.
The choice depends on your needs.
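
The three front ends listed in the post above, with one simple inbound policy written for each, as an added example that is not part of the thread. The policy (drop inbound by default, allow loopback and replies, SSH only from 10.0.0.0/8, HTTP from anywhere), the management network and the `iptables -V` strings are constructed for illustration; the script only prints the files and commands for review and applies nothing to a live host. The flavour check reads the `(nf_tables)` / `(legacy)` suffix that iptables 1.8 prints, which is how you confirm point 3 (the CentOS 8 `iptables` is the wrapper over nft):

```shell
#!/bin/sh
# Added example (not from the forum thread). Renders one constructed inbound
# policy for iptables.service, nft and firewalld, and classifies the local
# 'iptables' binary from its version string. Nothing here touches the kernel.

MGMT_NET=10.0.0.0/8   # constructed management network allowed to reach SSH

# Which 'iptables' is this? CentOS 8 ships iptables 1.8.x as a wrapper over
# nf_tables and says so in 'iptables -V'; CentOS 7's 1.4.21 has no suffix and
# always talks to the legacy xtables backend.
iptables_flavor() {
  case "$1" in
    *"(nf_tables)"*)        echo nf_tables ;;
    *"(legacy)"*)           echo legacy ;;
    "iptables v1."[0-7]*)   echo legacy ;;
    *)                      echo unknown ;;
  esac
}

# Print the policy in the form each front end consumes:
#   iptables  -> iptables-save format, i.e. /etc/sysconfig/iptables for
#                iptables.service (loaded atomically by iptables-restore)
#   nft       -> an nft ruleset file for 'nft -f' (also atomic)
#   firewalld -> firewall-cmd invocations; loopback and established/related
#                are not written because firewalld's base chains already
#                accept them, which is the abstraction the post describes
render_policy() {
  case "$1" in
    iptables) cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
    ;;
    nft) cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ip saddr $MGMT_NET tcp dport 22 accept
    tcp dport 80 accept
  }
}
EOF
    ;;
    firewalld) cat <<EOF
firewall-cmd --permanent --zone=public --set-target=DROP
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="$MGMT_NET" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --reload
EOF
    ;;
    *) echo "unknown backend: $1" >&2; return 1 ;;
  esac
}

# Demonstration output when run directly.
for flavor in "iptables v1.4.21" "iptables v1.8.4 (nf_tables)"; do
  echo "$flavor -> $(iptables_flavor "$flavor")"
done
for backend in iptables nft firewalld; do
  echo "## $backend"
  render_policy "$backend"
done
```

On a real host, compare `iptables-save`, `nft list ruleset` and `firewall-cmd --list-all` after loading whichever form you choose; on CentOS 8 the first two show the same kernel state because `iptables` is only translating into nf_tables.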

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: firewall replaces iptables ?

Post by KernelOops » 2020/08/06 08:18:43

My suggestion is to learn firewalld and migrate your rules accordingly. Since Fedora/CentOS/RHEL and other Linux distros are using firewalld by default, it's the future. Sure, it has some usability issues, but things will improve eventually.

Plus, unless you are doing something very complex, you won't notice any difference.
--
R.I.P. CentOS :cry:
--

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewall replaces iptables ?

Post by TrevorH » 2020/08/06 08:41:29

My personal opinion is that firewalld is a horrendous bloated pig and should have been strangled at birth. It has a hideous interface and is completely unintuitive to use.

CentOS 7 still has iptables, and they work perfectly; if you are comfortable using iptables, then I would continue to do so.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

zio_mangrovia
Posts: 40
Joined: 2015/06/11 08:34:13

Re: firewall replaces iptables ?

Post by zio_mangrovia » 2020/08/06 10:05:29

Thanks for the links. I read that firewalld is suitable for clients while iptables is suggested for server platforms. What do you think?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall replaces iptables ?

Post by jlehtone » 2020/08/07 06:07:21

The division is not client|server. More like: "what you can do easily with firewalld" | "everything else".

Routers tend to be in the latter category. It is hard to coerce the hog into that sty.

There are additional players, like libvirt, fail2ban, and docker that like to inject their rules -- directly or via firewalld. Frankly, that is a mess no matter what you use.
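
A quick way to see which of those players has written into the rule set, as an added example that is not from the thread. It classifies the user-defined chains in an `iptables -S` dump by the name prefixes each tool conventionally uses (DOCKER*, LIBVIRT_*, f2b-* for fail2ban, and firewalld's IN_/OUT_/*_direct/*_ZONES chains from its iptables backend on CentOS 7). The dump below is constructed; on CentOS 8 with the nftables backend, firewalld's own rules live in an nft table and would not appear in this output at all:

```shell
#!/bin/sh
# Added example (not from the forum thread). Lists every user-defined chain
# in an 'iptables -S' dump with the tool that conventionally owns it and how
# many rules it holds. The dump is constructed to look like a CentOS 7 host
# running firewalld, docker, libvirt, fail2ban and one hand-made chain.

SAMPLE_IPTABLES_S='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-N IN_public
-N IN_public_allow
-N INPUT_direct
-N LIBVIRT_INP
-N f2b-sshd
-N MYCHAIN
-A INPUT -j INPUT_direct
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j LIBVIRT_INP
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_public
-A FORWARD -j DOCKER-USER
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp --dport 22 -j ACCEPT
-A DOCKER-USER -j RETURN
-A f2b-sshd -s 203.0.113.9/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A LIBVIRT_INP -i virbr0 -p udp --dport 53 -j ACCEPT
-A MYCHAIN -j DROP'

# Print "owner chain rule-count" (tab separated) for each -N chain.
# Owners are guessed from the naming conventions of each tool.
classify_chains() {
  printf '%s\n' "$1" | awk '
    $1 == "-N" { chains[$2] = 1 }
    $1 == "-A" { rules[$2]++ }
    END {
      for (c in chains) {
        owner = "other"
        if (c ~ /^DOCKER/)            owner = "docker"
        else if (c ~ /^LIBVIRT_/)     owner = "libvirt"
        else if (c ~ /^f2b-/)         owner = "fail2ban"
        else if (c ~ /^(IN|OUT|FWDI|FWDO|PRE|POST)_/ || c ~ /_(direct|ZONES|ZONES_SOURCE)$/)
                                      owner = "firewalld"
        printf "%s\t%s\t%d\n", owner, c, rules[c] + 0
      }
    }' | sort
}

# Chains firewalld did not create: rules some other tool injected. Whether
# they survive a 'firewall-cmd --reload' depends on that tool re-adding them.
foreign_chains() {
  classify_chains "$1" | awk '$1 != "firewalld"'
}

# Demonstration output when run directly; on a real host use:
#   classify_chains "$(iptables -S)"
classify_chains "$SAMPLE_IPTABLES_S"
```

Feed it `iptables -S` (and, where docker or libvirt do NAT, `iptables -t nat -S`) before and after a firewalld reload or a docker/libvirtd restart to see which tool last rewrote the table.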
