[Solved] firewall info appreciated

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

[Solved] firewall info appreciated

Post by lightman47 » 2021/04/20 17:39:58

I am running weekly updated rhel 8.3 since shortly after the CentOS 'redirection' announcement. The whole "firewall thing" eludes me and I have therefore clobbered at least one installation and perhaps a second. I do NOT understand the relationship between firewalld, iptables, nftables or any other tables and need a 'concept alignment'! Additionally, I am skilled in "no-tables" - I generally research to get things working.

In CentOS 7, I had an ipset running using firewalld. I don't know how it worked, but assume maybe iptables(?) from reading queries & replies here. Anyway, following Red Hat page instructions I got it working with firewall-cmd commands. In CentOS 8, I initially had some trouble, but then those same scripted firewalld commands worked (or seemed to). Rhel 8 apparently doesn't ship with firewalld - so I installed it. That didn't help.

I read here that firewalld now uses nftables - but that didn't help me much as I don't know nftables either. Since then, I've read that my ipsets won't work in rhel8 and I'm ok with that as I expect there is now a different proper way to accomplish, and even script, the task.

My question:
How does this all play together - I do NOT understand the relationship? Does firewalld use iptables in CentOS 7 and nftables in 8? Do I need firewalld, which seems to be the "dashboard"? Is there a hierarchy? To build my list of IPs to block, do I need to learn firewall-cmd, or nftables commands?

I love working GUIs, but am not opposed to command lines - once I know where I need to focus.

Thank you,
Last edited by lightman47 on 2021/04/21 11:25:09, edited 1 time in total.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall info appreciated

Post by jlehtone » 2021/04/20 19:06:22

First, RHEL 8 has documentation: https://access.redhat.com/documentation ... networking

The kernel has a subsystem that handles network traffic. In CentOS 7's kernel that subsystem is called "netfilter".
In CentOS 8's kernel there is "nftables" that replaces and/or is on top of netfilter.

The tool to access netfilter is "iptables". The tool to access nftables is "nft". The syntax of rules is different.
CentOS 8 has still command "iptables", but it is a wrapper to nft that translates "iptables syntax" to nftables rules.

iptables.service loads rules that were stored in iptables syntax into the kernel (at boot).
nftables.service loads rules that were stored in nftables syntax into the kernel (at boot).
firewalld.service reads config from its own syntax, and uses tool like iptables or nft to load rules into kernel.
The three services are mutually exclusive. You need only one.

Firewalld has tool "firewall-cmd" for user to query and update the config of firewalld.
There probably is some [TG]UI interface too, but frankly I'd rather not know.
In ideal world same firewalld config would work on both 7 and 8, because firewalld translates its concepts
into language of the system (be it netfilter or nftables).

Ubuntu(?) has "Uncomplicated Firewall". That is apparently equivalent to FirewallD. Both serve as a layer
of abstraction between the meatbag and the kernel parlance.
There are services that modify firewall rules. E.g. fail2ban, libvirtd, and docker.
If they are "smart", then they talk to firewalld (if it is in use).
If they are not, then they bypass firewalld (even if it is in use).
The integration is worse in 7.
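To make the "list of IPs to block" concrete for the nftables.service path described above, here is an added example (not from the original thread or from the firewalld or nftables projects): a small POSIX shell script that turns a newline-separated blocklist into a complete nft ruleset using a named set, validating each entry first. The addresses are constructed sample values from the RFC 5737 documentation ranges, and the table, set and chain names are arbitrary choices.

```shell
#!/bin/sh
# Constructed sample blocklist, one entry per line (RFC 5737 documentation
# addresses plus one deliberately malformed line to show validation).
SAMPLE_BLOCKLIST='192.0.2.10
198.51.100.0/24
not-an-address
203.0.113.7'

# is_ipv4_entry ENTRY: succeed only if ENTRY is a dotted quad with every octet
# in 0..255, optionally followed by /0../32.
is_ipv4_entry() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" present: host address
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nft_elements LIST: render valid entries as "a, b, c" for an nft set;
# invalid entries are reported on stderr and skipped rather than loaded.
nft_elements() {
    elems=""
    for entry in $1; do
        if is_ipv4_entry "$entry"; then
            if [ -z "$elems" ]; then elems=$entry; else elems="$elems, $entry"; fi
        else
            echo "skipping invalid blocklist entry: $entry" >&2
        fi
    done
    printf '%s' "$elems"
}

# render_nft_blocklist LIST: emit a self-contained ruleset. "flags interval"
# lets the set hold prefixes as well as single hosts. Priority -10 runs this
# chain before filter chains registered at priority 0 or higher, and "counter"
# gives a per-rule hit count visible in "nft list ruleset".
render_nft_blocklist() {
    elems=$(nft_elements "$1")
    cat <<EOF
table inet blocklist {
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority -10; policy accept;
        ip saddr @blocked_v4 counter drop
    }
}
EOF
}

# Usage: write the ruleset to a file, then load it with "nft -f blocklist.nft".
render_nft_blocklist "$SAMPLE_BLOCKLIST"
```

Running the script prints the ruleset and a "skipping invalid blocklist entry: not-an-address" line on stderr. On a host where nftables.service is the chosen service, the generated text is what you load with `nft -f` and inspect with `nft list ruleset`. On a host running firewalld instead, do not load it directly; the equivalent is firewalld's own ipset support (`firewall-cmd --permanent --new-ipset=blocked_v4 --type=hash:net`, then `--permanent --ipset=blocked_v4 --add-entry=<address>` per entry, a rich rule such as `--permanent --add-rich-rule='rule source ipset=blocked_v4 drop'`, and `--reload`), which firewalld translates into nft rules itself; `grep FirewallBackend /etc/firewalld/firewalld.conf` shows which backend it is using.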

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: firewall info appreciated

Post by lightman47 » 2021/04/21 11:24:35

Thank you. That was actually what I was looking for. Now I have a starting point for unraveling what I've done here. I do run fail2ban and that seems to be working fine.

As mentioned, I am appreciative!
