Theory & firewalld/nftables confusion

Issues related to applications and software problems and general support
Post Reply
lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Theory & firewalld/nftables confusion

Post by lightman47 » 2023/05/12 18:10:21

[RHEL 8 /9]

I am considering learning some nftables but am confused. I currently use firewalld (I think). It is my understanding that firewalld actually now uses nftables -- sort of!

I seem to remember fiddling with nftables previously and discovering that it and firewalld don't "talk" (I want to think that nftables changes didn't show up in firewalld, but I could be wrong). Exactly what the heck is that 'relationship'??!! Do I disable/uninstall firewalld? Do I install/enable nftables?

I've absolutely no need or hurry to learn nftables; I just thought I ought to start learning a little more about it. I am fortunate to currently have a spare, connected, updated RHEL 8 machine with which to play around - and also to which almost no "outside" packets are forwarded.

As always, thank you for your input.

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Theory & firewalld/nftables confusion

Post by jlehtone » 2023/05/12 20:42:35

FirewallD is a front-end. "User friendly" abstraction that hides the lower level details.
Debian-based distros seem to have similar front-end, ufw (Uncomplicated Firewall).

Up to el7, the kernel had netfilter for the rules. You were able to read (and write) those with 'iptables'.
Starting with el8 the kernel has nf_tables for the rules. You are able to read (and write) those with 'nft'.

FirewallD reads config files that are in FirewallD's syntax and generates rules into the kernel. FirewallD used to write to netfilter and does now write to nf_tables. When FirewallD runs, it assumes that nobody else writes rules directly to kernel; one should talk to FirewallD. That is one point of FirewallD; you can "dynamically" update the rules during runtime with it. You usually don't edit config files either, but ask FirewallD to do it for you (with the 'firewall-cmd').

The nftables.service and the iptables.service are more "static". They are "oneshot" services that on boot write ruleset into kernel. Obviously from config file(s). If you need to modify rules after boot, then you have to do it directly with nft. If you want to change the stored config, then you edit files.

Look at /etc/sysconfig/nftables and files in /etc/nftables/
Look also at the ruleset created by FirewallD: sudo nft list ruleset (Warning: ain't pretty.)

Yes, you can replace firewalld.service with nftables.service.

Code: Select all

sudo systemctl stop firewalld.service
sudo systemctl mask firewalld.service
sudo systemctl enable nftables.service
sudo systemctl start nftables.service
Note that the "start" loads only what is in the config. How you write the config is up to you.

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Theory & firewalld/nftables confusion

Post by TrevorH » 2023/05/12 21:40:06

EPEL 8 and 9 have ufw too. I wonder if it's as awful as firewalld!
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post Reply