firewall info requested

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

firewall info requested

Post by lightman47 » 2021/08/27 18:32:03

In CentOS 7 I got an ipset (banned.xml) working using firewalld commands. Indeed, I am now programmatically rebuilding/updating it with addresses from endlessh log entries and adding sets of IP CIDRs from several countries. Firewalld seems quite happy with it.

My understanding at that time was that firewalld used iptables as its 'backend'. In CentOS 8, and now RHEL 8, I incorrectly assumed that if I used firewalld and its firewall-cmd commands (of which I know very few) I could import my 'banned.xml' ipset and that firewalld would appropriately deal with its nftables 'backend'. On the multiple occasions I attempted this incorporation, 'systemctl status -l firewalld' eventually started spewing seemingly endless complaints about python-nftables and some missing file. (I know that was pretty generic.)

It's becoming clear that my whole concept of how iptables, nftables and firewalld are related is horribly skewed. While solving my immediate ipset problem would be nice, I think I need to understand the whole 'relationship' first so I know WHAT to research.

Thank you.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall info requested

Post by jlehtone » 2021/08/27 20:03:12

Firewalld.service can use both nftables and iptables. In el8 it uses nftables, because the kernel has nftables. Some options of firewall-cmd take iptables-syntax rules (because they were supposedly passed through to the backend).

In el8 the user tool 'iptables' is only a wrapper for 'nft' that translates the iptables-syntax into nftables rules. The wrapper is not 100% complete, so some iptables-rules are untranslatable.

sudo nft list ruleset shows all the rules in the kernel. Note that in nftables there are no builtin tables/chains like in iptables. Firewalld.service (or just a simple sudo iptables -L) creates the familiar-looking chains for rules that you give in iptables-syntax.
The "native" rules that firewalld generates from its config are not in those chains.

Errors with "python-nftables", etc, might be due to trying to insert xml-config that does not translate. It has to be recreated.


Red Hat documents both firewalld.service and nftables.service in https://access.redhat.com/documentation ... networking
They do not recommend firewalld for "complex and performance critical firewalls".

Nftables has "sets" and "maps" that might do what ipsets does. See https://wiki.nftables.org/wiki-nftables ... o_nftables
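
As an added example (not from either poster), here is a POSIX sh script that turns a plain list of banned hosts/CIDRs (such as one harvested from endlessh logs) into an nft script using a native nftables set in place of the ipset; the table, chain and set names (inet banned / input / banned4) and the sample addresses are this example's own.

```shell
#!/bin/sh
# Generate an nft(8) script that keeps banned IPv4 hosts/CIDRs in a native
# nftables set and drops matching inbound packets. Names are this example's own.

# write_sample_list: constructed input, one host or CIDR per line
write_sample_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# addresses harvested from endlessh (constructed sample data)
203.0.113.7
198.51.100.0/24
   192.0.2.0/24
EOF
    echo "$f"
}

# render_banned_ruleset FILE: print the nft script on stdout
render_banned_ruleset() {
    elements=$(awk '
        /^[[:space:]]*(#|$)/ { next }              # skip blanks and comments
        { gsub(/^[[:space:]]+|[[:space:]]+$/, "")  # trim surrounding whitespace
          out = out (out ? ", " : "") $0 }
        END { print out }' "$1")
    # An empty "elements = { }" is a syntax error, so only emit it when non-empty
    if [ -n "$elements" ]; then
        elements_line="elements = { $elements }"
    else
        elements_line=""
    fi
    cat <<EOF
# add, delete, then redefine: a single nft -f run replaces the table atomically
add table inet banned
delete table inet banned
table inet banned {
    # "flags interval" lets the set hold CIDR ranges as well as single hosts
    set banned4 {
        type ipv4_addr
        flags interval
        $elements_line
    }
    chain input {
        # negative priority: evaluated before chains at the default filter priority
        type filter hook input priority -10; policy accept;
        ip saddr @banned4 counter drop
    }
}
EOF
}
```

Load the output with nft -f; the table sits beside firewalld's own table rather than inside its XML config, so each run swaps the banned set in one transaction instead of editing rules in place.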

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: firewall info requested

Post by lightman47 » 2021/08/28 10:47:13

Ah - thank you. I guess it's time to un-learn firewalld and attempt to figure out a bit about nftables. When I get it working I'll be able to edit my script to keep it updated based on the O.S. that's running.

I'd read some of the access.redhat documentation but my 'concepts' kept me confused. I'll now also be visiting the nftables wiki link you provided. I'm greatly appreciative.
