IPtables, Firewalld - The right firewall?

Support for security such as Firewalls and securing linux
Post Reply
User avatar
rofe
Posts: 6
Joined: 2012/03/05 06:45:51
Location: Denmark

IPtables, Firewalld - The right firewall?

Post by rofe » 2019/02/07 09:31:51

Hi,

I'm going to replace my old Cisco router with a Linux gateway.

I've used Ubuntu in the past, but it seems Centos is a better fit for an internet gateway.

I see that Firewalld is the new firewall of choice, but I can't seem to find enough information about it's working.

When allowing a protocol/port and specifying a zone, is it for incoming or outgoing connections?
How do i specify the direction of a rule and also source IP-address?

I've used IPtables a couple of years ago, and wonder if it would be easier for me to continue using IPtables or move to Firewalld?

I have a network with several zones and tight rules that matches on both source and destination IP-addresses as well as ports - is that possible to do with Firewalld?
--
R o n n i

User avatar
TrevorH
Forum Moderator
Posts: 28586
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPtables, Firewalld - The right firewall?

Post by TrevorH » 2019/02/07 09:51:33

I hate firewalld. It appears to be designed for "new" users to make life easy and to a very limited extent, it does work for that. But as soon as you try to do anything vaguely complicated it becomes a nightmare to make it do it. The man page documents about 4 million options, none of them particularly intuitive. It installs a ruleset that you can view with iptables-save that is nearly 200 lines long just to allow port 22. To do anything complicated appears to need you to use "direct" rules that as far as I can see are just iptables rules without using iptables.

Having said that, iptables is going away in RHEL8 and firewalld is being pushed even more than before. I have yet to download and check the RHEL8 beta but I gather that it does contain nftables and hopefully also nftables-services so that it can save/restore a ruleset on boot.

I did try to like firewalld when RHEL 7 first came out but after 3 months of using it my opinion of it solidified and I've not used it since. It's a nice sounding idea but spoiled by being designed by committee and trying to be all things to all men. Doesn't work. Just ends up being a massive bloated pig that's unwieldy to manage.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

User avatar
rofe
Posts: 6
Joined: 2012/03/05 06:45:51
Location: Denmark

Re: IPtables, Firewalld - The right firewall?

Post by rofe » 2019/02/07 11:06:37

Hi,

It sounds like Firewalld would be a bad choice - also my impression based on the information I'm able to find.

You say "... iptables is going away in RHEL8 ...", does this mean that it's also going away in a near future in Centos?

Is nftables an option in Centos? Do you have any experience with that?
--
R o n n i

tyler2016
Posts: 13
Joined: 2019/02/07 16:06:54
Contact:

Re: IPtables, Firewalld - The right firewall?

Post by tyler2016 » 2019/02/07 16:34:47

I played around with firewalld and didn't like it. My impression was it was targeted towards laptops. Maybe I just don't get it, but on my work network it didn't seem to have any advantage over just adding rules to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for iptables-restore to read.

User avatar
TrevorH
Forum Moderator
Posts: 28586
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPtables, Firewalld - The right firewall?

Post by TrevorH » 2019/02/07 16:46:02

Well if everything works then RHEL 8 will get rebuilt as CentOS 8. In the same way that CentOS 6/RHEL 6 and CentOS 7/RHEL7 are at present, both will be maintained until EOL - for CentOS 7 that's in 2024. So iptables is in CentOS 7 and will be until it dies. It won't be in RHEL 8/CentOS 8 but nftables will be - that's the new replacement for iptables from the mainline kernel. And, yes, nftables is also in CentOS 7 though I don't know how complete it is as I've never used it.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

tomkep
Posts: 34
Joined: 2018/04/25 13:30:50

Re: IPtables, Firewalld - The right firewall?

Post by tomkep » 2019/02/08 16:48:38

Are you sure iptables would die in RHEL 8? I was looking at Snapshot 4 earlier today (at work) and all of the stuff seems to be there. It is different to what's in RHEL7 a bit, but still available.

User avatar
jlehtone
Posts: 2806
Joined: 2007/12/11 08:17:33
Location: Finland

Re: IPtables, Firewalld - The right firewall?

Post by jlehtone » 2019/02/08 17:29:07

tomkep wrote:
2019/02/08 16:48:38
Are you sure iptables would die in RHEL 8? I was looking at Snapshot 4 earlier today (at work) and all of the stuff seems to be there. It is different to what's in RHEL7 a bit, but still available.
Genuine iptables or "wrappers"?
https://lwn.net/Articles/772215/

tomkep
Posts: 34
Joined: 2018/04/25 13:30:50

Re: IPtables, Firewalld - The right firewall?

Post by tomkep » 2019/02/10 16:45:34

That's good question. Apparently wrappers but it looks like they still support at least some of the functionality which is not available in nftables. I noticed that sets are likely somehow supported natively - they are only listed as comments when doing `nft list ruleset` but seem to be included in `iptables-save`. I haven't checked if they work.

Post Reply

Return to “CentOS 7 - Security Support”