Scenario / Questions
TL;DR On new CentOS server installs should I be using firewalld or just disable that and go back to using
firewalld and iptables serve similar purposes. Both do packet filtering – but if I understand it correctly firewalld does not flush the entire rule set each time a change is made.
I know a lot about iptables but very little about firewalld.
On Fedora and RHEL/CentOS – the traditional iptables configuration was done in /etc/sysconfig/iptables. With firewalld, its configuration lives in /etc/firewalld/ and is a set of XML files. Fedora seems to be moving toward firewalld as a replacement for this legacy configuration. I do understand that firewalld uses iptables under the hood, but it also has its own command line interface and configuration file format as above – which is what I’m referring to in terms of using one vs the other.
Is there a particular configuration/scenario that each of these is best suited for? In the case of NetworkManager vs network, it appears that although NetworkManager may have been intended as a replacement for the network scripts, due to its lack of network bridge support and a few other things, many people are just not using it on server setups at all. So there seems to be a general concept of “use NetworkManager if you are on a Linux desktop/GUI, and network if you are running a server”. That’s just what I pick up from reading various posts – but it at least gives a guide as to what is a workable use for those things – at least as they stand in their current state.
But I’ve been doing this same thing with firewalld and just turning it off and using iptables instead. (I am almost always installing linux on a server, not for desktop use). Is firewalld an effective replacement for iptables and should I just be using that on all new systems?
Find below all possible solutions or suggestions for the above questions.
Since firewalld is based on XML configuration, some might think that it’s easier to configure the firewall in a programmatic manner. This can be achieved by iptables just as well, but in a different way, which is not XML. If you are already familiar with the way iptables works, why would you migrate all your configuration to
If you consider your largest iptables firewall rule set, how often do you think you would benefit from the dynamic aspect of firewalld? In most cases the performance of iptables is never the issue. In most cases where the performance of iptables is an issue, it can be fixed by using ipset based source/destination IP sets.
It is a different debate whether or not you should use NetworkManager.
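As an added example (not code from the question or the answer above), the script below takes one list of networks to block and emits it in the three formats the thread compares: an ipset restore(8) script, an iptables-restore(8) fragment with a single rule that matches against the set, and a firewalld.ipset(5) XML file that can be dropped into /etc/firewalld/ipsets/. The set name "blocklist", the sample networks (RFC 5737 documentation ranges, constructed here) and the choice of the "drop" zone are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original post.  Generates one network
# blocklist as (1) an ipset restore script, (2) an iptables-restore
# fragment referencing the set, (3) a firewalld ipset XML file.
# Assumed: set name "blocklist", the sample networks below, zone "drop".

# Constructed sample input: one IPv4 address or CIDR per line,
# '#' starts a comment.
SAMPLE_NETS='# constructed sample blocklist
203.0.113.0/24
198.51.100.0/24   # trailing comment
192.0.2.17
'

# Drop comments, whitespace and blank lines, and keep only tokens that
# look like an IPv4 address or prefix, so a stray line in the input can
# never turn into a rule or an XML entry.
clean_nets() {
    printf '%s\n' "$1" | sed 's/#.*//' | tr -d ' \t' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# (1) ipset restore(8) input.  The live set is replaced atomically:
# build <name>_new, swap it with <name>, then destroy what is now the
# old contents.  Feed it to "ipset restore -exist" so the first create
# is harmless on a host where the set already exists.
ipset_restore_script() {
    set_name=$1
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$set_name"
    printf 'create %s_new hash:net family inet hashsize 1024 maxelem 65536\n' "$set_name"
    for n in $(clean_nets "$2"); do
        printf 'add %s_new %s\n' "$set_name" "$n"
    done
    printf 'swap %s_new %s\n' "$set_name" "$set_name"
    printf 'destroy %s_new\n' "$set_name"
}

# (2) iptables-restore(8) fragment.  One rule no matter how many
# networks are in the set: the match is a hash lookup, not a walk down
# a chain with one rule per network, which is the performance point
# the answer makes.  Load it with "iptables-restore --noflush" to add
# it without flushing the rules already present.
iptables_restore_fragment() {
    set_name=$1
    printf '*filter\n'
    printf '%s\n' "-A INPUT -m set --match-set $set_name src -j DROP"
    printf 'COMMIT\n'
}

# (3) firewalld.ipset(5) XML, for /etc/firewalld/ipsets/<name>.xml.
# firewalld creates the kernel ipset itself from this file; the zone
# then refers to it as a source (see the usage note).
firewalld_ipset_xml() {
    set_name=$1
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<ipset type="hash:net">\n'
    printf '  <short>%s</short>\n' "$set_name"
    printf '  <option name="family" value="inet"/>\n'
    for n in $(clean_nets "$2"); do
        printf '  <entry>%s</entry>\n' "$n"
    done
    printf '</ipset>\n'
}
```

On an iptables host: `ipset_restore_script blocklist "$SAMPLE_NETS" | ipset restore -exist`, then `iptables_restore_fragment blocklist | iptables-restore --noflush` (plain `iptables-restore` would flush the filter table first, which is the "flush the entire rule set" behaviour the question mentions). On a firewalld host: write `firewalld_ipset_xml blocklist "$SAMPLE_NETS"` to /etc/firewalld/ipsets/blocklist.xml, then `firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist` and `firewall-cmd --reload`; single entries can afterwards be changed at runtime with `firewall-cmd --ipset=blocklist --add-entry=<cidr>` without touching the rest of the rule set.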