Scenario / Questions

TL;DR On new CentOS server installs should I be using firewalld or just disable that and go back to using /etc/sysconfig/iptables ?


firewalld and iptables serve similar purposes. Both do packet filtering – but if I understand it correctly firewalld does not flush the entire rule set each time a change is made.

I know a lot about iptables but very little about firewalld.

On Fedora and RHEL/CentOS – the traditional iptables configuration was done in /etc/sysconfig/iptables. With firewalld, it’s configuration lives in /etc/firewalld/ and is a set of XML files. Fedora seems to be moving toward firewalld as a replacement for this legacy configuration. I do understand that firewalld uses iptables under the hood, but it also has it’s own command line interface and configuration file format as above – which is what I’m referring to in terms of using one vs the other.

Is there a particular configuration/scenario that each of these is best suited for? In the case of NetworkMangaer vs network, it appears that although NetworkManager may have been intended as a replacement for the network scripts, due to it’s lack of network bridge support and a few other things, many people are just not using it on server setups at all. So there seems to be a general concept of “use NetworkManager if you are on a Linux desktop/gui, and network if you are running a server”. That’s just what I pick up from reading various posts – but it at least gives a guide as to what is a workable use for those things – at least as they stand in their current state.

But I’ve been doing this same thing with firewalld and just turning it off and using iptables instead. (I am almost always installing linux on a server, not for desktop use). Is firewalld an effective replacement for iptables and should I just be using that on all new systems?

Find below all possible solutions or suggestions for the above questions..

Suggestion: 1

As firewalld is based on XML configuration, some might think that it’s easier to configure the firewall in a programmatic manner. This can be achieved by iptables just as well, but with a different way, which is not XML. If you are already familiar with the way iptables works, why would you migrate all your configuration to firewalld?

If you consider your largest iptables firewall rule set, how often do you think you would benefit from the dynamic aspect of firewalld? In most cases the performance of iptables is never the issue. In most cases where the performance of iptables is an issue can be fixed by using ipset based source/destination IP sets.

It is a different debate whether or not you should use NetworkManager.