Firewalld vs Iptables - Which one should I use?

Maxoq

Well-known member
Registered
Joined
Feb 25, 2015
Messages
520
Points
28
What is better for a hosting sever to use, firewalld or iptables? and why? Should I just go and use firewalld as thats what seems to becoming the standard and iptables may get dropped?
 

eva2000

Well-known member
Registered
Joined
Jan 14, 2017
Messages
173
Points
28
You do know firewalld is just a wrapper to iptables itself. On CentOS 7 at least iptables service (iptables-services yum package) and iptables are 2 things. With firewalld default, all firewalld is doing taking over from iptables-service to talk with iptables . https://fedoraproject.org/wiki/Firewalld?rd=FirewallD

which means you can disable firewalld and install iptables-service package to interface with iptables https://fedoraproject.org/wiki/Fire...ules_with_the_iptables_and_ip6tables_services

though limitations /differences with firewalld
The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall rules added by the ip*tables and ebtables command line tools.
So basically, you are choosing between which method of talking to iptables, via firewalld (dynamic) or iptables-service (static)

Static Firewall (system-config-firewall/lokkit)

The actual static firewall model with system-config-firewall and lokkit will still be available and usable, but not at the same time as the daemon is running. The user or admin can decide which firewall solution should be used by enabling the corresponding services.

It is planned to add a selector for the firewall solution to be used at install time or in first boot. The configuration of the other solution will stay intact and can be enabled simply by switching to the other model.

The firewall daemon is independent to system-config-firewall, but should not be used at the same time.
Code:
yum -q deplist firewalld
package: firewalld.noarch 0.4.3.2-8.1.el7_3
  dependency: /bin/bash
   provider: bash.x86_64 4.2.46-21.el7_3
  dependency: /bin/sh
   provider: bash.x86_64 4.2.46-21.el7_3
  dependency: /usr/bin/python
   provider: python.x86_64 2.7.5-48.el7
  dependency: ebtables
   provider: ebtables.x86_64 2.0.10-15.el7
  dependency: firewalld-filesystem = 0.4.3.2-8.1.el7_3
   provider: firewalld-filesystem.noarch 0.4.3.2-8.1.el7_3
  dependency: ipset
   provider: ipset.x86_64 6.19-6.el7
  dependency: iptables
   provider: iptables-services.x86_64 1.4.21-17.el7
   provider: iptables.x86_64 1.4.21-17.el7
  dependency: python-firewall = 0.4.3.2-8.1.el7_3
   provider: python-firewall.noarch 0.4.3.2-8.1.el7_3
  dependency: systemd
   provider: systemd.x86_64 219-30.el7_3.6
Code:
yum list iptables* -q | tr -s ' '
Installed Packages
iptables.x86_64 1.4.21-17.el7 @cr
iptables-devel.x86_64 1.4.21-17.el7 @cr
iptables-services.x86_64 1.4.21-17.el7 @cr
iptables-utils.x86_64 1.4.21-17.el7 @cr
Code:
yum list firewalld* -q | tr -s ' '        
Available Packages
firewalld.noarch 0.4.3.2-8.1.el7_3 updates
firewalld-filesystem.noarch 0.4.3.2-8.1.el7_3 updates
i don't use firewalld, i disable it and install csf firewall to interface with iptables and if applicable ipset :)
 

hostens

Well-known member
Hosting Provider
Registered
Joined
Jan 18, 2017
Messages
215
Points
28
I would also prefer CSF especially for their compatibility with server control panels. However if you are going to choose between firewalld and iptables-service for iptables rules management I would recommend firewalld mainly because it is easier and do not require firewall restart like iptables-service do.
 
Newer Threads
Replies
4
Views
3,891
Replies
1
Views
2,041
Recommended Threads

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top