Firewalld vs Iptables - Which one should I use?

Maxoq

Well-known member
Joined
Feb 25, 2015
Messages
294
Best answers
0
Ratings
34 1
Points
28
#1
What is better for a hosting server to use, firewalld or iptables? And why? Should I just go and use firewalld, as that's what seems to be becoming the standard and iptables may get dropped?
 

eva2000

Well-known member
Joined
Jan 14, 2017
Messages
160
Best answers
0
Ratings
50 3
Points
28
#2
You do know firewalld is just a wrapper to iptables itself. On CentOS 7 at least, the iptables service (iptables-services yum package) and iptables are 2 things. With firewalld default, all firewalld is doing is taking over from iptables-service to talk with iptables. https://fedoraproject.org/wiki/Firewalld?rd=FirewallD

Which means you can disable firewalld and install the iptables-services package to interface with iptables: https://fedoraproject.org/wiki/Fire...ules_with_the_iptables_and_ip6tables_services

Though there are limitations/differences with firewalld:
The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall rules added by the ip*tables and ebtables command line tools.
So basically, you are choosing between which method of talking to iptables: via firewalld (dynamic) or iptables-service (static).

Static Firewall (system-config-firewall/lokkit)

The actual static firewall model with system-config-firewall and lokkit will still be available and usable, but not at the same time as the daemon is running. The user or admin can decide which firewall solution should be used by enabling the corresponding services.

It is planned to add a selector for the firewall solution to be used at install time or in first boot. The configuration of the other solution will stay intact and can be enabled simply by switching to the other model.

The firewall daemon is independent of system-config-firewall, but should not be used at the same time.
Code:
yum -q deplist firewalld
package: firewalld.noarch 0.4.3.2-8.1.el7_3
  dependency: /bin/bash
   provider: bash.x86_64 4.2.46-21.el7_3
  dependency: /bin/sh
   provider: bash.x86_64 4.2.46-21.el7_3
  dependency: /usr/bin/python
   provider: python.x86_64 2.7.5-48.el7
  dependency: ebtables
   provider: ebtables.x86_64 2.0.10-15.el7
  dependency: firewalld-filesystem = 0.4.3.2-8.1.el7_3
   provider: firewalld-filesystem.noarch 0.4.3.2-8.1.el7_3
  dependency: ipset
   provider: ipset.x86_64 6.19-6.el7
  dependency: iptables
   provider: iptables-services.x86_64 1.4.21-17.el7
   provider: iptables.x86_64 1.4.21-17.el7
  dependency: python-firewall = 0.4.3.2-8.1.el7_3
   provider: python-firewall.noarch 0.4.3.2-8.1.el7_3
  dependency: systemd
   provider: systemd.x86_64 219-30.el7_3.6
Code:
yum list iptables* -q | tr -s ' '
Installed Packages
iptables.x86_64 1.4.21-17.el7 @cr
iptables-devel.x86_64 1.4.21-17.el7 @cr
iptables-services.x86_64 1.4.21-17.el7 @cr
iptables-utils.x86_64 1.4.21-17.el7 @cr
Code:
yum list firewalld* -q | tr -s ' '
Available Packages
firewalld.noarch 0.4.3.2-8.1.el7_3 updates
firewalld-filesystem.noarch 0.4.3.2-8.1.el7_3 updates
I don't use firewalld; I disable it and install CSF firewall to interface with iptables and, if applicable, ipset :)
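The two management paths this post describes, rendered side by side as an added example (this script is not from the thread and not part of firewalld, iptables-services or CSF): one function renders a static ruleset in the format `/etc/sysconfig/iptables` expects, the other renders the equivalent `firewall-cmd --permanent` calls ending in a `--reload`, and a third refuses to proceed when both services are active, since firewalld cannot parse rules the iptables CLI adds. The allowed port list is a constructed sample policy; the service names `iptables` and `firewalld` are the CentOS 7 ones quoted in the thread, and applying either output needs root.

```shell
#!/bin/sh
# Added example, not from the thread: the same minimal host policy expressed
# for both CentOS 7 backends. Both end up in the same kernel iptables tables;
# only the management layer (static file vs. daemon) differs.
# Assumptions: CentOS 7 service names "iptables" (iptables-services package)
# and "firewalld"; constructed sample policy of SSH, HTTP and HTTPS inbound.

ALLOW_TCP_PORTS="22 80 443"   # constructed sample policy

# Static backend: render an iptables-restore ruleset for /etc/sysconfig/iptables.
# Loading it is a full replace: "systemctl restart iptables" flushes and reloads.
gen_iptables_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for p in $ALLOW_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m conntrack --ctstate NEW --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Dynamic backend: the equivalent firewall-cmd calls. --permanent edits the
# zone configuration on disk; the final --reload applies it in the daemon
# without flushing kernel state, which is the "no restart" property the
# thread mentions.
gen_firewalld_commands() {
    printf '%s\n' 'firewall-cmd --permanent --zone=public --set-target=DROP'
    for p in $ALLOW_TCP_PORTS; do
        printf '%s\n' "firewall-cmd --permanent --zone=public --add-port=$p/tcp"
    done
    printf '%s\n' 'firewall-cmd --reload'
}

# Guard before applying either output: the two managers must not run at the
# same time, because firewalld does not see rules added by the iptables CLI
# and its view of the firewall would drift from the kernel's.
# Returns 0 when at most one service is active (or systemctl is absent).
exclusive_backend_ok() {
    command -v systemctl >/dev/null 2>&1 || return 0
    a=$(systemctl is-active iptables 2>/dev/null)
    b=$(systemctl is-active firewalld 2>/dev/null)
    if [ "$a" = active ] && [ "$b" = active ]; then
        return 1
    fi
    return 0
}

# Number of ACCEPT rules in the rendered static ruleset: lo, established,
# icmp, plus one per allowed port. Lets a caller verify the render.
count_accept_rules() {
    gen_iptables_ruleset | grep -c -- '-j ACCEPT'
}

# Usage (as root):
#   ./fw-backends.sh iptables  > /etc/sysconfig/iptables && systemctl restart iptables
#   ./fw-backends.sh firewalld | sh
case "${1:-}" in
    iptables)
        exclusive_backend_ok || { echo "both iptables and firewalld active" >&2; exit 1; }
        gen_iptables_ruleset ;;
    firewalld)
        exclusive_backend_ok || { echo "both iptables and firewalld active" >&2; exit 1; }
        gen_firewalld_commands ;;
esac
```

Pick one backend, keep the other service disabled, and generate the policy from a single source like this so the two never disagree about what the kernel is actually enforcing.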
 

24x7CSM

Well-known member
Joined
Sep 27, 2016
Messages
219
Best answers
0
Ratings
26
Points
0
#4
Yes, CSF is easy to install, configure and administer, and it helps to mitigate DDoS attacks to some extent.
 

hostens

Well-known member
Joined
Jan 18, 2017
Messages
141
Best answers
1
Ratings
40 5
Points
28
#5
I would also prefer CSF, especially for its compatibility with server control panels. However, if you are going to choose between firewalld and iptables-service for iptables rule management, I would recommend firewalld, mainly because it is easier and does not require a firewall restart like iptables-service does.
 