Firewalld vs Iptables - Which one should I use?

Maxoq · Jan 23, 2017

What is better for a hosting sever to use, firewalld or iptables? and why? Should I just go and use firewalld as thats what seems to becoming the standard and iptables may get dropped?

eva2000 · Jan 23, 2017

You do know firewalld is just a wrapper to iptables itself. On CentOS 7 at least iptables service (iptables-services yum package) and iptables are 2 things. With firewalld default, all firewalld is doing taking over from iptables-service to talk with iptables . https://fedoraproject.org/wiki/Firewalld?rd=FirewallD

which means you can disable firewalld and install iptables-service package to interface with iptables https://fedoraproject.org/wiki/Fire...ules_with_the_iptables_and_ip6tables_services

though limitations /differences with firewalld

The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall rules added by the ip*tables and ebtables command line tools.

So basically, you are choosing between which method of talking to iptables, via firewalld (dynamic) or iptables-service (static)

Static Firewall (system-config-firewall/lokkit)

The actual static firewall model with system-config-firewall and lokkit will still be available and usable, but not at the same time as the daemon is running. The user or admin can decide which firewall solution should be used by enabling the corresponding services.

It is planned to add a selector for the firewall solution to be used at install time or in first boot. The configuration of the other solution will stay intact and can be enabled simply by switching to the other model.

The firewall daemon is independent to system-config-firewall, but should not be used at the same time.

Code:

yum -q deplist firewalld
package: firewalld.noarch 0.4.3.2-8.1.el7_3
  dependency: /bin/bash
   provider: bash.x86_64 4.2.46-21.el7_3
  dependency: /bin/sh
   provider: bash.x86_64 4.2.46-21.el7_3
  dependency: /usr/bin/python
   provider: python.x86_64 2.7.5-48.el7
  dependency: ebtables
   provider: ebtables.x86_64 2.0.10-15.el7
  dependency: firewalld-filesystem = 0.4.3.2-8.1.el7_3
   provider: firewalld-filesystem.noarch 0.4.3.2-8.1.el7_3
  dependency: ipset
   provider: ipset.x86_64 6.19-6.el7
  dependency: iptables
   provider: iptables-services.x86_64 1.4.21-17.el7
   provider: iptables.x86_64 1.4.21-17.el7
  dependency: python-firewall = 0.4.3.2-8.1.el7_3
   provider: python-firewall.noarch 0.4.3.2-8.1.el7_3
  dependency: systemd
   provider: systemd.x86_64 219-30.el7_3.6

Code:

yum list iptables* -q | tr -s ' '
Installed Packages
iptables.x86_64 1.4.21-17.el7 @cr
iptables-devel.x86_64 1.4.21-17.el7 @cr
iptables-services.x86_64 1.4.21-17.el7 @cr
iptables-utils.x86_64 1.4.21-17.el7 @cr

Code:

yum list firewalld* -q | tr -s ' '        
Available Packages
firewalld.noarch 0.4.3.2-8.1.el7_3 updates
firewalld-filesystem.noarch 0.4.3.2-8.1.el7_3 updates

i don't use firewalld, i disable it and install csf firewall to interface with iptables and if applicable ipset

HyperFilter · Jan 23, 2017

Yes, CSF is much better in terms of firewalling a server.

24x7CSM · Jan 24, 2017

yes , CSF is easy to install , configure and administrate and it helps to mitigate the DDOS attacks to some extent.

hostens · Jan 24, 2017

I would also prefer CSF especially for their compatibility with server control panels. However if you are going to choose between firewalld and iptables-service for iptables rules management I would recommend firewalld mainly because it is easier and do not require firewall restart like iptables-service do.

hfav · Jan 24, 2017

I will recommend Firewalld. It is easier to manage.

Firewalld vs Iptables - Which one should I use?

Maxoq

Well-known member

eva2000

Well-known member

HyperFilter

Member

24x7CSM

Well-known member

hostens

Well-known member

hfav

Active member

miken

Member

Latest posts New threads

Latest posts

New threads

Latest Hosting Offers New Reviews

Latest hosting offers

Popular Contributors - Past 30 Days

Sponsors

Tag Cloud