Firewalld vs Iptables

Fairly new to Linux and only just started tinkering.

I've come across firewalld and iptables on my cyber travels. I've been playing with iptables as this is what we use at work. However, I'm a little confused.

Is firewalld what iptables is going to be replaced by across all distributions of Linux?

Are iptables and firewalld just distribution-specific?

What are the main differences between firewalld and iptables, except for syntax and commands?
 
firewalld is what most distros are moving to as a replacement for iptables; the only exception is Ubuntu, which has its own 'ufw' (ubuntu firewall) program.
Red Hat/CentOS 7 have already made the switch to firewalld.
 
firewalld is what most distros are moving to as a replacement for iptables
Wikipedia said:
FirewallD is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the iptables packet filtering system provided by the Linux kernel.

The name firewalld adheres to the Unix convention of naming system daemons by appending the letter “d”
Seems like it's just a Python front-end for configuring iptables using an XML-based configuration.

I personally use iptables-save (iptables-persistent on Debian) on servers. (I don't see an advantage in using XML for configuration.)
FirewallD ships by default on the following Linux distributions:

CentOS 7 and newer
Fedora 18 and newer
Red Hat Enterprise Linux 7 and newer
FirewallD is enabled by default in all the distributions that rely on it as their default firewall.
I guess the main advantage some might see is the GUIs, but who needs to continually change iptables on the desktop?
If it had application-based rules like most Windows firewalls, then maybe this would be beneficial, but I don't see the point with iptables.

I think ufw/gufw has 'application' templates, but I think they just give the default ports for the specific application (so they don't apply to a specific app binary).
 
I write my iptables rules into a bash script and execute it on boot; I never got on with iptables-save.
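As an added example (not code from either of the two posters above, and not the iptables-persistent package's own tooling): the "rules in a script, run at boot" approach, written so that the rules are emitted in iptables-restore format and loaded as one atomic table replacement rather than one `iptables -A` call at a time. The open ports, the file path and the use of `iptables-restore --test` as a pre-flight check are my choices, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread: an iptables ruleset kept in a
# script and loaded at boot. The rules are emitted in iptables-restore
# format so the whole filter table is swapped in one call; a loop of
# individual "iptables -A" commands after "iptables -F" leaves a window
# in which the host is either wide open or unreachable, depending on
# which default policy was set first. IPv4 only: ip6tables needs its own
# ruleset or IPv6 traffic stays unfiltered.

# gen_ruleset PORT... : print a default-deny filter table that accepts
# loopback, established/related traffic, ICMP and new TCP connections to
# the given ports. Returns 1 and prints nothing if any port is malformed.
gen_ruleset() {
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_ruleset: port out of range '$port'" >&2; return 1
        fi
    done
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the default DROP policy is about to eat.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "' \
        'COMMIT'
}

# write_ruleset FILE PORT... : write the ruleset to FILE (mode 0600, via a
# temporary file so a crash mid-write never leaves a truncated ruleset).
write_ruleset() {
    file=$1; shift
    tmp="$file.tmp.$$"
    ( umask 077; gen_ruleset "$@" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# apply_ruleset FILE : parse-check first (--test builds the ruleset without
# committing it to the kernel), then load it. Needs root.
apply_ruleset() {
    iptables-restore --test "$1" && iptables-restore "$1"
}

# Stand-alone use (as root): sh iptables-boot.sh apply /etc/iptables.rules 22 443
case ${1:-} in
    apply)
        [ $# -ge 3 ] || { echo "usage: $0 apply FILE PORT..." >&2; exit 1; }
        f=$2; shift 2
        write_ruleset "$f" "$@" && apply_ruleset "$f"
        ;;
esac
```

The generated file is exactly what `iptables-save` would have produced for this policy, so the same script works whether you load it from a boot unit, from iptables-persistent's `/etc/iptables/rules.v4`, or by hand; the difference from a plain list of `iptables` commands is only that the kernel never sees a half-built table.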
 
If you want the real difference between iptables (service) and firewalld then read this link:

https://access.redhat.com/documenta.../html/Security_Guide/sec-Using_Firewalls.html

Basically it replaces the iptables service (so the /etc/sysconfig/iptables file isn't used for configuration). It does have some useful features that iptables doesn't, like being able to dynamically load rules without having to do a full flush and reload.

We use it because it makes running multiple firewall zones on the same system very clear and we can define application firewall requirements as single files and easily drop them in consistently across multiple systems. You can define your own services and zones easily and then add the appropriate interfaces into them, or use the pre-defined services.

For instance, to add the necessary ports for clustering I could run something like the following:
Code:
# firewall-cmd --permanent --zone=Heartbeat --add-service=high-availability
(where I have already defined a Heartbeat zone and added the appropriate interfaces to it),

rather than having to look up ports and protocols and write iptables rules.

It is used on Red Hat and related derivatives (which includes more OSes than listed above, e.g. Oracle Linux).
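As an added example of the workflow the post above describes (not code from the poster, from Red Hat's documentation, or from the firewalld project): one application's firewall requirements packaged as a firewalld service file, dropped into the directory firewalld reads user-defined services from, and bound to a custom zone with `firewall-cmd`. The service name, ports, zone name and interface (`myapp`, 8443/tcp, 5000/udp, `appnet`, `eth1`) are placeholders I chose.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat's documentation:
# packaging one application's firewall requirements as a firewalld service
# file and binding it to a custom zone, the drop-one-file-per-host workflow
# described in the post above. User-defined services live in
# /etc/firewalld/services and take precedence over the vendor files in
# /usr/lib/firewalld/services. The names used here ("myapp", 8443/tcp,
# 5000/udp, zone "appnet", interface "eth1") are placeholders.

SERVICE_DIR=${SERVICE_DIR:-/etc/firewalld/services}
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# write_service NAME DESCRIPTION PORT/PROTO... : write NAME.xml into
# SERVICE_DIR and print its path. Arguments are validated before anything
# is written, so a bad call never leaves a half-written service behind.
write_service() {
    [ $# -ge 3 ] || { echo "usage: write_service NAME DESC PORT/PROTO..." >&2; return 1; }
    name=$1; desc=$2; shift 2
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "write_service: bad name '$name'" >&2; return 1 ;;
    esac
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case $port in
            ''|*[!0-9]*) echo "write_service: bad port in '$spec'" >&2; return 1 ;;
        esac
        case $proto in
            tcp|udp|sctp|dccp) ;;
            *) echo "write_service: bad protocol in '$spec'" >&2; return 1 ;;
        esac
    done
    # The description is operator text; escape it so it cannot break the XML.
    desc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    file="$SERVICE_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file" || return 1
    printf '%s\n' "$file"
}

# bind_service ZONE IFACE SERVICE : reload so the daemon sees the freshly
# dropped service file, create ZONE with a DROP target (anything the zone
# does not explicitly allow is dropped), put IFACE in it, allow SERVICE,
# and reload again so the runtime config picks up the permanent one.
# With FIREWALL_CMD=echo the calls are printed instead of executed.
bind_service() {
    zone=$1; iface=$2; svc=$3
    "$FIREWALL_CMD" --reload &&
    "$FIREWALL_CMD" --permanent --new-zone="$zone" &&
    "$FIREWALL_CMD" --permanent --zone="$zone" --set-target=DROP &&
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-interface="$iface" &&
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$svc" &&
    "$FIREWALL_CMD" --reload
}

# Stand-alone use (as root): sh firewalld-app.sh install
case ${1:-} in
    install)
        write_service myapp "Example application" 8443/tcp 5000/udp &&
        bind_service appnet eth1 myapp
        ;;
esac
```

Two things worth knowing before running this on a real host: `--new-zone` fails if the zone already exists (check `firewall-cmd --get-zones` first, or drop that line on hosts that already carry the zone), and a `--permanent` change is not live until `--reload`, which is why the function ends with one; the thread's own `--permanent --zone=Heartbeat --add-service=high-availability` needs the same reload, or the same command repeated without `--permanent`, before the ports actually open.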
 