[CentOS] CentOS 7 - Firewall always allows outgoing packets?

Mon Aug 11 18:47:26 UTC 2014
Kirk Bocek <t004 at kbocek.com>

On 8/11/2014 11:36 AM, Jonathan Billings wrote:
> On Aug 11, 2014, at 1:16 PM, Always Learning <centos at u62.u22.net> wrote:
>> Stating one's dread of having imposed as a standard, a firewall that can
>> not control outgoing packets and has dumbed-down Micro$oft-like 'zones'
>> and the possible future removal of IP Tables from the very much admired
>> Centos version of RHEL, is probably a desperate call for sanity to
>> prevail at Red Hat.
> 'FirewallD' doesn't replace 'iptables' except in the sense of activated system services, not the core firewall functionality.  FirewallD just builds and modifies iptables rules.  If anything, FirewallD might make it easier to migrate to nftables (a potential replacement for iptables) when that becomes mature[1].  But that's nowhere on the radar right now.
>
> If you don't like FirewallD, don't use it.  It's just a tool to make managing your firewall easier, and allowing the OS and user to dynamically load rules depending on certain logic.  It replaces the monolithic /etc/sysconfig/iptables file and the 'iptables' systemd unit.  No one is talking about removing the core netfilter technology behind 'iptables'.
>
> Just reading this thread makes me wonder if people criticizing FirewallD actually even tried it or even read the documentation!
>
>
> 1.) http://netfilter.org/projects/nftables/
>
> --
> Jonathan Billings <billings at negate.org>
>
>

Thank you Jonathan for injecting a little sanity. What I was reading 
just wasn't making sense to me.

I have not even started to digest 7. What is the proper method of 
getting back to an industrial strength firewall under 7? Does one 
disable FirewallD and install iptables or does iptables install on top 
of FirewallD? You are making it sound like FirewallD can act as a 
management tool for iptables.
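Both routes Kirk asks about, written out as an added example that is not part of the thread or of either poster's setup. It assumes a CentOS 7 host where the iptables-services package is installable from the base repo, root privileges, and a constructed sample egress policy (loopback, established flows, DNS and HTTPS out; everything else logged and dropped). Option A replaces firewalld with the classic iptables unit; option B keeps firewalld and pushes raw iptables arguments through its "direct" interface, which is the closest thing firewalld offers to an OUTPUT chain. Everything that touches the system goes through run(), so DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the CentOS list post. Assumes CentOS 7, root, and
# that 'iptables-services' is available from the base repository.
set -eu

# Execute a command, or just print it when DRY_RUN=1 (lets you review first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Constructed sample ruleset in iptables-restore format: default-deny on
# OUTPUT as well as INPUT. Adjust the allowed ports before you rely on it,
# and keep a console session open in case you lock yourself out.
egress_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "EGRESS-DROP: " --log-level 4
-A OUTPUT -j DROP
COMMIT
EOF
}

# Option A: drop firewalld and use the iptables unit, which loads the
# ruleset in $1 (normally /etc/sysconfig/iptables) at boot. firewalld is
# masked rather than merely disabled so nothing can start it alongside
# iptables; both services rewriting the same netfilter tables is a mess.
switch_to_iptables_service() {
    run yum -y install iptables-services
    run systemctl stop firewalld
    run systemctl mask firewalld
    egress_ruleset > "$1"
    run systemctl enable iptables
    run systemctl start iptables
}

# Option B: keep firewalld and add the same egress policy through its
# direct interface. The arguments after the priority are passed to iptables
# unchanged; firewalld places them in its OUTPUT_direct chain. Lower
# priority numbers are evaluated first, so the DROP goes last.
firewalld_egress_rules() {
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -p udp --dport 53 -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 3 -p tcp --dport 443 -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 9 -j DROP
    run firewall-cmd --reload
}

# Quick sanity check on the generated file: number of OUTPUT-chain rules.
output_rule_count() {
    grep -c '^-A OUTPUT' "$1"
}

case "${1:-}" in
    iptables)  switch_to_iptables_service /etc/sysconfig/iptables ;;
    firewalld) firewalld_egress_rules ;;
esac
```

Run it as `DRY_RUN=1 sh egress.sh iptables` (or `firewalld`) first to see exactly what it would do. After applying either option, `iptables -S OUTPUT` (and for option B `iptables -S OUTPUT_direct`) shows the live rules, which is also the easiest way to confirm that firewalld really is just generating iptables rules underneath.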