Dennis Jacobfeuerborn wrote:
On 08.07.2014 14:35, David Both wrote:
I still prefer IPTables, so in Fedora I simply disabled firewalld and enabled IPTables. No need to uninstall. I have read that IPTables will continue to be available alongside firewalld for the unspecified future.
<snip>
One of the stated reasons for firewalld is that dynamic rule changes do not clear the old rules before loading the new ones, to paraphrase, "where IPTables does." If true, that would leave a very small amount of time in which the host would be vulnerable. I have no desire to peruse the source code to determine the veracity of that statement, so if there is someone here who could verify that changing the rules in IPTables, whether using the iptables command or the iptables-restore command, I would be very appreciative. No need to go to any trouble to locate that answer as I am merely curious.
<snip>
The problem firewalld tries to solve is that nowadays you often want to insert temporary rules that should only be active while a certain application is running. This collides a bit with the way iptables works. For example, libvirt inserts specific rules when you define networks for virtualization dynamically. If you now do an iptables-save, these rules get saved, and on next boot when these rules are restored they exist again, but now libvirt will add them dynamically a second time.
Firewalld is simply a framework built around iptables that allows for applications to "register" rules with additional information such as
<snip> And so nothing like, say, fail2ban....
mark
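The duplication Dennis describes (libvirt's dynamic rules captured by iptables-save, then restored at boot and added a second time by libvirt) can be seen and avoided by filtering the dump before it is persisted. The script below is an added example written for this thread, not code from the list, from libvirt or from firewalld. It assumes libvirt's default network uses bridge virbr0 and subnet 192.168.122.0/24 (both labelled as assumptions in the code); any rule that references either is treated as dynamic and dropped, and the sample dump is constructed.

```python
"""Filter libvirt-style dynamic rules out of an iptables-save dump.

Added example, not code from the mailing-list thread, libvirt or firewalld.
Assumptions (labelled): libvirt's default network uses bridge virbr0 and
subnet 192.168.122.0/24; rules matching either are treated as dynamic and
removed before the dump is persisted, so the next boot does not restore
them alongside libvirt's own re-insertion.
"""
import shlex
from collections import Counter

# Constructed sample dump: the nat rule appears twice, which is the effect
# the thread describes (saved once, then re-added by libvirt after restore).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
"""

DYNAMIC_IFACES = {"virbr0"}             # assumption: libvirt default bridge
DYNAMIC_SUBNETS = {"192.168.122.0/24"}  # assumption: libvirt default subnet


def is_dynamic(rule, ifaces=DYNAMIC_IFACES, subnets=DYNAMIC_SUBNETS):
    """True if an '-A ...' rule line references a dynamic interface or subnet.

    Tokenising with shlex keeps '!' negations as their own token, so a
    '! -d 192.168.122.0/24' match is still recognised.
    """
    toks = shlex.split(rule)
    for i, tok in enumerate(toks[:-1]):
        nxt = toks[i + 1]
        if tok in ("-i", "-o") and nxt in ifaces:
            return True
        if tok in ("-s", "-d") and nxt in subnets:
            return True
    return False


def strip_dynamic_rules(dump, ifaces=DYNAMIC_IFACES, subnets=DYNAMIC_SUBNETS):
    """Return the dump with dynamic '-A' rules removed.

    Table headers, chain policies and COMMIT lines are kept unchanged so the
    result is still a valid input for iptables-restore.
    """
    kept = []
    for line in dump.splitlines():
        if line.startswith("-A ") and is_dynamic(line, ifaces, subnets):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def duplicate_rules(dump):
    """Map table name -> rule lines that occur more than once in that table."""
    dupes = {}
    table = None
    counts = Counter()
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
            counts = Counter()
        elif line.startswith("-A "):
            counts[line] += 1
        elif line == "COMMIT":
            found = [r for r, n in counts.items() if n > 1]
            if found:
                dupes[table] = found
    return dupes


def rule_lines(dump):
    """All '-A' rule lines in a dump, in order."""
    return [l for l in dump.splitlines() if l.startswith("-A ")]


if __name__ == "__main__":
    print("duplicated rules:", duplicate_rules(SAMPLE_DUMP))
    print(strip_dynamic_rules(SAMPLE_DUMP))
```

The cleaned text keeps the `*table` / `COMMIT` framing, so it can be handed to `iptables-restore`, which replaces each table's ruleset at its `COMMIT` rather than deleting and re-adding rules one at a time; persisting only the static rules this way leaves libvirt free to re-insert its own rules once at boot.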