On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
Did you look at Shorewall? IMHO that's what is best used in such situations, and it has worked for many years now.
shorewall doesn't support nftables, which is largely the point of firewalld: The Linux firewall system is currently undergoing yet another deprecation and migration from iptables to nftables. firewalld should remain stable during the migration process. As far as I know, there are no plans to support nftables under shorewall, so new users will most likely throw away any investment they make in learning and implementing shorewall.
IIRC nftables has a compatibility mode with iptables?
Anyway, I thought the future on Linux is bpfilter, no?
Until then, I'll continue to enjoy Shorewall as I have for more than a decade now.
Regards, Simon
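An added example, not from this thread or from the Shorewall or firewalld projects, illustrating the iptables compatibility mode mentioned above. On iptables 1.8 and later the `iptables` binary is either the legacy implementation or the `iptables-nft` front end that programs nftables; `iptables -V` reports which one, and `iptables-translate` prints the nft equivalent of an iptables rule. The `iptables_backend` helper, the sample ruleset and the file name are constructed for this example; the tools themselves are real.

```shell
#!/bin/sh
# Assumes iptables >= 1.8 (ships iptables-nft, iptables-legacy and
# iptables-translate) and the nft CLI. Everything below degrades gracefully
# when a tool is missing, so it can be run on a box without either.

# Classify the backend from an `iptables -V` line (constructed helper), e.g.
#   "iptables v1.8.4 (nf_tables)" -> nf_tables
#   "iptables v1.8.4 (legacy)"    -> legacy
# Knowing this matters: rules loaded through the legacy binary and rules
# loaded through iptables-nft live in different kernel tables, so tools that
# pick different backends silently stop seeing each other's rules.
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Minimal stateful nftables ruleset (constructed sample): default-drop input,
# allow return traffic, loopback, ICMP and SSH, drop invalid conntrack state.
nft_ruleset() {
  cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    tcp dport 22 accept
  }
}
EOF
}

main() {
  if command -v iptables >/dev/null 2>&1; then
    echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
  else
    echo "iptables not installed"
  fi

  if command -v iptables-translate >/dev/null 2>&1; then
    echo "nft equivalent of an iptables rule:"
    iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT \
      || echo "iptables-translate failed"
  fi

  if command -v nft >/dev/null 2>&1; then
    f=$(mktemp) || exit 1
    nft_ruleset > "$f"
    # -c checks the ruleset without loading it; may need privileges on some kernels
    if nft -c -f "$f"; then echo "sample ruleset parses"; else echo "nft check failed"; fi
    rm -f "$f"
  fi
}

main
```

The point of the check is the one Simon's question touches: an `nf_tables` backend means your iptables commands are already nftables rules under the hood, and `nft list ruleset` will show them alongside any native nft tables.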