On Thu, Oct 25, 2018 at 09:53:13AM -0500, Blake Hudson wrote:
> My first impression was that firewalld and NetworkManager had a more desktop oriented/plug-n-play type feel compared to traditional tools like network and iptables so I chose to stick with the latter on my servers (manual IP4/IP6 configuration and a handful of services, some open to the public internet while others open only to certain sources).
I use NetworkManager and firewalld on my servers. NM (particularly, the more modern one on EL7) is great for servers, because it'll bring the network interface up and down based on the status of the line, not just at boot. In one of our datacenters, our faster booting servers often start up faster than the network infrastructure after an emergency power cut. Without NM in place, they'd have tried to start networking on boot, detected that the network device was down, and given up. I'd have to reboot them at the console (or remotely through a serial console) to get them back online. With NM, they start up, the network is down but they still come up, and the network is activated a few minutes later when the switch becomes active.
You can also set up NetworkManager dispatcher actions for when the network goes up or down. This way, after the network comes up, for example, you could have it reset the clock through chrony.
I like firewalld for a different reason. You can parcel out configuration files related to configuration management roles, and that's easier done with firewalld than the monolithic /etc/sysconfig/iptables file. I still have to use a template for some files, but it's not a huge mess like the template I use for the iptables file.
> For a laptop or desktop (which probably uses DHCP and has few, if any, publicly accessible services) I'd probably stick with the former. I have no idea how well tools like fail2ban or logwatch integrate with firewalld, but if they work as well or better than iptables that would be great. Warren is correct that the firewall-cmd interface is probably more intuitive for most folks (especially those not familiar with managing iptables).
fail2ban works fine with firewalld. You just install the fail2ban-firewalld subpackage and it sets up the right firewalld configuration. (banaction = firewallcmd-ipset) It's nice, it uses ipsets instead of the iptables-multiport action, which I think is faster.
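As an added example, not code from the thread, here is the kind of NetworkManager dispatcher hook the reply above describes for resyncing the clock through chrony once a late-starting link comes up. The install path and the script name are assumptions; NetworkManager passes the interface as `$1` and the action as `$2`, runs the script as root, and skips any dispatcher script that is not root-owned or is group/world-writable.

```shell
#!/bin/sh
# Added example (not from the thread): NetworkManager dispatcher script, assumed
# installed as /etc/NetworkManager/dispatcher.d/50-chrony-resync (hypothetical name).
# NetworkManager invokes it as root with $1 = interface and $2 = action, and only
# runs scripts that are owned by root, executable, and not writable by group/other.

# Map an (interface, action) pair to the command to run. Prints the command, or
# nothing when there is nothing to do. Kept as a pure function so it can be tested.
resync_command() {
    iface="$1"; action="$2"
    case "$iface" in
        lo) return 0 ;;                        # loopback is never a real link change
    esac
    case "$action" in
        up|vpn-up) echo "chronyc makestep" ;;  # step the clock once the line is back
        *) ;;                                  # down, pre-up, dhcp4-change, etc.: ignore
    esac
}

# Only act when NetworkManager actually invoked us with both arguments.
if [ "$#" -eq 2 ]; then
    cmd=$(resync_command "$1" "$2")
    if [ -n "$cmd" ]; then
        logger -t nm-dispatcher-chrony "$1 $2: running '$cmd'"
        $cmd
    fi
fi
```

Because dispatcher scripts run as root, treat the directory like any other root-executed hook: keep it root-owned and mode 0755, and log what each run did so a stray or modified script shows up in the journal.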