I don't really understand the intent behind firewalld. The RHEL7 Security Guide states "A graphical configuration tool, *firewall-config*, is used to configure firewalld, which in turn uses *iptables tool* to communicate with *Netfilter* in the kernel which implements packet filtering".
Well, the order from Kernel inside outward is:
1. Netfilter (inside Kernel), not directly accessible by userland
2. iptables/ip6tables, the userland cli tools to manipulate the Netfilter ....
3. firewalld (RedHat/CentOS), or SuSEfirewall (Suse), or similar are the ....
4. GUI tools, that allow to manipulate the config of firewalld (or similar), ....
Does that answer your question about *value added* by GUI tools? Not every user that needs to change firewall settings is a certified UNIX admin.
I don't dispute the value of GUIs. I have a comment and a question. First, in "the data center" my experience is that iptables rules are put into place and only rarely changed thereafter, like the network configuration at the server.
But my question was partly this: What is the specific need for a continuously running daemon firewalld if what we wanted was a GUI front-end for iptables? Thanks....Nick Geo
On Sun, 13 Dec 2015 12:30:39 -0600 Nicholas Geovanis wrote:
> I don't dispute the value of GUIs. I have a comment and a question. First, in "the data center" my experience is that iptables rules are put into place and only rarely changed thereafter, like the network configuration at the server.
> But my question was partly this: What is the specific need for a continuously running daemon firewalld if what we wanted was a GUI front-end for iptables? Thanks....Nick Geo
Hi Nick,
Because it is not a 'static configurator.' It delivers a dynamic firewall. See
https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/#Dynamic_firewall_with_FirewallD
"The firewall daemon ... manages the firewall dynamically and applies changes without restarting the whole firewall. ..." Among other things, it:
- offers separation of runtime and permanent configuration options
- supports an interface for services or applications to add firewall rules directly
- provides information about the current active firewall settings via D-BUS and also accepts changes via D-BUS using PolicyKit authentication methods
hth & regards,
Carl
firewalld is more than just a GUI configuration system. It is a far more capable system than static firewall rules and can be used to simplify ruleset creation. With D-Bus support, for example, rules can be made available only while the applications that need them are running. For servers it can be used to help compartmentalize your current rules, and the use of zones to apply different rulesets to different interfaces is quite nice.
I think the idea that rulesets are put into place and rarely change is becoming less and less true in cloud-like environments. A well-built firewalld system can deal with these types of environments a bit better IMHO.
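The two firewalld features raised in the thread, the runtime/permanent split in Carl's reply and the per-interface zones in the reply above, are also the two things that bite operationally: a rule added without `--permanent` disappears on `firewall-cmd --reload`, and a rule added only with `--permanent` is not enforced until that reload. The following is an added example, not code from the thread or from the firewalld project. It parses the text printed by `firewall-cmd --list-all-zones` and `firewall-cmd --permanent --list-all-zones` and reports, per zone and field, which entries exist on only one side. The two samples are constructed to resemble that output (several always-empty fields are omitted for brevity); on a live host capture the real output of the two commands and pass it to `diff_zones()`.

```python
"""Detect drift between firewalld runtime and permanent zone configuration.

Added example for the thread above; not part of firewalld.  Input is the
plain-text listing that `firewall-cmd --list-all-zones` prints (runtime) and
that `firewall-cmd --permanent --list-all-zones` prints (on-disk config).
"""
import re

# Constructed sample of runtime state: someone ran
#   firewall-cmd --zone=public --add-service=http
#   firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" ...'
# without --permanent.  Rich rules are listed one per tab-indented line.
RUNTIME = """\
internal (active)
  target: default
  interfaces: eth1
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 5432/tcp
  masquerade: no
  rich rules:

public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  masquerade: no
  rich rules:
\trule family="ipv4" source address="203.0.113.0/24" service name="ssh" accept
"""

# Constructed sample of permanent state: someone else ran
#   firewall-cmd --permanent --zone=public --add-port=8443/tcp
# and has not reloaded yet.  Permanent listings carry no "(active)" marker.
PERMANENT = """\
internal
  target: default
  interfaces: eth1
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 5432/tcp
  masquerade: no
  rich rules:

public
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp 8443/tcp
  masquerade: no
  rich rules:
"""

ZONE_HEADER = re.compile(r"^(\S+)(?: \(active\))?\s*$")   # "public (active)"
FIELD = re.compile(r"^  ([a-z][a-z -]*):\s*(.*)$")         # "  services: ssh http"


def parse_list_all(text):
    """Turn a --list-all-zones listing into {zone: {field: set(entries)}}.
    Space-separated fields become sets of tokens; each continuation line under
    'rich rules' is one entry, since a rich rule contains spaces itself."""
    zones, zone, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ZONE_HEADER.match(line)          # cannot match indented lines
        if m:
            zone, field = m.group(1), None
            zones[zone] = {}
            continue
        m = FIELD.match(line)
        if m and zone is not None:
            field, value = m.group(1), m.group(2)
            zones[zone][field] = set(value.split())
            continue
        if zone is not None and field == "rich rules":
            zones[zone][field].add(line.strip())
    return zones


def diff_zones(runtime_text, permanent_text):
    """Return [(zone, field, runtime_only, permanent_only)] for every field
    whose two sides differ.  runtime_only entries vanish on --reload;
    permanent_only entries are not enforced until --reload."""
    runtime, permanent = parse_list_all(runtime_text), parse_list_all(permanent_text)
    drift = []
    for zone in sorted(set(runtime) | set(permanent)):
        r, p = runtime.get(zone, {}), permanent.get(zone, {})
        for field in sorted(set(r) | set(p)):
            rs, ps = r.get(field, set()), p.get(field, set())
            if rs != ps:
                drift.append((zone, field, rs - ps, ps - rs))
    return drift


def report(drift):
    """One human-readable line per drifting entry."""
    lines = []
    for zone, field, r_only, p_only in drift:
        for e in sorted(r_only):
            lines.append(f"{zone}: {field} '{e}' is runtime-only (lost on --reload)")
        for e in sorted(p_only):
            lines.append(f"{zone}: {field} '{e}' is permanent-only (not enforced until --reload)")
    return lines


if __name__ == "__main__":
    for line in report(diff_zones(RUNTIME, PERMANENT)):
        print(line)
```

Running this against the constructed samples flags the runtime-only `http` service and rich rule in `public` and the permanent-only `8443/tcp` port, while `internal`, which is identical on both sides, produces nothing. A zone that exists on only one side (for example one created with `--permanent --new-zone` and not yet reloaded) shows up with every field on that side. The same comparison is what `firewall-cmd --runtime-to-permanent` would resolve in one direction; running the diff first tells you what that command would commit.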