[CentOS] CentOS 7 - Firewall always allows outgoing packets?

Mon Aug 11 17:10:58 UTC 2014
Dennis Jacobfeuerborn <dennisml at conversis.de>

On 11.08.2014 15:43, Tom Bishop wrote:
>> You and 4 other guys are moving things from Linux to FreeBSD.
>>
>> The rest of the world is moving things from UNIX and Windows to Linux.
>>
>> CentOS-7 rebuilds RHEL sources and most all of the "important" Enterprise
>> Linux things are moving to RHEL.
>>
>> RHEL runs the stock exchanges, the banks, etc.
>>
>> FreeBSD is fine and people can use it if they like ... but if you want
>> real Enterprise grade software, it needs to be RHEL based, that is just
>> the way it is.
>>
>> Keep in mind that EL 7.0 is a 'dot zero release' and some of the
>> features need work.  It works for the majority of use cases, but some
>> features will need to be enhanced, and Red Hat will enhance it.  When
>> they do, we will build the source code and it will be in CentOS.
>>
>>
> 
> I hear you Johnny, I'm a big RH fan, but there are several things that
> they have shifted to in RHEL 7 that just chafe a little.
> 
> I am a dual hat guy, network and IS, and when iptables with firewalld, at
> a minimum I would like the ability to be able to accomplish the same
> things I accomplished with iptables. I read about firewalld, the pros
> and cons, and I understand the shift and reason.
> 
> But I do have heartburn when they call something a "firewall" and you
> cannot drop all the packets. It's not like they didn't know about it
> since I read about it in fedora and it's not clear if it will be
> addressed.  There are lots of use cases where I want to control all of
> the packets coming and going from a box, I see this becoming more so
> moving forward.
> 
> Hopefully this will be addressed in a future release, trying to figure
> out where I can go to now and keep up to date with the latest
> firewalld info, just to stay clued in.

While I am also disappointed with firewalld, I think the whole situation
is not as terrible as people claim it is; after all, you can easily go
back to iptables as it was in CentOS 6:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Using_iptables

It's strange that people threaten to go FreeBSD simply because the
defaults are not to their liking. Not exactly a rational way to look at
things.

Regards,
  Dennis
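The switch back to iptables that Dennis points to, as an added shell example that is not from the thread or the linked guide: it installs iptables-services on CentOS 7 in place of firewalld and loads a ruleset whose OUTPUT policy is DROP, which is the egress control Tom was asking for. The permitted outbound ports (DNS, NTP, and TCP ports passed as arguments) and the inbound SSH rule are assumptions for a typical server.

```shell
#!/bin/sh
# Added example (not from the thread): replace firewalld with iptables-services
# on CentOS 7 and load a ruleset that allowlists outbound traffic (OUTPUT DROP).
# The permitted ports below are assumptions; adjust them before applying.

# Emit a ruleset in iptables-save format (what /etc/sysconfig/iptables holds).
# Arguments are the TCP destination ports permitted outbound, e.g. 80 443.
gen_egress_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback and already-established flows in both directions, plus inbound SSH.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # DNS and NTP are needed for almost everything else to work.
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p udp --dport 123 -j ACCEPT'
    for port in "$@"; do
        echo "-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the DROP policy catches so an over-tight allowlist is visible.
    echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
    echo 'COMMIT'
}

# Replace firewalld with iptables-services and install the ruleset. These are
# the steps from the RHEL 7 Security Guide section linked in the reply, plus a
# mask so firewalld cannot be started again by another unit.
apply_egress_ruleset() {
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl mask firewalld
    yum -y install iptables-services
    gen_egress_ruleset 80 443 > /etc/sysconfig/iptables
    systemctl enable iptables
    systemctl restart iptables
}

# Run with --apply as root to make the change; otherwise only print the rules.
if [ "${1:-}" = "--apply" ]; then
    apply_egress_ruleset
else
    gen_egress_ruleset 80 443
fi
```

Review the printed ruleset first; once applied, anything the allowlist misses shows up in the kernel log with the "egress-drop:" prefix rather than silently leaving the host.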