[CentOS] CentOS 7 - Firewall always allows outgoing packets?

Tue Aug 12 03:54:09 UTC 2014
Rob Kampen <rkampen at reaching-clients.com>

On 08/12/2014 07:25 AM, Always Learning wrote:
> On Mon, 2014-08-11 at 14:36 -0400, Jonathan Billings wrote:
>
>
>> 'FirewallD' doesn't replace 'iptables' except in the sense of
>> activated system services
> I just love using sv ipt ... (my abbreviations for service iptables).
> Not keen on another 'service' duplicating my manual and automated
> efforts.
>
>> FirewallD just builds and modifies iptables rules.
> Why do I need more complexity together with more learning time and more
> effort and conversion of existing rules ?  IP Tables works fine.
> Absolutely no complaints.
>
>> If anything, FirewallD might make it easier to migrate to nftables
>> (a potential replacement for iptables) when that becomes mature[1].
> Think I would prefer to use the nftables without a Lindoze wrapper.
>
>
I think all the various folk that have learned to manage iptables have 
forgotten the pain and arcane syntax and gotchas that trap you when you 
first start.
So now you have your favourite script that "just works" and you do not 
want to change.

Fine, that is an option available to you - take the option and move on.
For others, those new to Linux, and many that use things like webmin, the 
new firewalld may be an adequate solution. Sure, it feels a little 
windoze like, but please give it a rest.

For better or otherwise, the CentOS upstream provider has made a change 
and thus that is the new world for any that want CentOS-7. It is a done 
deal. Perfect? Unlikely. I for one have seldom needed or put in place an 
outgoing firewall, in fact cannot recall ever needing to.
I have set up dozens of servers on multiple continents and always have 
an incoming firewall in place, along with selinux enforcing (since 
CentOS-6).

Will shortly start installing CentOS-7; thus far, only done live boot of 
GNOME and KDE disks to have a look, and look forward to seeing how it plays.

Would appreciate more constructive posts on the list - please