Dennis Jacobfeuerborn wrote:
> On 08.07.2014 14:35, David Both wrote:
>> I still prefer IPTables, so in Fedora I simply disabled firewalld and
>> enabled IPTables. No need to uninstall. I have read that IPTables will
>> continue to be available alongside firewalld for the unspecified future.
<snip>
>> One of the stated reasons for firewalld is that dynamic rule changes do
>> not clear the old rules before loading the new ones, to paraphrase,
>> "where IPTables does." If true, that would leave a very small amount of
>> time in which the host would be vulnerable. I have no desire to peruse
>> the source code to determine the veracity of that statement, so if there
>> is someone here who could verify that changing the rules in IPTables,
>> whether using the iptables command or the iptables-restore command, I
>> would be very appreciative. No need to go to any trouble to locate that
>> answer as I am merely curious.
<snip>
> The problem firewalld tries to solve is that nowadays you often want to
> insert temporary rules that should only be active while a certain
> application is running. This collides a bit with the way iptables works.
> For example libvirt inserts specific rules when you define networks for
> virtualization dynamically. If you now do an iptables-save these rules
> get saved and on next boot when these rules are restored they exist again
> but now libvirt will add them dynamically a second time.
>
> Firewalld is simply a framework built around iptables that allows for
> applications to "register" rules with additional information such as
<snip>

And so nothing like, say, fail2ban....

mark
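As an added illustration of the iptables-save problem Dennis describes (this is example code written for this page, not something posted in the thread or shipped by Fedora, libvirt or firewalld): the script below takes iptables-save output, drops rule lines that already appear in the same table, and, separately, strips rules that match a pattern for the application-managed rules so they are never persisted in the first place. The sample ruleset is constructed for the example; the pattern 'virbr0|192[.]168[.]122[.]' assumes libvirt's default network bridge and subnet, and /etc/sysconfig/iptables is assumed to be where the iptables service on Fedora reads its saved rules.

```shell
#!/bin/sh
# Added example (not from the thread): clean up iptables-save output before
# persisting it, so rules an application (e.g. libvirt) added at runtime are
# not restored at boot and then added a second time by the application.

# Constructed sample: a saved ruleset in which libvirt-style rules for the
# virbr0 bridge / 192.168.122.0/24 network have already been duplicated.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
COMMIT'

# dedupe_saved_rules: read iptables-save text on stdin and print it with
# repeated "-A"/"-I" rule lines removed. The "seen" set is reset at every
# "*table" header, because identical rule text is legitimate once per table.
# Chain definitions (":NAME ...") and COMMIT lines are passed through.
dedupe_saved_rules() {
    awk '
        /^\*/      { split("", seen); print; next }  # new table: forget rules
        /^-[AI] /  { if (seen[$0]++) next }          # rule already in table
                   { print }
    '
}

# strip_rules_matching PATTERN: read iptables-save text on stdin and drop
# every rule line that matches the extended regex PATTERN, keeping all table,
# chain and COMMIT lines. Use it for rules an application re-adds itself.
strip_rules_matching() {
    awk -v pat="$1" '
        /^-[AI] / && $0 ~ pat { next }   # application-managed rule: do not persist
                              { print }
    '
}

# Demonstration on the constructed sample. Real use would be something like:
#   iptables-save | strip_rules_matching 'virbr0|192[.]168[.]122[.]' > /etc/sysconfig/iptables
printf '%s\n' "$SAMPLE_RULES" | strip_rules_matching 'virbr0|192[.]168[.]122[.]'
```

Deduplicating alone is not enough: after the deduplicated file is restored at boot, libvirt still adds its copy, so the duplicate reappears at runtime. Stripping the application-managed rules before saving is the version that actually fixes the problem Dennis describes. For scripts that add rules themselves, the usual idempotent idiom is to check first, e.g. `iptables -C INPUT ... 2>/dev/null || iptables -A INPUT ...`, so a re-run does not stack a second copy.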