On 08.07.2014 14:35, David Both wrote:
> I still prefer IPTables, so in Fedora I simply disabled firewalld and enabled
> IPTables. No need to uninstall. I have read that IPTables will continue to be
> available alongside firewalld for the unspecified future.

Be careful with this though. A while ago I tried this on a system that also had libvirtd running and ran into the problem that libvirt detected the existence of firewalld and as a result tried to use it even though it was disabled. It took a while to figure this out; once I actually uninstalled firewalld and restarted libvirtd, it started to use iptables.

This might have been fixed by now, but you should keep that in mind when you run into firewall trouble. Some software might mistakenly assume that just because firewalld is present it must also be in active use.

> Note that IPTables rule syntax and structure have evolved so your ruleset may
> need to be updated. I did find that the current version of IPTables will
> actually convert old rulesets on the fly, at least as far as the syntax of the
> individual rules is concerned. From there you can simply use iptables-save to
> save the converted ruleset.
>
> One of the items on my todo list is to learn firewalld. The switch from ipchains
> took a bit of learning and I expect this switch will as well.

There was a discussion a while ago on fedora-devel that the current handling of firewalld and zones is not ideal and there might be changes in store for the future. This will probably not hit CentOS 7, but you might want to keep an ear out in case some deeper structural changes happen. Always good to be ahead of the curve.

> One of the stated reasons for firewalld is that dynamic rule changes do not
> clear the old rules before loading the new ones, to paraphrase, "where IPTables
> does." If true, that would leave a very small amount of time in which the host
> would be vulnerable. I have no desire to peruse the source code to determine the
> veracity of that statement, so if there is someone here who could verify that
> changing the rules in IPTables, whether using the iptables command or the
> iptables-restore command, I would be very appreciative. No need to go to any
> trouble to locate that answer as I am merely curious.

iptables-restore is atomic. It builds completely new tables and then just tells the kernel to switch the old version with the new version. Depending on the timing, the packets are either handled by the complete old rule set or the complete new rule set. There is never any moment where no rules are applied or only half of the new rules are inserted.

The problem firewalld tries to solve is that nowadays you often want to insert temporary rules that should only be active while a certain application is running. This collides a bit with the way iptables works. For example, libvirt inserts specific rules when you define networks for virtualization dynamically. If you now do an iptables-save, these rules get saved, and on next boot when these rules are restored they exist again, but now libvirt will add them dynamically a second time.

Firewalld is simply a framework built around iptables that allows for applications to "register" rules with additional information such as "this rule is a static one" or "this rule should only be used dynamically while application X is running". Then there is of course the handling of zones, which is a concept iptables by itself does not know about.

Regards,
Dennis
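The duplication Dennis describes (dynamic libvirt rules captured by iptables-save, then restored at boot and added again by libvirt) is easy to spot in a saved ruleset before it is fed back to iptables-restore. The following script is an added example written for this thread; it is not code from Dennis, David, or any of the projects mentioned. It reads iptables-save output, reports rules that occur more than once within the same table, and produces a de-duplicated dump. The sample dump is constructed for the example and only loosely resembles what libvirt adds for its default network on virbr0.

```shell
#!/bin/sh
# Constructed sample of iptables-save output: the two repeated -A lines
# model libvirt rules that were saved once and then re-added at runtime.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT'

# find_duplicate_rules: reads an iptables-save dump on stdin and prints
# "<table>TAB<rule>" once for every -A line that repeats inside its table.
# Lines such as "*filter", ":CHAIN POLICY" and "COMMIT" are only used to
# track which table the rule belongs to.
find_duplicate_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A / {
            key = table "\t" $0
            count[key]++
            if (count[key] == 2) print key
        }
    '
}

# count_duplicate_rules: number of distinct duplicated rules in a dump
# read from stdin (awk is used instead of wc so no padding is printed).
count_duplicate_rules() {
    find_duplicate_rules | awk 'END { print NR }'
}

# dedupe_rules: copies the dump from stdin to stdout, keeping the first
# occurrence of each -A line per table and dropping later repeats. Chain
# declarations and COMMIT lines pass through untouched, so the result is
# still a valid input for iptables-restore.
dedupe_rules() {
    awk '
        /^\*/ { table = substr($0, 2); print; next }
        /^-A / { if (seen[table "\t" $0]++) next }
        { print }
    '
}

# Stand-alone run: report what is duplicated in the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_rules
```

On a real host the input would come from `iptables-save` rather than the constructed variable, and the cleaned output can be loaded with `iptables-restore`, which, as Dennis notes, swaps the whole table in one step. Not every repeated rule is a mistake, so treat the report as something to review before removing lines from a persisted ruleset.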