--On Friday, December 14, 2018 11:48 PM -0500 Jon LaBadie <jcu at labadie.us> wrote: > I don't play with iptables, so I assume it is a legacy > continued from CentOS 6.x. I'll gladly remove the > iptables service package. firewalld is a user-space layer on top of the kernel's iptables machinery. It provides for dynamic changes to the underlying iptables firewall. The old firewall configuration (iptables.service, previously implemented as an initscript in older CentOS versions) assumed a static firewall that was loaded once at boot time. Changes required flushing the entire set of rules and starting again, but that would disrupt running network applications. Firewalld is a higher level description that is able to and and remove rules on a running machine without disrupting applications. It still uses the iptables machinery under the hood. It's good for dynamic systems like mobile devices where interfaces come and go and the device changes networks frequently.