[CentOS] Stupid C7 firewall question

Thu Oct 25 15:48:15 UTC 2018
Jonathan Billings <billings at negate.org>

On Thu, Oct 25, 2018 at 09:53:13AM -0500, Blake Hudson wrote:
> My first impression was that firewalld and NetworkManager had a more desktop
> oriented/plug-n-play type feel compared to traditional tools like network
> and iptables  so I chose to stick with the latter on my servers (manual
> IP4/IP6 configuration and a handful of services, some open to the public
> internet while others open only to certain sources).

I use NetworkManager and firewalld on my servers.  NM (particularly,
the more modern one on EL7) is great for servers, because they'll
bring the network interface up and down based on the status of the
line, not just at boot.  In one of our datacenters, our faster booting
servers often start up faster than the network infrastructure after an
emergency power cut.  Without NM in place, they'd have tried to start
networking on boot, detect that the network device was down, and give
up.  I'd have to reboot them at the console (or remotely through a
serial console) to get them back online.  With NM, they start up,
network is down but they still come up, and the network is activated a
few minutes later when the switch becomes active.

You can also set up NetworkManager dispatcher actions for when the
network goes up or down.  This way, after the network comes up, for
example, you could have it reset the clock through chrony.  

I like firewalld for a different reason.  You can parcel out
configuration files related to configuration management roles, and
that's easier done with firewalld than the monolithic
/etc/sysconfig/iptables file.  I still have to use a template for some
files, but it's not a huge mess like the template I use for the
iptables file.

> For a laptop or desktop
> (which probably uses DHCP and has few, if any, publicly accessible services)
> I'd probably stick with the former. I have no idea how well tools like
> fail2ban or logwatch integrate with firewalld, but if they work as well or
> better than iptables that would be great. Warren is correct that the
> firewall-cmd interface is probably more intuitive for most folks (especially
> those not familiar with managing iptables).

fail2ban works fine with firewalld.  You just install the
fail2ban-firewalld subpackage and it sets up the right firewalld
configuration.  (banaction = firewallcmd-ipset)  It's nice, it uses
ipsets instead of the iptables-multiport action, which I think is

Jonathan Billings <billings at negate.org>
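As an added illustration of the "dispatcher action after the network comes up, reset the clock through chrony" idea mentioned above (not a script from the thread or from the NetworkManager project), here is a small POSIX sh dispatcher script. The file name /etc/NetworkManager/dispatcher.d/50-chrony and the interface-name filter are assumptions; what is real is that NetworkManager runs every script in that directory as root with $1 = interface and $2 = action (up, down, vpn-up, ...), and that NM refuses to run a script that is not owned by root or that is writable by group or others, so keep the file 0755 root:root.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: NetworkManager dispatcher
# script that nudges chronyd whenever the uplink changes state.
# Assumed install path: /etc/NetworkManager/dispatcher.d/50-chrony
# NM invokes it as root with $1 = interface name, $2 = action.

# Map an NM action to the chronyc subcommands we want to run.
# Pure function (no side effects) so it can be checked without chronyd.
chrony_action_for() {
    # $1 = interface, $2 = NM action
    case "$2" in
        up|vpn-up)
            # Sources are reachable again: mark them online and step the
            # clock at once instead of slewing for hours after a power cut.
            echo "online makestep"
            ;;
        down|vpn-down)
            # Stop chronyd from counting unreachable sources against us.
            echo "offline"
            ;;
        *)
            # pre-up, hostname, dhcp4-change, ...: nothing to do
            echo ""
            ;;
    esac
}

# Only react to interfaces that can actually carry the uplink.
# The list of ignored prefixes is an assumption; adjust for your hosts.
is_uplink_iface() {
    case "$1" in
        lo|docker*|veth*|virbr*) return 1 ;;
        *) return 0 ;;
    esac
}

run_dispatcher() {
    iface="$1"; action="$2"
    is_uplink_iface "$iface" || return 0
    cmds="$(chrony_action_for "$iface" "$action")"
    [ -n "$cmds" ] || return 0
    for c in $cmds; do
        # chronyc talks to the local chronyd over its command socket;
        # a failure is logged, never fatal, so NM is not blocked.
        chronyc "$c" >/dev/null 2>&1 \
            || logger -t nm-chrony "chronyc $c failed for $iface/$action"
    done
    return 0
}

# Only act when NM actually passed an interface and an action.
if [ "$#" -ge 2 ]; then
    run_dispatcher "$1" "$2"
fi
```

Because the dispatcher runs as root, treat the directory like /etc/cron.d: anything that can write there owns the box, which is exactly why NM enforces the ownership and mode checks before executing a script.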