On 1/30/19 10:05 PM, Simon Matter via CentOS wrote: > Did you look at Shorewall? IMHO that's what is best used in such > situations and it works since many years now. shorewall doesn't support nftables, which is largely the point of firewalld: The Linux firewall system is currently undergoing yet another deprecation and migration from iptables to nftables. firewalld should remain stable during the migration process. As far as I know, there are no plans to support nftables under shorewall, so new users will most likely throw away any investment they make in learning and implementing shorewall.