[CentOS] C7, firewalld and rich rules

Thu Jan 31 17:35:01 UTC 2019
Simon Matter <simon.matter at invoca.ch>

> On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
>> Did you look at Shorewall? IMHO that's what is best used in such
>> situations and it works since many years now.
> shorewall doesn't support nftables, which is largely the point of
> firewalld:  The Linux firewall system is currently undergoing yet
> another deprecation and migration from iptables to nftables. firewalld
> should remain stable during the migration process.  As far as I know,
> there are no plans to support nftables under shorewall, so new users
> will most likely throw away any investment they make in learning and
> implementing shorewall.

IIRC nftables has a compatibility mode with iptables?

Anyway, I thought the future on Linux is bpfilter, no?

Until then, I'll continue to enjoy Shorewall as I have for more than a decade now.