Thank you both for your very informative replies. I just wish there was a clear outline of these issues somewhere to make it easier to understand what differentiates firewalld from iptables...
In my case, since I control the firewalls on my computers and servers directly, without interference from other applications, there is not currently a compelling reason I can see to make the switch from iptables to firewalld. I'd make the switch for the sake of "future-proofing", but for firewalld's inability to control outbound connections.
> Subject: Re: what are the advantages of firewalld over iptables?
> Date: Fri, 21 Aug 2015 14:57:26 -0700
> On 08/21/2015 11:50 AM, Patrick Hinkley wrote:
> > I believe I've found an explanation regarding the VM issue you mention:
> >
> >
> > If I understand correctly, the issue is that temporary rules inserted
> > into iptables by other applications are lost when any of the following
> > are called:
> It's more than that. New rules inserted with iptables -I will override
> the rules added by libvirt, often causing traffic to miss libvirt's rules.
> > service iptables stop; service iptables start;
> > service iptables restart;
> > iptables-restore < /etc/sysconfig/iptables;
> >
> > This issue would not apply when inserting your own temporary rules by
> > such as:
> > iptables -A
> >
> > The issue would also not apply when making your temporary rules
> > permanent via:
> > service iptables save
> "service iptables save" has its own problems. For starters, it will save
> *everything* that is currently in the in-memory rules, not just "what
> was previously saved + the rules you want saved". This could mean that
> some of the previous rules would be removed from the configuration (if
> something had for some reason temporarily removed them) or it could mean
> some extra rules that were intended to only be there temporarily would
> be permanently added (for example, if a libvirt virtual network is taken
> down, libvirt removes the iptables rules that it had previously added,
> but if you have saved those rules as you suggest above, then the next
> time your iptables service is restarted, all of those rules would be
> re-added, even though they are no longer applicable.)
> What it all comes down to is that without firewalld, there is no central
> controlling authority, so everybody steps all over everybody else. If
> all applications that need to modify the iptables rules go through
> firewalld, it is in a good position to assure that the various
> applications don't interfere with each others' rules.
> (BTW, libvirt looks for the firewalld service, and always uses it if it
> is active).
> _______________________________________________
> firewalld-users mailing list
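The pre-save check the quoted reply argues for, as an added example that is not part of this thread: it diffs a live iptables-save dump against the persisted file and lists the rules that "service iptables save" would newly make permanent. Both rule sets are constructed samples, and the virbr0 interface name assumes libvirt's default bridge.

```shell
#!/bin/sh
# Added example: list rules present in the live ruleset but absent from the
# persisted file, so transient rules (e.g. ones libvirt adds while a virtual
# network is up) are not silently saved by "service iptables save".

# Constructed sample: what /etc/sysconfig/iptables held at the last save.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: live "iptables-save" output while a libvirt network
# (assumed default bridge virbr0) is up, plus one rule an admin inserted
# with "iptables -I" so it sits ahead of everything else.
LIVE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT'

# Print "-A" rule lines found in the live dump ($2) but not in the saved
# file ($1). Chain policies and counters are ignored; only rules compared.
unsaved_rules() {
    saved_tmp=$(mktemp); live_tmp=$(mktemp)
    printf '%s\n' "$1" | grep '^-A ' | sort > "$saved_tmp"
    printf '%s\n' "$2" | grep '^-A ' | sort > "$live_tmp"
    comm -13 "$saved_tmp" "$live_tmp"   # lines only in the live file
    rm -f "$saved_tmp" "$live_tmp"
}

# Number of rules that a save would newly persist.
unsaved_count() {
    unsaved_rules "$1" "$2" | grep -c .
}

# Subset of those rules that reference the libvirt bridge (assumed virbr0).
unsaved_libvirt_rules() {
    unsaved_rules "$1" "$2" | grep 'virbr0'
}
```

Run it against real input with `unsaved_rules "$(cat /etc/sysconfig/iptables)" "$(iptables-save)"`; a non-empty result is the set of rules worth reviewing before saving.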