On Tue, Oct 02, 2018 at 10:08:52PM -0400, Igor Kapushkin wrote:
> Hello, I am new to firewalld and I have some questions because I am curious about it. First, the documentation says that firewalld can have multiple backends. I find it strange that the image on that documentation page lists such different things as iptables, ebtables and NetworkManager. I imagine that the way firewalld interacts with iptables/ebtables/etc. is completely different from the way it interacts with NetworkManager. I'm confused why NetworkManager is called a "backend" in that case.
"backend" often just means "something not directly exposed to the user". Firewalld communicates with NetworkManager to manage interface-to-zone assignments (e.g. --add-interface).
When referring to a FirewallBackend there are two options: iptables and nftables. In Firewalld, nftables support is very new. These are the low-level firewall implementations offered by the OS (Linux). Firewalld provides an abstraction over these.
> Second, I have a computer running CentOS 7. I can see that iptables is installed, but the service (systemctl status iptables) is not part of the OS. I also know that on CentOS 7 firewalld interfaces with iptables. My question is, why is firewalld interfacing with iptables if the iptables service is not even installed? What's the point in doing that? I'm not an expert in the area, so I would really thank you if you could give me a hint or an explanation. I'm confused how iptables can still be relevant if the service is not there for systemd. How is iptables changing anything in that scenario?
They are two different packages that manage the underlying iptables firewall in different ways. They should never be used simultaneously.
iptables-services is a package to maintain persistent iptables rules. At startup it will apply rules in /etc/sysconfig/iptables. If you use it, you must manually write iptables rules.
Firewalld abstracts firewall concepts and makes it much easier for users. It will then translate these concepts into iptables rules and apply them for the user.
On Thu, Oct 04, 2018 at 12:04:59AM -0400, Igor Kapushkin wrote:
> Thank you very much for your answer!
> Now I am curious to use NFTables with firewalld. I couldn't find documentation explaining how to upgrade. These are my specs: CentOS 7.5, firewalld 0.4.4.4, NFTables installed (according to "modinfo nf_tables").
You can't use the nftables backend on stock CentOS. The nftables backend requires a 4.18+ kernel.
See the 0.6.0 release notes: https://firewalld.org/2018/07/firewalld-0-6-0-release
> Do I need to install the new version (0.6.2) of firewalld from the tarball on the website, or is there an easier way?
>
> 03.10.2018, 08:41, "Eric Garver" egarver@redhat.com:
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org
On Wednesday, October 03, 2018 9:40 AM -0400 Eric Garver egarver@redhat.com wrote:
> They are two different packages that manage the underlying iptables firewall in different ways. They should never be used simultaneously.
Note that this means you shouldn't use the systemd iptables service. You can still use the command line iptables commands to inspect the tables that firewalld creates.
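The three practical points made in this thread (firewalld and iptables-services must never both be enabled, the nftables backend needs a 4.18+ kernel, and the plain iptables tooling can still show what firewalld created) as one added POSIX shell check script. This is an example written for this page, not code from the thread or from the firewalld project. It assumes the FirewallBackend key lives in /etc/firewalld/firewalld.conf and that an unset key means the iptables backend; the iptables-save dump embedded in it is constructed to resemble the per-zone chains firewalld's iptables backend creates, and the IN_<zone>_allow naming it looks for is taken from that sample.

```shell
#!/bin/sh
# Added example, not from the thread or the firewalld project.
# Three sanity checks for a host that is (or is about to be) managed by
# firewalld. Each check is a function whose input is passed in explicitly,
# so it can be exercised with constructed data; the tail of the script
# feeds in live data only where the relevant command or file exists.

# Check 1: the nftables backend needs a 4.18+ kernel. Takes a release
# string as printed by `uname -r`; returns 0 (true) when it is new enough.
kernel_supports_nftables_backend() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; then return 0; fi
    return 1
}

# Check 2a: which backend is configured. Reads firewalld.conf from stdin
# and prints the FirewallBackend value. Assumption: an unset key means
# the iptables backend.
configured_backend() {
    backend=$(sed -n 's/^FirewallBackend=//p' | tail -n 1)
    printf '%s\n' "${backend:-iptables}"
}

# Check 2b: firewalld and iptables-services must never both be enabled.
# Arguments are the two unit states as printed by `systemctl is-enabled`;
# returns 1 only for the forbidden combination.
services_do_not_conflict() {
    if [ "$1" = enabled ] && [ "$2" = enabled ]; then
        return 1
    fi
    return 0
}

# Check 3: plain iptables tooling can still show what firewalld built.
# Reads an `iptables-save` dump from stdin and counts the per-zone
# IN_<zone>_allow chains, which are only there when firewalld owns the table.
count_firewalld_zone_chains() {
    grep -c '^:IN_[A-Za-z0-9_]*_allow ' || true
}

# Constructed sample dump, shaped like the filter table firewalld's
# iptables backend creates for a single "public" zone with ssh allowed.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -j IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# Demonstrate on the constructed data, then on the live host where possible.
printf 'sample dump: %s firewalld zone chain(s)\n' \
    "$(printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | count_firewalld_zone_chains)"

if kernel_supports_nftables_backend "$(uname -r)"; then
    echo "kernel $(uname -r): nftables backend is possible"
else
    echo "kernel $(uname -r): too old for the nftables backend, keep iptables"
fi
if [ -r /etc/firewalld/firewalld.conf ]; then
    echo "configured backend: $(configured_backend < /etc/firewalld/firewalld.conf)"
fi
if command -v systemctl >/dev/null 2>&1; then
    fw_state=$(systemctl is-enabled firewalld 2>/dev/null || true)
    ipt_state=$(systemctl is-enabled iptables 2>/dev/null || true)
    services_do_not_conflict "$fw_state" "$ipt_state" ||
        echo "WARNING: firewalld and iptables-services are both enabled"
fi
```

On a real host, pipe `iptables-save` (run as root) into count_firewalld_zone_chains to confirm that the rules you see with the iptables command line are the ones firewalld generated rather than a leftover /etc/sysconfig/iptables ruleset; a non-zero chain count together with an enabled iptables unit is exactly the dual-management situation the thread warns against.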