firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)
Bruno Wolff III
bruno at wolff.to
Wed Feb 26 14:06:03 UTC 2014
On Wed, Feb 26, 2014 at 08:24:18 -0500,
Stephen Gallagher <sgallagh at redhat.com> wrote:
>
>The main advantage that we get from firewalld is that it is providing
>a public D-BUS interface that we can use to connect central management
>tools (such as puppet) to apply a complete set of rules in one go (as
>opposed to the necessarily procedural approach we are currently faced
>with, which is reading the current state, parsing it, determining
>which changes need to be made and then performing the diff... all
>manually and racy)
You can also update iptables rules in a non-racy way if you are willing to
drop packets (which can happen in networks anyway, so most things
should be able to cope).
nftables provides atomic updates:
http://wiki.nftables.org/wiki-nftables/index.php/Atomic_rule_replacement
So that might be another option.
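As an added example, not part of the thread, this shell script applies the atomic nftables replacement Bruno links above: the whole ruleset, starting with `flush ruleset`, is loaded with a single `nft -f` so there is no window where packets see a flushed or half-built chain. The default-drop policy, the port list, and the presence of the `nft` binary with CAP_NET_ADMIN are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). `nft -f` commits every
# statement in the file as one transaction: either the old ruleset is replaced
# by the new one in full, or nothing changes. The procedural iptables sequence
# (iptables -F, then iptables -A ... one rule at a time) leaves a gap where
# traffic is evaluated against an empty or partial chain.
# Assumption: nft is installed and the script runs with CAP_NET_ADMIN.

# Emit a complete ruleset allowing the given TCP ports (assumed policy: default
# drop on input, accept established/related traffic and loopback).
build_ruleset() {
    allow=""
    if [ $# -gt 0 ]; then
        allow="        tcp dport { $(printf '%s' "$*" | tr ' ' ',') } accept"
    fi
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
${allow}
    }
}
EOF
}

# Validate with -c (check only) before committing; the kernel ruleset is left
# untouched if the file does not parse, and replaced atomically if it does.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset "$@" > "$tmp"
    if nft -c -f "$tmp"; then
        nft -f "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Run `apply_ruleset 22 443` as root to replace the live ruleset in one step; `build_ruleset 22 443` alone just prints the file that would be loaded.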