I used iptables on CentOS 6.5 and tried to translate iptables rules into firewalld rules on CentOS 7. However, with firewalld, I have discovered I am unable to

  • drop packets in invalid states
  • create a set of rules to protect against port scans
  • create a rule against SYN attacks (meaning looking for packets with SYN flags)
  • use hashlimit to limit the number of connections per second per IP

Am I right to think that firewalld has far fewer features than iptables?

  • It does look weird and crippled, indeed. I'm using iptables-services instead of firewalld. My opinion: it's still immature at the moment. – drookie Feb 14 '16 at 17:36
  • @drookie that's exactly what I thought when I looked at the latest man documentation for firewalld. It looks like a very simple firewall which does not take into account connection states, rate limits per IP or hash, and packet flags. – Nicolas Guérinet Feb 14 '16 at 18:07
  • Firewalld uses iptables. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html – Federico Sierra Feb 14 '16 at 18:26
  • firewalld is an API into iptables, but it does have a little way to go. It is fine for most desktops and I think that was actually the intention: to make a more dynamic API for applications to update iptables as folks move around from wifi to wifi zones. For a one-to-one configuration migration from C6 to C7, I would also stick with `iptables-services`, in my own personal experience and preference. – Aaron Feb 14 '16 at 19:07

1 Answer

FirewallD, mostly used by Red Hat variants, is a front end to iptables. FirewallD and Ubuntu's UFW are user-friendly tools that interact with iptables in the background, which in turn interacts with netfilter. FirewallD cannot provide all the bells and whistles that iptables does. Adding to your statement, firewalld cannot filter outgoing traffic, but iptables can (by default).

Bruce Malaudzi