firewalld vs iptables - when to use which

As firewalld is based on XML configuration, some might think that it's easier to configure the firewall in a programmatic manner. This can be achieved with iptables just as well, but in a different way, which is not XML. If you are already familiar with the way iptables works, why would you migrate all your configuration to firewalld?

If you consider your largest iptables firewall rule set, how often do you think you would benefit from the dynamic aspect of firewalld? In most cases the performance of iptables is never the issue. Most cases where the performance of iptables is an issue can be fixed by using ipset-based source/destination IP sets.

It is a different debate whether or not you should use NetworkManager.

Author: Amaia Carlin (updated on September 18, 2022)

Comments

  • Amaia Carlin over 1 year

    TL;DR: On new CentOS server installs, should I be using firewalld, or just disable that and go back to using /etc/sysconfig/iptables?


    firewalld and iptables serve similar purposes. Both do packet filtering - but if I understand it correctly firewalld does not flush the entire rule set each time a change is made.

    I know a lot about iptables but very little about firewalld.

    On Fedora and RHEL/CentOS, the traditional iptables configuration was done in /etc/sysconfig/iptables. With firewalld, its configuration lives in /etc/firewalld/ and is a set of XML files. Fedora seems to be moving toward firewalld as a replacement for this legacy configuration. I do understand that firewalld uses iptables under the hood, but it also has its own command line interface and configuration file format as above, which is what I'm referring to in terms of using one vs the other.

    Is there a particular configuration/scenario that each of these is best suited for? In the case of NetworkManager vs network, it appears that although NetworkManager may have been intended as a replacement for the network scripts, due to its lack of network bridge support and a few other things, many people are just not using it on server setups at all. So there seems to be a general concept of "use NetworkManager if you are on a Linux desktop/GUI, and network if you are running a server". That's just what I pick up from reading various posts, but it at least gives a guide as to what is a workable use for those things, at least as they stand in their current state.

    But I've been doing this same thing with firewalld and just turning it off and using iptables instead. (I am almost always installing Linux on a server, not for desktop use.) Is firewalld an effective replacement for iptables, and should I just be using that on all new systems?

    • user9517 about 9 years
      Firewalld uses iptables underneath.
    • Amaia Carlin about 9 years
      Sure, and that makes sense. But obviously there is a big difference between how you store your config and which tool you use: iptables vs firewall-cmd, /etc/sysconfig/iptables vs /etc/firewalld/.../*.xml. I'll revise the question a bit to make that clearer.
    • gparent about 9 years
      There's no need to "flush the entire ruleset every time a change is made" with iptables. It's just a front end tool; if it's flushing the tables, that's because you told it to.
    • Amaia Carlin over 8 years
      To clarify, I'm referring to "service iptables restart" causing the rules to be removed and re-added. (Although that still does not affect connection state, which is good.) You can of course just run the iptables command from the command line in order to modify individual rules - but I generally try to keep everything in /etc/sysconfig/iptables and use the "service" command in order to stick to the convention suggested by the tools provided by the distro.
  • gparent about 9 years
    The performance of iptables is irrelevant in this case because the slowness will happen regardless of whether the rules are inserted via firewalld or directly with the iptables tool.