I've been on CentOS 7 for a long time and was used to building my custom iptables configurations on a variety of both personal and business boxes. I've recently started working with CentOS 8 and learned of the move from iptables to nftables, and so I was able to rewrite my rulesets and got everything up and running. The problem was that my custom nft rulesets were not persisting after a reboot; I had to manually systemctl restart nftables to get my rules back into force. I learned that the culprit was firewalld, which from my understanding (because I never used it in CentOS 7) is a front end management tool for both iptables and nftables. Once I ran systemctl disable firewalld and tried a reboot, my nftables rulesets were in place as expected.

My question is: what are the repercussions of not using firewalld? nftables is still running and active, so I'm assuming that my actual firewall is still in place, correct? Is there any reason why I should leave firewalld running and instead adjust a setting to ensure it's using my nftables ruleset instead? Any clarity on its use would be greatly appreciated!

I think the answer is fairly straightforward. First, you have done exactly the right thing. Firewalld is a pure frontend. It's not an independent firewall by itself. It only operates by taking instructions, then turning them into nftables rules (formerly iptables), and the nftables rules ARE the firewall. So you have a choice between running "firewalld using nftables" and running "nftables only". Nftables in turn works directly as part of the kernel, using a number of modules there, which are partly new, and partly repeat the "netfilter" system of kernel hooks and modules which became part of the kernel around 2000.

It gets quite confusing to run firewalld and nftables (formerly, iptables) in parallel, though I believe some people do so. If you were accustomed to running your own iptables rules anyway, it is the perfect solution to have converted them to nftables rules, and let them be the rules of your firewall.

The best thing indeed is to completely disable and preferably mask firewalld. To be slightly pedantic, you can run: sudo systemctl stop firewalld

It was subsequently asked in comments why you would mask a service at all. This is done, afaik, for practical reasons of user experience, and to protect against mistakes and hard-to-find bugs.

And the use of separate nft tables in /etc/nftables.d is a nice and easy way of tracking what you have done, and where things are. I find that much more transparent than using a front end (there are others than firewalld of course): it gives you a complete understanding of what you are doing, and you can easily get a complete review of the effect of your rules by running sudo nft list ruleset > /etc/nf.
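A persistence layout matching the answer's suggestion (separate table files under /etc/nftables.d, loaded by the nftables service once firewalld is masked), written here as an added example and not taken from the post. It assumes /etc/sysconfig/nftables.conf is the file CentOS 8's nftables.service loads; the file name 10-filter.nft and the allowed port are illustrative.

```conf
# ---- /etc/sysconfig/nftables.conf (assumed path read by nftables.service) ----
# Start from an empty ruleset so a reload never stacks duplicate chains,
# and so nothing firewalld left behind survives a restart of the service.
flush ruleset
# Every *.nft file in the directory is loaded in alphabetical order;
# one table per file keeps "what did I change, and where" easy to audit.
include "/etc/nftables.d/*.nft"

# ---- /etc/nftables.d/10-filter.nft (illustrative file name) ----
table inet filter {
    chain input {
        # Default-deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host initiated.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services are opened here, in the ruleset, not through a frontend.
        tcp dport 22 accept

        # Rate-limited log of what the drop policy is about to discard,
        # so "nft list ruleset" plus the kernel log show the firewall's effect.
        limit rate 5/minute counter log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the files without loading them with `nft -c -f /etc/sysconfig/nftables.conf`, then `systemctl enable --now nftables` and compare `nft list ruleset` against the files to confirm the loaded rules are exactly the ones on disk.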