Linode Forum
https://forum.linode.com/

firewalld vs "classic" iptables
https://forum.linode.com/viewtopic.php?f=19&t=11162
Page 1 of 1

Author:  sblantipodi [ Sat Jul 12, 2014 6:04 am ]
Post subject:  firewalld vs "classic" iptables

Hi,
As far as I know, firewalld adds the possibility to use dynamic rules instead of the static ones offered by classic iptables.

The question is:
Do dynamic rules make sense on a server?
The server is always connected to the same network, so what is the benefit of having dynamic rules on a server?
What is the point of zones on a server?

Author:  Ox- [ Sun Jul 13, 2014 5:54 pm ]
Post subject:  Re: firewalld vs "classic" iptables

iptables is dynamic. It would be useless otherwise. fail2ban, denyhosts, port knocking etc. all work by dynamically inserting rules into iptables.

I don't know anything about firewalld, so can't answer your question about zones.

Author:  sblantipodi [ Sun Jul 13, 2014 6:12 pm ]
Post subject:  Re: firewalld vs "classic" iptables

Ox- wrote:
iptables is dynamic. It would be useless otherwise. fail2ban, denyhosts, port knocking etc. all work by dynamically inserting rules into iptables.

I don't know anything about firewalld, so can't answer your question about zones.


Iptables does not provide dynamic rules. Firewalld does.
The software you mentioned adds rules to iptables dynamically, but this does not mean that iptables rules are dynamic.

Hope to see someone who can answer my question anyway :)

Author:  akerl [ Sun Jul 13, 2014 6:22 pm ]
Post subject:  Re: firewalld vs "classic" iptables

... You realize that firewalld is just a layer over iptables, right? It is providing "dynamic" changes the same way that fail2ban, fwknop, and any other iptables-wrapper does.

- Les

Author:  sblantipodi [ Sun Jul 13, 2014 6:24 pm ]
Post subject:  Re: firewalld vs "classic" iptables

akerl wrote:
... You realize that firewalld is just a layer over iptables, right? It is providing "dynamic" changes the same way that fail2ban, fwknop, and any other iptables-wrapper does.

- Les


I know it perfectly well, but what is the point of zones on a server?

Author:  akerl [ Sun Jul 13, 2014 6:31 pm ]
Post subject:  Re: firewalld vs "classic" iptables

sblantipodi wrote:
but what is the point of zones on a server?


Purple? Your question isn't very clear.

Author:  sblantipodi [ Sun Jul 13, 2014 6:34 pm ]
Post subject:  Re: firewalld vs "classic" iptables

akerl wrote:
sblantipodi wrote:
but what is the point of zones on a server?


Purple? Your question isn't very clear.


Give me a real-life reason why a person should learn about zones.
What real-life improvement do they bring on a server over the old iptables "way"?

I think that zones are cool on a desktop but make no sense on servers.
Am I wrong?
If so, please try to explain to me why.

Thanks.

Author:  akerl [ Sun Jul 13, 2014 6:40 pm ]
Post subject:  Re: firewalld vs "classic" iptables

Computers talk to things. Servers are computers. Sometimes you want to control which services on which servers can talk to which other servers.

Since you don't want to write out a huge spec of firewall rules, you classify things into groups so you can apply rules on groups all at once. You don't like the word "group" because you were once attacked by a group of chickens after poking one with your sword, so you name your classifications "zones".

If you want to know the things you can do with iptables directly: http://man.cx/iptables
If you want to know the things you can do with firewalld: https://fedoraproject.org/wiki/FirewallD

Feel free to compare/contrast them.

- Les
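The "classify things into groups, then apply rules to the group" idea from the post above, as an added example that is not part of the thread and is not firewalld's own code or chain layout. It models zones the way firewalld does at the surface (a zone has a default target, a set of allowed services, and interfaces or source networks bound to it) and compiles them down to the flat iptables rules they stand for, so the two "ways" can be compared side by side. The chain naming (IN_<zone>), the service-to-port table, the sample zones and the addresses are this example's own assumptions, and the small evaluator only understands the handful of match types the compiler emits; it is there to check the compiled rules, not to filter packets.

```python
"""Zone model compiled to flat iptables rules (added example, not firewalld code)."""
from dataclasses import dataclass, field
import ipaddress

# Assumed service table; firewalld keeps these as XML service definitions.
SERVICE_PORTS = {
    "ssh":   [("tcp", 22)],
    "http":  [("tcp", 80)],
    "https": [("tcp", 443)],
    "dns":   [("udp", 53), ("tcp", 53)],
}


@dataclass
class Zone:
    name: str
    target: str                                  # verdict for traffic no service allows: DROP or REJECT
    services: set = field(default_factory=set)   # service names from SERVICE_PORTS
    interfaces: set = field(default_factory=set)
    sources: set = field(default_factory=set)    # CIDR strings bound to this zone


def compile_zones(zones, default_zone):
    """Return iptables-restore style filter rules equivalent to the zone set."""
    rules = [
        "-P INPUT DROP",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for z in zones:                              # one chain per zone holds the group's rules
        chain = f"IN_{z.name}"
        rules.append(f"-N {chain}")
        for svc in sorted(z.services):
            for proto, port in SERVICE_PORTS[svc]:
                rules.append(f"-A {chain} -p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
        rules.append(f"-A {chain} -j {z.target}")
    # Classification: source bindings are checked before interface bindings,
    # and anything left over lands in the default zone.
    for z in zones:
        for src in sorted(z.sources):
            rules.append(f"-A INPUT -s {src} -j IN_{z.name}")
    for z in zones:
        for ifc in sorted(z.interfaces):
            rules.append(f"-A INPUT -i {ifc} -j IN_{z.name}")
    rules.append(f"-A INPUT -j IN_{default_zone}")
    return rules


def verdict(rules, iface, src, proto, dport):
    """Walk the compiled rules for one NEW inbound packet and return its verdict."""
    chains, policy = {"INPUT": []}, "ACCEPT"
    for r in rules:
        tok = r.split()
        if tok[0] == "-P":
            policy = tok[2]
        elif tok[0] == "-N":
            chains[tok[1]] = []
        elif tok[0] == "-A":
            chains[tok[1]].append(dict(zip(tok[2::2], tok[3::2])))

    def matches(opts):
        if "-i" in opts and opts["-i"] != iface:
            return False
        if "-s" in opts and ipaddress.ip_address(src) not in ipaddress.ip_network(opts["-s"]):
            return False
        if "-p" in opts and opts["-p"] != proto:
            return False
        if "--dport" in opts and int(opts["--dport"]) != dport:
            return False
        if opts.get("--ctstate") == "ESTABLISHED,RELATED":   # only NEW packets are simulated
            return False
        return True

    def walk(chain):
        for opts in chains[chain]:
            if matches(opts):
                target = opts["-j"]
                if target in chains:                  # jump into a zone chain
                    v = walk(target)
                    if v is not None:
                        return v
                else:
                    return target
        return None                                   # fell off the end of the chain

    v = walk("INPUT")
    return v if v is not None else policy


def example_zones():
    """Constructed sample: a public web host with a management network (assumed addresses)."""
    public = Zone("public", "DROP", services={"http", "https"}, interfaces={"eth0"})
    mgmt = Zone("mgmt", "REJECT", services={"ssh"}, sources={"10.0.0.0/8"})
    return [public, mgmt], "public"


if __name__ == "__main__":
    zones, default = example_zones()
    print("\n".join(compile_zones(zones, default)))
    zones[0].services.add("ssh")                      # one change to the group, then recompile
    print("---- after allowing ssh in the public zone ----")
    print("\n".join(compile_zones(zones, default)))
```

The point of the last two lines in the `__main__` block is the one the post makes: allowing SSH from the public zone is a single change to the group, and the compiler regenerates every per-port rule that implies, instead of someone editing the INPUT chain by hand. With plain iptables you get the same end result; the zones only save you from writing and maintaining that "huge spec" yourself.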

All times are UTC-04:00