I don't really understand the intent behind firewalld. The RHEL7 Security Guide states "A graphical configuration tool, *firewall-config*, is used to configure firewalld, which in turn uses *iptables tool* to communicate with *Netfilter* in the kernel which implements packet filtering".

So is the goal for firewalld to implement a GUI for iptables? What is the "value added" by firewalld?

Thanks....Nick Geo
On Sun, 13 Dec 2015 01:46, Nicholas Geovanis <nickgeovanis at ...> wrote:
> I don't really understand the intent behind firewalld. The RHEL7 Security
> Guide states "A graphical configuration tool, *firewall-config*, is used to
> configure firewalld, which in turn uses *iptables tool* to communicate with
> *Netfilter* in the kernel which implements packet filtering".
>
> So is the goal for firewalld to implement a GUI for iptables? What is the
> "value added" by firewalld?
> Thanks....Nick Geo

Well, the order from Kernel inside outward is:

1. Netfilter (inside Kernel), not directly accessible by userland

2. iptables/iptables6, the userland cli tools to manipulate the Netfilter
   entries, mighty and complex, error-prone for casual use.

3. firewalld (RedHat/CentOS), or SuSEfirewall (Suse), or similar are the
   tools that simplify the task of creating the needed iptables rules, as
   not everyone wants to write them by hand.

4. GUI tools, that allow to manipulate the config of firewalld (or similar),
   for those that are unfamiliar with the command line, or want a quick
   and graphical way to do the job needed.

Does that answer your question about *value added* by GUI tools?
Not every user that needs to change firewall settings is a certified UNIX admin.

- Yamaban.
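As an added illustration of step 3 in the layering above (this is not code from the thread or from the firewalld project): a small shell function that turns a firewalld-style service definition into the approximate iptables rules firewalld's iptables backend emits when that service is allowed in a zone. The service XML below is a constructed sample in the format of /usr/lib/firewalld/services/*.xml; the IN_<zone>_allow chain name and the conntrack match mirror firewalld's backend in simplified form, and nothing here is applied to a live firewall.

```shell
#!/bin/sh
# Added example, not firewalld's own code. Shows what a single firewalld
# "allow service X in zone Y" operation boils down to at the iptables layer.

# Constructed sample service definition, in the shape of
# /usr/lib/firewalld/services/http.xml (extra ports added for illustration).
HTTP_SERVICE_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>Constructed sample service definition.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="443"/>
</service>'

# service_to_iptables ZONE  (service XML on stdin)
# Prints one iptables command per <port .../> element, in the simplified
# form firewalld's iptables backend uses for a zone's allow chain.
# Output is only printed, never executed.
service_to_iptables() {
    zone="$1"
    grep -o '<port [^>]*/>' | while read -r tag; do
        proto=$(printf '%s\n' "$tag" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$tag" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        printf 'iptables -A IN_%s_allow -p %s --dport %s -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT\n' \
            "$zone" "$proto" "$port"
    done
}

# Stand-alone run: show the rules behind allowing the sample service in "public".
printf '%s\n' "$HTTP_SERVICE_XML" | service_to_iptables public
```

With firewalld the same change is the single command `firewall-cmd --zone=public --add-service=http`, which is the "value added" the reply describes: the operator names a service and a zone, and the tool derives and maintains the per-port rules.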
Yamaban wrote:
>> So is the goal for firewalld to implement a GUI for iptables? What is the
>> "value added" by firewalld?
>> Thanks....Nick Geo
>
> Well, the order from Kernel inside outward is:
>
> 1. Netfilter (inside Kernel), not directly accessible by userland
>
> 2. iptables/iptables6, the userland cli tools to manipulate the Netfilter
>    entries, mighty and complex, error-prone for casual use.
>
> 3. firewalld (RedHat/CentOS), or SuSEfirewall (Suse), or similar are the
>    tools that simplify the task of creating the needed iptables rules, as
>    not everyone wants to write them by hand.
>
> 4. GUI tools, that allow to manipulate the config of firewalld (or
>    similar),
>    for those that are unfamiliar with the command line, or want a quick
>    and graphical way to do the job needed.

It might be mentioned that the previous firewall is still available.
It can be obtained by "yum install system-config-firewall".

Actually I use shorewall - I'm not sure how this compares with firewalld.
It is certainly much better documented.

--
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin