On 10/23/18 14:45, Phil Perry wrote:
> On 23/10/18 19:05, mark wrote:
>> Been looking, and haven't found the answer: in c7, is there a firewall-cmd
>> command, or a systemctl cmd, to check whether ip6tables firewall is
>> running
>
> Yes, the same as for any other service:
>
> systemctl status ip6tables.service
>

Um, no. I've discovered that on our boxen we have ip6tables running - I can do ip6tables-save and see them, but ip6tables.service, which comes, I find, as part of iptables-services, is *not* installed.

Working around it.

mark
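[Added example, not part of the thread: a small POSIX sh script that answers the original question without depending on a unit file. Instead of asking systemd about ip6tables.service, it reads ip6tables-save output and reports whether any rules or non-ACCEPT chain policies are loaded in the kernel, then separately reports whether the unit exists and whether firewalld is active. The ruleset fed to it below is a constructed sample; the live check assumes the standard ip6tables-save format and needs root to see real rules.]

```shell
#!/bin/sh
# Added example: report whether IPv6 netfilter rules are loaded, regardless of
# whether ip6tables.service (from iptables-services) is installed.

# count_ip6_rules reads ip6tables-save output on stdin and prints two numbers:
# the number of explicit rules (-A lines) and the number of built-in chains
# whose default policy is not ACCEPT. User-defined chains show "-" as policy
# and are skipped. Either number being non-zero means filtering is in effect.
count_ip6_rules() {
    awk '
        /^-A /                              { rules++ }
        /^:/ && $2 != "ACCEPT" && $2 != "-" { policies++ }
        END { printf "%d %d\n", rules + 0, policies + 0 }
    '
}

# ip6_filtering_active returns 0 (true) if the ruleset on stdin has at least
# one rule or one non-ACCEPT policy, 1 otherwise.
ip6_filtering_active() {
    set -- $(count_ip6_rules)
    [ "$1" -gt 0 ] || [ "$2" -gt 0 ]
}

# check_live_system inspects the running host (requires root for real rules).
check_live_system() {
    if command -v ip6tables-save >/dev/null 2>&1; then
        if ip6tables-save 2>/dev/null | ip6_filtering_active; then
            echo "ip6tables: rules are loaded in the kernel"
        else
            echo "ip6tables: no rules loaded (or not running as root)"
        fi
    else
        echo "ip6tables-save not found"
    fi
    if systemctl list-unit-files ip6tables.service 2>/dev/null | grep -q '^ip6tables.service'; then
        echo "ip6tables.service unit is installed"
    else
        echo "ip6tables.service unit is not installed (iptables-services package absent?)"
    fi
    if systemctl is-active --quiet firewalld 2>/dev/null; then
        echo "firewalld is active; it most likely owns the loaded rules"
    fi
}

# Constructed sample in ip6tables-save format, for offline demonstration.
SAMPLE_RULESET='# Generated by ip6tables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULESET" | count_ip6_rules   # prints "4 2"
```

Run `check_live_system` as root on the box in question; on a host like mark's it prints that rules are loaded while the unit is absent, which is exactly the state `systemctl status ip6tables.service` cannot describe.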
On a similar note, is there any reason to use Firewalld over IPTables?

I'm incredibly new to Linux administration, and would like your guys' opinions on it.

Many thanks,
Joel.

On Wed, 24 Oct 2018 at 12:23, mark <m.roth at 5-cent.us> wrote:
> On 10/23/18 14:45, Phil Perry wrote:
>> On 23/10/18 19:05, mark wrote:
>>> Been looking, and haven't found the answer: in c7, is there a firewall-cmd
>>> command, or a systemctl cmd, to check whether ip6tables firewall is
>>> running
>>
>> Yes, the same as for any other service:
>>
>> systemctl status ip6tables.service
>>
> Um, no. I've discovered that on our boxen we have ip6tables running - I can do
> ip6tables-save and see them, but ip6tables.service, which comes, I find, as
> part of iptables-services, is *not* installed.
>
> Working around it.
>
> mark
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On Oct 24, 2018, at 8:06 PM, Joel Freeman <joel at joelazot.xyz> wrote:
>
> Is there any reason to use Firewalld over IPTables?

Lots: https://firewalld.org/

> I'm incredibly new to Linux administration

Given that, which would you rather type:

    $ sudo firewall-cmd --add-service=ftp

or whatever that does under the hood, which probably resembles the 7 commands given here:

    https://unix.stackexchange.com/a/93555/138

The commands given will only take effect while the system runs, so to make them permanent, you have to edit `/etc/sysconfig/iptables` with a somewhat different syntax.

Contrast FirewallD, where you just re-issue the command above with a single additional flag:

    $ sudo firewall-cmd --add-service=ftp --permanent

FTP is an uncommonly difficult case, but direct iptables manipulation remains more difficult even in the single-port case. FirewallD doesn't require that you use predefined services, either. It works just fine with raw port numbers:

    $ sudo firewall-cmd --add-port=50000/tcp

Contrast the equivalent iptables command:

    $ sudo iptables -A INPUT -p tcp --dport 50000 -j ACCEPT

…and that only works if inserting into the INPUT chain is what you actually want to do, which it might not be on a system managed by FirewallD, which probably set up some more complicated chain scheme you'd have to understand in order to get the expected behavior. Why not let FirewallD handle all of that for you?

I don't miss direct iptables manipulation.
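[Added example, not part of the thread: the runtime/--permanent split Warren describes is also the most common way a firewalld host ends up in a state nobody intended, with a port opened at runtime that silently vanishes at the next reload or reboot, or one added with --permanent that is not actually in effect yet. This POSIX sh script compares the two views of a zone and reports the differences. The set comparison runs on constructed sample lists below; `zone_drift` is assumed to run on a host with firewalld, where `firewall-cmd --list-services`, `--list-ports` and `--permanent` behave as in the thread, and usually needs root.]

```shell
#!/bin/sh
# Added example: detect drift between firewalld's runtime and permanent
# configuration for one zone.

# diff_sets takes two whitespace-separated lists and prints, one per line,
# "runtime-only <item>" for items present only in the first list and
# "permanent-only <item>" for items present only in the second.
# It prints nothing when both lists contain the same items.
diff_sets() {
    runtime=$1
    permanent=$2
    for item in $runtime; do
        case " $permanent " in
            *" $item "*) ;;
            *) echo "runtime-only $item" ;;
        esac
    done
    for item in $permanent; do
        case " $runtime " in
            *" $item "*) ;;
            *) echo "permanent-only $item" ;;
        esac
    done
}

# zone_drift queries the live firewalld (default zone unless one is given) and
# reports drift for both services and raw ports, prefixed with the zone name.
# A "runtime-only" line means the rule will be lost on reload/reboot; a
# "permanent-only" line means it is not in effect until firewall-cmd --reload.
zone_drift() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    rt_services=$(firewall-cmd --zone="$zone" --list-services)
    pm_services=$(firewall-cmd --permanent --zone="$zone" --list-services)
    rt_ports=$(firewall-cmd --zone="$zone" --list-ports)
    pm_ports=$(firewall-cmd --permanent --zone="$zone" --list-ports)
    diff_sets "$rt_services" "$pm_services" | sed "s/^/$zone service /"
    diff_sets "$rt_ports" "$pm_ports" | sed "s/^/$zone port /"
}

# Constructed sample lists, in the space-separated form firewall-cmd --list-ports
# prints: 50000/tcp was opened without --permanent, 21/tcp only with it.
SAMPLE_RUNTIME_PORTS="50000/tcp 8443/tcp"
SAMPLE_PERMANENT_PORTS="8443/tcp 21/tcp"

diff_sets "$SAMPLE_RUNTIME_PORTS" "$SAMPLE_PERMANENT_PORTS"
# prints:
# runtime-only 50000/tcp
# permanent-only 21/tcp
```

If `zone_drift` reports only runtime-only entries that you do want to keep, `firewall-cmd --runtime-to-permanent` copies the whole runtime state into the permanent configuration in one step; permanent-only entries become live after `firewall-cmd --reload`. Review the output before doing either, since the same drift is how a temporary debugging rule turns into a permanent exposure.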
Joel Freeman wrote on 10/24/2018 9:06 PM:
> On a similar note, is there any reason to use Firewalld over IPTables?
>
> I'm incredibly new to Linux administration, and would like your guys'
> opinions on it.
>
> Many thanks,
> Joel.

My first impression was that firewalld and NetworkManager had a more desktop oriented/plug-n-play type feel compared to traditional tools like network and iptables, so I chose to stick with the latter on my servers (manual IP4/IP6 configuration and a handful of services, some open to the public internet while others open only to certain sources). For a laptop or desktop (which probably uses DHCP and has few, if any, publicly accessible services) I'd probably stick with the former.

I have no idea how well tools like fail2ban or logwatch integrate with firewalld, but if they work as well or better than iptables that would be great.

Warren is correct that the firewall-cmd interface is probably more intuitive for most folks (especially those not familiar with managing iptables).