IDK man, it took me a while to finally learn iptables and now switch to firewalld? Oh come on. It's not that I'm against learning new things, no. It's just that firewalld looks a bit.. crappy. If I get a server provisioned and run

firewall-cmd --add-port=53/udp --permanent
firewall-cmd --reload

and I get my ssh connection killed that's no good news, no sir! I mean come on, how can I rely on a tool this critical when a single line in its config file can make my machine inaccessible. Even better -- this config file is managed by that tool entirely!!! My commands passed all the tool's checks and they worked, but when I wanted to make those commands permanent and reload state from the config -- the tool starts spitting bile and blood and says "fuck off, it's my server now!"

IDK man.. It's just way too fishy. The good ol' iptables works very well and I'm kicking its retard younger brother out of the server.

shoosh you dirty pig firewalld, shoosh!

  • 3
    It seems you have not heard of nftables yet. That's the new tool to learn. Firewalld will get to use it as default soon if it is not already so on RHEL8. Nftables will be much faster and better for current needs.
  • 0
    @AtuM I've heard of it a long time ago already. Haven't checked it out. But if it's also as easy to brick your server due to fw errors as it is with firewall-cmd, then I'm still sticking with iptables 😁
  • 1
    @AtuM Faster? You do know that all the actual rules and filtering are handled by the same netfilter kernel modules, right? All the tools don't filter/forward squat. Just use whatever does it (set kernel rules) properly.
  • 1
    Something is wrong if it's kicking you out. I regularly set firewall rules with firewalld (both manually and with Ansible) and don't get kicked out.
  • 0
    @hooksie1 interesting.. Two times this happened already: on my router and a new server. firewall-cmd allowed me to create on-the-fly rules - they worked well. Reran commands with parameter to persist them -- also no errors. Then reloaded firewalld and I'm out for good until reboot. After reboot I can log in again [don't recall if my new rules got loaded tho].

    On my router [cent8] journalctl said firewall found an incorrect iptables command. And the logged command was perfectly fine. Running it manually gave me no errors. On server [cent7] -- same thing.
  • 0
    @netikras yeah that's weird. Are these rich rules or just normal ports/services?
  • 0
    @hooksie1 bau, very simple ones. Like 53/udp or 8080/tcp. Nothing fancy
  • 0
    @hjk101: faster in loading of rules. No more iptables blob.