firewalld vs "classic" iptables

Hi,

as far as I know, firewalld adds the possibility to use dynamic rules instead of the static ones offered by classic iptables.

The question is:

Do dynamic rules make sense on a server?

The server is always connected to the same net, so what is the benefit of having dynamic rules on a server?

What is the sense of zones on a server?

7 Replies

iptables is dynamic. It would be useless otherwise. fail2ban, denyhosts, port knocking etc. all work by dynamically inserting rules into iptables.

I don't know anything about firewalld, so can't answer your question about zones.

@Ox-:

iptables is dynamic. It would be useless otherwise. fail2ban, denyhosts, port knocking etc. all work by dynamically inserting rules into iptables.

I don't know anything about firewalld, so can't answer your question about zones.

Iptables does not provide dynamic rules. Firewalld yes.

The software you mentioned adds rules to iptables dynamically, but this does not mean that iptables rules are dynamic.

Hope to see someone who can answer my question anyway :)

… You realize that firewalld is just a layer over iptables, right? It is providing "dynamic" changes the same way that fail2ban, fwknop, and any other iptables-wrapper does.

  • Les

@akerl:

… You realize that firewalld is just a layer over iptables, right? It is providing "dynamic" changes the same way that fail2ban, fwknop, and any other iptables-wrapper does.

  • Les

I know that perfectly well, but what is the sense of zones on a server?

@sblantipodi:

but what is the sense of zones on a server?

Purple? Your question isn't very clear.

@akerl:

@sblantipodi:

but what is the sense of zones on a server?

Purple? Your question isn't very clear.

Give me a real life reason why a person should learn about zones.

What is the real-life improvement they bring on a server over the old iptables "way"?

I think that zones are cool on a desktop but make no sense on servers.

Am I wrong?

If yes, please try to explain to me why.

Thanks.

Computers talk to things. Servers are computers. Sometimes you want to control which services on which servers can talk to which other servers.

Since you don't want to write out a huge spec of firewall rules, you classify things into groups so you can apply rules on groups all at once. You don't like the word "group" because you were once attacked by a group of chickens after poking one with your sword, so you name your classifications "zones".

If you want to know the things you can do with iptables directly: http://man.cx/iptables

If you want to know the things you can do with firewalld: https://fedoraproject.org/wiki/FirewallD

Feel free to compare/contrast them.

  • Les
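The last reply's point ("classify things into groups so you can apply rules on groups all at once") and the earlier one ("firewalld is just a layer over iptables") can both be made concrete with a dry run. The script below is an added example, not code from this thread or from the firewalld project: it takes a simplified zone model (a name, a list of source networks, a list of allowed TCP ports, everything else from those sources dropped) and prints the plain iptables commands it would expand to, next to the flat ruleset you would have to write by hand without any grouping. The `IN_<zone>` chain name mirrors firewalld's naming convention but is an assumption here; the exact rule layout firewalld generates is richer than this.

```shell
#!/bin/sh
# Constructed example: expand a firewalld-style "zone" into equivalent
# classic iptables rules, printed rather than applied (dry run only).
# Assumed, simplified zone model: a zone = name + source networks +
# allowed tcp ports; other traffic from those sources is dropped.
# Chain name IN_<zone> follows firewalld's convention (assumption).

# zone_rules NAME "SRC1 SRC2 ..." "PORT1 PORT2 ..."
zone_rules() {
    name=$1; sources=$2; ports=$3
    chain="IN_$name"
    printf 'iptables -N %s\n' "$chain"
    # Classification step: a source network appears exactly once,
    # as a jump into the zone's chain.
    for src in $sources; do
        printf 'iptables -A INPUT -s %s -j %s\n' "$src" "$chain"
    done
    # Service rules are written once per zone, not once per source.
    for port in $ports; do
        printf 'iptables -A %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$chain" "$port"
    done
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# flat_rules "SRC1 SRC2 ..." "PORT1 PORT2 ..."
# The same policy with no grouping: one ACCEPT per (source, port)
# pair plus one DROP per source, all directly in INPUT.
flat_rules() {
    sources=$1; ports=$2
    for src in $sources; do
        for port in $ports; do
            printf 'iptables -A INPUT -s %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
                "$src" "$port"
        done
        printf 'iptables -A INPUT -s %s -j DROP\n' "$src"
    done
}

# Line counts make the scaling difference visible: the zone form grows
# as sources + ports, the flat form as sources * ports.
zone_rule_count() {
    zone_rules "$@" | wc -l | tr -d ' '
}

flat_rule_count() {
    flat_rules "$@" | wc -l | tr -d ' '
}

# Constructed sample policy: three trusted networks, four services.
SAMPLE_SOURCES="10.0.0.0/8 192.168.1.0/24 172.16.0.0/12"
SAMPLE_PORTS="22 80 443 5432"

if [ "${1:-}" = "demo" ]; then
    echo "# zone form ($(zone_rule_count internal "$SAMPLE_SOURCES" "$SAMPLE_PORTS") rules)"
    zone_rules internal "$SAMPLE_SOURCES" "$SAMPLE_PORTS"
    echo "# flat form ($(flat_rule_count "$SAMPLE_SOURCES" "$SAMPLE_PORTS") rules)"
    flat_rules "$SAMPLE_SOURCES" "$SAMPLE_PORTS"
fi
```

Run it with `sh zones.sh demo` to see both rulesets side by side. Changing a service for every trusted network is one line in the zone form and one line per network in the flat form, which is the "apply rules on groups all at once" benefit; on a server it matters as soon as more than one class of client (monitoring hosts, a database tier, an admin network) is allowed different things.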
