On Dec 14, 2018, at 2:30 PM, Jon LaBadie <j...@labadie.us> wrote:
> 
> After a recent large update, firewalld's status contains
> many lines of the form:
> 
>  WARNING: COMMAND_FAILED: '/usr/sbin/iptables…

What’s the rest of the command?

> Checking iptables.service status shows it to be masked.

That’s probably from package iptables-services, which isn’t installed by 
default on purpose. It’s the legacy service from before firewalld was made the 
default.  Use one or the other, not both.

I strongly recommend that you use firewalld instead of the old iptables 
service.  While firewalld is based on the kernel’s iptables facility, it gives 
many additional capabilities that you don’t get with raw iptables commands.  
The old service was little more than a macro system for raw iptables commands.  

Contrast firewalld, which:

1. Integrates with systemd.

2. Understands “services” as opposed to just raw port numbers and such.  This 
is especially valuable with complex services like NFS.  With iptables…well, you 
forgot to allow rpc.portmap again, didn’t you? :)

3. Updates the firewall in real time, live.  You can do this by hand with raw 
iptables commands, but the syntax for inserting new rules at the right place in 
the tables is awkward.  Firewalld automates all of that for you.

4. Add --permanent to a new rule to save it securely to the rule set loaded on 
startup.  Contrast iptables, where you’re often running across blog articles 
and such that talk about saving such rules separately to /etc/rc.local and 
such, or editing /etc/sysconfig/iptables directly.

5. If you prefer the “update global config and reload” pattern of the old 
system-config-firewall scheme from CentOS 6, you can do that with firewalld, 
too:

    alias fcp="sudo firewall-cmd --permanent"
    fcp --add-service foo
    fcp --add-port somename/tcp
    …more fcp commands here…
    sudo firewall-cmd --reload
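As an added example (not part of the thread above, and not firewalld's own tooling), here is a small POSIX sh helper that wraps the "permanent, then reload" pattern from point 5. It validates each item before it reaches firewall-cmd (a service name must be letters, digits, `-` or `_`; `--add-port` takes a numeric port or range plus `/tcp`, `/udp`, `/sctp` or `/dccp`, so a name like `somename/tcp` is rejected up front), stages everything with `--permanent`, commits with one `--reload`, and offers a check that the runtime rule set matches the saved one. The `FW_CMD` variable, the `service:`/`port:` item syntax and all function names are this example's own conventions; set `FW_CMD=echo` to dry-run on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Batches firewalld changes
# using the "--permanent first, --reload once" pattern.
# FW_CMD is an assumed convention: override it (e.g. FW_CMD=echo) to dry-run.
FW_CMD="${FW_CMD:-sudo firewall-cmd}"

# Accept only the characters firewalld service names are made of.
valid_service_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Accept PORT/PROTO or LO-HI/PROTO, ports 1..65535, proto tcp/udp/sctp/dccp.
valid_port_spec() {
  spec=$1
  port=${spec%/*}
  proto=${spec##*/}
  [ "$port" != "$spec" ] || return 1           # no "/proto" part at all
  case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  case "$port" in
    ''|-*|*-|*-*-*|*[!0-9-]*) return 1 ;;       # digits, optional single dash
  esac
  lo=${port%-*}
  hi=${port#*-}
  [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# Items look like "service:nfs" or "port:2049/tcp" (example syntax).
# Every item is validated and written to the permanent config; nothing
# touches the live rules until the single --reload at the end.
apply_permanent_batch() {
  for item in "$@"; do
    kind=${item%%:*}
    value=${item#*:}
    case "$kind" in
      service)
        valid_service_name "$value" || { echo "bad service name: $value" >&2; return 1; }
        $FW_CMD --permanent --add-service="$value" || return 1 ;;   # FW_CMD splits on purpose
      port)
        valid_port_spec "$value" || { echo "bad port spec: $value" >&2; return 1; }
        $FW_CMD --permanent --add-port="$value" || return 1 ;;
      *)
        echo "unknown item: $item" >&2; return 1 ;;
    esac
  done
  $FW_CMD --reload
}

# Drift check: a rule added without --permanent lives only in runtime and
# vanishes on the next reload or reboot. Returns 0 when both views agree.
runtime_matches_permanent() {
  runtime=$($FW_CMD --list-all) || return 1
  permanent=$($FW_CMD --permanent --list-all) || return 1
  [ "$runtime" = "$permanent" ]
}

# Usage (real run needs firewalld and sudo rights):
#   apply_permanent_batch service:nfs port:2049/tcp && runtime_matches_permanent
```

Run `FW_CMD=echo sh -c '. ./fw.sh; apply_permanent_batch service:nfs port:2049/tcp'` to see the exact firewall-cmd invocations without changing anything; the same dry run with `port:somename/tcp` stops before any command is issued.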


_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos