Solutions

How do I disable firewalld and use nftables instead ?

by ,

We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

Operating System and Software

  • Rocky Linux 8
  • nftables
  • firewalld

Problem

  • How do I disable firewalld and use nftables instead?
  • Some nftables rules do not get processed when firewalld is enabled.

How to Fix

  • It is not recommended to use firewalld and then also add nftables rules directly.
  • nftables can be used in native/direct mode when firewalld is disabled in Rocky Linux 8
  • The nftables is able to collapse firewall management for IPv4, IPv6 and bridging into the single command line utility: nft

Origin of the Problem

  • The default backend firewall module used by the Linux kernel in Rocky Linux 8 is nftables.
  • The document Chapter 32. Getting started with nftables states,
    firewalld: Use the firewalld utility to configure a firewall on workstations. The utility is easy to use and covers the typical use cases for this scenario.
    nftables: Use the nftables utility to set up complex firewalls, such as for a whole network.
    iptables: The iptables utility is deprecated in Rocky Linux 8. Use instead nftables.
  • There are 2 ways to add rules on Rocky Linux 8, either via firewalld or directly via nftables. It used to work that way in CentOS 7 except it used iptables as the backend not nftables.
  • Unfortunately, firewalld’s nftables backend is unlikely to find it’s way to CentOS 7
  • In order to convert old iptables rules to nft refer to How to convert iptables rules to nftables rules?

Diagnostic Steps

To switch to from firewalld to nftables there are a few steps that must be taken

  • Firstly ensure the nftables package is installed.
[root@rhel8 ~]# cat /etc/redhat-release 
Rocky Linux release 8.1 (Ootpa)
[root@rhel8 ~]# rpm -q nftables
nftables-0.9.0-14.el8.x86_64
  • Next, disable, stop and mask the firewalld service
[root@rhel8 ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@rhel8 ~]# systemctl stop firewalld
[root@rhel8 ~]#  systemctl mask firewalld
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
  • Then start nftables and enable them to automatically start at boot
[root@rhel8 ~]# systemctl start nftables
[root@rhel8 ~]# systemctl enable nftables
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.
  • To list existing tables
[root@rhel8 ~]# nft list tables
table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.