Operating System and Software
- Rocky Linux 8
- nftables
- firewalld
Problem
- How do I disable firewalld and use nftables instead?
- Some nftables rules do not get processed when firewalld is enabled.
How to Fix
- It is not recommended to run firewalld and also add nftables rules directly, since rules added outside firewalld may not be processed. nftables can be used in native/direct mode when firewalld is disabled in Rocky Linux 8.
- nftables is able to collapse firewall management for IPv4, IPv6 and bridging into the single command line utility: nft
Origin of the Problem
- The default firewall backend in the Linux kernel on Rocky Linux 8 is nftables.
- The document "Chapter 32. Getting started with nftables" states:
  firewalld: Use the firewalld utility to configure a firewall on workstations. The utility is easy to use and covers the typical use cases for this scenario.
  nftables: Use the nftables utility to set up complex firewalls, such as for a whole network.
  iptables: The iptables utility is deprecated in Rocky Linux 8. Use nftables instead.
- There are two ways to add rules on Rocky Linux 8: either via firewalld or directly via nftables. It worked the same way in CentOS 7, except that it used iptables as the backend, not nftables.
- Unfortunately, firewalld's nftables backend is unlikely to find its way to CentOS 7.
- To convert old iptables rules to nft, refer to "How to convert iptables rules to nftables rules?"
Diagnostic Steps
To switch from firewalld to nftables there are a few steps that must be taken.
- Firstly, ensure the nftables package is installed.
[root@rhel8 ~]# cat /etc/redhat-release
Rocky Linux release 8.1 (Ootpa)
[root@rhel8 ~]# rpm -q nftables
nftables-0.9.0-14.el8.x86_64
- Next, disable, stop and mask the firewalld service. Masking prevents firewalld from being started again, including as a dependency of another unit. Note that once firewalld stops its rules are gone, so the host is unfiltered until the nftables service loads its ruleset in the following step.
[root@rhel8 ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@rhel8 ~]# systemctl stop firewalld
[root@rhel8 ~]# systemctl mask firewalld
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
- Then start nftables and enable it to start automatically at boot.
[root@rhel8 ~]# systemctl start nftables
[root@rhel8 ~]# systemctl enable nftables
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.
- To list existing tables:
[root@rhel8 ~]# nft list tables
table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
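A post-switch verification helper, added here as an example (it is not part of the original article). It assumes that firewalld's nftables backend names its tables `firewalld` (family inet, ip or ip6) and that nftables.service loads /etc/sysconfig/nftables.conf; the two table listings are constructed samples.

```shell
#!/bin/bash
# Verify that the switch from firewalld to native nftables is complete:
# firewalld must be masked, no firewalld-owned tables may remain, and the
# nftables.service ruleset must actually be loaded.

# Returns 0 if the given `nft list tables` output contains a table owned by
# firewalld. Assumption: firewalld's nftables backend names its tables
# "firewalld" in the inet, ip or ip6 family depending on the version.
firewalld_tables_present() {
    printf '%s\n' "$1" | grep -Eq '^table (inet|ip|ip6) firewalld$'
}

# Number of tables in the given `nft list tables` output.
count_tables() {
    printf '%s\n' "$1" | grep -Ec '^table '
}

# $1: `nft list tables` output, $2: output of `systemctl is-enabled firewalld`
check_switch() {
    if [ "$2" != "masked" ]; then
        echo "firewalld is '$2', not masked: run systemctl disable --now firewalld && systemctl mask firewalld"
        return 1
    fi
    if firewalld_tables_present "$1"; then
        echo "firewalld-owned nftables tables still exist: firewalld rules are still active"
        return 1
    fi
    if [ "$(count_tables "$1")" -eq 0 ]; then
        echo "no nftables tables loaded: check /etc/sysconfig/nftables.conf and systemctl status nftables"
        return 1
    fi
    echo "switch to native nftables verified"
    return 0
}

# Constructed sample: a clean host after the switch (subset of the listing above).
SAMPLE_CLEAN='table ip filter
table ip6 filter
table bridge filter'

# Constructed sample: a host on which firewalld is still managing the ruleset.
SAMPLE_DIRTY='table inet firewalld
table ip filter'

# Live usage on a Rocky Linux 8 host (as root):
#   check_switch "$(nft list tables)" "$(systemctl is-enabled firewalld)"
```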