FirewallD vs iptables

asked 2015-06-15 19:07:03 -0500

codemonkeyrawks

Hi There,

Does anyone know or can pinpoint me in the right direction on the advantage of using FirewallD or the old iptables (side by side comparison). Is one more secure than the other? In my last question I recognized that FirewallD has yet to block incoming traffic. Is there a way I can make a feature request?

Much of your question is sort of an opinion. See for a discussion of firewalld and how to use it.

bodhi.zazen ( 2015-06-15 21:18:55 -0500 )

answered 2015-06-15 20:07:33 -0500

bthomas

updated 2015-06-16 00:10:36 -0500

They're both packet filters that do exactly what it says on the tin: filter packets. Neither seems to have flaws filtering packets. Thus neither seems to be more or less secure than the other. Therefore the security depends solely on how you make the policies, as well as the security of the rest of the system.

I heard a story once about someone setting up a brand new security system on all the doors and windows on their house. A few burglars got in by chainsawing through the wall beside the door. I'm not sure how true the story is, but it demonstrates that one piece of security is worthless if it can be subverted elsewhere (and this is especially true in computers). And attackers are usually pretty clever when it comes to finding the elsewhere.

I'm not sure where you got that FirewallD can't block incoming packets. Just read directly through the manpages or the docs and see for yourself; don't take someone else's word when you don't need to.

Hi bthomas,

Thanks for your reply. On my previous request I actually meant to say firewalld does not "block outgoing traffic". Is there a service like Gnome Bugs where I can put in a feature request? I think I will stick with iptables for now since it allows both in/out and is simple using UFW. Thanks for the article/man page. Exactly what I was looking for.

Thanks, Arcade!

codemonkeyrawks ( 2015-06-15 23:29:53 -0500 )

Well, I think the reason why they don't is because SELinux already takes care of that well (not that I've played with it that much). If I remember correctly, it has networking RBAC. Think of it like permissions for processes/users to access resources, instead of system-wide filters, which is probably more flexible. If you also wanted system-wide filtering, you can just apply it through iptables (which is firewalld's backend). If you really wanted to submit a feature request, just go to the project's page (usually a safe bet).

bthomas ( 2015-06-16 00:07:33 -0500 )
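Outbound filtering through firewalld's "direct" interface, which passes raw iptables rules to the OUTPUT chain as the comment above suggests, as an added example that is not from this thread. It generates the firewall-cmd invocations for a default-deny egress policy with an allow-list of TCP ports; it assumes a firewalld build with --direct support and root privileges when applying.

```shell
#!/bin/sh
# Added example: default-deny egress policy via firewalld direct rules
# (raw iptables rules in the filter table's OUTPUT chain). Assumes
# firewalld with the --direct option; applying needs root.

# Print the firewall-cmd commands for an allow-list of outbound TCP ports.
# Arguments: destination ports, e.g. 53 443. Lower priority numbers are
# evaluated first inside the direct chain, so order is significant.
firewalld_egress_rules() {
    prio=0
    base="firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT"
    # Keep replies to already-accepted flows and loopback traffic working.
    echo "$base $prio -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    prio=$((prio + 1))
    echo "$base $prio -o lo -j ACCEPT"
    prio=$((prio + 1))
    # DNS over UDP is needed by almost every outbound connection.
    echo "$base $prio -p udp --dport 53 -j ACCEPT"
    prio=$((prio + 1))
    for port in "$@"; do
        echo "$base $prio -p tcp --dport $port -j ACCEPT"
        prio=$((prio + 1))
    done
    # Log, then drop everything else so denied egress shows in the journal.
    echo "$base $prio -j LOG --log-prefix 'EGRESS-DENY '"
    prio=$((prio + 1))
    echo "$base $prio -j DROP"
    echo "firewall-cmd --reload"
}

# Apply the generated commands; refuse to run without firewall-cmd or root.
firewalld_egress_apply() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    firewalld_egress_rules "$@" | sh -e
}

# Number of --add-rule commands a policy produces (quick sanity check).
firewalld_egress_rule_count() {
    firewalld_egress_rules "$@" | grep -c -- '--add-rule'
}
```

Review the printed commands with `firewalld_egress_rules 443` before running `firewalld_egress_apply 443`; every port not listed is dropped once the policy is loaded.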

I believe this is somewhat incorrect. Neither iptables nor FirewallD is a packet filter; instead, both of them are interfaces to the Linux kernel's packet filter (Netfilter). Therefore the actual piece of software doing the packet filtering is the same, i.e. the Netfilter code inside the Linux kernel. Both iptables and FirewallD are simply different ways to set up and monitor rules inside Netfilter.

Arif at ( 2015-12-05 18:13:50 -0500 )

