On Fri, Apr 13, 2018 at 06:44:15PM +0000, alen.alen(a)powdermail.com wrote:
For adding a custom iptables rule using firewall-cmd, I'm having
time understanding the difference between these:
firewalld has three levels of custom rules. The offer different levels
of control. In descending order (high level --> low level):
1) rich rules
- abstraction over iptables. This small language is defined by
firewalld and is guaranteed to work between firewalld release
and iptables versions.
2) direct rules
- passes rules directly to iptables. firewalld makes no attempt
to verify the arguments that are sent to iptables.
- usually used to insert rules into the pre-created
3) direct passthrough rules
- similar #2 above, but allows you to insert into _any_ chain.
Even the top-level chains of iptables.
- used as a last resort
As described in #2 above.
Allows passing a command to iptables, but it will be untracked. This
means once the command has executed firewalld has no further knowledge
about it's execution. It does not keep runtime state that may have
occurred and it does not cause any configuration changes.
This is almost certainly not what you want. I'm not even sure why it
As described in #3 above.
The manual explanation sounds the same for all three. There must be a reason
to have each one, they have to be different, can you help me know which I am
If you can use rich rules, then definitely use them over the others.
They're portable even if the firewall backend changes (i.e. when we
switch to nftables).
Hope that helps.