Thank you very much for your answer!

Now I am curious to use NFTables with firewalld. I couldnt find documentation explaining how to upgrade. These are my specs:
 
CentOS 7.5
firewalld 0.4.4.4
NFTables installed (according to "modinfo nf_tables")
 
Do I need to install the new version (0.6.2) firewalld from the tarball on the website or is there an easier way?


03.10.2018, 08:41, "Eric Garver" <egarver@redhat.com>:

On Tue, Oct 02, 2018 at 10:08:52PM -0400, Igor Kapushkin wrote:

    Hello,
     
    I am new to firewalld and I have a some questions because I am curious
    about it.
     
    First, the documentation says that firewalld can have multiple backends. I
    find it strange that the image on that documentation page lists such
    different things such as iptables, ebtables and NetworkManager. I imagine
    that the way firewalld interacts with iptables/ebtables/etc. is completely
    different that the way it interacts with NetworkManager. I'm confused why
    NetworkManager is called a "backend" in that case.


"backend" often just means "something not directly exposed to the user".
Firewalld communicates with NetworkManager to manage interface to zone
assignments (e.g. --add-interface).

When referring to a FirewallBackend there are two options; iptables and
nftables. In Firewalld, nftables support is very new. These are the low
level firewall implementation offered by the OS (Linux). Firewalld
provides an abstraction over these.

    Second, I have a computer running Centos 7. I can see that the iptables is
    installed, but the service (systemctl status iptables) is not part of the
    OS. I also know that on Centos 7 firewalld interfaces with iptables. My
    questions is, why is firewalld interfacing with iptables if the iptables
    service is not even installed? What's the point in doing that? I'm not an
    expert in the area, so I would really thank you if you could give me a
    hint or an explanation. I'm confused how iptables can still be relevant if
    the service is not there for systemd. How is iptables changing anything in
    that scenario?


They are two different packages that manage the underlying iptables
firewall in different ways. They should never be used simultaneously.

iptables-services is a package to maintain persistent iptables rules. At
startup it will apply rules in /etc/sysconfig/iptables. If you use it,
you must manually write iptables rules.

Firewalld abstracts firewall concepts and makes it much easier for
users. It will then translate these concepts into iptables rules and
apply them for the user.
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org