Thank you both for your very informative replies. I just wish there was a clear outline of these issues somewhere to make it easier to understand what differentiates firewalld from iptables....

In my case, since I control the firewalls on my computers and servers directly, without interference from other applications, there is not currently a compelling reason I can see to make the switch from iptables to firewalld. I'd make the switch for the sake of "future-proofing", but for firewalld's inability to control outbound connections.


> Subject: Re: what are the advantages of firewalld over iptables?
> To: firewalld-users@lists.fedorahosted.org
> From: laine@redhat.com
> Date: Fri, 21 Aug 2015 14:57:26 -0700
>
> On 08/21/2015 11:50 AM, Patrick Hinkley wrote:
> > I believe I've found an explanation regarding the VM issue you mention:
> > http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your-kvm-network-stops-working/
> >
> > If I understand correctly, the issue is that temporary rules inserted
> > into iptables by other applications are lost when any of the following
> > are called:
>
> It's more than that. New rules inserted with iptables -I will override
> the rules added by libvirt, often causing traffic to miss libvirt's rules.
>
> > service iptables stop; service iptables start;
> > service iptables restart;
> > iptables-restore < /etc/sysconfig/iptables;
> >
> > This issue would not apply when inserting your own temporary rules by
> > such as:
> > iptables -A
> >
> > The issue would also not apply when making your temporary rules
> > permanent via:
> > service iptables save
>
> "service iptables save" has its own problems. For starters, it will save
> *everything* that is currently in the in-memory rules, not just "what
> was previously saved + the rules you want saved". This could mean that
> some of the previous rules would be removed from the configuration (if
> something had for some reason temporarily removed them) or it could mean
> some extra rules that were intended to only be there temporarily would
> be permanently added (for example, if a libvirt virtual network is taken
> down, libvirt removes the iptables rules that it had previously added,
> but if you have saved those rules as you suggest above, then the next
> time your iptables service is restarted, all of those rules would be
> re-added, even though they are no longer applicable).
>
> What it all comes down to is that without firewalld, there is no central
> controlling authority, so everybody steps all over everybody else. If
> all applications that need to modify the iptables rules go through
> firewalld, it is in a good position to assure that the various
> applications don't interfere with each others' rules.
>
> (BTW, libvirt looks for the firewalld service, and always uses it if it
> is active).
>
> _______________________________________________
> firewalld-users mailing list
> firewalld-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
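A check for the "service iptables save" problem Laine describes, added here as an example and not code from the thread: it diffs the saved configuration against the in-memory ruleset (both in iptables-save format) so you can see, before saving, which transient rules (libvirt's, for instance) would become permanent and which saved rules would be lost. The file paths, the `rule_drift` helper and both sample rulesets are constructed.

```shell
# Added example, not code from the thread. Before "service iptables save", compare the
# saved configuration with the in-memory ruleset (both in iptables-save format) to see
# which rules the save would newly persist (e.g. libvirt's transient per-network rules)
# and which previously saved rules it would silently drop. Both rulesets below are
# constructed; on a real host use /etc/sysconfig/iptables and "iptables-save" output.

# rule_drift MODE SAVED_FILE LIVE_FILE
#   live  -> rules only in the live ruleset (the save would make them permanent)
#   saved -> rules only in the saved file   (the save would lose them)
rule_drift() {
    mode=$1 saved=$2 live=$3
    s=$(mktemp); l=$(mktemp)
    # Compare rule lines (-A ...) only; table headers and packet counters are ignored.
    grep -E '^-A ' "$saved" | sort -u > "$s"
    grep -E '^-A ' "$live"  | sort -u > "$l"
    case $mode in
        live)  comm -13 "$s" "$l" ;;
        saved) comm -23 "$s" "$l" ;;
    esac
    rm -f "$s" "$l"
}

# Constructed saved configuration: the administrator's own rules.
SAVED_RULES=$(mktemp)
cat > "$SAVED_RULES" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF

# Constructed live ruleset: libvirt has added virbr0 rules for a running virtual
# network, and the port 443 rule has been removed by hand for the moment.
LIVE_RULES=$(mktemp)
cat > "$LIVE_RULES" <<'EOF'
*filter
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
EOF

echo "Rules 'service iptables save' would make permanent:"; rule_drift live  "$SAVED_RULES" "$LIVE_RULES"
echo "Rules 'service iptables save' would drop:";           rule_drift saved "$SAVED_RULES" "$LIVE_RULES"
```

If either list is non-empty, edit the saved file by hand (or let firewalld own the rules) instead of running the save blindly.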