On Sun, Sep 06, 2020 at 03:12:06PM -0000, Richard Achmatowicz wrote:
> I'm newly introduced to firewalld and I would like to make use of it
> to configure my firewall.
> In playing around with firewall-cmd to set up some forwarding rules
> (which were also making use of logging the rule executions), I found
> that rules were not being executed as I expected.

The newest release, v0.9.0, has native support for forward filtering.
Before that you had to use --direct (iptables) rules.

> Consequently, I tried to find a way to be able to generate either an
> nftables view or an iptables view of the rules that are generated by a
> firewalld configuration so I can see why my rules are not being
> executed. Running the iptables command would give me some results, but
> they did not correspond to what I had set up in firewalld.

It depends on what firewall backend you're using. See FirewallBackend in
the man page for firewalld.conf and in /etc/firewalld/firewalld.conf.

> Add to this the fact that when I do a fresh install, the firewalld
> service is enabled and active and the iptables and nftables services
> on my host/router are not active. This leads me to believe that in
> order to use firewalld, neither iptables nor nftables should be
> active. On the other hand, I have read that firewall-cmd is just a
> front end to nftables (the subsystem) and so that might lead one to
> think that nftables service should be enabled and active.

It's accurate that firewalld is an abstraction over iptables and
nftables, but the services are mutually exclusive.

> So, here are my questions:
>
> 1. When using firewalld, should the iptables and nftables services be
> inactive? If one or more is active, what are the consequences?

Correct. The services are mutually exclusive. The firewalld.service
should be enforcing this. Recently a Conflicts for nftables was added.

> 2. How can I generate an iptables view or an nftables view of the
> rules in my firewalld configuration in order to see which rules
> firewalld is really passing to nftables?

# iptables-save

or

# nft list ruleset
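A small POSIX shell script, added here as an example and not part of this thread or of firewalld itself, that ties the two answers together: it reads FirewallBackend from a firewalld.conf (assumed format: a FirewallBackend=name line, with an unset value taken to mean nftables, firewalld's shipped default), warns if the conflicting iptables or nftables service is active, and runs the dump command that shows the rules the active backend really holds.

```shell
#!/bin/sh
# Added example (not from the thread): dump the ruleset for firewalld's active backend.
# Assumption: firewalld.conf carries "FirewallBackend=<name>"; unset means nftables.

# Print the backend configured in the given firewalld.conf: "nftables" or "iptables".
firewalld_backend() {
    conf="$1"
    backend=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    case "$backend" in
        iptables)    echo iptables ;;
        nftables|"") echo nftables ;;
        *) echo "unknown FirewallBackend '$backend' in $conf" >&2; return 1 ;;
    esac
}

# Print the command that lists the rules firewalld actually installed for a backend.
dump_command() {
    case "$1" in
        nftables) echo "nft list ruleset" ;;
        iptables) echo "iptables-save" ;;
        *) return 1 ;;
    esac
}

# Warn about the mutually exclusive services; returns 1 if any of them is active.
check_conflicts() {
    rc=0
    for svc in iptables nftables; do
        if systemctl is-active --quiet "$svc" 2>/dev/null; then
            echo "warning: $svc.service is active alongside firewalld" >&2
            rc=1
        fi
    done
    return $rc
}

# Interactive entry point: ./fw-dump.sh dump [/path/to/firewalld.conf]
if [ "${1:-}" = "dump" ]; then
    conf="${2:-/etc/firewalld/firewalld.conf}"
    backend=$(firewalld_backend "$conf") || exit 1
    check_conflicts || true
    cmd=$(dump_command "$backend")
    echo "backend: $backend -> running: $cmd" >&2
    $cmd
fi
```

Run it as root with the "dump" argument; without arguments it only defines the functions.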