Centos 7 and Firewalld

I did some searching and found Shane Spinuzzi’s post very helpful.


I try to embrace change and have configured the basic firewall via the shell but APF is very comprehensive and uses other services along with rules to help keep the bad boys and girls out. Unfortunately I don’t see any talk of APF supporting firwalld soon.

The question I have is;

If I follow Shanes link to instructions and disable Firewalld and enable the old way, will all work well as it did under Centos 6 with scripts like APF (advanced policy firewall)? Or will there be unintended consequences to this approach?

I went ahead and followed the instructions and so far, everything is back to the way it was under Centos 6.

Still have to wonder, will I regret stepping back to the old ways?

John Wolgamot

Why regret? If you are used to iptables then is better to stick with what you know if you are new to server management or just dont care then is same whatever you install. The only difference i saw is that firewalld is working based on xml files and (correct me if i’m wrong here) you can change the rules without restarting the service so existing connections will not be interrupted. Because of xml its easier (?) to put large number of rules without loosing speed, e.g. banning ip ranges or entire countries.

On other hand iptables is old and proven to work system, a lot software still is based on them and on the internet you can find any information or guide you need. Is true that if you put a lot of rules like banning entire countries could slow down your page speed (speaking here of several thousands of rules) but then you can always use ipset and get same effect like with firewalld and xml files.

Personally i find iptables easier and i like how it works. Frankly i dont want to learn new system if i dont need (for now) and i’m using them on my Centos 7 servers without any problem. But i’m sure there will be someone who will say that firewalld is better or he/she likes it more. Either way stay with iptables nothing wrong with them.

Thanks for mentioning ipset. It looks like it will work well for me. I can’t believe I never discovered ipset until you mentioned it here.

As mentioned, I’ve become used to using APF to manage iptables and it really creates a lot of rules which I don’t even understand all of their purposes. Some I understand but many I don’t

I’ve been around Linux servers long enough to know just how much I don’t know. I can amaze my friends but at the bi-monthly Linux meetings, we get white hat hackers as guests periodically. I usually have a week of nightmares after those meetings so I generally try to harden my servers the best I can after those mental thrashings.

I’ve been in the game since Redhat 7.3
Thankfully I discovered Virtualmin Pro install.sh script back in 2007.

Thanks again for your reply.