Csf? ufw? firewall thoughts, suggestions, and recommendations

I don’t think “faster” is the right comparison. It’s more about whether you want a frontend or to write everything by hand.

Firewalld isn’t a firewall engine, it’s just a management layer on top of nftables (or iptables on older systems). The actual packet filtering is still done by the kernel, so there’s no real performance hit in day-to-day use.

Raw nftables can be faster to manage if you’re dealing with huge rule sets or doing fancy scripting, but for normal server setups the difference is negligible. Firewalld just adds convenience and reduces the chance of shooting yourself in the foot.

2 Likes

I think this comment refers to the time taken by fail2ban to reinstate the bans after a fail2ban restart or system reboot when you are using firewalldcmd-? over iptables-? in the fail2ban jail configuration(s). In certain cases it can take nearly an hour to reinstate bans if using firewalld, and with the same data set a couple of minutes using iptables. Because of this I now use my own coded variant of fail2ban which uses iptables to communicate with the kernel and uses the iptables restore command to set up the firewall after a reboot or service restart.

Yes, you’re right that firewalld can be slow when Fail2Ban loads massive numbers of bans, but that’s a very specific edge case, I reckon. Firewalld applies rules via D-Bus one by one, so if one has tens of thousands of rich rules, the startup can take ages. Iptables/nftables loads everything in one atomic operation, which is why it’s faster.

However, this has nothing to do with runtime firewall performance or firewalld being ‘slow’ in general; it only affects Fail2Ban rule restoration at scale. For normal ban counts and everyday server setups, firewalld behaves normally and there’s no practical difference to my knowledge.
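The post above contrasts firewalld pushing rules one at a time over D-Bus with iptables/nftables loading a ruleset in one atomic operation, and the earlier reply mentions using the restore command to set the firewall up again after a restart. The script below is an added example, not code from this thread or from fail2ban or firewalld: it turns a file of banned addresses into an nftables script and loads it with `nft -f`, which applies the whole file as a single transaction. The table name `f2b`, the set name `banned` and the one-address-per-line ban file are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reinstate a whole ban list in ONE
# nftables transaction instead of adding bans one at a time.
# Assumptions: the table name "f2b", the set name "banned" and the ban-file
# format (one IPv4 address per line) are hypothetical choices made here.

# gen_ban_ruleset BANFILE TABLE SET
# Prints an nft script on stdout. Lines that are not plain IPv4 addresses
# (comments, blanks, garbage) are skipped so one bad line cannot break the load.
gen_ban_ruleset() {
    banfile="$1"; table="$2"; set="$3"
    # Collect the addresses into a single "a, b, c" list for the set definition.
    elems=$(awk '/^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/ {
                    printf "%s%s", (n++ ? ", " : ""), $0 }' "$banfile")
    # Declare-then-delete makes the script safe to run repeatedly: the first
    # line creates the table if it is missing, the second removes it, and the
    # block below recreates it. nft -f applies the whole file atomically, so
    # the old bans are replaced by the new ones with no window in which only
    # part of the list is in force.
    printf 'table inet %s\n' "$table"
    printf 'delete table inet %s\n' "$table"
    printf 'table inet %s {\n' "$table"
    printf '    set %s {\n' "$set"
    printf '        type ipv4_addr\n'
    [ -n "$elems" ] && printf '        elements = { %s }\n' "$elems"
    printf '    }\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy accept;\n'
    printf '        ip saddr @%s drop\n' "$set"
    printf '    }\n'
    printf '}\n'
}

# load_ban_ruleset BANFILE TABLE SET
# Syntax-checks the generated script (nft -c touches nothing) and then applies
# it in one transaction. Needs root and the nft binary; refuses otherwise.
load_ban_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    script=$(mktemp) || return 1
    gen_ban_ruleset "$1" "$2" "$3" > "$script"
    nft -c -f "$script" && nft -f "$script"
    rc=$?
    rm -f "$script"
    return "$rc"
}

# Usage from a boot-time unit or a fail2ban action (paths are placeholders):
#   load_ban_ruleset /var/lib/f2b/bans.txt f2b banned
```

Because `nft -c -f` validates the file before `nft -f` applies it, a malformed entry rejects the whole load instead of leaving a half-installed ban set, and re-running the script after a reboot restores every ban in one kernel transaction. The iptables equivalent is `iptables-restore` on a saved file; note that a file holding only a `*filter` section replaces that whole table unless `--noflush` is given, so any non-ban rules must either be in the file or the restore must be scoped to its own chain.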

I have 3 edge-case servers then. On an average day, with the jails I have set up, I get about 500 bans per day. I also used bantime.increment = true and set bantime.factor within fail2ban’s config, which in turn meant there were always in excess of 500 current bans; in fact it was nearly 700 current bans at the point fail2ban/firewalld was ‘overwhelmed’.

got to ask :man_bowing:
is there any particular range of IPs or consistency across all 3 servers, or something particular that is attracting them, like a particular domain name?

2 are on the same subnet, which is about the only thing in common between them. That said, the one server now serves as a honeypot so I can develop the code I use instead of firewalld/fail2ban, so on that actual server I welcome bad actors :wink:

1 Like

just usual/normal bot traffic I guess. why do you find it strange? 500 bans/day is a relatively small number..

I guess, it just seems high to me - the vast majority of my bans are WP villains and search engine bots. Add a new domain to a VM and the flood gates open once again.

if you did host WP sites, 3k bots/day is still a normal number for very low traffic sites..
(note: AI bots not counted, blocked globally)

but I don’t. They are nearly all NodeJS, and a few are pretty old pure PHP based.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.