Security
firewalld now uses nftables as its default backend
With this release, the nftables filtering subsystem becomes the default firewall backend for the firewalld daemon. To change the backend, use the FirewallBackend option in the /etc/firewalld/firewalld.conf file. This change introduces the following differences in behavior when using nftables:
- iptables rule executions always occur before firewalld rules.
  - DROP in iptables means a packet is never seen by firewalld.
  - ACCEPT in iptables means a packet is still subject to firewalld rules.
- Direct-rule execution occurs before firewalld generic acceptance of established connections.
For more information, see https://firewalld.org/2018/07/nftables-backend and https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables.
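An added audit sketch (not from these release notes or the firewalld project): it reads the FirewallBackend value and, when the backend is nftables, lists the ACCEPT rules in an iptables-save dump, since packets accepted there are still subject to firewalld rules. The function names, the sample files, and the handling of a missing or repeated key are assumptions.

```shell
#!/usr/bin/env bash
# Added audit sketch; function names and sample data are constructed.

# Print the effective FirewallBackend from a firewalld.conf-style file.
# Commented-out lines are ignored.
# Assumptions: the last assignment wins, and a missing key means "nftables"
# (the default described for this release).
firewall_backend() {
    local val
    val=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-nftables}"
}

# With the nftables backend, an iptables ACCEPT is not final: the packet is
# still evaluated by firewalld. Print such rules from an iptables-save dump.
accept_rules_needing_review() {
    [ "$1" = "nftables" ] || return 0
    grep -E '^-A .* -j ACCEPT( |$)' "$2" || true
}

# Write constructed sample inputs into directory $1.
make_samples() {
    cat > "$1/firewalld.conf" <<'EOF'
# constructed sample
DefaultZone=public
#FirewallBackend=iptables
FirewallBackend=nftables
EOF
    cat > "$1/rules.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# Report the backend, then the iptables ACCEPT rules that need review.
audit() {
    local backend
    backend=$(firewall_backend "$1")
    echo "backend: $backend"
    accept_rules_needing_review "$backend" "$2"
}
```

Call audit with the path to firewalld.conf and a file holding saved iptables-save output. Each listed rule should be checked against the firewalld zone configuration, which decides the packet's final fate.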