A packet filtering firewall filters incoming and outgoing network packets based on the packet header information. You can create packet filter rules that determine whether packets are accepted or rejected. For example, if you create a rule to block a port, any request made to that port is blocked by the firewall, and the request is ignored. Any service that is listening on a blocked port is effectively disabled.
The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4 and IPv6 packets.
Netfilter consists of two components:

- A netfilter kernel component consisting of a set of tables in memory for the rules that the kernel uses to control network packet filtering.

- Utilities to create, maintain, and display the rules that netfilter stores. In Oracle Linux 7, the default firewall utility is firewall-cmd, which is provided by the firewalld package. If you prefer, you can enable the iptables and ip6tables services and use the iptables and ip6tables utilities, provided by the iptables package. These were the default utilities for firewall configuration in Oracle Linux 6.
The firewalld-based firewall has the following advantages over an iptables-based firewall:

- Unlike the iptables and ip6tables commands, using firewall-cmd does not restart the firewall and disrupt established TCP connections.

- firewalld supports dynamic zones, which allow you to implement different sets of firewall rules for systems such as laptops that can connect to networks with different levels of trust. You are unlikely to use this feature with server systems.

- firewalld supports D-Bus for better integration with services that depend on firewall configuration.
To implement a general-purpose firewall, you can use the Firewall Configuration GUI (firewall-config), provided by the firewall-config package.
Figure 26.1 shows the Firewall Configuration GUI.
To create or modify a firewall configuration from the command line, use the firewall-cmd utility (or, if you prefer, the iptables or ip6tables utilities) to configure the packet filtering rules.
The packet filtering rules are recorded in the /etc/firewalld hierarchy for firewalld and in the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files for iptables and ip6tables.
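As an added example (not part of the original document), the following POSIX shell functions audit a firewalld zone file of the kind stored under /etc/firewalld/zones and report any open service or port that is not on an allowlist; the zone XML layout with service and port elements is assumed, and the sample zone content is constructed rather than taken from a real system.

```shell
#!/bin/sh
# Audit a firewalld zone file (the XML files under /etc/firewalld/zones/).
# Assumed layout: <service name="NAME"/> and <port protocol="PROTO" port="NUM"/>.

# Print one line per opening found in the zone file:
#   service:NAME  or  port:PROTO/NUM
zone_openings() {
    sed -n \
        -e 's/.*<service name="\([^"]*\)".*/service:\1/p' \
        -e 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/port:\1\/\2/p' \
        "$1"
}

# Return 0 if every opening in the zone file is in the space-separated
# allowlist; otherwise print each unexpected opening and return 1.
zone_audit() {
    zone_file=$1
    allow=$2
    rc=0
    for entry in $(zone_openings "$zone_file"); do
        case " $allow " in
            *" $entry "*) ;;
            *) echo "unexpected opening in $zone_file: $entry"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample zone (a temporary file, not a real /etc/firewalld file):
# a public zone that also opens tcp/8080, which the allowlist does not cover.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
</zone>
EOF

# Expected: ssh and dhcpv6-client are accepted, port:tcp/8080 is reported.
zone_audit "$SAMPLE_ZONE" "service:ssh service:dhcpv6-client" \
    || echo "audit found openings outside the allowlist"
```

Run the same check against a real zone file to confirm that the permanent configuration on disk matches what you expect before reloading it into the running firewall.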