firewalld Uses nftables by Default

In Oracle Linux 8, the nftables filtering subsystem is the default firewall backend for the firewalld daemon. If you want to change the firewall backend, set the FirewallBackend option in the /etc/firewalld/firewalld.conf file.

This feature change introduces the following notable differences in behavior when using nftables:

  • iptables rules are always evaluated before firewalld rules.

  • In iptables, DROP means that a packet is never seen by firewalld, while ACCEPT means that the packet is still subject to firewalld rules.

  • firewalld direct rules are still implemented through iptables, while all other firewalld features use nftables.

  • Direct rules are evaluated before the generic firewalld rule that accepts established connections.
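The following shell script is an added example and is not part of the Oracle Linux release notes. It reads a firewalld.conf-style file and reports which backend firewalld will use, applying two assumptions about the file format: the last uncommented `FirewallBackend=` line wins, and an absent or commented-out line falls back to the Oracle Linux 8 default, nftables. The sample configuration files are constructed inline; on a real system you would point `firewalld_backend` at /etc/firewalld/firewalld.conf.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux release notes).
# firewalld_backend FILE  -> prints "nftables" or "iptables" on stdout.
# Assumption: the last uncommented "FirewallBackend = value" line wins;
# if none is present, the Oracle Linux 8 default (nftables) applies.
firewalld_backend() {
    file="${1:-/etc/firewalld/firewalld.conf}"
    [ -r "$file" ] || { printf 'cannot read %s\n' "$file" >&2; return 1; }
    # Match "FirewallBackend = value" with optional surrounding whitespace;
    # lines starting with "#" never match, so commented-out settings are ignored.
    value=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$file" | tail -n 1)
    case "$value" in
        nftables|iptables) printf '%s\n' "$value" ;;
        "")                printf 'nftables\n' ;;   # option absent: default backend
        *)                 printf 'unrecognised FirewallBackend value: %s\n' "$value" >&2
                           return 1 ;;
    esac
}

# Constructed sample configuration files for demonstration.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

# Commented-out setting: default applies.
cat >"$sample_dir/default.conf" <<'EOF'
# FirewallBackend=iptables
DefaultZone=public
EOF

# Explicit iptables backend, with spaces around "=".
cat >"$sample_dir/iptables.conf" <<'EOF'
DefaultZone=public
FirewallBackend = iptables
EOF

# No FirewallBackend line at all.
cat >"$sample_dir/empty.conf" <<'EOF'
DefaultZone=public
EOF

# Typo in the value: reported as an error rather than silently defaulted.
cat >"$sample_dir/bad.conf" <<'EOF'
FirewallBackend=nftable
EOF

for f in default iptables empty bad; do
    printf '%-12s -> ' "$f.conf"
    firewalld_backend "$sample_dir/$f.conf" || printf '(error)\n'
done
```

The parser is deliberately strict about the value: a misspelled backend name is reported instead of being treated as the default, because a silent fallback would hide the fact that the configured backend was not applied. To confirm the backend actually in use on a running Oracle Linux 8 host, `nft list ruleset` shows the tables firewalld has created when it is running on nftables, while `iptables -S` shows any direct rules, which remain in iptables regardless of the backend.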