26.3 About Packet-filtering Firewalls

A packet-filtering firewall filters incoming and outgoing network packets based on the information in the packet headers. You can create packet filter rules that determine whether packets are accepted or rejected. For example, if you create a rule to block a port, any request made to that port is blocked by the firewall and the request is ignored. Any service that is listening on a blocked port is effectively disabled.

The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4 and IPv6 packets.

Netfilter consists of two components:

  • A netfilter kernel component consisting of a set of tables in memory for the rules that the kernel uses to control network packet filtering.

  • Utilities to create, maintain, and display the rules that netfilter stores. In Oracle Linux 7, the default firewall utility is firewall-cmd, which is provided by the firewalld package.

    If you prefer, you can enable the iptables and ip6tables services and use the iptables and ip6tables utilities, provided by the iptables package. These were the default utilities for firewall configuration in Oracle Linux 6.

The firewalld-based firewall has the following advantages over an iptables-based firewall:

  • Unlike the iptables and ip6tables commands, using firewall-cmd does not restart the firewall and disrupt established TCP connections.

  • firewalld supports dynamic zones, which allow you to implement different sets of firewall rules for systems such as laptops that can connect to networks with different levels of trust. You are unlikely to use this feature with server systems.

  • firewalld supports D-Bus for better integration with services that depend on firewall configuration.

To implement a general-purpose firewall, you can use the Firewall Configuration GUI (firewall-config), provided by the firewall-config package.

Figure 26.1 shows the Firewall Configuration GUI.

Figure 26.1 Firewall Configuration

To create or modify a firewall configuration from the command line, use the firewall-cmd utility (or, if you prefer, the iptables or ip6tables utilities) to configure the packet filtering rules.

The packet filtering rules are recorded in the /etc/firewalld hierarchy for firewalld and in the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files for iptables and ip6tables.
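The following is an added example, not part of the Oracle Linux documentation, that illustrates the point made above: a service listening on a port the zone does not open is effectively disabled. It reads a constructed zone definition in the shape of the files under /etc/firewalld/zones/ and reports which listening sockets the zone would reject; the service-to-port table is an assumed subset of firewalld's shipped service definitions, and the zone is assumed to use the default target, which rejects unmatched traffic.

```python
"""Audit a firewalld zone file against listening sockets (constructed example).

The XML shape follows the zone files stored under /etc/firewalld/zones/;
the service-to-port table is an assumed subset of firewalld's service
definitions. A zone with the default target rejects anything not listed.
"""
import xml.etree.ElementTree as ET

# Constructed zone definition, shaped like /etc/firewalld/zones/public.xml.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080-8090"/>
</zone>
"""

# Assumed subset of the service definitions firewalld ships.
SERVICE_PORTS = {
    "ssh": [("tcp", 22, 22)],
    "dhcpv6-client": [("udp", 546, 546)],
    "http": [("tcp", 80, 80)],
}

def allowed_ranges(zone_xml):
    """Return the (protocol, low, high) port ranges the zone accepts."""
    root = ET.fromstring(zone_xml)
    ranges = []
    for svc in root.findall("service"):
        ranges.extend(SERVICE_PORTS.get(svc.get("name"), []))
    for p in root.findall("port"):
        lo, _, hi = p.get("port").partition("-")   # "8080" or "8080-8090"
        ranges.append((p.get("protocol"), int(lo), int(hi or lo)))
    return ranges

def is_allowed(zone_xml, proto, port):
    """True if the zone opens this protocol/port; anything else is rejected."""
    return any(pr == proto and lo <= port <= hi
               for pr, lo, hi in allowed_ranges(zone_xml))

def unreachable_listeners(zone_xml, listeners):
    """Listening sockets the zone blocks: these services are effectively disabled."""
    return sorted(l for l in listeners if not is_allowed(zone_xml, *l))

# Constructed listener list, as `ss -ltn` might report it on a host.
LISTENERS = [("tcp", 22), ("tcp", 80), ("tcp", 8085), ("tcp", 3306)]

if __name__ == "__main__":
    for proto, port in unreachable_listeners(ZONE_XML, LISTENERS):
        print(f"{proto}/{port} is listening but rejected by the zone")
```

On a real host you would point the parser at the active zone's file under /etc/firewalld/zones/ and feed it the output of `ss -ltn`, which is how the "effectively disabled" services are found before anyone reports them as outages.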