1 About Packet-Filtering Firewalls

A firewall can be configured to:
  • Filter incoming and outgoing network packets based on packet header information,
  • Redirect packets, such as with network address translation (NAT),
  • Perform packet mirroring,
  • Perform deep packet inspection,
  • Accepted or rejected packets based on rules.

The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4, IPv6, inet, arp, bridge, and netdev.

Netfilter consists of the following components:

  • A netfilter kernel component consisting of a set of tables in memory for the rules that the kernel uses to control network packet filtering.

  • Utilities to create, maintain, and display the rules that netfilter stores. In Oracle Linux 8, the default firewall utility is the firewall-cmd, which is provided by the firewalld package.

  • The nftables framework is the default network packet filtering framework used by firewalld in Oracle Linux . nftables functions as the backend for firewalld and integrates with netfilter. The nftables framework includes packet classification facilities, added convenience, and improved performance.

The firewalld-based firewall has the following advantages:

  • The firewalld-cmd utility doesn't restart the firewall and disrupt established TCP connections.

  • firewalld supports dynamic zones, which enable you to implement different sets of firewall rules for systems such as laptops that can connect to networks with different levels of trust. However, this feature isn't typically used on server systems.

  • firewalld supports D-Bus for better integration with services that depend on firewall configuration.

  • firewalld covers most basic use cases

For more complex scenarios consider creating and configuring nftables directly instead of using firewalld. For example, consider configuring nftables directly for scenarios such as:
  • Where you need direct control over netfilter,
  • Where you require high performance,
  • When using complex rules,
  • When dealing with specific or advanced networking requirements.

Disable the firewalld service before configuring and using nftables directly to avoid situations where each service might influence one another.