Folks using firewalld and/or systemd - what are your thoughts?


Any gotchas?
Has it been pretty straightforward?
Any advice you can lend the "late adopters"? ;-)

EDIT: some of the recent turmoil with some of the other Linux variants has me curious how the folks that generally rely on a corporate supported stack have experienced the transition.

Responses

Well, you start to 'use' systemd if you start using RHEL 7. Straightforward, yes, but very different to SysVinit.
Firewalld ... personally I don't like it, looks like a tool for laptop users. Personally I don't see a reason why RH implemented it.
I uninstalled and reinstalled iptables.

I can't for the life of me figure out why there is a need for firewalld. Replaced it with iptables after spending several hours trying to make firewalld do things that were simple with iptables.

If you're using Linux as a workstation distro, I can maybe understand a "need" for firewalld. However, my primary use-case is servers, so I always just install the iptables service and mask off the firewalld service.

As to systemd, my feelings are mixed. I was a big fan of SMF in Solaris, so I like those equivalencies in systemd. Systemd also makes running "light" containers stupid-easy (via systemd-nspawn). However, sometimes, I feel like systemd tries to do too much and just gets in the way (e.g., generating a new OS-image via a chroot-style method is stupid easy in EL6 but is a righteous pain-in-the-dick with systemd). Red Hat's use of systemd seems to be a bit buggy, as well: if you want to run a service in a custom way (e.g., you want to run named-chroot with the service chrooted someplace other than the default location, it's pointlessly picayune to make it work the way you'd prefer).

So, right now, it's a love-hate relationship with systemd.

I use both quite happily. Both have a learning curve, but are worth the effort in my opinion. I found that managing things is a lot simpler in both, although sometimes things LOOK clunky.

As for firewalld, I love it as a frontend (which is what it is) for iptables, as it can be scripted in a much cleaner way. Plus you can create profile files for all things surrounding a service - ports, port type (tcp/udp) - and then, since it's a file, you can share that across the LAN via NFS or whatever. Yes, it was doable too with iptables in its raw form, and even ipchains, but it's a lot cleaner now. I would hate to have to convert any old scripts over, but starting over with a lot of stuff hasn't been too problematic.

Systemd is another beast, and it took me a while of getting used to it on Fedora (think it dropped in F15) to truly appreciate it. But put simply, it makes admin life a lot easier. Creating sane init scripts is now a walk in the park, as the new methodology is a 180deg shift from Upstart or SysV. I read what Tom Jones had said, and although he is spot on with Solaris -- I have to say that these days either SysD has improved or I just got used to the quirks. That said, I have NOT done OS-images as he mentioned. But I have customized the services. My method to keep things sane for myself and others is as follows:

First I copy the unit file and rename it, and the name of the service. So if it's something that's tweaked, like .... Apache, we shall say, I call it something along the lines of apache-modified-modification_name, and that denotes something is different (helps others know this, and me if I am "tired" and "not thinking well" due to not drugging myself with enough Red Bull in the morning). But this also prevents any package from mucking with it. I have had zero issues here with odd behavior or just plain quirkiness. Perhaps it's the type of service being utilized. The bulk of my custom unit files tend to be docker startup scripts, and for the game hosting company I contract with, each instance has its own init script. I would bet that it's on a case-by-case basis and I got REAL lucky.
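The "profile file for a service" mentioned above is a firewalld service definition, an XML file (custom ones live in /etc/firewalld/services/, the stock ones in /usr/lib/firewalld/services/). As an added example, not code from any of the posters, here is a small Python helper that builds such a file from a list of port/protocol pairs and parses one back, rejecting values firewalld would not accept. The function names and the sample service are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Protocols firewalld accepts in a <port protocol="..."/> element.
VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def validate_port(port):
    """Return True for a single port ("8080") or an ascending range ("6000-6010")."""
    lo, _, hi = str(port).partition("-")
    parts = (lo, hi) if hi else (lo,)
    if not all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts):
        return False
    return not hi or int(lo) <= int(hi)


def build_service_xml(short, description, ports):
    """Render a firewalld service definition.

    `ports` is a list of (port, protocol) tuples. Raises ValueError on a
    protocol or port firewalld would reject, so a typo in a shared profile
    fails here rather than silently opening the wrong thing.
    """
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for port, proto in ports:
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto}")
        if not validate_port(port):
            raise ValueError(f"bad port or range: {port}")
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    header = '<?xml version="1.0" encoding="utf-8"?>\n'
    return header + ET.tostring(root, encoding="unicode")


def parse_service_xml(text):
    """Parse a service file and return (short name, [(port, protocol), ...])."""
    root = ET.fromstring(text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    short = root.findtext("short", default="")
    ports = [(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    return short, ports


if __name__ == "__main__":
    # Constructed sample: a game-server instance with a query port and a port range.
    xml_text = build_service_xml("gamesrv-01", "constructed example",
                                 [("27015", "udp"), ("27015-27020", "tcp")])
    print(xml_text)
    print(parse_service_xml(xml_text))
```

Drop the output into /etc/firewalld/services/&lt;name&gt;.xml and run `firewall-cmd --reload` before the service name can be added to a zone.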
