How do I disable firewalld and use the nftables service?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Firewalld
  • nftables

Issue

  • How do I disable firewalld and use nftables service?
  • How do I start the nftables service in RHEL?

Resolution

In RHEL 7, firewalld is the default firewall solution, while RHEL 8 and RHEL 9 introduced nftables as the default framework for packet filtering. You can switch to using nftables directly by stopping firewalld and starting the nftables service in RHEL.

By default, in RHEL 8 and RHEL 9 the nftables service is inactive while firewalld is running.

Follow the steps below to switch from firewalld to nftables in RHEL 7, RHEL 8 and RHEL 9:

  • First, make sure that the nftables package is installed.
# yum install -y -q nftables

Note: Make sure that only one firewall service runs on a RHEL host, and disable the others so that the different firewall services do not interfere with each other.

To stop firewalld and start nftables in RHEL 7:

  • Install the nftables package on RHEL 7.
# yum install nftables -y

Dependencies Resolved

=============================================================================================================================
 Package                         Arch                  Version               Repository              Size
=============================================================================================================================
Installing:
 nftables                      x86_64                1:0.8-14.el7            InstallMedia            186 k
Installing for dependencies:
 libnftnl                      x86_64                1.0.8-3.el7             InstallMedia            78 k

Transaction Summary
=============================================================================================================================
Installed:
  nftables.x86_64 1:0.8-14.el7

Dependency Installed:
  libnftnl.x86_64 0:1.0.8-3.el7

Complete!

For more on installing packages, see the documentation on how to use the yum command.

  • Disable the currently running firewalld service.
# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
  • Stop the firewalld service.
# systemctl stop firewalld
  • Mask the firewalld service to prevent it from being started accidentally.
# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
  • Start the nftables service and enable it to start at boot.
# systemctl start nftables
# systemctl enable nftables
Created symlink from /etc/systemd/system/multi-user.target.wants/nftables.service to /usr/lib/systemd/system/nftables.service.
# systemctl status nftables
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2023-11-15 11:04:29 IST; 10s ago
     Docs: man:nft(8)
 Main PID: 8443 (code=exited, status=0/SUCCESS)

Nov 15 11:04:29 rhel.test.com systemd[1]: Starting Netfilter Tables...
Nov 15 11:04:29 rhel.test.com systemd[1]: Started Netfilter Tables.

To stop firewalld and start nftables in RHEL 8 and RHEL 9:

Note: In RHEL 8 and RHEL 9 the nftables package is installed by default, so there is no need to install it.

  • Disable the firewalld service.
# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
  • Stop the firewalld service.
# systemctl stop firewalld
  • Mask the firewalld service to prevent it from being started accidentally.
# systemctl mask firewalld
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
  • Check the current status of the nftables service.
# systemctl status nftables
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:nft(8)
  • Then start the nftables service and enable it to start automatically at boot.
# systemctl start nftables

# systemctl enable nftables
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.
  • Check the status of the nftables service.
# systemctl status  nftables
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2023-11-27 00:54:50 IST; 26s ago
     Docs: man:nft(8)
 Main PID: 2417 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 11080)
   Memory: 0B
   CGroup: /system.slice/nftables.service

Nov 27 00:54:50 rhel.test.com systemd[1]: Starting Netfilter Tables...
Nov 27 00:54:50 rhel.test.com systemd[1]: Started Netfilter Tables.

Note: nft is the command-line utility for managing the nftables framework. After making these changes, configure your nftables rules as needed; once firewalld is stopped, only the rules loaded by the nftables service filter traffic. The configuration files for nftables are typically located in /etc/nftables.conf or in individual files within the /etc/nftables.d/ directory.
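The switch procedure above, together with the note on configuring rules, as one script. This is an added example, not part of the Red Hat article: it follows the same systemctl steps but first checks that the ruleset file parses (nft -c) so the host is never left without filtering, and afterwards verifies that exactly one firewall service is active. RULES is an assumed placeholder; set it to the rules file your nftables service loads.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): the firewalld -> nftables
# switch as a script, with the checks a defender wants around it.
# RULES is an assumed placeholder for the file the nftables service loads.
set -eu
RULES="${RULES:-/etc/sysconfig/nftables.conf}"

# expect_state NAME WANTED ACTUAL: 0 when a unit is in the wanted state.
# Pure string check so the decision logic can be exercised without systemd.
expect_state() {
  if [ "$3" = "$2" ]; then
    return 0
  fi
  echo "check failed: $1 is '$3', expected '$2'" >&2
  return 1
}

# exactly_one_firewall FIREWALLD_STATE NFTABLES_STATE: the article's rule that
# only one firewall service may run; 0 when exactly one of them is active.
exactly_one_firewall() {
  n=0
  if [ "$1" = "active" ]; then n=$((n + 1)); fi
  if [ "$2" = "active" ]; then n=$((n + 1)); fi
  [ "$n" -eq 1 ]
}

switch_to_nftables() {
  rpm -q nftables >/dev/null 2>&1 || yum install -y -q nftables
  # Parse the ruleset before touching firewalld: if this fails, stopping
  # firewalld would leave the host with no packet filtering at all.
  nft -c -f "$RULES"
  systemctl disable firewalld
  systemctl stop firewalld
  systemctl mask firewalld
  systemctl start nftables
  systemctl enable nftables
  fw=$(systemctl is-active firewalld || true)
  nf=$(systemctl is-active nftables || true)
  expect_state firewalld inactive "$fw"
  expect_state nftables active "$nf"
  exactly_one_firewall "$fw" "$nf"
  nft list ruleset
}

# Run only when invoked with 'run', so the file can be sourced for its helpers.
if [ "${1:-}" = "run" ]; then
  switch_to_nftables
fi
```

Run it as root with `sh switch.sh run`; a failing check aborts before firewalld is disabled.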

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
