How do I disable firewalld and use the nftables service?
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
Issue
- How do I disable firewalld and use the nftables service?
- How do I start the nftables service in RHEL?
Resolution
In RHEL 7 and later, firewalld is the default firewall solution.
In RHEL 8 and later, nftables is the default low-level framework for packet filtering (replacing iptables).
In RHEL 9 and later, firewalld and nftables can be enabled simultaneously, allowing users to utilize both.
Utilizing both firewalld and nftables provides the ease of use of firewalld (managed via firewall-cmd) with its context-driven zone scoping, while also allowing precise control directly via nftables (managed via nft) for all packet filtering.
To fully switch to nftables only, you can disable the firewalld service and enable the nftables service. This article covers this option.
By default, in RHEL 7 and later, the nftables service is in an inactive state.
Follow the steps below to switch from firewalld to nftables:
- First, make sure that the nftables package is installed.
# yum install -y -q nftables
Note: Make sure that only one firewall service runs on a RHEL host and disable the other services to prevent the different firewall services from influencing each other.
Follow the steps below to stop firewalld and start nftables on RHEL 7:
- Install the nftables package on RHEL 7.
# yum install nftables -y
Dependencies Resolved
=============================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================
Installing:
nftables x86_64 1:0.8-14.el7 InstallMedia 186 k
Installing for dependencies:
libnftnl x86_64 1.0.8-3.el7 InstallMedia 78 k
Transaction Summary
=============================================================================================================================
Installed:
nftables.x86_64 1:0.8-14.el7
Dependency Installed:
libnftnl.x86_64 0:1.0.8-3.el7
Complete!
For details on installing packages, see the documentation on how to use the yum command to install a package.
- Disable the currently running firewalld service.
# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
- Stop the firewalld service.
# systemctl stop firewalld
- Mask the firewalld service to prevent it from being started accidentally.
# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
- Start the nftables service and enable it to start at boot.
# systemctl start nftables
# systemctl enable nftables
Created symlink from /etc/systemd/system/multi-user.target.wants/nftables.service to /usr/lib/systemd/system/nftables.service.
# systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2023-11-15 11:04:29 IST; 10s ago
Docs: man:nft(8)
Main PID: 8443 (code=exited, status=0/SUCCESS)
Nov 15 11:04:29 rhel.test.com systemd[1]: Starting Netfilter Tables...
Nov 15 11:04:29 rhel.test.com systemd[1]: Started Netfilter Tables.
Follow the steps below to stop firewalld and start nftables on RHEL 8 and RHEL 9:
Note: On RHEL 8 and RHEL 9 the nftables package is installed by default, so there is no need to install it.
- Disable the firewalld service.
# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
- Stop the firewalld service.
# systemctl stop firewalld
- Mask the firewalld service to prevent it from being started accidentally.
# systemctl mask firewalld
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
- Check the current status of the nftables service.
# systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)
- Then start the nftables service and enable it to start automatically at boot.
# systemctl start nftables
# systemctl enable nftables
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.
- Check the status of the nftables service.
# systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2023-11-27 00:54:50 IST; 26s ago
Docs: man:nft(8)
Main PID: 2417 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 11080)
Memory: 0B
CGroup: /system.slice/nftables.service
Nov 27 00:54:50 rhel.test.com systemd[1]: Starting Netfilter Tables...
Nov 27 00:54:50 rhel.test.com systemd[1]: Started Netfilter Tables.
Note: nft is the command-line utility for managing the nftables framework. After making these changes, configure your nftables rules as needed. The configuration files for nftables are typically located in /etc/nftables.conf or in individual files within the /etc/nftables.d/ directory. Refer to How to enable custom rules for nftables service? for enabling individual configuration files.
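The following script is an added example, not part of this Red Hat article, that verifies the end state the procedure above is meant to reach: firewalld inactive and masked, nftables active, and a non-empty ruleset actually loaded. The `classify_backends` and `ruleset_summary` functions and the sample `nft list ruleset` text are constructed for illustration; the verdict words are assumptions, while the `systemctl` and `nft` invocations are the standard ones.

```shell
#!/bin/sh
# Verify the end state of the firewalld -> nftables switch (added example,
# not from the article). Functions take constructed input; "--live" queries the host.
# classify_backends FIREWALLD_ACTIVE NFTABLES_ACTIVE FIREWALLD_ENABLED, the words
# printed by `systemctl is-active` / `is-enabled`; returns 0 only for the target state.
classify_backends() {
    fwd_active=$1 nft_active=$2 fwd_enabled=$3
    if [ "$fwd_active" = active ] && [ "$nft_active" = active ]; then
        echo both-active; return 1    # two backends: rules interfere (see Note)
    elif [ "$fwd_active" != active ] && [ "$nft_active" != active ]; then
        echo unfiltered; return 1     # no backend: nothing filters packets
    elif [ "$nft_active" != active ]; then
        echo firewalld-only; return 1 # the switch has not happened yet
    elif [ "$fwd_enabled" != masked ]; then
        echo not-masked; return 1     # firewalld can still be started again
    fi
    echo ok
}
# ruleset_summary reads `nft list ruleset` text on stdin and prints
# "<tables> <chains> <rules>". The unit shows "active (exited)" even when it
# loaded no rules, so "0 0 0" means the host is effectively unfiltered.
ruleset_summary() {
    awk '/^table /             { tables++; next }
         /^[[:space:]]*chain / { chains++; in_chain = 1; next }
         /^[[:space:]]*}/      { in_chain = 0; next }
         in_chain && /^[[:space:]]*type .* hook / { next }   # base-chain header
         in_chain && NF > 0    { rules++ }
         END { printf "%d %d %d\n", tables + 0, chains + 0, rules + 0 }'
}
# Constructed sample of `nft list ruleset` output for a minimal host firewall.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}'

if [ "${1:-}" = "--live" ] && command -v systemctl >/dev/null 2>&1; then
    verdict=$(classify_backends "$(systemctl is-active firewalld)" \
        "$(systemctl is-active nftables)" "$(systemctl is-enabled firewalld 2>/dev/null)") || :
    echo "backend state: $verdict"
    echo "ruleset (tables chains rules): $(nft list ruleset 2>/dev/null | ruleset_summary)"
fi
```

Run it as root with `--live` after the last step; anything other than `ok` and a non-zero rule count means the switch is incomplete or the host is unfiltered.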
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.