|
How do I disable firewalld and use nftables service ? Solution Verified - Updated 2025-06-09T18:03:26+00:00 - English EnvironmentRed Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 Firewalld nftables IssueHow do I disable firewalld and use nftables service? How to start the nftables service in RHEL ? ResolutionIn RHEL 7 and later, firewalld is the default firewall solution. In RHEL 8 and later nftables is the default low level framework for packet filtering (replacing iptables). In RHEL 9 and later firewalld and nftables can be enabled simultaneously allowing users to utilize both. Utilizing both firewalld and nftables provides the ease of use of firewalld (managed via firewall-cmd) with its context-driven zones scoping while also allowing precise control directly via nftables (managed via nft) for all packet filtering. To fully switch to only nftables, you can disable the firewalld service and enable the nftables service. This article cover this option. By default, in RHEL 7 and later, the nftables service is in an inactive state. Follow the below step to switch from firewalld to nftables: First Make sure that nftables package is installed. # yum install -y -q nftablesNote: Make sure that only one firewall service runs on a RHEL host and disable the other services to prevent the different firewall services from influencing each other. Follow the below step to stop firewalld and start nftables in RHEL 7 as below:Install the nftables package on the RHEL 7 version. # yum install nftables -y Dependencies Resolved ============================================================================================================================= Package Arch Version Repository Size ============================================================================================================================= Installing: nftables x86_64 1:0.8-14.el7 InstallMedia 186 k Installing for dependencies: libnftnl x86_64 1.0.8-3.el7 InstallMedia 78 k Transaction Summary ============================================================================================================================= Installed: nftables.x86_64 1:0.8-14.el7 Dependency Installed: libnftnl.x86_64 0:1.0.8-3.el7 Complete!You can use the documentation for How to use yum command to Install the Package yum command Disable the current running firewalld service. # systemctl disable firewalld Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.stop the firewalld service # systemctl stop firewalldMask the firewalld service to prevent the accidental startup of a service. # systemctl mask firewalld Created symlink from /etc/systemd/system/firewalld.service to /dev/null.start the nftables service. # systemctl start nftables # systemctl enable nftables Created symlink from /etc/systemd/system/multi-user.target.wants/nftables.service to /usr/lib/systemd/system/nftables.service. # systemctl status nftables ● nftables.service - Netfilter Tables Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled) Active: active (exited) since Fri 2023-11-15 11:04:29 IST; 10s ago Docs: man:nft(8) Main PID: 8443 (code=exited, status=0/SUCCESS) Nov 15 11:04:29 rhel.test.com systemd[1]: Starting Netfilter Tables... Nov 15 11:04:29 rhel.test.com systemd[1]: Started Netfilter Tables. Follow the below step to stop the firewalld and start the nftables in RHEL 8 and RHEL 9 as below:Note: In RHEL 8 and RHEL 9 the nftables package as it comes by default and no need to install the package. disable the firewalld service. # systemctl disable firewalld Removed /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.stop the firewalld service # systemctl stop firewalldmask the firewalld service to prevent the accidental startup of a service. # systemctl mask firewalld Created symlink /etc/systemd/system/firewalld.service → /dev/null.Check the current status of the nftables service. # systemctl status nftables ● nftables.service - Netfilter Tables Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled) Active: inactive (dead) Docs: man:nft(8)Then start nftables services and enable them to automatically start at boot. # systemctl start nftables # systemctl enable nftables Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.Check the status of the nftables. # systemctl status nftables ● nftables.service - Netfilter Tables Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled) Active: active (exited) since Mon 2023-11-27 00:54:50 IST; 26s ago Docs: man:nft(8) Main PID: 2417 (code=exited, status=0/SUCCESS) Tasks: 0 (limit: 11080) Memory: 0B CGroup: /system.slice/nftables.service Nov 27 00:54:50 rhel.test.com systemd[1]: Starting Netfilter Tables... Nov 27 00:54:50 rhel.test.com systemd[1]: Started Netfilter Tables.Note: nft is used as a command-line utility for managing the nftables framework. After making these changes, you might want to configure your nftables rules as needed. The configuration files for nftables are typically located in /etc/nftables.conf or in individual files within the /etc/nftables.d/ directory. This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form. (责任编辑:) |