Hi, I'm still using iptables on CentOS8-stream but not sure if it uses nftables or the "old" good netfilter in the backend. (Debian 10 documentation seems more precise on this point) By the way I don't use it on oVirt nodes just on VMs... Just saying it is possible. -- Cordialement / Best regards, Michaël Couren, ABES, Montpellier, France.

On Wed, Apr 22, 2020 at 11:24 AM Michaël Couren <couren(a)abes.fr&gt; wrote: This could be useful: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... and also this: https://www.redhat.com/en/blog/using-nftables-red-hat-enterprise-linux-8

I'm in no way a ovirt expert. But as Linux administrator, I would say that firewalld and iptables are "front-end" to kernel internal security tables, so, in the final of the day, will provide *almost* same functionality. Seems that firewalld is able to activate modules without restarting entire firewall infra-structure, which iptables is not capable of. This leverage an advantage for firewalld, specially where you would not have interruptions in existing stateful connections. I've used iptables *always* as replacement for firewalld because of almost 20 yrs using iptables - this is the first step in all about hundred Centos7 installations I've done past few years. I just can't throw away all my scripts that block hackers, provide 2 and 3 way "knock-knock" lockers, fail2ban customizations, nat rules, DMZ, and all, everytime a new "firewall" front end appears. I've seen at least two or three "iptables killers tech" in the past, and iptables still is the king - at least for me. Again, repeating myself, I'm no ovirt specialist. Just a sazonal linux admin which will not jump from iptables train yet. Perhaps, I would not reccomend to completely deactivate all firewall in any server! If it is the case, I would instead to advice to just replace firewalld with iptables-service (at least, in Centos7) - but only in case you have too much to loose without iptables (as am I). Regards, Edson ________________________________ De: eevans(a)digitaldatatechs.com <eevans(a)digitaldatatechs.com&gt; Enviado: quarta-feira, 22 de abril de 2020 12:18 Para: francesco(a)shellrent.com <francesco(a)shellrent.com>; users(a)ovirt.org <users(a)ovirt.org&gt; Assunto: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3] If you log in to the cockpit, you can add services or custom ports easily. I would not disable the firewall. <hostname:9090> for the cockpit. Eric Evans Digital Data Services LLC. 304.660.9080 -----Original Message----- From: francesco(a)shellrent.com <francesco(a)shellrent.com&gt; Sent: Tuesday, April 21, 2020 12:54 PM To: users(a)ovirt.org Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3] Hi all, I was wondering if it's "safe" disabling entirely the firewalld service and manage the firewall only via iptables, on the host and on the hosted engine (a self-hosted engine). It would make a lot easier the managing the firewall rules for me because of many automatisms I created based on iptables. Did anyone manage to do this? Any contraindication for doing this or precaution that I have to take care of? Thanks for your time and help, Francesco _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi... oVirt Code of Conduct: https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi... List Archives: https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.o... _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi... oVirt Code of Conduct: https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi... List Archives: https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.o...