Configuring Packet-Filtering Firewalls

A firewall can be configured to:
  • Filter incoming and outgoing network packets based on packet header information,
  • Redirect packets, such as with network address translation (NAT),
  • Perform packet mirroring,
  • Perform deep packet inspection,
  • Accept or reject packets based on rules.

The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4, IPv6, inet, arp, bridge, and netdev.

Netfilter consists of the following components:

  • A netfilter kernel component consisting of a set of tables in memory for the rules that the kernel uses to control network packet filtering.

  • Utilities to create, maintain, and display the rules that netfilter stores. The default firewall utility is firewall-cmd, which is provided by the firewalld package.

Default packet filtering frameworks vary by release. Use the release-specific guidance in the following tabs.

The firewalld-based firewall has the following advantages:

  • The firewall-cmd utility applies rule changes without restarting the firewall, so established TCP connections aren't disrupted.

  • firewalld supports dynamic zones, which enable you to implement different sets of firewall rules for systems such as laptops that can connect to networks with different levels of trust. However, this feature isn't typically used on server systems.

  • firewalld supports D-Bus for better integration with services that depend on firewall configuration.

  • firewalld covers most basic use cases.

For more complex scenarios, consider configuring nftables directly instead of using firewalld, for example:
  • When you need direct control over netfilter,
  • When you require high performance,
  • When using complex rules,
  • When dealing with specific or advanced networking requirements.

Disable the firewalld service before configuring and using nftables directly, so that the two services don't interfere with each other's rules.
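As an added example (not from the Oracle documentation), the following POSIX shell script writes a minimal default-deny nftables ruleset to a file for review and refuses to load it while firewalld is still active. The SSH port, output path, and function names are assumptions; it relies on the nft and systemctl commands being present on the host.

```shell
#!/bin/sh
# Added example: direct nftables configuration that first checks for a
# running firewalld, as the guidance above requires. Not Oracle's code.

# Return 0 when firewalld is running (loading nftables directly would then
# conflict with it), 1 otherwise. A host without systemctl is treated as
# not running firewalld.
firewalld_active() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl is-active --quiet firewalld
}

# Write a default-deny inet filter table to the file named in $2. It keeps
# established connections, allows loopback and ICMP, and accepts SSH on
# the TCP port given in $1 (default 22). Everything else inbound is dropped.
write_ruleset() {
    ssh_port="${1:-22}"
    out="$2"
    cat > "$out" <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport ${ssh_port} accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check and load the ruleset file in $1, but only when firewalld is
# not running; otherwise print the step that must come first and fail.
load_ruleset() {
    if firewalld_active; then
        echo "firewalld is active; stop and disable it before loading nftables rules:" >&2
        echo "  systemctl disable --now firewalld" >&2
        return 2
    fi
    nft -c -f "$1" && nft -f "$1"
}
```

Run as root with `write_ruleset 22 /etc/nftables/main.nft && load_ruleset /etc/nftables/main.nft`; the `nft -c` check rejects a malformed file before anything is applied.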

  • In Oracle Linux 8, firewalld uses the iptables framework as its default packet filtering backend.

  • The nftables framework is the default packet filtering backend for firewalld and replaces the iptables framework used in previous releases. nftables integrates with netfilter and includes packet classification facilities, added convenience, and improved performance over iptables.

  • The nftables framework is the default packet filtering backend for firewalld. It integrates with netfilter and includes packet classification facilities, added convenience, and improved performance.