
Does Elevate migrate firewalld to nftables for Almalinux


9 comments

  • cPRex Jurassic Moderator

    Hey hey!  I spoke with the team and confirmed we do *not* make any conversions of the firewall rules.  They are going to be adding that to the ELevate documentation so that it is clearer in the future.

  • PeteS

    Ok, thanks for confirming that. So after migration firewalld will continue to function as before, using iptables, correct?

    And then it would be best to convert to nftables as recommended here: https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-configure-your-firewall-for-cpanel-services/#almalinux-rocky-linux-and-cloudlinux-firewall-management using this set of commands, correct?

    To replace your server’s existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:

    1. Run the yum install firewalld command to ensure that you have installed the firewalld service daemon on your system.
    2. Run the systemctl start firewalld.service command to start the firewalld service.
    3. Run the systemctl enable firewalld command to start the firewalld service when the server starts.
    4. Run the iptables-save > backupfile command to save your existing firewall rules.
    5. Run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script.
    6. Run the iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.

    Or do I misunderstand? If this is not the conversion process to nftables, then what is the proper process on a cPanel server? (The instructions there could be a little clearer about the conversion process.)

    After conversion, is there any additional cleanup or removal pertaining to iptables?

  • cPRex Jurassic Moderator

    Nope, that all looks correct to me!

  • PeteS

    Circling back to this today with a follow-up question.

    CSF (to my knowledge) does not use nftables, so that would seem to mean it would not function after the switch, and thus isn't compatible with cPanel on Almalinux.

    It would seem to be a decision point: either run Almalinux firewalld on iptables, or don't use CSF.

    Can you elaborate on this?

  • Andrew

    Pete, CSF is absolutely compatible with Almalinux and works great after Elevating from CentOS 7 with all the previously set rules retained. 

    Andrew N. - cPanel Plesk VMWare Certified Professional
    Do you need immediate assistance? 20 minutes response time!* Open a ticket
    EmergencySupport - Professional Server Management and One-time Services

  • PeteS

    Good to know, but just to be clear, I'm asking if CSF works with nftables (which is recommended over iptables for Almalinux).

  • Andrew

    Have you asked ConfigServer about this yet? They should be the ones confirming, just FYI, but CSF works with iptables_nft for sure.

    Andrew N. - cPanel Plesk VMWare Certified Professional

  • PeteS

    I haven't.

    I started here because cPanel recommends moving Almalinux to nftables, and also still promotes/recommends CSF without comment about nftables.

    Edit to update: I had always heard that firewalld used iptables underneath, but at least on the servers I'm concerned with it already uses nftables by default. (Not sure how long that's been default - likely a while.) So my initial concern isn't a concern anymore. I'm betting CSF handles nftables just fine - just didn't find it in the CSF pages I looked on. (FYI to check what firewalld is using: # grep 'FirewallBackend=' /etc/firewalld/firewalld.conf)

    cPRex, does this all sound right, and does cPanel need an update on docs on some of this?

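As an added example (not code from the cPanel documentation, from ConfigServer, or from anyone in this thread), the script below wraps the six documented steps quoted earlier in `migrate_firewall()` and adds the two checks this thread keeps circling back to: which backend firewalld is configured for (the `FirewallBackend=` grep above) and whether the installed `iptables` binary is the nf_tables or legacy flavor, plus a non-empty-backup check before the restore step. Assumptions, also marked in the code: that `FirewallBackend` is the only key that matters, that firewalld's upstream fallback when the key is absent is `nftables`, and that `iptables -V` prints `(nf_tables)` or `(legacy)` on 1.8+ builds and nothing on older ones. The migration function needs root and a real cPanel host and is never run unless you call it; the demo at the bottom runs offline on constructed files.

```shell
#!/bin/sh
# Added example, not from the cPanel docs or anyone in this thread.
# migrate_firewall() performs the six documented steps with checks; the
# three helpers answer "which backend/flavor am I actually on".
# Assumptions: the firewalld.conf key is FirewallBackend; when absent,
# firewalld's upstream fallback is nftables; `iptables -V` prints
# "(nf_tables)" or "(legacy)" on iptables 1.8+ and nothing on older builds.

# Print the backend firewalld is configured for, read from a firewalld.conf.
# Commented-out lines (#FirewallBackend=...) are ignored; last match wins.
firewalld_backend() {
    conf="${1:-/etc/firewalld/firewalld.conf}"
    val=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'nftables\n'    # assumed upstream fallback when the key is unset
    fi
}

# Classify an `iptables -V` string: nf_tables (iptables-nft) or legacy.
iptables_flavor() {
    case "$1" in
        *"(nf_tables)"*) printf 'nf_tables\n' ;;
        *)               printf 'legacy\n' ;;   # "(legacy)" or a pre-1.8 build
    esac
}

# Count rule lines (-A ...) in an iptables-save dump; 0 if missing or empty.
count_rules() {
    n=$(grep -c '^-A ' "$1" 2>/dev/null) || n=0
    printf '%s\n' "${n:-0}"
}

# The documented procedure, with a non-empty-backup check. Needs root and a
# real cPanel host; nothing calls it unless you do.
migrate_firewall() {
    backup="${1:-/root/iptables-$(date +%Y%m%d%H%M%S).rules}"
    [ "$(id -u)" -eq 0 ] || { echo "migrate_firewall: run as root" >&2; return 1; }
    yum -y install firewalld
    systemctl start firewalld.service
    systemctl enable firewalld
    iptables-save > "$backup"
    echo "saved $(count_rules "$backup") rule(s) to $backup"
    [ "$(count_rules "$backup")" -gt 0 ] || echo "warning: backup holds no rules; nothing to restore" >&2
    /usr/local/cpanel/scripts/configure_firewall_for_cpanel
    # Note: iptables-restore flushes every table named in the file before
    # loading it; pass --noflush if you want the saved rules appended instead.
    iptables-restore < "$backup"
    echo "firewalld backend: $(firewalld_backend)"
    echo "iptables flavor:   $(iptables_flavor "$(iptables -V 2>/dev/null)")"
}

# Offline demo on constructed files (no root, no cPanel needed).
tmp=$(mktemp -d)
cat > "$tmp/firewalld.conf" <<'EOF'
# constructed sample of /etc/firewalld/firewalld.conf
DefaultZone=public
#FirewallBackend=iptables
FirewallBackend=nftables
EOF
cat > "$tmp/backup.rules" <<'EOF'
# constructed sample of an iptables-save dump
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
echo "backend: $(firewalld_backend "$tmp/firewalld.conf")"        # nftables
echo "flavor:  $(iptables_flavor 'iptables v1.8.4 (nf_tables)')" # nf_tables
echo "rules:   $(count_rules "$tmp/backup.rules")"                # 2
rm -rf "$tmp"
```

On a live host, run `firewalld_backend` and `iptables_flavor "$(iptables -V)"` first: if the backend is already `nftables` and the binary reports `nf_tables`, the backup/restore steps operate through iptables-nft and there is no separate "conversion" to perform, which matches the observation in the post above.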
  • cPRex Jurassic Moderator

    That all sounds right to me!

