Does ELevate migrate firewalld to nftables for AlmaLinux?
When using ELevate to migrate a server from CentOS to AlmaLinux, is firewalld automatically switched from iptables to nftables (including iptables rules, etc.), or do we have to do that manually after migration?
Hey hey! I spoke with the team and confirmed we do *not* make any conversions of the firewall rules. They are going to add that to the ELevate documentation so that it is clearer in the future.
Ok, thanks for confirming that. So after migration firewalld will continue to function as before, using iptables, correct?
And then it would be best to convert to nftables as recommended here: https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-configure-your-firewall-for-cpanel-services/#almalinux-rocky-linux-and-cloudlinux-firewall-management using this set of commands, correct?
To replace your server’s existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:
- Run the yum install firewalld command to ensure that you have installed the firewalld service daemon on your system.
- Run the systemctl start firewalld.service command to start the firewalld service.
- Run the systemctl enable firewalld command to start the firewalld service when the server starts.
- Run the iptables-save > backupfile command to save your existing firewall rules.
- Run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script.
- Run the iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.
Or do I misunderstand? If this is not the conversion process to nftables, then what is the proper process on a cPanel server? (The instructions there could be a little clearer about the conversion process.)
After conversion, is there any additional cleanup or removal pertaining to iptables?
Nope, that all looks correct to me!
Circling back to this today with a follow-up question.
CSF (to my knowledge) does not use nftables, so that would seem to mean it would not function after the switch, and thus isn't compatible with cPanel on Almalinux.
It would seem to be a decision point: either run Almalinux firewalld on iptables, or don't use CSF.
Can you elaborate on this?
Pete, CSF is absolutely compatible with Almalinux and works great after Elevating from CentOS 7 with all the previously set rules retained.
Andrew N. - cPanel Plesk VMWare Certified Professional
Good to know, but just to be clear, I'm asking if CSF works with nftables (which is recommended over iptables for Almalinux).
Have you asked ConfigServer about this yet? They should be the ones confirming, just FYI, but CSF works with iptables_nft for sure.
Andrew N. - cPanel Plesk VMWare Certified Professional
I haven't.
I started here because cPanel recommends moving Almalinux to nftables, and also still promotes/recommends CSF without comment about nftables.
Edit to update: I had always heard that firewalld used iptables underneath, but at least on the servers I'm concerned with it already uses nftables by default. (Not sure how long that's been default - likely a while.) So my initial concern isn't a concern anymore. I'm betting CSF handles nftables just fine - just didn't find it in the CSF pages I looked on. (FYI to check what firewalld is using: # grep 'FirewallBackend=' /etc/firewalld/firewalld.conf)
cPRex, does this all sound right, and does cPanel need to update its docs on some of this?
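As an added example (not from the thread, the cPanel documentation or ConfigServer), the following shell helpers put the two checks discussed above into script form: the FirewallBackend check from Pete's edit, a way to tell from the iptables -V banner whether the iptables binary is the nf_tables variant (iptables-nft, which Andrew refers to as iptables_nft) or the legacy one, and the iptables-save backup step from the quoted docs. The function names, the sample firewalld.conf contents and the version banners are constructed for illustration; the fallback to nftables when the key is absent matches firewalld's own default since version 0.6.

```shell
#!/bin/sh
# Added example, not part of the thread or the cPanel documentation.
# Helpers to check which packet-filter backend is in play after an ELevate
# migration, and to take the iptables-save backup the cPanel docs call for.
# All function names here are this example's own.

# Print the backend named in a firewalld.conf (nftables or iptables).
# Commented-out lines are ignored; the last uncommented setting wins.
# If the key is absent (or the file is unreadable), report firewalld's
# compiled-in default, which has been nftables since firewalld 0.6.
firewalld_backend() {
    conf="${1:-/etc/firewalld/firewalld.conf}"
    value=""
    if [ -r "$conf" ]; then
        value=$(awk -F= '/^[[:space:]]*FirewallBackend[[:space:]]*=/ {
                    v = $2
                    gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                    print v
                }' "$conf" | tail -n 1)
    fi
    case "$value" in
        nftables|iptables) printf '%s\n' "$value" ;;
        "")                printf 'nftables\n' ;;   # key absent: firewalld default
        *)                 printf 'unknown\n' ;;
    esac
}

# Classify the iptables CLI from its "iptables -V" banner:
#   "iptables v1.8.4 (nf_tables)"  -> nf_tables  (iptables-nft; rules land in nf_tables)
#   "iptables v1.8.4 (legacy)"     -> legacy     (classic xtables backend)
#   "iptables v1.4.21"             -> legacy     (pre-1.8 builds print no variant)
iptables_flavor() {
    case "$1" in
        *"(nf_tables)"*) printf 'nf_tables\n' ;;
        *)               printf 'legacy\n' ;;
    esac
}

# Save the current iptables ruleset to a file (the "iptables-save > backupfile"
# step). Returns 1 instead of writing an empty file when iptables-save is missing.
backup_iptables_rules() {
    dest="$1"
    if ! command -v iptables-save >/dev/null 2>&1; then
        echo "iptables-save not found; nothing to back up" >&2
        return 1
    fi
    iptables-save > "$dest" && echo "saved ruleset to $dest"
}

# Offline demonstration on a constructed config (not a real server's file).
demo_conf=$(mktemp)
printf 'DefaultZone=public\n# FirewallBackend=iptables\nFirewallBackend=nftables\n' > "$demo_conf"
echo "firewalld backend: $(firewalld_backend "$demo_conf")"
echo "iptables flavour:  $(iptables_flavor "iptables v1.8.4 (nf_tables)")"
rm -f "$demo_conf"
# On a live host you would instead run:
#   firewalld_backend                      # reads /etc/firewalld/firewalld.conf
#   iptables_flavor "$(iptables -V)"
#   backup_iptables_rules /root/iptables.backup
```

One caveat worth keeping in mind when following the quoted docs on AlmaLinux 8: there the iptables command is the nf_tables variant, so rules loaded with iptables-restore end up in the kernel's nf_tables subsystem in their own tables, alongside (not inside) the tables firewalld manages, and nft list ruleset will show both sets.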
That all sounds right to me!