Does Elevate migrate firewalld to nftables for Almalinux
When using Elevate to migrate a server from CentOS to AlmaLinux is firewalld automatically switched from iptables to nftables (including iptables rules,etc.), or do we have to do that manually after migration?
-
Hey hey! I spoke with the team confirmed we do *not* make any conversions of the firewall rules. They are going to be adding that to the ELevate documentation so that is more clear in the future.
0 -
Ok, thanks for confirming that. So after migration firewalld will continue to function as before, using iptables, correct?
And then it would be best to convert to nftables as recommended here: https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-configure-your-firewall-for-cpanel-services/#almalinux-rocky-linux-and-cloudlinux-firewall-management using this set of command, correct?
To replace your server’s existing
iptablesrules with the rules in the/etc/firewalld/services/cpanel.xmlfile, perform the following steps:- Run the
yum install firewalldcommand to ensure that you have installed thefirewalldservice daemon on your system. - Run the
systemctl start firewalld.servicecommand to start thefirewalldservice. - Run the
systemctl enable firewalldcommand to start thefirewalldservice when the server starts. - Run the
iptables-save > backupfilecommand to save your existing firewall rules. - Run the
/usr/local/cpanel/scripts/configure_firewall_for_cpanelscript. - Run the
iptables-restore < backupfilecommand to incorporate your old firewall rules into the new firewall rules file.
Or do I misunderstand? If this is not the conversion process to nftables, then what is the proper process on a cPanel server. (The instructions there could be a little more clear about the conversion process.)
After conversion, is there any additional cleanup or removal pertaining to iptables?
0 - Run the
-
Nope, that all looks correct to me!
0 -
Circling back to this today with a follow-up question.
CSF (to my knowledge) does not use nftables, so that would seem to mean it would not function after the switch, and thus isn't compatible with cPanel on Almalinux.
It would seem to be a decision point: either run Almalinux firewalld on iptables, or don't use CSF.
Can you elaborate on this?
0 -
Pete, CSF is absolutely compatible with Almalinux and works great after Elevating from CentOS 7 with all the previously set rules retained.
Andrew N. - cPanel Plesk VMWare Certified Professional
Do you need immediate assistance? 20 minutes response time!* Open a ticket
EmergencySupport - Professional Server Management and One-time Services0 -
Good to know, but just to be clear, I'm asking if CSF works with nftables (which is recommended over iptables for Almalinux).
0 -
Have you asked ConfigServer about this yet? They should be the one confirming just fyi but CSF works with iptables_nft for sure.
Andrew N. - cPanel Plesk VMWare Certified Professional
Do you need immediate assistance? 20 minutes response time!* Open a ticket
EmergencySupport - Professional Server Management and One-time Services0 -
I haven't.
I started here because cPanel recommends moving Almalinux to nftables, and also still promotes/recommends CSF without comment about nftables.
Edit to update: I had always heard that firewalld used iptables underneath, but at least on the servers I'm concerned with it already uses nftables by default. (Not sure how long that's been default - likely a while.) So my initial concern isn't a concern anymore. I'm betting CSF handles nftables just fine - just didn't find it in the CSF pages I looked on. (FYI to check what firewalld is using: # grep 'FirewallBackend=' /etc/firewalld/firewalld.conf)
cPRex Does this all sound right, and does cPanel need an update on docs on some of this?
0 -
That all sounds right to me!
0
Please sign in to leave a comment.
Comments
9 comments