FirewallD is a front-end, a "user friendly" abstraction that hides the lower-level details.
Debian-based distros seem to have a similar front-end, ufw (Uncomplicated Firewall).
Up to el7, the kernel had netfilter for the rules. You were able to read (and write) those with 'iptables'.
Starting with el8 the kernel has nf_tables for the rules. You are able to read (and write) those with 'nft'.
FirewallD reads config files that are in FirewallD's syntax and generates rules into the kernel. FirewallD used to write to netfilter and now writes to nf_tables. When FirewallD runs, it assumes that nobody else writes rules directly to the kernel; one should talk to FirewallD. That is one point of FirewallD: you can "dynamically" update the rules during runtime with it. You usually don't edit the config files either, but ask FirewallD to do it for you (with 'firewall-cmd').
The nftables.service and the iptables.service are more "static". They are "oneshot" services that on boot write ruleset into kernel. Obviously from config file(s). If you need to modify rules after boot, then you have to do it directly with nft. If you want to change the stored config, then you edit files.
Look at /etc/sysconfig/nftables and files in /etc/nftables/
Look also at the ruleset created by FirewallD: sudo nft list ruleset (Warning: ain't pretty.)
Yes, you can replace firewalld.service with nftables.service.
Code:
sudo systemctl stop firewalld.service
sudo systemctl mask firewalld.service
sudo systemctl enable nftables.service
sudo systemctl start nftables.service
Note that the "start" loads only what is in the config. How you write the config is up to you.
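As an added illustration (not part of the post above, and not a file shipped by the distro), this is a minimal stateful ruleset of the kind nftables.service loads at boot. It assumes the file is saved as /etc/nftables/main.nft and that /etc/sysconfig/nftables.conf contains the line `include "/etc/nftables/main.nft"`; the only exposed service (SSH on port 22) is also an assumption.

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset for nftables.service (assumed path: /etc/nftables/main.nft).
# Assumed to be pulled in from /etc/sysconfig/nftables.conf via:
#   include "/etc/nftables/main.nft"

# Start from a clean slate so a reload does not duplicate rules.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established/related flows, drop invalid packets early.
        ct state established,related accept
        ct state invalid drop

        # Loopback is always trusted.
        iif "lo" accept

        # ICMP and ICMPv6 are needed for path MTU discovery, neighbour discovery, etc.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services this host exposes (assumption: only SSH).
        tcp dport 22 ct state new accept

        # Count and log what is about to hit the drop policy so it shows up in journald.
        counter log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without touching the kernel with `sudo nft -c -f /etc/nftables/main.nft`, then load it with `sudo systemctl restart nftables.service` and confirm with `sudo nft list ruleset`.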