Managing CSF Firewall Rules on CentOS 8 with nftables

Introduction

CentOS 8 introduces nftables as its default firewall framework, replacing the legacy iptables system. This transition means that ConfigServer Security & Firewall (CSF) now operates through an nftables compatibility layer rather than directly on iptables.

Key Takeaways:

  • CentOS 8 does not support reverting to iptables-legacy.

  • CSF translates its firewall rules into nftables automatically.

  • Best practice: Let CSF manage firewall rules instead of modifying nftables manually.


๐Ÿ› ๏ธ 1๏ธโƒฃ The New Landscape: nftables on CentOS 8

๐Ÿ” What Changed?

  • Default Framework: CentOS 8 has fully migrated from iptables-legacy to nftables.

  • No iptables-legacy Package: Unlike other distributions, CentOS 8 does not provide a supported way to revert to iptables-legacy.

Why nftables?

Performance & Efficiency:

  • Faster processing compared to iptables.

  • Supports stateful packet filtering.

  • Provides native support for sets and maps, reducing redundancy in rule management.

๐Ÿ›ก๏ธ Modern Firewall Management:

  • Simplified syntax for rule management.

  • Enhanced security and scalability.


2. How CSF Operates with nftables

CSF and the Compatibility Layer

Originally designed for iptables, CSF now works through an nftables compatibility layer (iptables-nft) on CentOS 8.

Automatic Translation: When you execute:

csf -r

CSF issues its usual iptables-style commands, and the iptables-nft compatibility layer translates them into nftables rules automatically.

Managed Tables: You may see warnings like:

# Warning: table ip filter is managed by iptables-nft, do not touch!

What This Means: The system manages these tables automatically through CSF, and manual modifications are discouraged.

Best Practices: Let CSF Manage the Firewall

Avoid Manual Changes:

  • Do NOT modify the auto-generated tables using nft or direct iptables commands.

  • Instead, make all adjustments via CSF's configuration files.

Use CSF Commands:

csf -r         # Reload firewall rules
csf -g <port>  # Search the active rules for a specific port (or IP address)

3. Managing CSF Configuration on CentOS 8

๐Ÿ“ Making Adjustments via CSF

All modifications should be performed through CSF's configuration files:

  • Main Configuration: /etc/csf/csf.conf

  • Allow/Deny Lists: /etc/csf/csf.allow & /etc/csf/csf.deny

๐Ÿ› ๏ธ Whitelisting or Blacklisting IPs/Ports

To allow/block IPs or ports, edit the relevant file and reload CSF:

nano /etc/csf/csf.allow  # Whitelist IPs
nano /etc/csf/csf.deny   # Blacklist IPs
csf -r  # Apply changes

๐Ÿ— Custom Rules in CSF

If you need to define custom firewall rules, always do so within CSF's configuration instead of modifying nftables directly.


4. Verifying Active Rules

Even though you shouldn't modify nftables manually, it's useful to review applied rules.

Run the following command to inspect the active ruleset:

nft list ruleset

๐Ÿ” What You'll See:

  • Multiple tables like ip filter, ip raw, and ip mangle.

  • Rules that are maintained by the iptables-nft compatibility layer.
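Reviewing `nft list ruleset` by eye gets tedious once CSF has generated a few hundred rules. The following added example (not part of the original article or of CSF itself) parses the JSON form of the same output, `nft -j list ruleset`, and reports which TCP ports the INPUT chain of the iptables-nft managed `ip filter` table actually accepts, so the ports listed in TCP_IN in csf.conf can be checked against what is enforced. The sample ruleset embedded below is constructed, not captured from a real host; `live_ruleset()` is the only part that touches the system.

```python
import json
import subprocess

def _rule(chain, handle, right, verdict):
    """One rule object in the shape `nft -j list ruleset` emits (constructed, not captured)."""
    return {"rule": {"family": "ip", "table": "filter", "chain": chain, "handle": handle, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": right}},
        {"counter": {"packets": 0, "bytes": 0}}, {verdict: None}]}}

# Constructed sample: INPUT accepts 22 and {80,443}, drops 3306; OUTPUT accepts 25.
SAMPLE_RULESET = {"nftables": [
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    _rule("INPUT", 10, 22, "accept"),
    _rule("INPUT", 11, {"set": [80, 443]}, "accept"),
    _rule("INPUT", 12, 3306, "drop"),
    _rule("OUTPUT", 13, 25, "accept"),
]}

def _port_values(right):
    """Expand the right side of a 'tcp dport' match: a scalar, a set or a range."""
    if isinstance(right, int):
        return {right}
    if isinstance(right, dict) and "set" in right:
        return set().union(*(_port_values(v) for v in right["set"]))
    if isinstance(right, dict) and "range" in right:
        return set(range(right["range"][0], right["range"][1] + 1))
    return set()

def accepted_tcp_ports(ruleset, table="filter", chain="INPUT"):
    """TCP destination ports that some rule in family ip, table/chain explicitly accepts."""
    ports = set()
    for obj in ruleset.get("nftables", []):
        rule = obj.get("rule")
        if not rule or (rule.get("family"), rule.get("table"), rule.get("chain")) != ("ip", table, chain):
            continue
        exprs = [e for e in rule.get("expr", []) if isinstance(e, dict)]
        if not any("accept" in e for e in exprs):
            continue  # drop, reject or jump rules do not open the port in this chain
        for m in (e["match"] for e in exprs if "match" in e):
            payload = m.get("left", {}).get("payload")
            if m.get("op", "==") == "==" and payload == {"protocol": "tcp", "field": "dport"}:
                ports |= _port_values(m.get("right"))
    return ports

def missing_ports(ruleset, expected):  # ports from csf.conf TCP_IN that no INPUT accept covers
    return set(expected) - accepted_tcp_ports(ruleset)

def live_ruleset():  # on a real host, run after `csf -r`; needs root and the nft binary
    out = subprocess.run(["nft", "-j", "list", "ruleset"], capture_output=True, text=True, check=True)
    return json.loads(out.stdout)
```

On a live system, `missing_ports(live_ruleset(), {22, 80, 443})` should return an empty set after `csf -r`; a non-empty result means a TCP_IN port is not backed by an accept rule in the generated INPUT chain.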


5. Advantages of Using nftables with CSF

๐Ÿ›ก๏ธ Enhanced Security & Performance

Modern Syntax & Flexibility:

  • Supports sets, maps, and efficient rule processing.

  • Reduces the complexity of firewall configurations.

CSF Compatibility:

  • CSF seamlessly works with nftables.

  • Allows continued use of familiar CSF commands while leveraging nftables' modern capabilities.

Streamlined Management

Centralized Control:

  • Managing the firewall through CSF configuration files ensures that changes are consistent.

  • Reduces the risk of conflicts with system-managed tables.

Reduced Configuration Drift:

  • Prevents accidental overwrites or errors from manual nftables modifications.

  • Ensures that security policies remain correctly enforced.


๐Ÿ Conclusion

Managing CSF firewall rules on CentOS 8 means embracing the nftables framework. Since reverting to iptables-legacy is not an option, administrators should:

  • Use CSF commands & configuration files for all changes.

  • Avoid direct modifications to nftables-managed tables.

  • Verify rule translations using nft list ruleset to ensure security policies are correctly enforced.

By following these best practices, you maintain a secure, high-performance firewall configuration on CentOS 8 while still using the familiar CSF interface.
