Affected versions: Oracle Linux 10


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Firewall behavior is inconsistent because rules are being managed by two backends at once: legacy iptables (xtables) and nftables.

Environment & Reproduction

Hosts migrated from older builds may retain legacy iptables scripts.

iptables -S
nft list ruleset | head -n 80

Root Cause Analysis

Parallel rule management stacks create unexpected packet path outcomes and policy drift.

Quick Triage

Identify the active firewall manager and which backend it expects to own the ruleset.

systemctl status firewalld
firewall-cmd --state
rpm -qa | grep -E 'iptables|nftables'
getenforce
journalctl -u firewalld -n 40 --no-pager

Step-by-Step Diagnosis

Compare effective ruleset with intended service exposure.

nft list ruleset
firewall-cmd --list-all-zones
ss -tulpen | head -n 80
[Illustrative figure: Conflicting packet filter toolchains]
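An added example (not from the original article) that automates the comparison above: it classifies the iptables backend from the text of iptables -V and lists nft tables outside firewalld's own table, so it can run on captured output as well as on a live host. The version strings and rulesets below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original article. The inputs are the text of
# `iptables -V` and `nft list ruleset`; the samples at the bottom are constructed.

# Which kernel interface the iptables binary uses: "legacy" (xtables, whose
# rules do not appear in `nft list ruleset`) or "nf_tables" (rules visible to nft).
iptables_backend() {
  case "$1" in
    *"(legacy)"*)    echo legacy ;;
    *"(nf_tables)"*) echo nf_tables ;;
    *)               echo unknown ;;
  esac
}

# family/table names of nft tables not owned by firewalld, which keeps all of
# its rules in the single table "inet firewalld". Ruleset text on stdin.
foreign_nft_tables() {
  awk '/^table / && $3 != "firewalld" { print $2 "/" $3 }'
}

# Verdict for one host: "conflict" when a legacy iptables backend is in use or
# when nft tables exist outside firewalld's ownership, "ok" otherwise.
assess() {
  backend=$(iptables_backend "$1")
  foreign=$(printf '%s\n' "$2" | foreign_nft_tables | awk 'END { print NR }')
  if [ "$backend" = legacy ] || [ "$foreign" -gt 0 ]; then
    echo conflict
  else
    echo ok
  fi
}

# Constructed, abbreviated rulesets (not captured from a real host).
CLEAN_RULESET='table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
    }
}'
MIXED_RULESET="$CLEAN_RULESET
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}"

echo "clean host:  $(assess 'iptables v1.8.10 (nf_tables)' "$CLEAN_RULESET")"
echo "mixed host:  $(assess 'iptables v1.8.10 (nf_tables)' "$MIXED_RULESET")"
echo "legacy host: $(assess 'iptables v1.8.10 (legacy)' "$CLEAN_RULESET")"
```

On a live host, feed it real output with assess "$(iptables -V)" "$(nft list ruleset)"; any table reported by foreign_nft_tables is a second control plane to account for before standardizing.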

Solution – Primary Fix

Standardize on firewalld+nftables and retire unmanaged legacy scripts.


sudo systemctl disable --now iptables || true
sudo systemctl enable --now firewalld
sudo firewall-cmd --reload
sudo systemctl restart firewalld
[Illustrative figure: Unified nftables/firewalld policy]

Solution – Alternative Approaches

If legacy tooling is unavoidable, isolate it and disable firewalld ownership for affected hosts.

sudo systemctl disable --now firewalld
sudo systemctl enable --now nftables

Verification & Acceptance Criteria

A single firewall control plane is active, and the ports actually exposed match the intended policy.

firewall-cmd --list-all
nft list ruleset | head -n 120

Rollback Plan

Restore previous firewall service state and known-good ruleset backup.

sudo cp /root/backup/nftables.conf /etc/nftables.conf
sudo systemctl restart nftables

Prevention & Hardening

Block ad-hoc iptables scripts and enforce centrally managed firewall templates.

auditctl -w /usr/sbin/iptables -p x -k legacy_fw_use

Related Errors & Cross-Refs

Related problems: custom chains created by Docker/Podman, and firewalld direct rules that bypass zone policy.


References & Further Reading

RHEL nftables transition guidance and firewalld backend notes.
