About the Packet Filtering Firewall
Firewalls filter incoming and outgoing network packets based on the information in their packet headers. You create packet filter rules that decide whether each packet is accepted or rejected. If you create a rule to block a port, the firewall automatically rejects any request to that port and the request is ignored. Any service that's listening on a blocked port no longer processes network traffic, because the firewall passes it no new packets for that port.
You can configure the Netfilter feature to act as a packet-filtering firewall that uses rules to decide whether network packets are received, dropped, or forwarded. In addition, Netfilter provides Network Address Translation (NAT) and IP masquerading to alter IP header information for routed packets. You can also set rule-based packet logging and define a dedicated log file by changing /etc/syslog.conf.
The nftables framework is the default stateful network packet filtering framework in Oracle Linux, replacing the iptables framework. The nftables framework provides improved performance over the iptables framework. The nftables framework uses components of the Netfilter infrastructure, such as the existing hooks into the networking stack, the connection tracking system, the user-space queueing component, and the logging subsystem. In addition, nftables can also classify packets.
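The following ruleset is an added example, not part of the Oracle documentation, showing how the concepts above look in nftables syntax: a stateful input filter built on connection tracking, a rule that logs and then drops traffic to a blocked port (TCP port 23 is used here as a placeholder), and a NAT table that masquerades forwarded traffic. The external interface name eth0 and the choice of ports are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the Oracle Linux documentation).
# Load with: nft -f /path/to/this-file.nft   and inspect with: nft list ruleset
flush ruleset

table inet filter {
    chain input {
        # Default policy: anything not explicitly accepted below is dropped
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed
        iif "lo" accept

        # Stateful filtering via Netfilter connection tracking:
        # packets belonging to an already accepted connection pass,
        # packets that conntrack cannot classify are dropped
        ct state established,related accept
        ct state invalid drop

        # Keep the management SSH session alive when the ruleset is loaded
        tcp dport 22 ct state new accept

        # Blocked port (placeholder: 23). The packet is logged to the kernel log
        # with a prefix that a syslog rule can match to route it to a dedicated
        # file, then dropped, so a service listening on 23 never sees it.
        tcp dport 23 log prefix "nft-blocked-port: " drop
    }

    chain forward {
        # Only forward traffic that conntrack already knows about or that
        # originates on the assumed internal interface eth1
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # IP masquerading: rewrite the source address of packets leaving
        # through the assumed external interface eth0
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Drops produced by the log rule appear in the kernel log with the "nft-blocked-port: " prefix; matching that prefix in the syslog configuration is how the dedicated log file mentioned above is populated.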
For more information, see Oracle Linux 8: Configuring the Firewall.