firewalld 1.0 release

A release of firewalld 1.0, a dynamically managed firewall implemented as a wrapper over the nftables and iptables packet filters, is available. Firewalld runs as a background process that allows packet filter rules to be changed dynamically over D-Bus without reloading the whole rule set and without dropping established connections. The project is already in use on many Linux distributions, including RHEL 7+, Fedora 18+, and SUSE/openSUSE 15+. The firewalld code is written in Python and distributed under the GPLv2 license.

To manage the firewall, the firewall-cmd utility is used; its rules are built not around IP addresses, network interfaces and port numbers but around service names (for example, to open access to SSH you run "firewall-cmd --add-service=ssh", and to close it "firewall-cmd --remove-service=ssh"). The firewall-config (GTK) graphical interface and the firewall-applet (Qt) applet can also be used to change the firewall configuration. Managing the firewall through the firewalld D-Bus API is supported by projects such as NetworkManager, libvirt, podman, docker and fail2ban.

The major version bump reflects changes that break backward compatibility and alter how zones behave. All filtering options defined in a zone now apply only to traffic destined for the host running firewalld; filtering forwarded (transit) traffic requires policy settings. The most notable changes:

  • The backend that runs on top of iptables has been declared deprecated. Support for iptables will be maintained for the foreseeable future, but this backend will not evolve.
  • The intra-zone forwarding mode is now enabled by default for all new zones, allowing packets to move freely between network interfaces or traffic sources within the same zone (public, block, trusted, internal, etc.). To restore the old behavior and disable packet forwarding within a zone, use the "firewall-cmd --permanent --zone public --remove-forward" command.
  • Rules related to address translation (NAT) have been moved to the "inet" protocol family (previously they were added in the "ip" and "ip6" families, which required duplicating the rules for IPv4 and IPv6). This change eliminated duplicates when using ipset: instead of three copies of the ipset entries, one is now used.
  • The "default" action specified in the "--set-target" parameter is now equivalent to "reject", i.e. all packets that do not match the rules defined in the zone are blocked by default. An exception is made only for ICMP packets, which are still allowed through. To restore the old behavior for the publicly accessible "trusted" zone, the following rules can be used:
      firewall-cmd --permanent --new-policy allowForward
      firewall-cmd --permanent --policy allowForward --set-target ACCEPT
      firewall-cmd --permanent --policy allowForward --add-ingress-zone public
      firewall-cmd --permanent --policy allowForward --add-egress-zone trusted
      firewall-cmd --reload
  • Policies with positive priority are now evaluated immediately before the "--set-target" catch-all rule, i.e. at the point just before the final drop, reject or accept rule is added, including for zones that use "--set-target drop|reject|accept".
  • ICMP blocking now applies only to incoming packets addressed to the current host (input) and does not affect packets forwarded between zones (forward).
  • Removed the tftp-client service, which was intended to track connections for the TFTP protocol but was in an unusable state.
  • The "direct" interface, which allowed ready-made packet filter rules to be inserted directly, has been deprecated. The need for it disappeared once filtering of forwarded and outgoing packets was added.
  • Added the CleanupModulesOnExit parameter, which defaults to "no". This option controls whether kernel modules are unloaded after firewalld exits.
  • ipset can now be used when specifying the destination.
  • Added definitions for WireGuard, Kubernetes and netbios-ns services.
  • Implemented autocompletion rules for zsh.
  • Support for Python 2 has been dropped.
  • The list of dependencies has been shortened. Apart from the Linux kernel, firewalld now requires only the dbus, gobject and nftables Python libraries; the ebtables, ipset and iptables packages are optional. The decorator and slip Python libraries have been removed from the dependencies.
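The policy commands and the --remove-forward command from the list above, generalized to any pair of zones and made idempotent, as an added example (not code from the firewalld project). It assumes a firewalld 1.0+ host with firewall-cmd on PATH; the DRY_RUN variable, the policy name and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example: create an inter-zone forwarding policy for firewalld >= 1.0,
# where a zone's "default" target rejects forwarded traffic unless a policy
# allows it. Set DRY_RUN=1 to print the firewall-cmd calls instead of running
# them (useful for review before touching a production host).

# Runs a command, or prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Returns 0 if a permanent policy named $1 already exists.
# In dry-run mode we cannot query the daemon, so assume it does not.
policy_exists() {
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    firewall-cmd --permanent --get-policies | tr ' ' '\n' | grep -qx "$1"
}

# Usage: allow_forward <policy-name> <ingress-zone> <egress-zone>
# Creates (if needed) a permanent policy that ACCEPTs traffic forwarded from
# the ingress zone to the egress zone, then reloads so it takes effect.
# firewall-cmd treats re-adding an existing zone as a warning, so re-running
# this on an existing policy is safe.
allow_forward() {
    policy=$1; ingress=$2; egress=$3
    if ! policy_exists "$policy"; then
        run firewall-cmd --permanent --new-policy "$policy"
    fi
    run firewall-cmd --permanent --policy "$policy" --set-target ACCEPT
    run firewall-cmd --permanent --policy "$policy" --add-ingress-zone "$ingress"
    run firewall-cmd --permanent --policy "$policy" --add-egress-zone "$egress"
    run firewall-cmd --reload
}

# Usage: disable_intra_zone_forward <zone>
# Opts a zone out of the 1.0 default that forwards freely between interfaces
# and sources of the same zone.
disable_intra_zone_forward() {
    run firewall-cmd --permanent --zone "$1" --remove-forward
    run firewall-cmd --reload
}

# Example from the release note: allow public -> trusted forwarding.
# allow_forward allowForward public trusted
```

Run with DRY_RUN=1 first to see the exact firewall-cmd sequence that would be applied.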

Source: opennet.ru