firewalld 2.4.0, a dynamically controlled firewall implemented as a wrapper over the nftables and iptables packet filters, has been released. Firewalld runs as a background process that allows packet filter rules to be changed dynamically via D-Bus without reloading the whole rule set or breaking established connections. The project is already used in many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and is licensed under the GPLv2 license.
The firewall is managed with the firewall-cmd utility, whose rules are expressed not in terms of IP addresses, network interfaces and port numbers but in terms of service names (for example, to open access to SSH you run "firewall-cmd --add-service=ssh", and to close it again "firewall-cmd --remove-service=ssh"). The firewall-config (GTK) graphical interface and the firewall-applet (Qt) applet can also be used to change the firewall configuration. Firewall management through the firewalld D-Bus API is supported in projects such as NetworkManager, libvirt, podman, docker and fail2ban.
Key changes:
- A "gateway" ruleset has been added, covering the functionality of a typical home router (including NAT, conntrack handlers, and inter-zone traffic redirection). An example of configuring a gateway with internal and external network interfaces using the "gateway" ruleset:
    firewall-cmd --permanent --zone internal --add-interface eth0
    firewall-cmd --permanent --zone external --add-interface eth1
    firewall-cmd --permanent --policy-set gateway --remove-disable
    firewall-cmd --reload
- A "disable" flag has been implemented that can be set in the XML configuration, with the command line utility, or via D-Bus to disable individual rules and policy sets.
- The maximum size of rule names has been increased from 17 to 128 characters.
- Added the gitea service for the collaborative development platform of the same name (TCP port 3000).
- Added the syslog-ng service for the logging system of the same name (ports 514, 601 and 6514).
- Added the proxy-http service for HTTP/HTTPS proxies such as Squid (TCP port 3128).
- Added the socks service for proxy servers implementing the SOCKS protocol (TCP port 1080).
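Because firewall-cmd works with service names rather than port numbers (as described above), anyone reviewing a zone configuration needs to translate those names back into the ports they actually open. The following added example, which is not firewalld's own code, does that translation for the four new services listed in this release by parsing definitions written in the same XML format firewalld uses for its service files. The XML snippets are constructed for the example; the port numbers come from the release notes, but the split of syslog-ng's port 514 into TCP and UDP entries is an assumption.

```python
"""Resolve firewalld service names to the ports they open.

Added example, not part of firewalld. The service definitions below are
constructed in the format of firewalld's service XML files
(/usr/lib/firewalld/services/<name>.xml); only the port numbers are taken
from the 2.4.0 release notes.
"""
import xml.etree.ElementTree as ET

# Constructed catalogue of service definitions keyed by service name.
# The protocol split for syslog-ng (514/udp + 514/tcp) is an assumption.
SERVICE_XML = {
    "gitea": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Gitea</short>
  <description>Gitea collaborative development platform.</description>
  <port protocol="tcp" port="3000"/>
</service>""",
    "syslog-ng": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>syslog-ng</short>
  <description>syslog-ng logging system.</description>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="514"/>
  <port protocol="tcp" port="601"/>
  <port protocol="tcp" port="6514"/>
</service>""",
    "proxy-http": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HTTP proxy</short>
  <description>HTTP/HTTPS proxy such as Squid.</description>
  <port protocol="tcp" port="3128"/>
</service>""",
    "socks": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SOCKS</short>
  <description>SOCKS proxy.</description>
  <port protocol="tcp" port="1080"/>
</service>""",
}

VALID_PROTOCOLS = ("tcp", "udp", "sctp", "dccp")


def parse_service(xml_text):
    """Parse one service definition and return its name and (port, protocol) pairs.

    Rejects documents whose root is not <service> and ports with unknown
    protocols, so a malformed or tampered file fails loudly instead of
    silently opening nothing (or something unexpected).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition: <%s>" % root.tag)
    ports = []
    for entry in root.findall("port"):
        proto = entry.get("protocol")
        port = entry.get("port")
        if proto not in VALID_PROTOCOLS or not port:
            raise ValueError("bad port entry: protocol=%r port=%r" % (proto, port))
        ports.append((port, proto))  # port may be a single number or a range "a-b"
    short = root.findtext("short", default="")
    return {"short": short, "ports": ports}


def _sort_key(pair):
    # Sort by the numeric start of the port (ranges use their first number), then protocol.
    port, proto = pair
    return (int(port.split("-")[0]), proto)


def resolve_services(names, catalog=SERVICE_XML):
    """Return the sorted, de-duplicated (port, protocol) pairs opened by the given services."""
    opened = set()
    for name in names:
        if name not in catalog:
            raise KeyError("unknown service: %s" % name)
        opened.update(parse_service(catalog[name])["ports"])
    return sorted(opened, key=_sort_key)


def port_to_services(catalog=SERVICE_XML):
    """Reverse index: for each (port, protocol), which service names open it.

    Useful when a port is found reachable on a zone and the reviewer wants to
    know which enabled service name is responsible.
    """
    index = {}
    for name, xml_text in catalog.items():
        for pair in parse_service(xml_text)["ports"]:
            index.setdefault(pair, []).append(name)
    return {pair: sorted(owners) for pair, owners in index.items()}


if __name__ == "__main__":
    for name in SERVICE_XML:
        print(name, resolve_services([name]))
    print(port_to_services())
```

The reverse index is the part a defender usually wants: given a zone where services are enabled by name, it answers which service is responsible for a given listening port being reachable, which is how a proxy service such as socks accidentally enabled on an external-facing zone gets noticed during review.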
Source: opennet.ru
