firewalld 1.2 has been released: here is what's new

The new version of the dynamic firewall manager, firewalld 1.2, was released recently. It is implemented as a wrapper on top of the nftables and iptables packet filters.

For those who are not familiar with firewalld, it is a dynamically managed firewall with support for network zones, which define the level of trust of the networks or interfaces you connect through. It supports IPv4 and IPv6 configurations as well as Ethernet bridges.

firewalld also keeps the running (runtime) configuration and the permanent configuration separate. In addition, it provides an interface through which applications can add rules to the firewall in a convenient way.

The old firewall model (system-config-firewall/lokkit) was static, and every change required a full firewall reset. This meant unloading the kernel firewall modules (e.g. netfilter) and reloading them on every configuration change. That restart also meant losing the state of established connections.

By contrast, firewalld does not require a service restart to apply a new configuration. Therefore, it is not necessary to reload kernel modules. The only drawback is that for all this to work correctly, the firewall configuration must be done through firewalld and its configuration tools (firewall-cmd or firewall-config). Firewalld is capable of adding rules using the same syntax as the {ip,ip6,eb}tables commands (direct rules).

The service also provides information about the current firewall configuration via DBus, and in the same way new rules can also be added, using PolicyKit for the authentication process.

Firewalld runs as a background process that allows packet filter rules to be changed dynamically over D-Bus without reloading packet filter rules and without disconnecting established connections.

The firewall is managed with the firewall-cmd utility, which builds rules not from IP addresses, network interfaces and port numbers but from service names (for example, to open SSH access you run “firewall-cmd --add-service=ssh”, and to close it again “firewall-cmd --remove-service=ssh”).
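As an added example (not firewalld's own code, and not part of the original article), the following Python script shows what lies behind service-name based rules: a zone file lists services, each service definition resolves to concrete protocol/port pairs, and comparing the runtime zone with the permanent one reveals which open ports would vanish on the next reload. The XML snippets are constructed to follow the layout of /usr/lib/firewalld/services/*.xml and /etc/firewalld/zones/*.xml; the ssh port is real, while the snmptls ports, the 8080-8081 entry and the in-memory SERVICE_XML lookup are placeholders standing in for files read from disk.

```python
"""Resolve firewalld zone definitions to the ports they expose and
compare a runtime zone against its permanent counterpart.

Added example, not firewalld's own code. The XML below is constructed
to mirror the layout of firewalld's service and zone files.
"""
import xml.etree.ElementTree as ET

# Constructed service definitions keyed by service name: a hypothetical
# in-memory stand-in for the files under /usr/lib/firewalld/services/.
SERVICE_XML = {
    "ssh": """<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>""",
    "dhcpv6-client": """<service>
  <short>DHCPv6 Client</short>
  <port protocol="udp" port="546"/>
  <destination ipv6="fe80::/64"/>
</service>""",
    "snmptls": """<service>
  <short>SNMP over TLS (constructed placeholder ports)</short>
  <port protocol="tcp" port="10161"/>
  <port protocol="udp" port="10161"/>
</service>""",
}

# Constructed zone definitions: what is saved on disk (permanent) versus
# what is active right now (runtime, e.g. after changes without --permanent).
PERMANENT_ZONE = """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>"""

RUNTIME_ZONE = """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="snmptls"/>
  <port protocol="tcp" port="8080-8081"/>
</zone>"""


def service_ports(xml_text):
    """Return the set of (protocol, port) pairs a service definition opens."""
    root = ET.fromstring(xml_text)
    return {(p.get("protocol"), p.get("port")) for p in root.findall("port")}


def zone_exposure(zone_xml, services=SERVICE_XML):
    """Expand a zone's <service> and <port> entries into concrete ports.

    Service names with no definition are returned separately, so a zone
    entry that resolves to nothing is visible instead of silently dropped.
    """
    root = ET.fromstring(zone_xml)
    exposed, unknown = set(), set()
    for svc in root.findall("service"):
        name = svc.get("name")
        if name in services:
            exposed |= service_ports(services[name])
        else:
            unknown.add(name)
    for p in root.findall("port"):
        exposed.add((p.get("protocol"), p.get("port")))
    return exposed, unknown


def runtime_drift(runtime_xml, permanent_xml):
    """Compare runtime and permanent exposure.

    'volatile' ports are open now but absent from the permanent config, so
    they disappear on the next reload; 'pending' ports are saved but not
    yet active. Both are worth an alert in a configuration audit.
    """
    run, _ = zone_exposure(runtime_xml)
    perm, _ = zone_exposure(permanent_xml)
    return {"volatile": sorted(run - perm), "pending": sorted(perm - run)}


if __name__ == "__main__":
    for kind, entries in runtime_drift(RUNTIME_ZONE, PERMANENT_ZONE).items():
        print(f"{kind}: {entries}")
```

On a real host the same functions can be fed the contents of the zone file under /etc/firewalld/zones/ and a runtime dump, so that ports opened only in the runtime configuration are caught before a reload silently closes them (or before they are wrongly assumed to be persistent).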

The firewall-config (GTK) graphical interface and the firewall-applet (Qt) tray applet can also be used to change firewall settings. Firewall management through the firewalld D-Bus API is supported by projects such as NetworkManager, libvirt, podman, docker and fail2ban.

Main new features of firewalld 1.2

This version adds the snmptls and snmptls-trap services, which manage access to the SNMP protocol over a secure (TLS) communication channel.

A service definition has also been added for the protocol used by the decentralized IPFS file system.

Another notable change is the addition of service definitions for gpsd, ident, ps3netsrv, CrateDB, checkmk, netdata, Kodi JSON-RPC, EventServer, Prometheus node-exporter and kubelet-readonly.

In addition, a failsafe boot mode has been added: if the configured rules cannot be applied, firewalld falls back to the default configuration instead of leaving the host unprotected.

Other changes that stand out in this release:

  • Added the “--log-target” parameter.
  • Bash command autocompletion support for working with rules.
  • Added safe version of k8s driver blueprint components

If you are interested in learning more about this version, you can consult the details at the following link.

Get Firewalld 1.2

Finally, for those interested in installing this firewall, the project is already in use on many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and is released under the GPLv2 license.

You can get the source code for your build from the link below.

As for a user manual, I can recommend the following.
