Firewalld, an excellent firewall management tool

firewalld, a utility for filtering and blocking network traffic

Most Linux distributions ship with a firewall service already configured, so the user rarely has to touch this part of the system. Sometimes, though, a special configuration is needed, or the user simply wants to control the rules directly.

That is why today we are talking about firewalld, a dynamically managed firewall. It lets you manage the packet filter in terms of network zones, which define the level of trust given to the networks or interfaces you connect through, and it supports IPv4, IPv6 and Ethernet bridge configurations.

About Firewalld

Firewalld is implemented as a front end over the nftables and iptables packet filters. It runs as a background daemon and allows packet filter rules to be changed dynamically over D-Bus, without reloading the whole rule set and without dropping established connections.

The firewall is managed with the firewall-cmd utility. Rules are normally expressed in terms of named services rather than raw IP addresses, network interfaces and port numbers: a single command opens access to SSH, another closes it, and so on. Raw ports, addresses and interfaces can still be used when no service definition fits.

The settings can also be changed through the firewall-config graphical interface (GTK) and the firewall-applet tray applet (Qt). Management through the firewalld D-Bus API is used by projects such as NetworkManager, libvirt, podman, docker and fail2ban.

In addition, firewalld keeps the runtime configuration and the permanent configuration separately: runtime changes take effect immediately but are lost on reload, while permanent changes survive reboots but are only applied after a reload. Firewalld also provides an interface through which applications can add rules in a convenient way.

The previous model (system-config-firewall/lokkit) was static: every change required a complete restart of the firewall, which meant unloading the netfilter kernel modules and loading them again for each new configuration. That restart also threw away the state of established connections.

By contrast, firewalld does not need a service restart to apply a new configuration, so the kernel modules do not have to be reloaded. The only drawback is that for all of this to work correctly, the configuration must go through firewalld and its tools (firewall-cmd or firewall-config); rules added behind its back with plain iptables or nft are not tracked. Firewalld can also add rules using the same syntax as the {ip,ip6,eb}tables commands (direct rules).
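As an added example that is not part of the original article or of the firewalld project, the following script shows the workflow that the separate runtime and permanent configurations make possible: bind an interface to a zone, allow named services instead of raw ports, verify the result, and only then persist it. The zone and interface names are assumptions, and the fwcmd wrapper is a helper written for this example that only logs the commands unless FW_DRY_RUN=0 and firewall-cmd is installed.

```shell
#!/bin/sh
# Added example (not from the article or the firewalld project): the
# runtime-first workflow that firewalld's split runtime/permanent model
# allows. Changes go live immediately, are checked, and only then copied
# to the permanent configuration, so a bad rule never survives a reload.
set -eu

# Every command issued is recorded here; in dry-run mode this is the only
# side effect (assumption: default to dry-run so the script is safe to run
# anywhere, including hosts without firewalld).
FW_LOG="${FW_LOG:-$(mktemp)}"

# fwcmd: helper written for this example. It logs the invocation and, when
# FW_DRY_RUN=0 and firewall-cmd exists, also runs the real tool. In dry-run
# mode it always succeeds, so query results are not meaningful there.
fwcmd() {
  printf 'firewall-cmd %s\n' "$*" >>"$FW_LOG"
  if [ "${FW_DRY_RUN:-1}" = 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd "$@"
  fi
}

# lock_down_interface ZONE IFACE SERVICE...
# Binds IFACE to ZONE, allows the named services in that zone, verifies
# the result, then persists the verified runtime state.
lock_down_interface() {
  zone="$1"; iface="$2"; shift 2

  # 1. Runtime only. Nothing below survives `firewall-cmd --reload` yet,
  #    which is exactly why it is safe to try it here first: a mistake
  #    that locks out SSH is undone by a reload from the console.
  fwcmd --zone="$zone" --change-interface="$iface"
  for svc in "$@"; do
    fwcmd --zone="$zone" --add-service="$svc"
  done

  # 2. Verify before persisting. With the real tool, --query-service exits
  #    non-zero when the service is absent, which aborts under `set -e`
  #    before anything is made permanent.
  for svc in "$@"; do
    fwcmd --zone="$zone" --query-service="$svc"
  done

  # 3. Copy the runtime state into the permanent configuration. This is
  #    the same as repeating every command with --permanent, minus the
  #    chance of the two configurations drifting apart.
  fwcmd --runtime-to-permanent
}

# zone_report ZONE: show which zones are active and what ZONE allows.
zone_report() {
  fwcmd --get-active-zones
  fwcmd --zone="$1" --list-all
}

# The opposite order (edit with --permanent, then --reload) applies the
# change with no trial run; a typo in the zone name then silently lands in
# a zone the interface is not bound to.

# Example usage (zone and interface names are assumptions):
#   FW_DRY_RUN=0 sh ./firewalld-zone.sh   # as root, on a firewalld host
lock_down_interface public eth0 ssh https
zone_report public
```

With FW_DRY_RUN unset the script only writes the firewall-cmd lines it would run to the file named by FW_LOG, which is a convenient way to review a change before applying it as root.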

Firewalld 1.3

Firewalld is currently at version 1.3, which was released recently. The highlights of this release are:

  • Added a service for Warpinator, the file sharing application developed by the Linux Mint distribution.
  • Added the bareos-director, bareos-filedaemon and bareos-storage services to support the Bareos backup system.
  • For the nftables backend, masquerade rules can now be applied to network interfaces bound to the zone that handles the incoming traffic. The iptables backend does not support this.
  • Added a service for the Nebula peer-to-peer overlay network.
  • Added a service for the Ceph exporter that publishes metrics to Prometheus.
  • Added a service supporting the OMG DDS (Object Management Group Data Distribution Service) protocol.
  • Added a service for answering client host-name lookups over LLMNR (Link-Local Multicast Name Resolution). Since LLMNR answers can be spoofed by any host on the link, enable it only where it is actually needed.
  • Added a service for the ps2link protocol used to communicate with PlayStation 2 game consoles.
  • Added a service supporting the Syncthing file synchronization system in server mode.

If you want to know more about this release, the details are in the following link.

Get Firewalld

Finally, for those interested in installing this firewall: the project is already in use on many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and released under the GPLv2 license.

You can get the source code for your build from the link below.


  1.   Seba said

    Does it have support for Wayland?

  2.   luisito said

    It makes sense that you go to the island of foxes in Japan and you bring all the foxes and put them to take care of your chicken coop... yes, gentlemen, that is dbus to manage the filtering rules.