firewalld, the firewall management tool, reaches version 2.0


firewalld, an excellent utility that protects and blocks network traffic

A few days ago the release of firewalld 2.0 was announced. It is a major version that, besides marking a new branch, was released to correct problems with policies, improve support and more.

For those unfamiliar with firewalld: it is implemented as a wrapper over the nftables and iptables packet filters. Firewalld runs as a background process that lets packet-filter rules be changed dynamically over D-Bus, without reloading the whole rule set and without dropping established connections.

The firewall is managed with the firewall-cmd utility. When creating rules it works not with IP addresses, network interfaces and port numbers but with service names, for example to open or close access to SSH.

The firewall-config (GTK) graphical interface and the firewall-applet (Qt) applet can also be used to change firewall settings. Management through the firewalld D-Bus API is supported by projects such as NetworkManager, libvirt, podman, docker and fail2ban.

In addition, firewalld keeps the running (runtime) configuration and the permanent configuration separate, and it provides an interface through which applications can add rules in a convenient way.

Main new features of firewalld 2.0

As mentioned at the beginning, this release stands out for introducing policy changes that break backwards compatibility. They fix the problem of rules that process incoming packets only with respect to a single zone when that zone's address ranges overlap with those of other zones: if the address ranges of zones overlap, a packet could fall into several zones and the specified rules were ignored.

Another change that stands out in firewalld 2.0 is the added support for nftables flowtables, a forwarding fast path for packets that can significantly improve traffic-forwarding performance.

A NftablesCounters configuration option has also been added to enable nftables packet counters. With NftablesFlowtable enabled, firewalld improved iperf throughput for forwarded traffic by approximately 59%.

Support has also been added for setting different priorities for zones, which lets the user control the order in which packets are matched against zones.
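The two changes above (the overlapping-source problem that the policy rework fixes, and zone priorities) are easier to reason about when you can see your own zone files. The following is an added example, not code from the article or from the firewalld project: a small auditor that parses firewalld.conf for the NftablesFlowtable and NftablesCounters keys, parses zone XML files, reports source ranges that are claimed by more than one zone, and lists the zones in priority order. The configuration and zone files below are constructed samples; the zone `priority` attribute follows firewalld.zone(5), and the tie-break by zone name for equal priorities is an assumption of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed sample firewalld.conf fragment (not a real file from any host).
SAMPLE_CONF = """\
# firewalld config file
DefaultZone=public
NftablesFlowtable=off
NftablesCounters=no
"""

# Constructed zone definitions. "internal" and "restricted" overlap:
# 10.1.2.0/24 lies inside 10.0.0.0/8, which is exactly the situation
# the article describes. The priority attribute is optional; 0 is the default.
SAMPLE_ZONES = {
    "internal": """<zone>
  <short>Internal</short>
  <service name="ssh"/>
  <source address="10.0.0.0/8"/>
</zone>""",
    "restricted": """<zone priority="-10" target="DROP">
  <short>Restricted</short>
  <source address="10.1.2.0/24"/>
  <source address="192.0.2.0/24"/>
</zone>""",
    "dmz": """<zone>
  <short>DMZ</short>
  <source address="198.51.100.5"/>
</zone>""",
}


def parse_conf(text):
    """Parse key=value lines of firewalld.conf, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def nftables_features(conf):
    """Report whether the nftables flowtable and packet counters are enabled."""
    flowtable = conf.get("NftablesFlowtable", "off")
    counters = conf.get("NftablesCounters", "no")
    return {
        "flowtable_enabled": flowtable.lower() != "off",
        # When enabled, the value names the interfaces added to the flowtable.
        "flowtable_interfaces": [] if flowtable.lower() == "off" else flowtable.split(),
        "counters_enabled": counters.lower() == "yes",
    }


def parse_zone(name, xml_text):
    """Extract the priority and the IP source networks from one zone XML document."""
    root = ET.fromstring(xml_text)
    priority = int(root.get("priority", "0"))
    sources = []
    for src in root.findall("source"):
        addr = src.get("address")
        if addr:  # MAC and ipset sources carry no address attribute; skip them
            sources.append(ipaddress.ip_network(addr, strict=False))
    return {"name": name, "priority": priority, "sources": sources}


def overlapping_sources(zones):
    """Return (zone_a, range_a, zone_b, range_b) for every pair of overlapping ranges."""
    overlaps = []
    for a, b in combinations(zones, 2):
        for na in a["sources"]:
            for nb in b["sources"]:
                if na.version == nb.version and na.overlaps(nb):
                    overlaps.append((a["name"], str(na), b["name"], str(nb)))
    return overlaps


def evaluation_order(zones):
    """Zones ordered by priority (lower value first); name breaks ties (assumed)."""
    return [z["name"] for z in sorted(zones, key=lambda z: (z["priority"], z["name"]))]


def audit(conf_text, zone_texts):
    """Run the whole check and return a report dictionary."""
    zones = [parse_zone(n, x) for n, x in zone_texts.items()]
    return {
        "nftables": nftables_features(parse_conf(conf_text)),
        "overlaps": overlapping_sources(zones),
        "order": evaluation_order(zones),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONF, SAMPLE_ZONES)
    print("nftables:", report["nftables"])
    for za, ra, zb, rb in report["overlaps"]:
        print(f"overlap: {za} {ra} <-> {zb} {rb}")
    print("zone evaluation order:", " > ".join(report["order"]))
```

On a real host the zone files live under /etc/firewalld/zones/ (user overrides) and /usr/lib/firewalld/zones/ (distribution defaults); feed each file's text to `parse_zone` keyed by its file name without the `.xml` suffix. With the sample above the report shows that the only overlap is 10.1.2.0/24 inside 10.0.0.0/8, and that giving "restricted" a lower priority value makes it win that overlap, which is the behaviour zone priorities were added to make explicit.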

It is also worth mentioning that firewalld 2.0 removes the TFTP client service, which basically did not work as expected: it was added to allow access to TFTP servers, but it "never actually worked" when added to a zone.

Other notable changes in this new version:

  • Added services for Zabbix Java Gateway and Zabbix Web Service.
  • Added services for Minecraft, 0AD, Anno 1602, Anno 1800, Civilization IV, Civilization V, Factorio, Need For Speed: Most Wanted, Stellaris, Stronghold Crusader, SuperTuxKart, Terraria, Zero-K and Settlers.
  • Added a service for OpenTelemetry (OTLP).
  • Policies also ignore some long-standing zone rules:
    – Sources are always processed before interfaces
    – Sources are sorted by zone name

If you are interested in learning more about this new version, you can consult the details at the following link.

Get Firewalld

Finally, for those interested in installing this firewall: the project is already used by many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and is released under the GPLv2 license.

You can get the source code for your build from the link below.
