Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.

Benefits of using firewalld

Changes can be done immediately in the runtime environment. No restart of the service or daemon is needed.

With the firewalld D-Bus interface it is simple for services, applications and also users to adapt firewall settings. The interface is complete and is used for the firewall configuration tools firewall-cmd, firewall-config and firewall-applet.

The separation of the runtime and permanent configuration makes it possible to do evaulation and tests in runtime. The runtime configuration is only valid up to the next service reload and restart or to a system reboot. Then the permanent configuration will be loaded again. With the runtime environment it is possible to use runtime for settings that should only be active for a limited amount of time. If the runtime configuration has been used for evaluation, and it is complete and working, then it is possible to save this configuration to the permanent environment.

Features

  • Complete D-Bus API
  • IPv4, IPv6, bridge and ipset support
  • IPv4 and IPv6 NAT support
  • Firewall zones
  • Predefined list of zones, services and icmptypes
  • Simple service, port, protocol, source port, masquerading, port forwarding, icmp filter, rich rule, interface and source address handlig in zones
  • Simple service definition with ports, protocols, source ports, modules (netfilter helpers) and destination address handling
  • Rich Language for more flexible and complex rules in zones
  • Timed firewall rules in zones
  • Simple log of denied packets
  • Direct interface
  • Lockdown: Whitelisting of applications that may modify the firewall
  • Automatic loading of Linux kernel modules
  • Integration with Puppet
  • Command line clients for online and offline configuration
  • Graphical configuration tool using gtk3
  • Applet using Qt5

Who is using it?

firewalld is used in the following Linux distributions as the default firewall management tool:

  • RHEL 7 and newer
  • CentOS 7 and newer
  • Fedora 18 and newer
  • SUSE 15 and newer
  • OpenSUSE 15 and newer
  • Available for several other distributions

Applications and libraries which support firewalld as a firewall management tool include: