firewalld 0.4.4.4 release

The new firewalld version 0.4.4.4 is available as a third bug fix release for 0.4.4.

The main changes are

Drop all references to fedorahosted.org

fedorahosted.org has been shut down. The spec file and Makefile.am has been adapted to use the archive from the github repo instead.

Fix inconsistent order of source bindings

The order of zones has been inconsistent since the transaciton model has been introduced. This also resulted in inconsistent ordering of source bindings in the INPUT_ZONE_SOURCE chain.

The load order of zones is now preserved by using a dictionary that preserves the order of the added items.

This fixes issue #166 and RHBZ#1421222

Fix ipset overloading from /etc/firewalld/ipsets

The overloading of ipsets from /etc/firewalld/ipsets has been broken with version 0.4.4.3. The check if an ipset has been applied already is used only now if ipsets are about to get modified.

This fixes RHBZ#1423941.

Fix permanent rich rules using icmp-type elements

Rich language rules using the icmp-type element have not been saved properly. The code to handle the icmp-type element in the zone writer has been missing and this has only been logged as a warning. An element without name has been created because of this. This resulted in a corrupt zone file.

The code to handle the icmp-type element has been added and the warning for an unknown element has been transformed into a FirewallError. A curruption of the zone file can not happen anymore with an unhandled element.

This fixes RHBZ#1434763.

Check if ICMP types are supported by kernel

The supported ICMP types are now gathered from the kernel to be able to check the types before trying to use them. This helps to preserve the speed with the transaction model.

This is related to RHBZ#1401978.

Show icmptypes and ipsets with type errors in permanent environment

Type errors for ipsets and icmptypes resulted in a load failure while loading the config file. The type are occuring if an invalid type is used or if the type is not supported be the kernel.

These ipsets and icmptypes have been invisible in the runtime and also in the permanent environment. This has been fixed and these items are now visible in the permanent environment to be able to edit them.

firewall-config: Show invalid ipset types

Invalid ipset types are now shown in the ipset configuration dialog in the permanent environment in a special label.

firewall-config: Deactivate modify buttons if there are no items

Deactivate the edit and remove buttons for zones, services, ipsets, icmptypes and helpers if there are no items in the list.


The new firewalld version 0.4.4.4 is available here:


firewalld 0.4.4.3 release

The new firewalld version 0.4.4.3 is available as a second bug fix release for 0.4.4.

The main changes are

Speed up of large file loading

The loading of large config files has been optimized in the generic io handler. This results in a huge speed up for big config files.

Support for more ipset types

This is the list of ipset types that can now be managed by firewalld:

  • hash:ip
  • hash:ip,port
  • hash:ip,port,ip
  • hash:ip,port,net
  • hash:ip,mark
  • hash:net
  • hash:net,net
  • hash:net,port
  • hash:net,port,net
  • hash:net,iface
  • hash:mac

To speed up the generation and to simplifay the ipset generation in transactions, new checks have been added to be able to verify ipset entries according to the the ipset type.

Currently there is no way to define how ipsets are used as sources, therefore only a limited list of ipset types can be used as sources in zones at the moment. These are:

  • hash:ip
  • hash:ip,port
  • hash:ip,mark
  • hash:net
  • hash:net,port
  • hash:net,iface
  • hash:mac

The source and destination flags for the ipset types parts will be added with a later release.

Speed up of adding or removing entries for ipsets from files

The file import has been optimized in several places: The loading of the import file, the checks on the imported entries, the way how entres from this file are added or removed and also the way how this is then imported into firewalld.

Support icmp-type usage in rich rules

ICMP types can now be used as elements in rich language rules. With this it is possible to have more fine grained ICMP type handling with the ability to combine them with an address, logging and also an action.

Support for more icmp types

This is the list of ICMP types that can now be used by firewalld for ICMP blocking and also in rich language rules:

address-unreachable, bad-header, beyond-scope, communication-prohibited,
failed-policy, fragmentation-needed, host-precedence-violation,
host-prohibited, host-redirect, host-unknown, host-unreachable,
ip-header-bad, neighbour-advertisement, neighbour-solicitation,
network-prohibited, network-redirect, network-unknown, network-unreachable,
no-route, packet-too-big, port-unreachable, precedence-cutoff,
protocol-unreachable, reject-route, required-option-missing,
source-route-failed, tos-host-redirect, tos-host-unreachable,
tos-network-redirect, tos-network-unreachable, ttl-zero-during-reassembly,
ttl-zero-during-transit, unknown-header-type, unknown-option

Support for h323 conntrack helper

The conntrack helper h323 can now be used with enabled and disabled automatic helper assignment. The helper is not diretly usable with disabled automatic helper assignment and therefore needs to be replaced by the helpers that the netfilter kernel module provides.

For disabled automatic helper assignment: If there are no helper ports defined in a firewalld helper configuration file, then firewalld tries to replace the helper with all the helpers that are provided by the netfilter helper module in the kernel. But only with the ones where a firewalld helper configuration exists. The H.245 helper is not usable right now because of an issue in the helper code in netfilter. Therefore there is no H.245 helper provided by firewalld at the moment as there is no way to properly detect a fixed version at the moment.

New services

freeipa-trust, mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync

Code cleanup and several other bug fixes

Translation updates


The new firewalld version 0.4.4.3 is available here:


firewalld 0.4.4.2 release

The new firewalld version 0.4.4.2 is available as a second bug fix release for 0.4.4.

The main changes are

Lazy NMClient creation

The NMClient creation is now delayed till it is really used. With firewalld version 0.4.4 it has been created at import time of the fw_nm module, which could result in a start issue with NetworkManager.

Use configure for kmod utils path detection

The kmod utils are not placed in the paths for all distributions. The tools and their path is now detected within the configure call.

Enhancements and fixes for the ifcfg io backend

The ifcfg io file backend is now properly hadnling quoted values and is not failing on shell script code in the ifcfg file.

Do not reset ZONE with ifdown and enabled network service

On reboot or shutdown the zone has been reset to default in an ifcfg file if the network service was enabled and controlling the interface.

The call of firewall-cmd --remove-interface in ifdown.post is now only removing the zone binding in the firewall, but not modifying the ifcfg file anymore.

Translation updates


The new firewalld version 0.4.4.2 is available here:


firewalld 0.4.4.1 release

The new firewalld version 0.4.4.1 is available as a bug fix release for 0.4.4.

The main changes are

firewall-config: Use proper source check in sourceDialog (issue #162)

firewallctl: Use sys.excepthook to force exception_handler usage always

firewallctl: Support helpers


The new firewalld version 0.4.4 is available here:


firewalld 0.4.4 release

The new firewalld version 0.4.4 is available as an enhancement and bug fix release.

The main changes are

Support Recognition of Automatic Helper Assignment Setting

Automatic helper assignment has been disabled in kernel 4.7. firewalld version 0.4.4 is now able to recognize this and to create rules if automatic helper assignment has been turned off to make conntrack helpers work again. If automatic helper assignment is turned on, then firewalld will behave as before.

For more information about the use of netfilter conntrack helper, please have a look at Automatic Helper Assignment

Firewall-applet is now using Qt5

The firewall applet has been ported from Qt4 to Qt5.

Fixes LogDenied for zone reject targets

The logging rules for LogDenied have been placed after the reject rules for zones using the reject targets. The logging rules are now placed before these reject rules to fix logging.

Does not abort transaction on failed ipv6_rpfilter rules

The existing transaction will be executed before trying to add the rules for ipv6_rpfilter and a new transaction will be used to apply the ipv6_rpfiler rules. If this transaction fails, a warning is printed out and the remaining rules are applied with the next transaction.

Enhancements for the command line tools

The command line tools are now more consistent with errors and error codes in sequence options. The NOT_AUTHORIZED error is now also working.

New services

The services cfengine, condor-collector and smtp-submission have been added.

Several other enhancements and fixes


The new firewalld version 0.4.4 is available here: