firewalld 0.4.4.3 release

Feb 10, 2017 • Thomas Woerner

The new firewalld version 0.4.4.3 is available as the third bug fix release for 0.4.4.

The main changes are

Speed up of large file loading

The loading of large config files has been optimized in the generic io handler. This results in a huge speed up for big config files.

Support for more ipset types

This is the list of ipset types that can now be managed by firewalld:

  • hash:ip
  • hash:ip,port
  • hash:ip,port,ip
  • hash:ip,port,net
  • hash:ip,mark
  • hash:net
  • hash:net,net
  • hash:net,port
  • hash:net,port,net
  • hash:net,iface
  • hash:mac

To speed up the generation and to simplifay the ipset generation in transactions, new checks have been added to be able to verify ipset entries according to the the ipset type.

Currently there is no way to define how ipsets are used as sources, therefore only a limited list of ipset types can be used as sources in zones at the moment. These are:

  • hash:ip
  • hash:ip,port
  • hash:ip,mark
  • hash:net
  • hash:net,port
  • hash:net,iface
  • hash:mac

The source and destination flags for the ipset types parts will be added with a later release.

Speed up of adding or removing entries for ipsets from files

The file import has been optimized in several places: The loading of the import file, the checks on the imported entries, the way how entres from this file are added or removed and also the way how this is then imported into firewalld.

Support icmp-type usage in rich rules

ICMP types can now be used as elements in rich language rules. With this it is possible to have more fine grained ICMP type handling with the ability to combine them with an address, logging and also an action.

Support for more icmp types

This is the list of ICMP types that can now be used by firewalld for ICMP blocking and also in rich language rules:

address-unreachable, bad-header, beyond-scope, communication-prohibited,
failed-policy, fragmentation-needed, host-precedence-violation,
host-prohibited, host-redirect, host-unknown, host-unreachable,
ip-header-bad, neighbour-advertisement, neighbour-solicitation,
network-prohibited, network-redirect, network-unknown, network-unreachable,
no-route, packet-too-big, port-unreachable, precedence-cutoff,
protocol-unreachable, reject-route, required-option-missing,
source-route-failed, tos-host-redirect, tos-host-unreachable,
tos-network-redirect, tos-network-unreachable, ttl-zero-during-reassembly,
ttl-zero-during-transit, unknown-header-type, unknown-option

Support for h323 conntrack helper

The conntrack helper h323 can now be used with enabled and disabled automatic helper assignment. The helper is not diretly usable with disabled automatic helper assignment and therefore needs to be replaced by the helpers that the netfilter kernel module provides.

For disabled automatic helper assignment: If there are no helper ports defined in a firewalld helper configuration file, then firewalld tries to replace the helper with all the helpers that are provided by the netfilter helper module in the kernel. But only with the ones where a firewalld helper configuration exists. The H.245 helper is not usable right now because of an issue in the helper code in netfilter. Therefore there is no H.245 helper provided by firewalld at the moment as there is no way to properly detect a fixed version at the moment.

New services

freeipa-trust, mssql, kibana, elasticsearch, quassel, bitcoin-rpc, bitcoin-testnet-rpc, bitcoin-testnet, bitcoin and spideroak-lansync

Code cleanup and several other bug fixes

Translation updates

The new firewalld version 0.4.4.3 is available here:

firewalld 0.4.4.2 release

Dec 1, 2016 • Thomas Woerner

The new firewalld version 0.4.4.2 is available as a second bug fix release for 0.4.4.

The main changes are

Lazy NMClient creation

The NMClient creation is now delayed till it is really used. With firewalld version 0.4.4 it has been created at import time of the fw_nm module, which could result in a start issue with NetworkManager.

Use configure for kmod utils path detection

The kmod utils are not placed in the paths for all distributions. The tools and their path is now detected within the configure call.

Enhancements and fixes for the ifcfg io backend

The ifcfg io file backend is now properly hadnling quoted values and is not failing on shell script code in the ifcfg file.

Do not reset ZONE with ifdown and enabled network service

On reboot or shutdown the zone has been reset to default in an ifcfg file if the network service was enabled and controlling the interface.

The call of firewall-cmd --remove-interface in ifdown.post is now only removing the zone binding in the firewall, but not modifying the ifcfg file anymore.

Translation updates

The new firewalld version 0.4.4.2 is available here:

firewalld 0.4.4.1 release

Nov 10, 2016 • Thomas Woerner

The new firewalld version 0.4.4.1 is available as a bug fix release for 0.4.4.

The main changes are

firewall-config: Use proper source check in sourceDialog (issue #162)

firewallctl: Use sys.excepthook to force exception_handler usage always

firewallctl: Support helpers

The new firewalld version 0.4.4 is available here:

firewalld 0.4.4 release

Oct 31, 2016 • Thomas Woerner

The new firewalld version 0.4.4 is available as an enhancement and bug fix release.

The main changes are

Support Recognition of Automatic Helper Assignment Setting

Automatic helper assignment has been disabled in kernel 4.7. firewalld version 0.4.4 is now able to recognize this and to create rules if automatic helper assignment has been turned off to make conntrack helpers work again. If automatic helper assignment is turned on, then firewalld will behave as before.

For more information about the use of netfilter conntrack helper, please have a look at Automatic Helper Assignment

Firewall-applet is now using Qt5

The firewall applet has been ported from Qt4 to Qt5.

Fixes LogDenied for zone reject targets

The logging rules for LogDenied have been placed after the reject rules for zones using the reject targets. The logging rules are now placed before these reject rules to fix logging.

Does not abort transaction on failed ipv6_rpfilter rules

The existing transaction will be executed before trying to add the rules for ipv6_rpfilter and a new transaction will be used to apply the ipv6_rpfiler rules. If this transaction fails, a warning is printed out and the remaining rules are applied with the next transaction.

Enhancements for the command line tools

The command line tools are now more consistent with errors and error codes in sequence options. The NOT_AUTHORIZED error is now also working.

New services

The services cfengine, condor-collector and smtp-submission have been added.

Several other enhancements and fixes

The new firewalld version 0.4.4 is available here:

Automatic Helper Assignment

Oct 31, 2016 • Thomas Woerner

With kernel 4.7 and up the automatic helper assignment in kernel has been turned off by default. Netfilter conntrack helpers like for example nf_conntrack_ftp now need to be used in a different way. See Secure use of iptables and connection tracking helpers for more information.

The new AutomaticHelpers configuration setting has been added to firewalld.conf:

# AutomaticHelpers
# For the secure use of iptables and connection tracking helpers it is
# recommended to turn AutomaticHelpers off. But this might have side effects on
# other services using the netfilter helpers as the sysctl setting in
# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
# With the system setting, the default value set in the kernel or with sysctl
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers=system

firewalld is now checking the /proc/sys/net/netfilter/nf_conntrack_helper kernel setting at start. With AutomaticHelpers set to system, this is the default, firewalld will use the actual setting in the kernel. This could wither be the default in the kernel itself or has been set using sysctl.

If automatic helper assignment is turned off, firewalld will create rules in the PREROUTING chain of the raw table to enable the helper for the zone, where it is used. For this it uses the helper settings defined in the new helpers. These are the nf_conntrack_ module that provides the helper, the optional family if a helper could only be used for IPv4 or IPv6 and also the ports. The helper will only listen on the ports defined in the helper configuration. If there is a need to modify these ports, then it is possible to create an adapted configruaiton either with the GUI or command line tools or by copying the file to /etc/firewalld/helpers. If you want to change the protocol, please make sure that the helper is able to use this protocol. There is only a limited amount of helpers that are abel to handle more than one protocol.

Here is an eample of the ftp helper added by enabling the ftp service in the public zone:

# iptables -t raw -S | grep CT
-A PRE_public_allow -p tcp -m tcp --dport 21 -j CT --helper ftp

A new backend has been added, the D-Bus interface has been extended, also the GUI and command line tools and the documentation.