firewalld release

The new firewalld version is available as a bug fix only release for version 0.4.3.

The main changes are

Fix regression with unavailable optional commands

When a command is not available, new implementation to run a program raises an unexpected error which is not being handled by the callers. An emulation of the old behaviour has been added to fix this regression.

Revert to individual calls on missing restore commands

If iptables is available but not iptables-restore, then the transaction model was not able to apply firewall rules. With this change, individual calls will be used for missing restore commands. This applies to iptables, ip6tables and also ebtables.

Only ask for authentication once for add and remove options

With the use of the command backend a not authorized user was asked two times to authenticate for a query and later for the add or remove action that are done internally. With sequence options, the user was asked two times the number of options.

New RH-Satellite-6 service

The service has been included finally in the release. It does not need to be added in RHEL now.

The new firewalld version is available here:

firewalld release

The new firewalld version is available as a bug fix only release for version 0.4.3.

The main changes are

Fixes missing ICMP rules for some zones

The zone specific ICMP rules for ICMP block inversion have been missing in zones with bindings, that are defined in the zone configuration file.

Fixes issue with running programs using Python3

With using Python3 for firewalld, firewall rules have not been applied in some cases without an error message.

Splits up source and destination address lists for transaction

A direct rule could contain source and destination address lists. iptables splits them up to only contain one source and one destination address at maximum. This is also needed in firewalld especially with the transaction model that uses the restore commands.

Completed firewallctl and firewallctl man page

The firewallctl command line tool and also the man page of firewallctl have been completed.

There are also other bug fixes.

The new firewalld version is available here:

firewalld 0.4.3 release

The new firewalld version 0.4.3 is available with mostly bug fixes and some usability enhancements.

The main changes are

Add and remove several ipset entries with firewall-config

The graphical configuration tool firewall-config now also has the ability to add and remove ipset entries loaded from a file. This is the same as the the command line options –add-entries-from-file and –remove-entries-from-file. This is possible in the runtime and also to the permanent environment.

Create backup on removal of zones, services, ipsets and icmptypes

The configuration of a zone, service, ipset or icmptype is now preserved in a backup file on removal. The backup file has an additional “.old” extension. This makes it possible to manually undo removals.

Additional information zone handling with NetworkManager and ifcfg files

With version 0.4.2 the zone handling with NetworkManager and ifcfg files has ben changed to be more expected. Information about this hndling has been added to the firewalld and zone man pages.

Sequence options in all command line utilities

All command line utilities now support sequence options. It is now for example simply possible to add, remove and query several services in a zone.

New firewallctl command line utility

The new command line utility is an addition to the existing firewall-cmd and firewall-offline-cmd tools. It provides an other interface with shorter names.

Updated and new services

The high-availability service now also opens the port 5403/tcp for corosync-qnetd.

The new services are: kshell, rsh, ganglia-master and ganglia-client

Test suite enhancements

There are other bug fixes and also code clean ups.

The new firewalld version 0.4.3 is available here:

firewalld 0.4.2 release

The new firewalld version 0.4.2 is available with enhancements, bug fixes and very nice speed ups.

The main changes are

New transaction model

Changes are done in one big transaction instead of smaller ones. This speeds up firewalld start and restart tremendously. The start is done up to in six or nine calls to the restore commands depending on the configuration. This depends on ipset and also direct configuration usage. Also all other actions benefit from this change.

Enhanced handling of connections and interfaces

For interfaces that are handled by NetworkManager, requests to add or change bindings are directed to NetworkManager in the firewall-cmd and firewall-config tools. For interfaces on Fedora and RHEL systems that are not handled by NM, there is a new mechanism that changes the ifcfg file if there is one using the interface. This makes zone interface bindings more consistent.

Usability enhancements for firewall-config

firewall-config has a new side bar with the active bindings of connections, interfaces and also sources. With this side bar it is possible to change the binding assignments in a simple way. A new overlay message window if the connection to firewalld could not be established or if it is lost. Speed ups for view changes runtime to permanent and back by introduction of new D-Bus methods in firewalld. The resize behavior has been fixed to be more expected.

Enhanced runtime to permanent migration

The enhanced migration is not saving interfaces that are under control of NetworkManager to the permanent configuration. Zones, services etc. are only migrated if there are changes compared to current permanent configuration.

New ICMP block inversion

The ICMP block is now completely handled per zone. With the new ICMP block inversion flag in the zone it is possible to invert the ICMP block. That means that the enabeld ICMP blocks are allowed and all others are blocked. In a drop zone these remaining types are dropped and not blocked. The logging of denied rules have been added to icmp-blocks.

Source port support in zones, services and rich rules

Additionally to ports is it also now possible to allow source ports in a zones and also in a service in a similar way as existing ports. There is a new flag source-port for this. Source ports can also be used in rich rules as elements. The source ports can be combined with logging, limiting and also an action.

Rich rules with destination only

Destination addresses can now be used in rich rules without an element. This enabled the use of rich rules containing destination addresses combined with an action and logging only.

There are also several other bug fixes or enhancements and code optimizations.

The new firewalld version 0.4.2 is available here:

More firewalld speed ups

Previously firewalld got a nice speed up by using the iptables restore commands, that made it possible to commit several changes at once. Now there is also a transaction model using these commands, which enables firewalld to apply lots of rules at once. For example to apply a single zone or also to apply the default rules and all zones while loading.

Here are some comparison numbers of the old firewalld version 0.3.9 in RHEl-7.2, the actual firewalld version and the development version 0.4.2 that will be released soon.


The diagram shows the time that is needed to start firewalld with loading of all config files, applying all rules and the generation of the D-Bus interfaces.

Each of the zones has 5 interface bindings which are therefore active and also applied.

Here is the table with all numbers:

Active zones 0.3.9 EL7 pre 0.4.2
0 317 - 1.32s 335 - 0.31s 335 - 0.18s
5 1037 - 5.59s 1055 - 1.53s 1055 - 0.19s
10 1757 - 11.69s 1775 - 3.11s 1775 - 0.24s
20 3197 - 27.00s 3215 - 7.35s 3215 - 0.40s
30 4637 - 54.08s 4655 - 16.65s 4655 - 0.49s
50 7517 - 145.01s 7535 - 47.95s 7535 - 0.90s
100   14735 - 298.34s 14735 - 1.81s
200     29135 - 3.40s
500     72335 - 6.33s
1000     144335 - 13.35s

The empty fields are not bench marked anymore, because it will take too much time. The first number in the cells is the number of rules. Since firewalld version, there are some extra rules because of a better way to handle zones with accept, reject or drop targets.

The number of rules is gathered with the command

 (iptables-save; ip6tables-save; ebtables-save) | wc -l

The firewalld start method has been extended with time callsin the beginning and the end to get the time difference.

The test are done on a Lenovo ThinkPad T510 with an i7M620 CPU and a normal HDD running RHEL-7.2. The ebtables package has been patched with the upstream noflush patch for ebtables-restore. Without this option firewalld will not use ebtables-restore. The tested firewalld version additionally contains a fix for ebtables-restore usage.