ipset support

The support for ipsets has been added to the git repo of firewalld and will be available with the next version. This will be version 0.4.0 and is planned to be released in the coming days.

With ipsets it is simple to create black or white lists for IP, network or MAC addresses. An ipset can simply be bound to a zone or used in rich rules. With the use in rich rules, more complex rules can be created as well.

The advantage of using ipsets is that, in the blacklist example, it is not necessary to add one rule per IP address that needs to be blocked. Only one rule is added to the firewall that uses the ipset for blacklisting, and matching against the set entries is a lot faster.

Here is an example for a blacklist creation using an ipset for IPv4:

To create the ipset blacklist for IPv4:

firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip

Reload to make the ipset usable in runtime environment:

firewall-cmd --reload

Add runtime only entries to the blacklist:

firewall-cmd --ipset=blacklist --add-entry=192.168.1.4
firewall-cmd --ipset=blacklist --add-entry=192.168.1.6
firewall-cmd --ipset=blacklist --add-entry=192.168.1.8
firewall-cmd --ipset=blacklist --add-entry=192.168.1.10

Add a rich rule in the default zone for dropping all entries on the blacklist:

firewall-cmd --add-rich-rule='rule source ipset=blacklist drop'

To create the ipset blacklist6 for IPv6:

firewall-cmd --permanent --new-ipset=blacklist6 --type=hash:ip --option=family=inet6

The option family needs to be set to inet6 to make sure that the ipset uses IPv6 addresses.

Reload to make the ipset usable in runtime environment:

firewall-cmd --reload

Add runtime only entries to the blacklist6:

firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0004
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0006
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0008
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0010

Add a rich rule in the default zone for dropping all entries on the blacklist6:

firewall-cmd --add-rich-rule='rule source ipset=blacklist6 drop'
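The steps above, collected into a script: this is an added example and not part of firewalld or of this post. It loads addresses from a file into the two blacklist ipsets created above, routing each entry to the set of its address family so that an IPv6 address is never fed to the inet ipset, adds each entry both permanently and at runtime, and then attaches the drop rules. The set names, the entry file format and the FIREWALL_CMD override (for a dry run with FIREWALL_CMD=echo) are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of firewalld or this post: load a file of addresses
# into the blacklist ipsets created above, routing each entry to the set of
# its address family, then attach the drop rules. The set names and the
# FIREWALL_CMD override are assumptions of this script (FIREWALL_CMD=echo dry-runs).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
SET4="${SET4:-blacklist}"     # hash:ip set for IPv4 (family inet)
SET6="${SET6:-blacklist6}"    # hash:ip set for IPv6 (family inet6)

# Succeed if $1 is four dotted decimal octets in 0..255.
# Runs in a subshell so the IFS change stays local.
is_ipv4() (
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
)

# Loose IPv6 check: hex digits and colons only, with at least two colons.
# Enough to keep an IPv6 entry out of the IPv4 set; the kernel rejects malformed entries anyway.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ipset an entry belongs to; fail for anything that is not a plain address.
ipset_for_entry() {
    if is_ipv4 "$1"; then
        echo "$SET4"
    elif is_ipv6 "$1"; then
        echo "$SET6"
    else
        return 1
    fi
}

# Add one entry both permanently (survives --reload) and at runtime (effective now),
# mirroring the two kinds of steps in the walkthrough above.
blacklist_entry() {
    set_name=$(ipset_for_entry "$1") || {
        echo "skipping invalid entry: $1" >&2
        return 1
    }
    "$FIREWALL_CMD" --permanent --ipset="$set_name" --add-entry="$1" &&
        "$FIREWALL_CMD" --ipset="$set_name" --add-entry="$1"
}

# Read entries from a file, one per line; '#' comments and blank lines are ignored.
# Results are reported in BLACKLIST_ACCEPTED / BLACKLIST_REJECTED.
blacklist_from_file() {
    BLACKLIST_ACCEPTED=0
    BLACKLIST_REJECTED=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')     # strip whitespace
        [ -n "$line" ] || continue
        if blacklist_entry "$line"; then
            BLACKLIST_ACCEPTED=$((BLACKLIST_ACCEPTED + 1))
        else
            BLACKLIST_REJECTED=$((BLACKLIST_REJECTED + 1))
        fi
    done < "$1"
    echo "accepted $BLACKLIST_ACCEPTED entries, rejected $BLACKLIST_REJECTED" >&2
}

# One rich rule per set drops every source on that list; added permanently and at runtime.
apply_drop_rules() {
    for set_name in "$SET4" "$SET6"; do
        "$FIREWALL_CMD" --permanent --add-rich-rule="rule source ipset=$set_name drop" &&
            "$FIREWALL_CMD" --add-rich-rule="rule source ipset=$set_name drop" || return 1
    done
}

# Usage: FIREWALL_CMD=echo sh blacklist.sh entries.txt   (dry run, prints the commands)
#        sh blacklist.sh entries.txt                     (applies the changes, run as root)
if [ $# -eq 1 ]; then
    blacklist_from_file "$1"
    apply_drop_rules
fi
```

The script assumes both ipsets already exist (created with --new-ipset as shown above and made active with --reload). Because every entry is added with and without --permanent, the lists are effective immediately and also survive a later reload, which the runtime-only entries in the walkthrough would not.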

firewall-config is also able to handle MAC addresses.

There is one limitation with ipset usage in firewalld though:

If the timeout option is used for an ipset, it is not possible to list the entries of the ipset with firewalld, as the timeout handling is done directly in kernel space, and adding additional timers for each entry could result in a high load on firewalld.


11th Netfilter Workshop

Thomas Woerner has been at the 11th Netfilter Workshop (22nd-26th June 2015, Budapest, Hungary) to discuss firewalld, the use of netfilter and also nftables integration.

The slides are available here: nfws2015-firewalld


firewalld 0.3.14.2 release

The new firewalld version 0.3.14.2 is available as a bug fix only release for version 0.3.14. It provides a small fix for the applet and firewall-config to only honour active connections from NetworkManager, an adapted firewall-applet man page and a QSettings fix.


The new firewalld version 0.3.14.2 is available here:


firewalld 0.3.14.1 release

The new firewalld version 0.3.14.1 is available as a bug fix only release for version 0.3.14. It provides a small fix for the new firewall-applet to make it work also when autostarted by KDE5.


The new firewalld version 0.3.14.1 is available here:


firewalld 0.3.14 release

The new firewalld version 0.3.14 is available with several enhancements and bug fixes.

The main changes are:

Enabled the use of firewalld without firewalld.conf

Firewalld can now be used without a firewalld.conf file in /etc/firewalld. The fallback settings are used in this case.

ebtables support

ebtables is now supported and can be used in direct chains and rules.

Rich Language

Masquerading with a destination address is now possible. Forwarding rules are now limited to new connections.

Reload with direct rules

The issue while reloading with permanent direct rules has been fixed.

firewall-applet

The applet has been ported to Qt4 as the StatusIcon support in Gtk3 has been deprecated. A port to a Gnome-only applet is not possible as it would only be usable in Gnome3. The solution proposed by gtk upstream, to port back to gtk2, is also not possible, as gtk2 is a dead end and will not be usable together with dbus and polkit in Python.

Unlike the former Gtk3 version, the Qt4 applet did not need workarounds or tweaks to make it work in different desktop environments like Gnome, KDE4, KDE5, Mate, Xfce and others.

Python 3 support

An additional bindings sub-package for Python 3 has been added. There are now python-firewall and python3-firewall.

Migration to github

The source repository is now hosted on github.

There are also some optimizations and build environment fixes.


The new firewalld version 0.3.14 is available here: