firewalld 1.2.0 release

A new release of firewalld, version 1.2.0, is available.

This is a feature release. It also includes all bug fixes since v1.1.0.

$ git shortlog --no-merges --grep "^feat" v1.1.0..v1.2.0

Adrian Freihofer (1):

  • feat(firewalld): add new --log-target parameter

BrennanPaciorek (1):

  • feat(service): add snmptls, snmptls-trap services

Donald Yandt (1):

  • feat(service): add IPFS service

Eric Garver (1):

  • feat(fw): startup failsafe

Matyáš Kroupa (2):

  • feat(service): Add kubelet-readonly
  • feat(service): Add secure version of k8s controller-plane components

Olav Reinert (1):

  • feat(bash): completion of policy-related commands

Pat Riehecky (2):

  • feat(service): add checkmk agent service
  • feat(service): add netdata service

Poorchop (1):

  • feat(service): add ident

Robotic-Brain (1):

  • feat(service): Add service port definitions for ausweisapp2

Subhendu Ghosh (1):

  • feat(service): add prometheus node-exporter

beta-tester (1):

  • feat(service): add gpsd

hos7ein (1):

  • feat(service): add CrateDB

nl6720 (2):

  • feat(service): add ps3netsrv service
  • feat(service): add Kodi JSON-RPC and EventServer services

Source available here:


Release Container Images

Introduction

Firewalld releases are now additionally distributed as an OCI container image. This image is usable on any Linux distribution with docker (or podman) and Linux kernel >= 5.3.

This image is self contained. The firewalld configuration lives inside the container. It does not integrate with host services (e.g. NetworkManager).

It provides a very convenient and risk-free way to trial firewalld.

Starting the container

The container can be started in one command:

# docker run -d --network host --privileged \
             --name my-firewalld quay.io/firewalld/firewalld

This will pull (download) the image from quay.io if the image is not already in the local cache.

The --network host means the container will run in the default network namespace and thus make firewall changes affecting the entire host.

Making firewall changes

To make changes to firewalld running inside the container, docker exec must be used.

For example, to list all the settings in the default zone:

# docker exec my-firewalld firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Shell alias for convenience

The above is a long command. It can be made more convenient with a shell alias.

# alias my-firewall-cmd='docker exec my-firewalld firewall-cmd'

Then use the alias:

# my-firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

What it looks like on the host

As started above, the container runs in the default network namespace. This means we should see the changes in the host’s nftables output.

# my-firewall-cmd --add-service https
success

# nft list ruleset |grep 443
                tcp dport 443 ct state { new, untracked } accept

Saving the container and firewalld’s configuration

The modified container can be saved to an image like any other container. This is useful if you want to save your precious firewalld container and configuration.

# docker commit my-firewalld my-firewalld
sha256:2923f03657ee877b55a72f80f6211c7065328a47b247c05fd3a0f09dcea67fc3

# docker image list
REPOSITORY                    TAG       IMAGE ID       CREATED          SIZE
my-firewalld                  latest    2923f03657ee   2 seconds ago    247MB
quay.io/firewalld/firewalld   latest    b0d3f2666c4f   4 hours ago      246MB

Optional: Store firewalld’s configuration on the host

An alternative to storing the configuration inside the container is to use a volume mount to store it on the host. This has the major advantage that the container can be upgraded to a new release of the container image while keeping your firewalld configuration intact.

To accomplish this, you must start the container with a volume mount.

# docker run -d -v /etc/firewalld:/etc/firewalld \
             --network host --privileged \
             --name my-firewalld quay.io/firewalld/firewalld

Otherwise, usage is the same as described above.
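The steps above (start the container, wrap firewall-cmd in a shorter command, make a change, check the host's nftables ruleset) collected into one small POSIX sh wrapper. This is an added example, not a script shipped by the firewalld project. It assumes docker is on PATH (set DOCKER=podman to use podman instead), the image name quay.io/firewalld/firewalld from the post, and nft on the host; the function names, the readiness poll on firewall-cmd --state, and the sample nft output are this example's own constructions.

```shell
#!/bin/sh
# Added example (not firewalld project code): drive the firewalld
# container from a small wrapper. Assumptions: docker or podman on
# PATH, the image from the post, and nft available on the host.

DOCKER="${DOCKER:-docker}"                       # DOCKER=podman also works
IMAGE="${IMAGE:-quay.io/firewalld/firewalld}"
NAME="${NAME:-my-firewalld}"

# Start the container with firewalld's configuration kept on the host
# (volume mount), so the image can later be upgraded without losing it.
fw_start() {
    "$DOCKER" run -d -v /etc/firewalld:/etc/firewalld \
        --network host --privileged \
        --name "$NAME" "$IMAGE"
}

# Function form of the `my-firewall-cmd` alias from the post.
fw_cmd() {
    "$DOCKER" exec "$NAME" firewall-cmd "$@"
}

# firewalld needs a moment after `docker run -d` before it answers
# commands; poll --state so the first real change does not fail.
fw_wait_ready() {
    tries="${1:-30}"
    while [ "$tries" -gt 0 ]; do
        if fw_cmd --state >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "firewalld in $NAME did not become ready" >&2
    return 1
}

# Pure helper (no docker needed): read `nft list ruleset` output on
# stdin and print "yes" if an accept rule for tcp dport PORT exists.
nft_has_accept_rule() {
    port="$1"
    if grep -Eq "tcp dport $port ct state \{ new, untracked \} accept"; then
        echo yes
    else
        echo no
    fi
}

# Host-side check, mirroring `nft list ruleset | grep 443` in the post.
fw_verify_port() {
    nft list ruleset | nft_has_accept_rule "$1"
}

# Constructed sample of nft output (shaped like the post's grep result)
# so the helper can be exercised without a running container.
SAMPLE_NFT='table inet firewalld {
    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        tcp dport 443 ct state { new, untracked } accept
        udp dport 546 ct state { new, untracked } accept
    }
}'

# Typical session (as root): start, wait, open https permanently,
# reload so the runtime matches, then confirm on the host.
if [ "${1:-}" = "run" ]; then
    fw_start && fw_wait_ready \
        && fw_cmd --permanent --add-service https && fw_cmd --reload \
        && echo "port 443 accepted on host: $(fw_verify_port 443)"
fi
```

Two details worth noting. A runtime change such as the post's `--add-service https` is not written to /etc/firewalld, so it does not survive a container restart even with the volume mount; `--permanent` followed by `--reload` is what makes the host-side directory the source of truth. And because `docker run -d` returns before firewalld is listening, a script that issues `docker exec ... firewall-cmd` immediately afterwards can fail; polling `firewall-cmd --state` removes that race.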

Summary

The container image provides a low effort way to get started with firewalld while also being easy to manage.


firewalld 1.1.0 release

A new release of firewalld, version 1.1.0, is available.

This is a feature release. It also includes all bug fixes since v1.0.0.

$ git shortlog --grep "^feat" 3c7e9c98e8222a918c2bb7353b32075843cdc661..v1.1.0

Christoph Muellner (1):

  • feat(service): Add jellyfin service

Eric Garver (3):

  • feat(build): distribute an OCI container image
  • feat(policy): support OUTPUT forward ports
  • feat: config check improvements

Juan Orti Alcaine (1):

  • feat(service): add http3

Marcos Mello (1):

  • feat(service): add service definition for WS-Discovery Client

Nigel Jewell (2):

  • feat(service): add service definition for WS-Discovery
  • feat(service): add service definition for AFP

TorontoMedia (1):

  • feat(rich): Support nflog target and add log attribute errors/checks

proletarius101 (1):

  • feat(service): add ZeroTier service

Source available here:


firewalld 1.0.1 release

A new release of firewalld, version 1.0.1, is available.

This is a bug fix only release.

$ git shortlog --grep "^fix" v1.0.0..v1.0.1

Eric Garver (1):

  • fix(firewalld): keep linux capability CAP_SYS_MODULE

Marcos Mello (1):

  • fix(service): UPnP Client: actually allow SSDP traffic

Neal Gompa (1):

  • fix(config): Fix RPM macros to test if firewall-cmd is executable

Source available here:


firewalld 1.0.0 release

A new release of firewalld, version 1.0.0, is available.

Major version bump

This release is also a major version bump. It includes breaking and behavioral changes. Please read the blog post.

This is also a feature release. It includes all bug fixes since v0.9.0.

Highlights include:

  • Reduced dependencies
  • Intra-zone forwarding by default
  • NAT rules moved to inet family (reduced rule set)
  • Default target is now similar to reject
  • ICMP blocks and block inversion only apply to input, not forward
  • tftp-client service has been removed
  • iptables backend is deprecated
  • Direct interface is deprecated
  • CleanupModulesOnExit defaults to no (kernel modules not unloaded)

New features

$ git shortlog --grep "^feat.*:" v0.9.0..v1.0.0

Derek Dai (1):

  • feat(rich): support using ipset in destination

Eric Garver (2):

  • feat: add netbios-ns service
  • feat(firewalld): drop linux capabilities

Georg Sauthoff (1):

  • feat(service): Add WireGuard service definition

Pat Riehecky (1):

  • feat(service): Add Kubernetes definitions

Paul Laufer (1):

  • feat(config): add CleanupModulesOnExit configuration option

Vrinda Punj (3):

  • feat(rich): add XML parsing/CLI parsing for tcp-mss-clamp
  • feat(rich): add backend translation for tcp-mss-clamp
  • feat(service): add galera service Fixes: rhbz1696260

张龙涛 (2):

  • feat(shell-completion): Add zsh completion of policy
  • feat(shell-completion/zsh): add sub option for --policy

Breaking changes

$ git shortlog --grep "BREAKING CHANGE" v0.9.0..v1.0.0

Eric Garver (9):

  • build(configure): require python >= 3.6
  • chore(zone): enable intra-zone forwarding by default for new zones
  • chore(zone): enable intra-zone forwarding by default for shipped zones
  • docs(README): clarify dependencies
  • improvement(nftables): use inet family for nat rules
  • fix(zone): target: default is now similar to reject
  • improvement(zone): icmp_block: now only applies to INPUT
  • improvement(zone): icmp_block_inversion: now only applies to INPUT
  • chore: remove broken tftp-client service

Source available here: