firewalld 1.2.0 release
A new release of firewalld, version 1.2.0, is available.
This is a feature release. It also includes all bug fixes since v1.1.0.
git shortlog --no-merges --grep "^feat" v1.1.0..v1.2.0
Adrian Freihofer (1):
- feat(firewalld): add new –log-target parameter
BrennanPaciorek (1):
- feat(service): add snmptls, snmptls-trap services
Donald Yandt (1):
- feat(service): add IPFS service
Eric Garver (1):
- feat(fw): startup failsafe
Matyáš Kroupa (2):
- feat(service): Add kubelet-readonly
- feat(service): Add secure version of k8s controller-plane components
Olav Reinert (1):
- feat(bash): completion of policy-related commands
Pat Riehecky (2):
- feat(service): add checkmk agent service
- feat(service): add netdata service
Poorchop (1):
- feat(service): add ident
Robotic-Brain (1):
- feat(service): Add service port definitions for ausweisapp2
Subhendu Ghosh (1):
- feat(service): add prometheus node-exporter
beta-tester (1):
- feat(service): add gpsd
hos7ein (1):
- feat(service): add CrateDB
nl6720 (2):
- feat(service): add ps3netsrv service
- feat(service): add Kodi JSON-RPC and EventServer services
Source available here:
- Tarball: firewalld-1.2.0.tar.gz
- SHA256: 28fd90e88bda0dfd460f370f353474811b2e295d7eb27f0d7d18ffa3d786eeb7
- Complete changelog on github: 1.1.0 to 1.2.0
Release Container Images
Introduction
Firewalld releases are now additionally distributed as an OCI container image. This image is usable on any Linux distribution with docker (or podman) and Linux kernel >= 5.3.
This image is self contained. The firewalld configuration lives inside the container. It does not integrate with host services (e.g. NetworkManager).
It provides a very convenient and risk-free way to trial firewalld.
Starting the container
The container can be started in one command:
# docker run -d --network host --privileged \
--name my-firewalld quay.io/firewalld/firewalld
This will pull (download) the image from quay.io if the image is not already in the local cache.
The --network host
means the container will run in the default network
namespace and thus make firewall changes affecting the entire host.
Making firewall changes
To make changes to firewalld running inside the container docker exec
must be used.
For example, to list all the settings in the default zone:
# docker exec my-firewalld firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Shell alias for convenience
The above is a long command. It can be made more convenient with a shell alias.
# alias my-firewall-cmd='docker exec my-firewalld firewall-cmd'
Then use the alias:
# my-firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
What it looks like on the host
As started above, the container runs in the default network namespace. This means we should see the changes in the host’s nftables output.
# my-firewall-cmd --add-service https
success
# nft list ruleset |grep 443
tcp dport 443 ct state { new, untracked } accept
Saving the container and firewalld’s configuration
The modified container can be saved to an image like any other container. This is useful if you want to save your precious firewalld container and configuration.
# docker commit my-firewalld my-firewalld
sha256:2923f03657ee877b55a72f80f6211c7065328a47b247c05fd3a0f09dcea67fc3
# docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
my-firewalld latest 2923f03657ee 2 seconds ago 247MB
quay.io/firewalld/firewalld latest b0d3f2666c4f 4 hours ago 246MB
Optional: Store firewalld’s configuration on the host
An alternative to storing the configuration inside the container is to use a volume mount to store it on the host. This has the major advantage that the container can be upgraded to a new release of the container image while keeping your firewalld configuration intact.
To accomplish you must start the container with a volume mount.
# docker run -d -v /etc/firewalld:/etc/firewalld
--network host --privileged \
--name my-firewalld quay.io/firewalld/firewalld
Otherwise, usage is the same as described above.
Summary
The container image provides a low effort way to get started with firewalld while also being easy to manage.
firewalld 1.1.0 release
A new release of firewalld, version 1.1.0, is available.
This is a feature release. It also includes all bug fixes since v1.0.0.
$ git shortlog --grep "^feat" 3c7e9c98e8222a918c2bb7353b32075843cdc661..v1.1.0
Christoph Muellner (1):
- feat(service): Add jellyfin service
Eric Garver (3):
- feat(build): distribute an OCI container image
- feat(policy): support OUTPUT forward ports
- feat: config check improvements
Juan Orti Alcaine (1):
- feat(service): add http3
Marcos Mello (1):
- feat(service): add service definition for WS-Discovery Client
Nigel Jewell (2):
- feat(service): add service definition for WS-Discovery
- feat(service): add service definition for AFP
TorontoMedia (1):
- feat(rich): Support nflog target and add log attribute errors/checks
proletarius101 (1):
- feat(service): add ZeroTier service
Source available here:
- Tarball: firewalld-1.1.0.tar.gz
- SHA256: ffab4bbe30d829e3a6a6a029ac4a6307073785c301368b3d8a7f523876037ff9
- Complete changelog on github: 1.0.0 to 1.1.0
firewalld 1.0.1 release
A new release of firewalld, version 1.0.1, is available.
This is a bug fix only release.
$ git shortlog --grep "^fix" v1.0.0..v1.0.1
Eric Garver (1):
- fix(firewalld): keep linux capability CAP_SYS_MODULE
Marcos Mello (1):
- fix(service): UPnP Client: actually allow SSDP traffic
Neal Gompa (1):
- fix(config): Fix RPM macros to test if firewall-cmd is executable
Source available here:
- Tarball: firewalld-1.0.1.tar.gz
- SHA256: 35a89949e527cd7fc863574b2eceb80f99092cca838c79c4c1fce2228a01eb09
- Complete changelog on github: 1.0.0 to 1.0.1
firewalld 1.0.0 release
A new release of firewalld, version 1.0.0, is available.
Major version bump
This release is also a major version bump. It includes breaking and behavioral changes. Please read the blog post.
This is also a feature release. It includes all bug fixes since v0.9.0.
Highlights include:
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family (reduced rule set)
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no (kernel modules not unloaded)
New features
$ git shortlog --grep "^feat.*:" v0.9.0..v1.0.0
Derek Dai (1):
- feat(rich): support using ipset in destination
Eric Garver (2):
- feat: add netbios-ns service
- feat(firewalld): drop linux capabilities
Georg Sauthoff (1):
- feat(service): Add WireGuard service definition
Pat Riehecky (1):
- feat(service): Add Kubernetes definitions
Paul Laufer (1):
- feat(config): add CleanupModulesOnExit configuration option
Vrinda Punj (3):
- feat(rich): add XML parsing/CLI parsing for tcp-mss-clamp
- feat(rich): add backend translation for tcp-mss-clamp
- feat(service): add galera service Fixes: rhbz1696260
张龙涛 (2):
- feat(shell-completion): Add zsh completion of policy
- feat(shell-completion/zsh): add sub option for –policy
Breaking changes
$ git shortlog --grep "BREAKING CHANGE" v0.9.0..v1.0.0
Eric Garver (9):
- build(configure): require python >= 3.6
- chore(zone): enable intra-zone forwarding by default for new zones
- chore(zone): enable intra-zone forwarding by default for shipped zones
- docs(README): clarify dependencies
- improvement(nftables): use inet family for nat rules
- fix(zone): target: default is now similar to reject
- improvement(zone): icmp_block: now only applies to INPUT
- improvement(zone): icmp_block_inversion: now only applies to INPUT
- chore: remove broken tftp-client service
Source available here:
- Tarball: firewalld-1.0.0.tar.gz
- SHA256: 4c2ced8d2007d4a4aaf8a3f1ccc2e3a8c4089e60061f767a2992e867cfbe9ca0
- Complete changelog on github: 0.9.0 to 1.0.0