firewalld 0.7.5 release

A new release of firewalld, version 0.7.5, is available.

This is a bug fix only release.

Alexander Bokovoy (1):

  • fix: update dynamic DCE RPC ports in freeipa-trust service

Eric Garver (30):

  • fix(systemd): Conflict with nftables.service
  • fix(direct): rule in a zone chain
  • test(direct): rule in a zone chain
  • fix(client): addService needs to reduce tuple size
  • test(dbus): zone: fix false failure due to list order
  • test(dbus): zone: fix zone runtime functional test title
  • fix(doc): dbus: signatures for zone tuple based APIs
  • fix(config): bool values in dict based import/export
  • fix(dbus): service: don’t cleanup config for old set APIs
  • fix(ipset): flush the set if IndividiualCalls=yes
  • fix(firewall-offline-cmd): remove instances of “[P]” in help text
  • docs: replace occurrences of the term blacklist with denylist

Phil Sutter (1):

  • fix: core: rich: Catch ValueError on non-numeric priority values

Vrinda Punj (3):

  • docs(README): add libxslt for doc generation
  • fix(cli): add –zone is an invalid option with –direct
  • fix(cli): add ipset type hash:mac is incompatible with the family parameter

Source available here:


firewalld 0.8.3 release

A new release of firewalld, version 0.8.3, is available.

This is a bug fix only release.

Alexander Bokovoy (1):

  • fix: update dynamic DCE RPC ports in freeipa-trust service

Eric Garver (33):

  • fix: nftables: ipset: port ranges for non-default protocols
  • fix(systemd): Conflict with nftables.service
  • fix(direct): rule in a zone chain
  • fix(client): addService needs to reduce tuple size
  • fix(doc): dbus: signatures for zone tuple based APIs
  • fix(config): bool values in dict based import/export
  • fix(dbus): service: don’t cleanup config for old set APIs
  • fix(ipset): flush the set if IndividiualCalls=yes
  • fix(firewall-offline-cmd): remove instances of “[P]” in help text
  • fix(rich): source mac with nftables backend
  • docs: replace occurrences of the term blacklist with denylist

Phil Sutter (1):

  • fix: core: rich: Catch ValueError on non-numeric priority values

Vrinda Punj (3):

  • docs(README): add libxslt for doc generation
  • fix(cli): add –zone is an invalid option with –direct
  • fix(cli): add ipset type hash:mac is incompatible with the family parameter

Source available here:


Intra Zone Forwarding

A new feature, intra zone forwarding, is coming to firewalld. This feature allows packets to freely forward between interfaces or sources with in a zone.

Why is it needed?

One axiom of zone based firewalls is that traffic with in a zone can flow from interface (or source) to interface (or source). The zone specifies the trust level of all those interfaces and sources. If they have the same trust level then they can communicate unencumbered. Firewalld has lacked this functionality until now.

What does it look like?

This feature doesn’t bring many CLI additions. Only a couple knobs to enable or disable it for the zone.

Lets say we have our home zone with two interfaces: dummy1, and dummy2

# firewall-cmd --zone=home --add-interface=dummy1 --add-interface=dummy2

Now let’s enable intra zone forwarding.

# firewall-cmd --zone=home --add-forward

This results in the following nftables rules being added to the zone.

table inet firewalld {
    chain filter_FWDI_home_allow {
        oifname "dummy1" accept
        oifname "dummy2" accept
    }
}

The rules say: if the packet is destined to the any interface in the zone home then go ahead and accept it.

If we were to add another interface or source to the home zone then we will see it show up in the ruleset as well.

# firewall-cmd --zone=home --add-source 10.10.10.0/24

And the result:

table inet firewalld {
    chain filter_FWDI_home_allow {
        oifname "dummy1" accept
        oifname "dummy2" accept
        ip daddr 10.10.10.0/24 accept
    }
}

Doesn’t this already happen?

Some zones use a --set-target of ACCEPT. Those zones immediately accept all forwarded traffic. As such, the new --add-forward option has no effect for them.

For all others --set-target values forwarded traffic is dropped by default. This includes all stock zones except trusted.

Caveats

When enabled in the default zone, intra zone forwarding can only be applied to the interfaces and sources that have been explicitly added to the current default zone. It can not use a catch-all for all outgoing interfaces as this would allow packets to forward to an interface or source assigned to a different zone.

Default value

By default, all currently shipped zone definitions and user created zones have forward disabled. This is done as to not introduce any surprising behavioral changes.

In the future this may change. It may make sense to enable by default in at least these zones: internal, home, and work.

Contributed By

This feature was initially contributed by github user @danc86 in pull request #586.


firewalld 0.7.4 release

A new release of firewalld, version 0.7.4, is available.

This is a bug fix only release.

However, it does reintroduce the zone drifting bug as a feature. This behavior is disabled by default.

  • improvement: build: add an option to disable building documentation
  • Typo in firewall-config(1)
  • Fix typo in TFTP service description
  • doc: README: add note about language translations
  • fix: rich: source/dest only matching with mark action
  • feat: AllowZoneDrifting config option
  • feat: nftables: support AllowZoneDrifting=yes
  • feat: ipXtables: support AllowZoneDrifting=yes
  • test: verify AllowZoneDrifting=yes
  • fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting
  • fix: add logrotate policy
  • fix: tests: regenerate testsuite if …/{cli,python}/*.at changes
  • doc: direct: add CAVEATS section
  • fix: checkIP6: strip leading/trailing square brackets
  • fix: nftables: remove square brackets from IPv6 addresses
  • fix: ipXtables: remove square brackets from IPv6 addresses
  • fix: nftables: zone dispatch with multidimensional ipsets
  • fix: ipset: destroy runtime sets on reload/stop
  • fix: port: support querying sub ranges
  • fix: source_port: support querying sub ranges
  • doc: specify accepted characters for object names
  • fix: doc: address copy/paste mistakes in short/description
  • fix: configure: atlocal: quote variable values
  • fix: nftables: allow set intervals with concatenations
  • doc: clarify –set-target values “default” vs “reject”

Source available here:


firewalld 0.8.2 release

A new release of firewalld, version 0.8.2, is available.

This is a big fix only release.

However, it does reintroduce the zone drifting bug as a feature. This behavior is disabled by default.

  • improvement: build: add an option to disable building documentation
  • Typo in firewall-config(1)
  • Fix typo in TFTP service description
  • doc: README: add note about language translations
  • fix: rich: source/dest only matching with mark action
  • feat: AllowZoneDrifting config option
  • feat: nftables: support AllowZoneDrifting=yes
  • feat: ipXtables: support AllowZoneDrifting=yes
  • fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting
  • fix: add logrotate policy
  • doc: direct: add CAVEATS section
  • fix: checkIP6: strip leading/trailing square brackets
  • fix: nftables: remove square brackets from IPv6 addresses
  • fix: ipXtables: remove square brackets from IPv6 addresses
  • fix: nftables: ipset types using “port”
  • fix: nftables: zone dispatch with multidimensional ipsets
  • fix: ipset: destroy runtime sets on reload/stop
  • fix: port: support querying sub ranges
  • fix: source_port: support querying sub ranges
  • doc: specify accepted characters for object names
  • fix: doc: address copy/paste mistakes in short/description
  • fix: configure: atlocal: quote variable values
  • fix: nftables: allow set intervals with concatenations
  • doc: clarify –set-target values “default” vs “reject”

Source available here: