Automatic Helper Assignment

With kernel 4.7 and up the automatic helper assignment in kernel has been turned off by default. Netfilter conntrack helpers like for example nf_conntrack_ftp now need to be used in a different way. See Secure use of iptables and connection tracking helpers for more information.

The new AutomaticHelpers configuration setting has been added to firewalld.conf:

# AutomaticHelpers
# For the secure use of iptables and connection tracking helpers it is
# recommended to turn AutomaticHelpers off. But this might have side effects on
# other services using the netfilter helpers as the sysctl setting in
# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
# With the system setting, the default value set in the kernel or with sysctl
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers=system

firewalld is now checking the /proc/sys/net/netfilter/nf_conntrack_helper kernel setting at start. With AutomaticHelpers set to system, this is the default, firewalld will use the actual setting in the kernel. This could wither be the default in the kernel itself or has been set using sysctl.

If automatic helper assignment is turned off, firewalld will create rules in the PREROUTING chain of the raw table to enable the helper for the zone, where it is used. For this it uses the helper settings defined in the new helpers. These are the nf_conntrack_ module that provides the helper, the optional family if a helper could only be used for IPv4 or IPv6 and also the ports. The helper will only listen on the ports defined in the helper configuration. If there is a need to modify these ports, then it is possible to create an adapted configruaiton either with the GUI or command line tools or by copying the file to /etc/firewalld/helpers. If you want to change the protocol, please make sure that the helper is able to use this protocol. There is only a limited amount of helpers that are abel to handle more than one protocol.

Here is an eample of the ftp helper added by enabling the ftp service in the public zone:

# iptables -t raw -S | grep CT
-A PRE_public_allow -p tcp -m tcp --dport 21 -j CT --helper ftp

A new backend has been added, the D-Bus interface has been extended, also the GUI and command line tools and the documentation.


firewalld 0.4.3.3 release

The new firewalld version 0.4.3.3 is available as a security and bug fix release for version 0.4.3.

The main changes are

Fixes CVE-2016-5410

Any locally logged in user, could add and remove tracked passthrough rules and could set ipset entries. On top of this the policy to get zone, service, .. settings and also the log denied value is more strict now.

Standard error is now used for errors and warnings

Errors and warnings can now simply be skipped for example while getting the default zone with the command line client by piping stderr to /dev/null.

Several fixes for use in change roots

The command line use in change roots is not resulting in trace backs anymore. The client class, NetworkManager backend and also the command line clients have been adapted for this.

Systemd service file changes

The systemd service has been changed that firewalld gets started before the network-pre.target and before multi-user.target.

Fixed translations in firewall-config

The translations in firewall-config hve not been correct at all times. The gettext textdomain was not set property which resulted in missing translations in the code.

Command line clients

Several error return code fixes have been added to fix the behavior with single and sequence options.


The new firewalld version 0.4.3.3 is available here:


firewalld 0.4.3.2 release

The new firewalld version 0.4.3.2 is available as a bug fix only release for version 0.4.3.

The main changes are

Fix regression with unavailable optional commands

When a command is not available, new implementation to run a program raises an unexpected error which is not being handled by the callers. An emulation of the old behaviour has been added to fix this regression.

Revert to individual calls on missing restore commands

If iptables is available but not iptables-restore, then the transaction model was not able to apply firewall rules. With this change, individual calls will be used for missing restore commands. This applies to iptables, ip6tables and also ebtables.

Only ask for authentication once for add and remove options

With the use of the command backend a not authorized user was asked two times to authenticate for a query and later for the add or remove action that are done internally. With sequence options, the user was asked two times the number of options.

New RH-Satellite-6 service

The service has been included finally in the release. It does not need to be added in RHEL now.


The new firewalld version 0.4.3.2 is available here:


firewalld 0.4.3.1 release

The new firewalld version 0.4.3.1 is available as a bug fix only release for version 0.4.3.

The main changes are

Fixes missing ICMP rules for some zones

The zone specific ICMP rules for ICMP block inversion have been missing in zones with bindings, that are defined in the zone configuration file.

Fixes issue with running programs using Python3

With using Python3 for firewalld, firewall rules have not been applied in some cases without an error message.

Splits up source and destination address lists for transaction

A direct rule could contain source and destination address lists. iptables splits them up to only contain one source and one destination address at maximum. This is also needed in firewalld especially with the transaction model that uses the restore commands.

Completed firewallctl and firewallctl man page

The firewallctl command line tool and also the man page of firewallctl have been completed.

There are also other bug fixes.


The new firewalld version 0.4.3.1 is available here:


firewalld 0.4.3 release

The new firewalld version 0.4.3 is available with mostly bug fixes and some usability enhancements.

The main changes are

Add and remove several ipset entries with firewall-config

The graphical configuration tool firewall-config now also has the ability to add and remove ipset entries loaded from a file. This is the same as the the command line options –add-entries-from-file and –remove-entries-from-file. This is possible in the runtime and also to the permanent environment.

Create backup on removal of zones, services, ipsets and icmptypes

The configuration of a zone, service, ipset or icmptype is now preserved in a backup file on removal. The backup file has an additional “.old” extension. This makes it possible to manually undo removals.

Additional information zone handling with NetworkManager and ifcfg files

With version 0.4.2 the zone handling with NetworkManager and ifcfg files has ben changed to be more expected. Information about this hndling has been added to the firewalld and zone man pages.

Sequence options in all command line utilities

All command line utilities now support sequence options. It is now for example simply possible to add, remove and query several services in a zone.

New firewallctl command line utility

The new command line utility is an addition to the existing firewall-cmd and firewall-offline-cmd tools. It provides an other interface with shorter names.

Updated and new services

The high-availability service now also opens the port 5403/tcp for corosync-qnetd.

The new services are: kshell, rsh, ganglia-master and ganglia-client

Test suite enhancements

There are other bug fixes and also code clean ups.


The new firewalld version 0.4.3 is available here: