firewalld speed up

Since end of last year firewalld supports to use the restore commands of iptables, ip6tables and ebtables.This means that rules do not need to get applied one by one, but in bigger chunks. This results for example in a nice speed up of the firewalld start, reload, restart and stop.

The default rules are applied using these commands in one. The changes for example for services, ports etc. are applied per service, port etc. to be able to give feedback per item. Enabling or disabling single ports are therefore not sped up by this, but services using several ports are.

The use of the restore commands is also the base to be able to add direct rule sets, that are applied in one step as a whole.

The new setting IndividualCalls has been introduced to disable the use of the restore commands and to use iptables, ip6tables and ebtables individual calls per rule.

There are two limitations with using the restore commands:

  • The restore commands in the iptables package need to extended to use the locking mechanism in xtables and ebtables to prevent clashes with concurrent calls of ip*tables and ebtables. Enabling IndividualCalls in the firewalld configuration file is helping here, but disables the use of the restore commands.
  • The error reporting is a not as verbose as with single commands. An enhancement here is possible, but not to the same extend as with single calls.

MAC address support

The MAC support branch has been merged into master and will be available with the nest version. This will be version 0.4.0 and is planned to be released in the next days.

You can use MAC addresses for zone bindings and also in rich rules. Here are two examples using the command line client:

firewall-cmd --zone=work --add-source=00:11:22:33:44:55
firewall-cmd --zone=work --add-rich-rule='rule source mac=11:22:33:44:55:66 drop'

With this it is simply possible to add filters using MAC addresses. firewall-config also is able to handle MAC addresses.


ipset support

The support for ipsets has been added to the git repo of firewalld and will be available with the nest version. This will be version 0.4.0 and is planned to be released in the next days.

With ipsets it is simple to create black or white lists for ip, network or mac address. An ipset can simply be used to bind zones to or also in rich rules. Witht he use in rich rules also more complex rules can be created.

The advantage of using ipsets is that it is not needed to add a rule per IP address that needs to be black listed in the example. There is only one rule added to the firewall to use the ipset for black listing. The matching against the set entries is a lot faster.

Here is an example for a blcklist creation using an ipset for IPv4:

To create the ipset blacklist for IPv4:

firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip

Reload to make the ipset usable in runtime environment:

firewall-cmd --reload

Add runtime only entries to the blacklist:

firewall-cmd --ipset=blacklist --add-entry=192.168.1.4
firewall-cmd --ipset=blacklist --add-entry=192.168.1.6
firewall-cmd --ipset=blacklist --add-entry=192.168.1.8
firewall-cmd --ipset=blacklist --add-entry=192.168.1.10

Add a rich rule in the default zone for dropping all entries on the blacklist:

firewall-cmd --add-rich-rule='rule source ipset=blacklist drop'

To create the ipset blacklist6 for IPv6:

firewall-cmd --permanent --new-ipset=blacklist6 --type=hash:ip --option=family=inet6

The option family needs to be set to inet6 to make sure that the ipset is using IPv6 addresses.

Reload to make the ipset usable in runtime environment:

firewall-cmd --reload

Add runtime only entries to the blacklist6:

firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0004
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0006
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0008
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0010

Add a rich rule in the default zone for dropping all entries on the blacklist6:

firewall-cmd --add-rich-rule='rule source ipset=blacklist6 drop'

firewall-config also is able to handle MAC addresses.

There is one limitation with ipset usage in firewalld though:

If the timeout option is used for an ipset, then it will not be possible to list the entries of the ipset with firewalld as the timeout is directly done in kernel space and adding additional timers for each entry could result in a high load of firewalld.


11th Netfilter Workshop

Thomas Woerner has been at the 11th Netfilter Workshop (22th-26th June 2015. Budapest, Hungary) to discuss firewalld, the use of netfilter and also nftables integration.

The slides are available here: nfws2015-firewalld


firewalld 0.3.14.2 release

The new firewalld version 0.3.14.2 is available as a bug fix only release for version 0.3.14. It provides a small fix for the applet and firewall-config to only honour active connections from NetworkManager, an adapted firewall-applet man page and a QSettings fix.


The new firewalld version 0.3.14.2 is available here: