Zone Priorities
Introduction
Firewalld gained a new feature called Zone Priorities. This allows the user to control the order in which packets are classified into zones.
What It Looks Like
The zone priority can be set using the command line option --set-priority. Similar to policies and rich rules, a lower priority value has higher precedence, e.g. -10 occurs before 100.
# firewall-cmd --permanent --zone internal --set-priority -10
# firewall-cmd --permanent --zone internal --get-priority
-10
# firewall-cmd --permanent --info-zone internal
internal
target: default
ingress-priority: -10 <--- new field
egress-priority: -10 <--- new field
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
This will guarantee that packets are considered for the internal zone before other zones.
We can see this in the generated nftables rules.
chain filter_INPUT_POLICIES {
iifname "dummy0" jump filter_IN_policy_allow-host-ipv6
iifname "dummy0" jump filter_IN_internal <--------- before ipset source @block_country in "drop" zone
iifname "dummy0" reject with icmpx admin-prohibited
ip saddr @block_country jump filter_IN_policy_allow-host-ipv6
ip saddr @block_country jump filter_IN_drop
ip saddr @block_country drop
jump filter_IN_policy_allow-host-ipv6
jump filter_IN_public
reject with icmpx admin-prohibited
}
Control Ingress and Egress Independently
Using --set-priority will set the priority for both ingress and egress classification. This is sufficient for most use cases. However, the two may be set independently with --set-ingress-priority and --set-egress-priority.
# firewall-cmd --permanent --zone internal --set-ingress-priority -10
# firewall-cmd --permanent --zone internal --set-egress-priority 100
# firewall-cmd --permanent --info-zone internal
internal (active)
target: default
ingress-priority: -10
egress-priority: 100
icmp-block-inversion: no
interfaces: dummy0
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Previous Behavior
Prior to this feature, users had to rely on firewalld's undocumented classification behavior. It was impossible to classify interfaces before sources.
That order is roughly:
- source based, i.e. --add-source
  - these are sorted by zone name
- interface based, i.e. --add-interface
When zone priorities are equal, classification falls back to this legacy behavior.
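The following is an added example, not code from the firewalld project: it models the ingress classification order described above (lower ingress-priority first, then the legacy tiebreak of source-based rules sorted by zone name before interface-based rules, with the default zone as the catch-all) and renders a filter_INPUT_POLICIES chain in the shape shown earlier. It assumes a zone's default priority is 0 and that target "default" renders as "reject with icmpx admin-prohibited"; the zone data is constructed.

```python
from dataclasses import dataclass, field

# Assumption (not stated in the post): how a zone target maps to the terminal
# action emitted after the zone's jump in filter_INPUT_POLICIES.
TARGET_ACTION = {
    "default": "reject with icmpx admin-prohibited",
    "DROP": "drop",
    "ACCEPT": "accept",
}

@dataclass
class Zone:
    name: str
    priority: int = 0  # ingress priority; assumed default 0, lower = earlier
    target: str = "default"
    interfaces: list = field(default_factory=list)
    sources: list = field(default_factory=list)  # e.g. "@block_country"

def classification_order(zones, default_zone):
    """Return (nft match, zone) pairs in evaluation order."""
    entries = []
    for z in zones:
        # Legacy tiebreak for equal priorities: sources (rank 0) before
        # interfaces (rank 1); within each group, sorted by zone name.
        for s in z.sources:
            entries.append(((z.priority, 0, z.name), f"ip saddr {s}", z))
        for i in z.interfaces:
            entries.append(((z.priority, 1, z.name), f'iifname "{i}"', z))
    entries.sort(key=lambda e: e[0])
    ordered = [(match, z) for _, match, z in entries]
    ordered.append(("", default_zone))  # unmatched traffic: default zone
    return ordered

def render_input_policies(zones, default_zone, policies=("allow-host-ipv6",)):
    """Render a filter_INPUT_POLICIES chain from the classification order."""
    lines = ["chain filter_INPUT_POLICIES {"]
    for match, z in classification_order(zones, default_zone):
        prefix = f"{match} " if match else ""
        for p in policies:  # built-in policies are dispatched before the zone
            lines.append(f"  {prefix}jump filter_IN_policy_{p}")
        lines.append(f"  {prefix}jump filter_IN_{z.name}")
        lines.append(f"  {prefix}{TARGET_ACTION[z.target]}")
    lines.append("}")
    return lines

if __name__ == "__main__":
    public = Zone("public")  # constructed sample zones mirroring the post
    zones = [Zone("internal", -10, interfaces=["dummy0"]),
             Zone("drop", target="DROP", sources=["@block_country"]), public]
    print("\n".join(render_input_policies(zones, public)))
```

Raising internal's priority back to 0 moves the @block_country source rule ahead of the dummy0 interface rule, which is the legacy order the post describes.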
Summary
It's now possible to customize packet classification in firewalld using the zone option --set-priority.
firewalld 1.2.0 release
A new release of firewalld, version 1.2.0, is available.
This is a feature release. It also includes all bug fixes since v1.1.0.
git shortlog --no-merges --grep "^feat" v1.1.0..v1.2.0
Adrian Freihofer (1):
- feat(firewalld): add new --log-target parameter
BrennanPaciorek (1):
- feat(service): add snmptls, snmptls-trap services
Donald Yandt (1):
- feat(service): add IPFS service
Eric Garver (1):
- feat(fw): startup failsafe
Matyáš Kroupa (2):
- feat(service): Add kubelet-readonly
- feat(service): Add secure version of k8s controller-plane components
Olav Reinert (1):
- feat(bash): completion of policy-related commands
Pat Riehecky (2):
- feat(service): add checkmk agent service
- feat(service): add netdata service
Poorchop (1):
- feat(service): add ident
Robotic-Brain (1):
- feat(service): Add service port definitions for ausweisapp2
Subhendu Ghosh (1):
- feat(service): add prometheus node-exporter
beta-tester (1):
- feat(service): add gpsd
hos7ein (1):
- feat(service): add CrateDB
nl6720 (2):
- feat(service): add ps3netsrv service
- feat(service): add Kodi JSON-RPC and EventServer services
Source available here:
- Tarball: firewalld-1.2.0.tar.gz
- SHA256: 28fd90e88bda0dfd460f370f353474811b2e295d7eb27f0d7d18ffa3d786eeb7
- Complete changelog on github: 1.1.0 to 1.2.0
Release Container Images
Introduction
Firewalld releases are now additionally distributed as an OCI container image. This image is usable on any Linux distribution with docker (or podman) and Linux kernel >= 5.3.
This image is self contained. The firewalld configuration lives inside the container. It does not integrate with host services (e.g. NetworkManager).
It provides a very convenient and risk-free way to trial firewalld.
Starting the container
The container can be started in one command:
# docker run -d --network host --privileged \
--name my-firewalld quay.io/firewalld/firewalld
This will pull (download) the image from quay.io if the image is not already in the local cache.
The --network host option means the container will run in the default network namespace and thus make firewall changes that affect the entire host.
Making firewall changes
To make changes to firewalld running inside the container, docker exec must be used.
For example, to list all the settings in the default zone:
# docker exec my-firewalld firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Shell alias for convenience
The above is a long command. It can be made more convenient with a shell alias.
# alias my-firewall-cmd='docker exec my-firewalld firewall-cmd'
Then use the alias:
# my-firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
What it looks like on the host
As started above, the container runs in the default network namespace. This means we should see the changes in the host’s nftables output.
# my-firewall-cmd --add-service https
success
# nft list ruleset |grep 443
tcp dport 443 ct state { new, untracked } accept
Saving the container and firewalld’s configuration
The modified container can be saved to an image like any other container. This is useful if you want to save your precious firewalld container and configuration.
# docker commit my-firewalld my-firewalld
sha256:2923f03657ee877b55a72f80f6211c7065328a47b247c05fd3a0f09dcea67fc3
# docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
my-firewalld latest 2923f03657ee 2 seconds ago 247MB
quay.io/firewalld/firewalld latest b0d3f2666c4f 4 hours ago 246MB
Optional: Store firewalld’s configuration on the host
An alternative to storing the configuration inside the container is to use a volume mount to store it on the host. This has the major advantage that the container can be upgraded to a new release of the container image while keeping your firewalld configuration intact.
To accomplish this, you must start the container with a volume mount.
# docker run -d -v /etc/firewalld:/etc/firewalld \
--network host --privileged \
--name my-firewalld quay.io/firewalld/firewalld
Otherwise, usage is the same as described above.
Summary
The container image provides a low effort way to get started with firewalld while also being easy to manage.
firewalld 1.1.0 release
A new release of firewalld, version 1.1.0, is available.
This is a feature release. It also includes all bug fixes since v1.0.0.
$ git shortlog --grep "^feat" 3c7e9c98e8222a918c2bb7353b32075843cdc661..v1.1.0
Christoph Muellner (1):
- feat(service): Add jellyfin service
Eric Garver (3):
- feat(build): distribute an OCI container image
- feat(policy): support OUTPUT forward ports
- feat: config check improvements
Juan Orti Alcaine (1):
- feat(service): add http3
Marcos Mello (1):
- feat(service): add service definition for WS-Discovery Client
Nigel Jewell (2):
- feat(service): add service definition for WS-Discovery
- feat(service): add service definition for AFP
TorontoMedia (1):
- feat(rich): Support nflog target and add log attribute errors/checks
proletarius101 (1):
- feat(service): add ZeroTier service
Source available here:
- Tarball: firewalld-1.1.0.tar.gz
- SHA256: ffab4bbe30d829e3a6a6a029ac4a6307073785c301368b3d8a7f523876037ff9
- Complete changelog on github: 1.0.0 to 1.1.0
firewalld 1.0.1 release
A new release of firewalld, version 1.0.1, is available.
This is a bug fix only release.
$ git shortlog --grep "^fix" v1.0.0..v1.0.1
Eric Garver (1):
- fix(firewalld): keep linux capability CAP_SYS_MODULE
Marcos Mello (1):
- fix(service): UPnP Client: actually allow SSDP traffic
Neal Gompa (1):
- fix(config): Fix RPM macros to test if firewall-cmd is executable
Source available here:
- Tarball: firewalld-1.0.1.tar.gz
- SHA256: 35a89949e527cd7fc863574b2eceb80f99092cca838c79c4c1fce2228a01eb09
- Complete changelog on github: 1.0.0 to 1.0.1