firewalld - A firewall daemon with D-BUS interface providing a dynamic firewall (test version)
twoerner at redhat.com
Thu Dec 23 16:03:56 UTC 2010
As discussed some time ago, I worked on the proof of concept
implementation of firewalld. FirewallD is a service daemon with a D-BUS
interface that provides a dynamically managed firewall.
For more information on firewalld, please have a look at:
About this version:
This is mostly the proof of concept implementation with some changes and
is feature complete for F-15 as a firewalld preview version. It will not
be enabled per default and will also not get installed per default. The
system-config-firewall with static firewall model will still be the
default firewall solution for Fedora 15.
What this firewalld version can do:
- It supports most of the firewall features system-config-firewall had,
but there are three limitations:
1) custom firewall rule files (iptables save format) are not
supported and most likely will never be, but there is support for
custom rules (limited functionality).
2) sysctl changes for ip_forward are not done, yet.
3) There are no permanent firewall settings; this means that all
settings are lost after a service restart or reboot. Permanent
firewall settings will be added later on.
- The firewall daemon manages the firewall dynamically. This means that
changes are done without recreating the whole firewall. Also there is
no need to reload all firewall modules anymore. Firewall helpers are
loaded and unloaded if needed.
- A simple tray applet (firewall-applet) shows the status of the public
firewall and makes it simple to enable and disable firewall
services. The applet does not show firewall configuration settings
done with the libvirt interface.
- firewall-cmd is the command line client that makes it possible to
enable, disable, query and list firewall features. firewall-cmd is
also not able to show firewall settings of the libvirt interface.
- There is a rule and chain interface for libvirt, but the PolicyKit
policy is not in place, yet.
What this version cannot do (future features):
- firewall-config, the firewall configuration utility, is not functional
- System vs. User/Session configuration
- Zone support
- NetworkManager firewall rule support
firewalld made it into a fedorahosted repo at:
The fedoraproject wiki page at
exists and will get more updates soon. The feature request page for
Fedora 15 is also up to date:
For test packages, please have a look at
firewalld has a requirement for system-config-firewall-1.2.28. This
version has checks for an active firewalld in the tools.
Please have a look at
for the Fedora 15 packages of this version. It is usable on Fedora
versions < 15.
How To Test
- Install firewalld and firewall-applet
- Start the firewalld service
- Start the tray applet firewall-applet
- Use firewall-cmd to enable for example ssh:
    firewall-cmd --enable --service=ssh
- Enable samba for 10 seconds:
    firewall-cmd --enable --service=samba --timeout=10
- Enable ipp-client:
    firewall-cmd --enable --service=ipp-client
- Disable ipp-client:
    firewall-cmd --disable --service=ipp-client
- To restore your static firewall with lokkit again, simply use:
You can also use the D-BUS interface directly. This is required for
libvirt (and later on also NetworkManager). The D-BUS interface
documentation is work in progress and will be added later on.
Comments and additional information are highly welcome.
Thanks in advance,
Software Engineer         Phone: +49-711-96437-310
Red Hat GmbH              Fax  : +49-711-96437-111
Hauptstaetterstr. 58      Email: Thomas Woerner <twoerner at redhat.com>
D-70178 Stuttgart         Web  : http://www.redhat.de/