firewalld - A firewall daemon with D-BUS interface providing a dynamic firewall (test version)

Thomas Woerner twoerner at
Sun Jan 2 11:14:22 UTC 2011

On 12/27/2010 08:06 PM, nodata wrote:
> On 23/12/10 17:03, Thomas Woerner wrote:
>> Hello,
>> as discussed some time ago, I worked on the proof of concept
>> implementation of firewalld. FirewallD is a service daemon with a D-BUS
>> interface that provides a dynamic managed firewall.
>> For more information on firewalld, please have a look at:
>> About this version:
>> This is mostly the proof of concept implementation with some changes and
>> is feature complete for F-15 as a firewalld preview version. It will not
>> be enabled per default and will also not get installed per default. The
>> system-config-firewall with static firewall model will still be the
>> default firewall solution for Fedora 15.
>> What this firewalld version can do:
>> - It supports most of the firewall features system-config-firewall had,
>>      but there are three limitations:
>>      1) custom firewall rule files (iptables save format) are not
>>         supported and most likely will never be, but there is support for
>>         custom rules (limited functionality).
>>      2) sysctl changes for ip_forward are not done, yet.
>>      3) There are no permanent firewall settings, this means that all
>>         settings are lost after a service restart or reboot. Permanent
>>         firewall settings will be added later on.
>> - The firewall daemon manages the firewall dynamically. This means that
>>      changes are done without recreating the whole firewall. Also there is
>>      no need to reload all firewall modules anymore. Firewall helpers are
>>      loaded and unloaded if needed.
>> - A simple tray applet (firewall-applet) shows the status of the public
>>      firewall and makes it simple to enable and disable firewall
>>      services. The applet does not show firewall configuration settings
>>      done with the libvirt interface.
>> - firewall-cmd is the command line client that makes it possible to
>>      enable, disable, query and list firewall features. firewall-cmd is
>>      also not able to show firewall settings of the libvirt interface.
>> - There is a rule and chain interface for libvirt, but the PolicyKit
>>      policy is not in place, yet.
>> What this version can not do (future features):
>> - firewall-config, the firewall configuration utility, is not functional
>> - System vs. User/Session configuration
>> - Zone support
>> - NetworkManager firewall rule support
>> firewalld made it into a fedorahosted repo at:
>> 	git://
>> The fedoraproject wiki page at
>> exists and will get more updates soon. The feature request page for
>> Fedora 15 is also up to date:
>> For test packages, please have a look at
>> firewalld has a requirement for system-config-firewall-1.2.28. This
>> version has checks for an active firewalld in the tools.
>> Please have a look at
>> for the Fedora 15 packages of this version. It is usable on fedora
>> versions < 15.
>> How To Test
>> - Install firewalld and firewall-applet
>> - Start the firewalld service
>> - Start the tray applet firewall-applet
>> - Use firewall-cmd to enable for example ssh:
>> 	firewall-cmd --enable --service=ssh
>> - Enable samba for 10 seconds:
>> 	firewall-cmd --enable --service=samba --timeout=10
>> - Enable ipp-client:
>> 	firewall-cmd --enable --service=ipp-client
>> - Disable ipp-client:
>> 	firewall-cmd --disable --service=ipp-client
>> - To restore your static firewall with lokkit again simply use:
>> 	lokkit --enabled
>> You can also use the D-BUS interface directly. This is required for
>> libvirt (and later on also NetworkManager). The D-BUS interface
>> documentation is work in progress and will be added later on.
>> Comments and additional information are highly welcome.
>> Thanks in advance,
>> Thomas
> Hi,
> First of all thanks for making this work on the command line first and
> gui second.
> Can I ask a stupid question? Does dbus have the kind of performance
> necessary to support this type of application?
> Thanks.

I have done tests here and the performance of D-BUS is good. The biggest 
amount of time was used to add or remove rules or to load or unload 
netfilter kernel helpers.

D-BUS is used to submit requests to the firewalld. If there are so many 
requests that they cannot be handled by D-BUS in a reasonable time, 
then this could be bad usage of firewalld. Firewall changes should not 
happen all day long.