Firewalld is front-end controller for iptables and nftables used to implement persistent network traffic rules. It provides command line and graphical interfaces and is available in the repositories of most Linux distributions. The name Firewalld adheres to the Unix convention of naming system daemons by appending the leter “d”.
Firewalld is easier to manage and configure than iptables. It offer a very flexible way to handle the firewall management compared to iptables. There are no long series of chains, jumps, accepts and denies that you need to memorize to get Firewalld up and running.
It manages rulesets dynamically, allowing updates without breaking existing sessions and connections. Changes can be done immediately in the runtime environment. No restart of the service or daemon is needed.
The firewalld service uses zones to control the firewall access. Zones are preconstructed rule sets for various trust levels. You likely have a zone for a given location or scenario, such as home, public, or trusted. Different zones enable different network services and incoming traffic types while denying everything else.
Firewalld 1.0 is a major version bump. It includes breaking and behavioral changes.
What’s new in Firewalld 1.0
Above all, the most notable changes in this release is dropping of Python 2 support and support for intra-zone forwarding by default. It is important to note that from now on the default target is similar to reject.
Firewalld 1.0 is also a feature release. It includes all bug fixes since v0.9.0.
- Reduced dependencies
- Intra-zone forwarding by default
- NAT rules moved to inet family
- Default target is now similar to reject
- ICMP blocks and block inversion only apply to input, not forward
- tftp-client service has been removed
- iptables backend is deprecated
- Direct interface is deprecated
- CleanupModulesOnExit defaults to no
For more information about all changes in Firewalld 1.0, you can refer to the official announcement.