Fedora 18 and Firewalld

When Sperical Cow hits the digital shelves sometime in late October or early November, users will have to get used to a new firewall management application. Sperical Spherical Cow is, of course the code-name for Fedora 18, the next stable release of Fedora.

On current versions of Fedora, the firewall management application is system-config-firewall, a static firewall application that requires a refresh of the firewall with any rule change. The new application will provide a dynamic system that will not require a refresh or reload of the firewall, even after a rule change.

The new kid on the block is called Firewalld, and it is made up of a daemon with a D-BUS interface – firewalld; a command line interface – firewall-cmd; a graphical management interface – firewall-config; and a desktop applet – firewall-applet. Most of the work has been done, but not all the parts are working, at least in the just released Fedora 18 Alpha that I tested.

In this alpha release, Firewalld is installed and running, but firewall-applet is not installed. This, for example, is the interface for firewall-config. It does not work, so I could not mess with it. But you can tell that the final product will be easy to manage.

With Firewalld and coupled with NetworkManager, you will be able to utilize network zones on your system. The Shields Up/Down interface, which you start from the firewall applet, makes it easy to manage configured zones.
Firewalld Shields

This is a screen shot of the firewall-applet. The options are self-explanatory.
Firewalld Applet

What the applet looks like when network traffic is blocked.
Firerwalld Panic Mode

Here is an excerpt from the Fedora wiki what Firewalld really brings to the table:

The dynamic firewall mode with firewalld will make it possible to change firewall settings without the need to restart the firewall and will make persistent connections possible.

This is for example very useful for services, that need to add additional firewall rules. libvirtd is one of them and also openvpn in the future. With the static firewall model these rules are lost if the firewall gets modified or restarted. The firewall daemon holds the current configuration internally and is able to modify the firewall without the need to recreate the complete firewall configuration; it is also able to restore the configuration in a service restart and reload case.

Another use case for the dynamic firewall mode is printer discovery. For this the discovery program will be started locally that sends out a broadcast message. It will most likely get an answer from an unknown address (the new printer). This answer will be filtered by the firewall, because the answer is not related to the broadcast and the port of the program that was sending out the message is dynamic and therefore a fixed rule can not be created for this. With the dynamic firewall mode a time limited rule could be requested by the discovery program to allow the receipt of the answer.

Related Posts

How Fedora protects your data with full disk encryption Disk encryption in one of the most overlooked and underused security tools in computing. When most people think about securing a computer or the opera...
Fedora 15 LXDE review Fedora 15 LXDE is a Fedora 15 Spin, an alternate edition of Fedora, “tailored for various types of users via hand-picked application sets and other cu...
Disk encryption on Fedora 13 Disk encryption is one very important tool that you can use to enhance the physical security posture of our computer, and Fedora is the only distribut...
4 third-party repositories to enable on Fedora 19 Because of licensing reasons, the Fedora project only ships Free Software applications with any Fedora release. To gain access to those applications t...
How to use fedora-tools image for Fedora Atomic Host Fedora Atomic Host is a container-native version of the Fedora distribution. It is one of several operating systems expressly designed for running con...
Going Paranoid on Fedora 13 A Paranoid, or 5-star, security rating is the highest physical security rating that you can achieve on your computer. It entails enabling a set of OS-...

We Recommend These Vendors and Free Offers

ContainerizeThis 2016 is a free, 2-day conference for all things containers and big data. Featured, will be presentations and free, hands-on workshops. Learn more at ContainerizeThis.com

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


  1. How to disable firewalld?

  2. Pingback: Links 22/9/2012: September Catchup | Techrights

  3. sp: spherical cow

Leave a Comment

Your email address will not be published. Required fields are marked *