FirewallD - A firewall daemon with D-Bus interface providing a dynamic firewall
====================
firewalld provides a dynamically managed firewall with support for network or
firewall zones, which define the trust level of network connections or interfaces.
It supports IPv4 and IPv6 firewall settings as well as ethernet bridges, and it
keeps runtime configuration separate from permanent configuration. It also
provides an interface for services or applications to add ip*tables and ebtables
rules directly.
Development
-----------
To check out the source repository, you can use:
```sh
git clone https://github.com/firewalld/firewalld.git
```
This will create a local copy of the repository.
The contributor code of conduct can be found in [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
Language Translations
---------------------
Firewalld uses GNU gettext for localization support. Translations can be done
using [Fedora's Weblate instance][1]. Translations are periodically merged into
the main firewalld repository.
[1]: https://translate.stg.fedoraproject.org/projects/firewalld/
Dependencies
------------
These are the runtime dependencies:
```
linux >= 5.3
python >= 3.8
python3-dbus
python3-gobject
python3-nftables >= 0.9.4
```
**Note**: python2 is _not_ supported.
Optional Dependencies
---------------------
These dependencies may enhance firewalld's functionality, but they are not
required.
```
ebtables
ipset
iptables
polkit
python3-capng (libcap-ng-python3)
```
Working With The Source Repository
----------------------------------
In addition to the runtime dependencies some others are needed to build from
source:
```
desktop-file-utils: /usr/bin/desktop-file-install
gettext
intltool
glib2: /usr/bin/glib-compile-schemas
glib2-devel: /usr/share/aclocal/gsettings.m4
systemd-units
pytest
```
To be able to create man pages and documentation from docbook files:
```
docbook-style-xsl
libxslt
```
Use the usual autoconf/automake incantation to generate the makefiles:
```sh
./autogen.sh
./configure
```
You can use a specific python interpreter by passing the PYTHON variable. This
is also used by the testsuite.
```sh
./configure PYTHON=/path/to/python3
```
Use
```sh
make
```
to create the documentation and to update the po files.
Use
```sh
make check
```
to run the testsuite. Tests are run inside network namespaces and do not
interfere with the host's running firewalld. They can also be run in parallel
by passing flags to autotest.
```sh
make check TESTSUITEFLAGS="-j4"
```
The testsuite also uses keywords to allow running a subset of tests that
exercise a specific area.
For example:
```sh
make check TESTSUITEFLAGS="-k rich -j4"
```
Output:
```
24: rich rules audit ok
25: rich rules priority ok
26: rich rules bad ok
53: rich rules audit ok
23: rich rules good ok
55: rich rules bad ok
74: remove forward-port after reload ok
```
You can get a list of tests and keywords with:
```sh
make -C src/tests check TESTSUITEFLAGS="-l"
```
Or just the keywords:
```sh
make -C src/tests check TESTSUITEFLAGS="-l" \
|awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
|tr ' ' '\n' |sort |uniq
```
There are integration tests. Currently this includes NetworkManager. These may
be _destructive_ to the host. Run them in a disposable VM or container.
```sh
make check-integration
```
There is also a check-container target that will run the testsuite inside
various podman/docker containers. This is useful for coverage of multiple
distributions. It also runs tests that may be destructive to the host such as
integration tests.
```sh
make check-container TESTSUITEFLAGS="-j4"
```
OCI Container Image
-------------------
As part of the `dist` build target an OCI container image is generated. This is
distributed alongside the normal release tarball. It can be used to run
firewalld from a container. The containerized firewalld will _not_ integrate
with the host (e.g. podman, libvirt, NetworkManager).
To manually load the container image into your environment:
```sh
podman load -i .../path/to/firewalld-oci-<ver>.tar
```
To fetch the image from quay.io:
```sh
podman pull quay.io/firewalld/firewalld:<ver>
```
where `<ver>` is optional; the latest version is used if it is omitted.
To start the daemon/container:
```sh
podman run -d --network host --privileged \
--name my-firewalld firewalld
```
Firewalld's configuration will live inside the container. Therefore
users may want to occasionally `podman commit` the image.
Using firewalld's CLI should be done via podman exec after the
daemon/container has been started:
```sh
podman exec my-firewalld firewall-cmd ...
```
### Container Integration with Host
The same container image can be used to integrate with the host's running
NetworkManager, podman, libvirt, etc. This requires the host to have a dbus
policy for firewalld.
A dbus policy can be obtained from the firewalld source code tree at location
`config/FirewallD.conf`.
```sh
cp config/FirewallD.conf /usr/share/dbus-1/system.d/FirewallD.conf
```
Once the dbus policy is in place the container could be started as such:
```sh
podman run -d -v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket \
--network host --privileged \
--name my-firewalld firewalld \
firewalld --nofork --nopid
```
The only additions are the volume mount and the explicit CMD.
The same approach can be used to store firewalld's configuration files on the
host:
```sh
podman run -d -v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket \
-v /etc/firewalld:/etc/firewalld \
--network host --privileged \
--name my-firewalld firewalld \
firewalld --nofork --nopid
```
RPM package
-----------
For Fedora and RHEL based distributions, there is a spec file in the source
repo named firewalld.spec. This should be usable for Fedora versions >= 16 and
RHEL >= 7.
Links
-----
Homepage: http://firewalld.org
Report a bug: https://github.com/firewalld/firewalld/issues
Git repo browser: https://github.com/firewalld/firewalld
Git repo: https://github.com/firewalld/firewalld.git
Documentation: http://firewalld.org/documentation/
Mailing lists
-------------
For usage: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org/
For development: https://lists.fedorahosted.org/archives/list/firewalld-devel@lists.fedorahosted.org/
Directory Structure
-------------------
| Directory | Content |
| ----------------- | ----------------------------------------------------- |
| config/ | Configuration files |
| config/icmptypes/ | Predefined ICMP types |
| config/services/ | Predefined services |
| config/xmlschema/ | XML Schema checks for config files |
| config/zones/ | Predefined zones |
| config/ipsets/ | Predefined ipsets |
| doc/ | Documentation |
| doc/man/ | Base directory for man pages |
| doc/man/man1/ | Man(1) pages |
| doc/man/man5/ | Man(5) pages |
| po/ | Translations |
| shell-completion/ | Base directory for auto completion scripts |
| src/ | Source tree |
| src/firewall/ | Import tree for the service and all applications |
| src/icons/ | Icons in the sizes: 16, 22, 24, 32, 48 and scalable |
| src/tests/ | Testsuite |