3.7.2. Understanding firewalld
A graphical configuration tool, firewall-config, is used to configure firewalld
, which in turn uses iptables tool to communicate with Netfilter in the kernel which implements packet filtering.
To use the graphical firewall-config tool, press the super key and start typing firewall
. The firewall icon will appear. Press enter once it is highlighted. The firewall-config tool appears. You will be prompted for your user password.
The firewall-config tool has drop a down selection menu labeled Current View. This enables selecting between Runtime Configuration and Permanent Configuration mode. Notice that if you select Permanent Configuration, an Edit Services button appears on the right hand side of the Services tab and an Edit ICMP Types button appears on the right hand side of the ICMP Filter tab. The reason these buttons only appear in permanent configuration mode is that runtime changes are limited to enabling or disabling a service. You cannot change a service's parameters in run time mode.
The firewall service provided by firewalld
is dynamic rather than static because changes to the configuration can be made at anytime and are immediately implemented, there is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded.
There is also an applet, firewall-applet, which can be used to quickly launch the NetworkManager configuration tab for the network connection in use. From the General tab changes to the assigned firewall zone can be made. This applet is not installed by default in Fedora.
A command line client, firewall-cmd, is provided. It can be used to make permanent and non-permanent run-time changes as explained in man firewall-cmd(1)
. Permanent changes need to be made as explained in man firewalld(1)
.
The configuration for firewalld
is stored in various XML files in /usr/lib/firewalld/
and /etc/firewalld/
. This allows a great deal of flexibility as the files can be edited, written to, backed up, used as templates for other installations and so on.
Other applications can communicate with firewalld
using D-bus.