Firewalld

firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework. firewalld's current default backend is nftables. Prior to v0.6.0, iptables was the default backend. Through its abstractions, firewalld acts as an alternative to nft and iptables command line programs. The name firewalld adheres to the Unix convention of naming system daemons by appending the letter "d".

firewalld is written in Python. It was intended to be ported to C++, but the porting project was abandoned in January 2015.

Features
firewalld supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Administrators can configure Network Manager to automatically switch zone profiles based on known Wi-Fi (wireless) and Ethernet (wired) networks, but firewalld cannot do this on its own.

Services and applications can use the D-Bus interface to query and configure the firewall. firewalld supports timed rules, meaning the number of connections (or "hits") to a service can be limited globally. There is no support for hit-counting and subsequent connection rejection per source IP; a common technique deployed to limit the impact of brute-force  hacking and distributed denial-of-service attacks.

firewalld's command syntax is similar to but more verbose than other iptables front-ends like Ubuntu's Uncomplicated Firewall (ufw). The command-line interface allows managing firewall rulesets for protocol, ports, source and destination; or predefined services by name.

Services are defined as XML files containing port- and protocol-mappings, and optionally extra information like specifying subnets and listing required Kernel helper modules. The syntax resembles that of systemd's service files. A simple service file for a web server listening on TCP port 443 might look like this:

Forward and output filtering
firewalld v0.9.0 added native support for forward and output forwarding via policy objects. This allows filtering traffic flowing between zones. Policies support most firewalld primitives available to zones: services, ports, forward-ports, masquerade, rich rules, etc.

Limitations
By default firewalld does not block outbound traffic as required by standards such as NIST 800-171 and 800-53. However, an outbound block can be added with a policy.

Graphical front-ends (GUIs)
firewall-config is a graphical front-end that is optionally included with firewalld, with support for most of its features.

firewall-applet is a small status indicator utility that is optionally included with firewalld. It can provide firewall event log notifications as well as a quick way to open firewall-config. firewall-applet was ported from the GTK+ to the Qt framework in the summer of 2015 following the GNOME Desktop’s deprecation of system tray icons.

Adoption
firewalld ships by default on the following Linux distributions:


 * CentOS 7 and newer
 * Fedora 18 and newer
 * OpenSUSE Leap 15 and newer
 * Red Hat Enterprise Linux 7 and newer
 * SUSE Linux Enterprise 15 and newer
 * EndeavourOS Apollo and newer

firewalld is enabled by default in all of these distributions. firewalld is also available as one of many firewall options in the package repository of many other popular distributions such as Debian or Ubuntu.