source: archive/firewalld.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY firewalld-download-http "https://github.com/firewalld/firewalld/releases/download/v&firewalld-version;/firewalld-&firewalld-version;.tar.gz">
  <!ENTITY firewalld-download-ftp  " ">
  <!ENTITY firewalld-md5sum        "644a8970b43fcf875178ae3bec640db4">
  <!ENTITY firewalld-size          "1.6 MB">
  <!ENTITY firewalld-buildsize     "19 MB (additionall 2 MB for tests)">
  <!ENTITY firewalld-time          "less than 0.1 SBU (add 6.2 SBU for tests)">
]>

<sect1 id="firewalld" xreflabel="firewalld-&firewalld-version;">
  <?dbhtml filename="firewalld.html"?>


  <title>firewalld-&firewalld-version;</title>

  <indexterm zone="firewalld">
    <primary sortas="a-firewalld">firewalld</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to firewalld</title>

    <para>
      The <application>firewalld</application> package provides a dynamically
      managed firewall with support for network or firewall zones to define the
      trust level of network connections or interfaces. It has support for
      IPv4, IPv6 firewall settings and for ethernet bridges and a separation of
      runtime and permanent configuration options. It also provides an
      interface for services or applications to add nftables or iptables and
      ebtables rules directly.
    </para>

    &lfs90_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&firewalld-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&firewalld-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &firewalld-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &firewalld-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &firewalld-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &firewalld-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">firewalld Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="nftables"/>,
      and <xref linkend="python-slip"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="DocBook"/>,
      <xref linkend="iptables"/>, and
      <xref linkend="libxslt"/> (for building the manual pages)
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="gtk3" role="runtime"/> (runtime only, required for
      <application>fireall-config</application>),
      <xref linkend="qt5" role="runtime"/> (runtime only, required for 
      <application>fireall-applet</application>), and
      <ulink url="https://netfilter.org/projects/ipset/index.html">ipset</ulink>
      for ipset support (only when used with iptables)
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/firewalld"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of firewalld</title>

    <para>
      Install <application>firewalld</application> by
      running the following commands:
    </para>

<screen revision="systemd"><userinput>PYTHON=/usr/bin/python3           \
    ./configure --sysconfdir=/etc \
                --without-ipset   &amp;&amp;
make</userinput></screen>

<screen revision="sysv"><userinput>PYTHON=/usr/bin/python3           \
    ./configure --sysconfdir=/etc \
                --without-ipset   \
                --disable-systemd &amp;&amp;
make</userinput></screen>

    <para>
      The testsuite for <application>firewalld</application> is very dependent
      on the running kernel and system configuration. It requires
      <application>ipset</application> as well as both backends, and all
      supported kernel options available.
    </para>

    <para>
      If the above conditions are met, run the testsuite as the
      <systemitem class="username">root</systemitem> user with the command
      <command>make -C src check</command>. Any test failures are likely the
      result of an incomplete configuration. Failed tests will give a detailed
      failure status at
      <filename>src/test/testsuite.dir/&lt;###&gt;/testsuite.log</filename>.
    </para>

    <para revision="sysv">
      Prevent installation of the distributed firewalld init script with the
      following command:
    </para>

<screen revision="sysv"><userinput>sed '/^am__append_3/,+1d' -i config/Makefile</userinput></screen>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--without-ipset</parameter>: This switch disables use of the
      <command>ipset</command> utility. Omit if it is installed.
    </para>

    <para revision="sysv">
      <parameter>--disable-systemd</parameter>: This command prevents
      installation of <application>systemd</application> services.
    </para>

    <para>
      <option>--without-{ip{,6},eb}tables{,-restore}</option>: These switches
      disable <application>iptables</application> support and are required if
      you wish to build without iptables support.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring firewalld</title>

    <sect3 id="firewalld-conf">
      <title>Config Files</title>

      <para>
        <filename>/etc/firewall/applet.conf</filename>,
        <filename>/etc/firewalld/firewalld.conf</filename>,
        and <filename>/etc/sysconfig/firewalld</filename>
      </para>

      <indexterm zone="firewalld firewalld-conf">
        <primary sortas="e-etc-firewalld.conf">/etc/firewalld/firewalld.conf</primary>
      </indexterm>

      <para>
        Configuration of <application>firewalld</application> is generally done
        without modification of the above configuration files using the
        <command>firewall-cmd</command> command. Within the above configuration
        files you can set daemon behavior only. E.g.: whether runtime rules are
        retained on restart, which firewall backend to use (default is
        nftables), or whether to turn on debugging.
      </para>

      <para>
        Detailed documentation is provided by the
        <application>firewalld</application> developers at
        <ulink url="https://firewalld.org/documentation/"/>.
      </para>

    </sect3>

    <sect3 id="firewalld-init">
      <title><phrase revision="sysv">Init Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        If you need to run the <command>firewalld</command> daemon at system
        startup, install the <filename>/etc/rc.d/init.d/firewalld</filename>
        init script included in the
        <xref linkend="bootscripts"/> package using the following command:
      </para>

      <para revision="systemd">
        If you need to run the <command>firewalld</command> daemon at system
        startup, enable the previously installed
        <filename>firewalld.service</filename> unit with the following command:
      </para>

      <indexterm zone="firewalld firewalld-init">
        <primary sortas="f-firewalld">firewalld</primary>
      </indexterm>

<screen role="root" revision="sysv"><userinput>make install-firewalld</userinput></screen>

<screen role="root" revision="systemd"><userinput>systemctl enable firewalld</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          firewall-applet, firewall-cmd, firewall-config, firewall-offline-cmd,
          and firewalld
        </seg>
        <seg>
          None
        </seg>
        <seg>
          /etc/firewalld,
          /etc/firewall,
          /usr/lib/firewalld, and
          /usr/lib/python-&python3-version;/site-packages/firewall
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="firewall-applet">
        <term><command>firewall-applet</command></term>
        <listitem>
          <para>
            is a tray applet using QSettings backend.
          </para>
          <indexterm zone="firewalld firewall-applet">
            <primary sortas="b-firewall-applet">firwall-applet</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="firewall-cmd">
        <term><command>firewall-cmd</command></term>
        <listitem>
          <para>
            is the primary command line frontend.
          </para>
          <indexterm zone="firewalld firewall-cmd">
            <primary sortas="b-firewall-cmd">firewall-cmd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="firewall-config">
        <term><command>firewall-config</command></term>
        <listitem>
          <para>
            is a GUI configuration tool using GTK+-3.
          </para>
          <indexterm zone="firewalld firewall-config">
            <primary sortas="b-firewall-config">firewall-config</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="firewall-offline-cmd">
        <term><command>firewall-offline-cmd</command></term>
        <listitem>
          <para>
            is a command line client used for permanent configuration while
            firewalld is not running.
          </para>
          <indexterm zone="firewalld firewall-offline-cmd">
            <primary sortas="b-firewall-offline-cmd">firewall-offline-cmd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="firewalld-daemon">
        <term><command>firewalld</command></term>
        <listitem>
          <para>
            is the Dynamic Firewall Manager daemon.
          </para>
          <indexterm zone="firewalld firewalld-daemon">
            <primary sortas="b-firewalld">firewalld</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>