Security
firewalld now uses nftables as its default backend
With this release, the nftables
filtering subsystem becomes the default firewall backend for the firewalld
daemon.
To change the backend, use the FirewallBackend
option in the /etc/firewalld/firewalld.conf
file.
This change introduces the following differences in behavior when using nftables
:
-
iptables
rule executions always occur beforefirewalld
rules.-
DROP
iniptables
means a packet is never seen byfirewalld
. -
ACCEPT
iniptables
means a packet is still subject tofirewalld
rules.
-
-
Direct-rule execution occurs before
firewalld
generic acceptance of established connections.
For more information, see https://firewalld.org/2018/07/nftables-backend and https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables.
Want to help? Learn how to contribute to Fedora Docs ›