Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time

Build status Integration status Source status

FirewallD - A firewall daemon with D-Bus interface providing a dynamic firewall

firewalld provides a dynamically managed firewall with support for network or firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add ip*tables and ebtables rules directly.


To check out the source repository, you can use:

git clone

This will create a local copy of the repository.

The contributor code of conduct can be found in

Language Translations

Firewalld uses GNU gettext for localization support. Translations can be done using Fedora's Weblate instance. Translations are periodically merged into the main firewalld repository.


These are the runtime dependencies:

  linux >= 5.3
  python3-nftables >= 0.9.4

Note: python2 is not supported.

Optional Dependencies

These dependencies may enhance firewalld's functionality, but they are not required.

  python3-capng (libcap-ng-python3)

Working With The Source Repository

In addition to the runtime dependencies some others are needed to build from source:

  desktop-file-utils: /usr/bin/desktop-file-install
  glib2: /usr/bin/glib-compile-schemas
  glib2-devel: /usr/share/aclocal/gsettings.m4

To be able to create man pages and documentation from docbook files:


Use the usual autoconf/automake incantation to generate makefiles


You can use a specific python interpreter by passing the PYTHON variable. This is also used by the testsuite.

./configure PYTHON=/path/to/python3



to create the documentation and to update the po files.


make check

to run the testsuite. Tests are run inside network namespaces and do not interfere with the host's running firewalld. They can also be run in parallel by passing flags to autotest.

make check TESTSUITEFLAGS="-j4"

The testsuite also uses keywords to allow running a subset of tests that exercise a specific area. For example:

make check TESTSUITEFLAGS="-k rich -j4"


  24: rich rules audit                                ok
  25: rich rules priority                             ok
  26: rich rules bad                                  ok
  53: rich rules audit                                ok
  23: rich rules good                                 ok
  55: rich rules bad                                  ok
  74: remove forward-port after reload                ok

You can get a list of tests and keywords

make -C src/tests check TESTSUITEFLAGS="-l"

Or just the keywords

make -C src/tests check TESTSUITEFLAGS="-l" \
  |awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
  |tr ' ' '\n' |sort |uniq

There are integration tests. Currently this includes NetworkManager. These may be destructive to the host. Run them in a disposable VM or container.

make check-integration

There is also a check-container target that will run the testsuite inside various podman/docker containers. This is useful for coverage of multiple distributions. It also runs tests that may be destructive to the host such as integration tests.

make check-container TESTSUITEFLAGS="-j4"

OCI Container Image

As part of the dist build target an OCI container image is generated. This is distributed alongside the normal release tarball. It can be used to run firewalld from a container. The containerized firewalld will not integrate with the host (e.g. podman, libvirt, NetworkManager).

To manually load the container image into your environment:

podman load -i .../path/to/firewalld-oci-<ver>.tar

To fetch the image from

podman pull<ver>

where <ver> is optional, the latest version will be used if omitted.

To start the daemon/container:

podman run -d --network host --privileged \
              --name my-firewalld firewalld

Firewalld's configuration will live inside the container. Therefore users may want to occasionally podman commit the image.

Using firewalld's CLI should be done via podman exec after the daemon/container has been started:

podman exec my-firewalld firewall-cmd ...

Container Integration with Host

The same container image can be used to integrate with the host's running NetworkManager, podman, libvirt, etc. This requires the host to have a dbus policy for firewalld.

A dbus policy can be obtained from the firewalld source code tree at location config/FirewallD.conf.

cp config/FirewallD.conf /usr/share/dbus-1/system.d/FirewallD.conf

Once the dbus policy is in place the container could be started as such:

podman run -d -v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket \
              --network host --privileged \
              --name my-firewalld firewalld \
              firewalld --nofork --nopid

The only addition are: volume mount, explicit CMD.

The some approach can be use to store firewalld's configuration files on the host.

podman run -d -v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket \
              -v /etc/firewalld:/etc/firewalld \
              --network host --privileged \
              --name my-firewalld firewalld \
              firewalld --nofork --nopid

RPM package

For Fedora and RHEL based distributions, there is a spec file in the source repo named firewalld.spec. This should be usable for Fedora versions >= 16 and RHEL >= 7.



Report a bug:

Git repo browser:

Git repo:


Mailing lists

For usage:

For development:

Directory Structure

Directory Content
config/ Configuration files
config/icmptypes/ Predefined ICMP types
config/services/ Predefined services
config/zones/ Predefined zones
config/ipsets/ Predefined ipsets
doc/ Documentation
doc/man/ Base directory for man pages
doc/man/man1/ Man(1) pages
doc/man/man5/ Man(5) pages
po/ Translations
shell-completion/ Base directory for auto completion scripts
src/ Source tree
src/firewall/ Import tree for the service and all applications
src/icons/ Icons in the sizes: 16, 22, 24, 32, 48 and scalable
src/tests/ Testsuite