Security

firewalld now uses nftables as its default backend

With this release, the nftables filtering subsystem becomes the default firewall backend for the firewalld daemon. To change the backend, use the FirewallBackend option in the /etc/firewalld/firewalld.conf file. This change introduces the following differences in behavior when using nftables:

  • iptables rules are always evaluated before firewalld rules.

    • DROP in iptables means the packet is never seen by firewalld.

    • ACCEPT in iptables means the packet is still subject to firewalld rules.

  • Direct rules are evaluated before firewalld's generic acceptance of established connections.
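The following shell helpers are an added example, not part of the release notes or of the firewalld project: they read and set the FirewallBackend option in a firewalld.conf-style file so the change can be rehearsed on a scratch copy before touching /etc/firewalld/firewalld.conf. The sample configuration content is constructed for the demonstration; only the FirewallBackend key and its two values, nftables and iptables, come from the text above.

```shell
#!/bin/sh
# Added example: inspect and change FirewallBackend in a firewalld.conf-style
# file. Works on whatever path is passed in, so it can be tried on a copy.

# Print the backend named by the last FirewallBackend= line in FILE
# (commented-out lines are ignored; leading/trailing blanks are stripped).
backend_of() {
    grep -E '^[[:space:]]*FirewallBackend[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Set FirewallBackend in FILE to VALUE. Only nftables and iptables are
# accepted (the two backends firewalld offers); anything else is rejected
# with a non-zero status and the file is left untouched. An existing key is
# rewritten in place, otherwise the key is appended.
set_backend() {
    sb_file=$1
    sb_value=$2
    case "$sb_value" in
        nftables|iptables) ;;
        *)
            echo "set_backend: unsupported backend '$sb_value'" >&2
            return 1
            ;;
    esac
    if grep -qE '^[[:space:]]*FirewallBackend[[:space:]]*=' "$sb_file"; then
        sb_tmp=$(mktemp) || return 1
        sed -E "s/^([[:space:]]*FirewallBackend[[:space:]]*=).*/\1${sb_value}/" \
            "$sb_file" > "$sb_tmp" && mv "$sb_tmp" "$sb_file"
    else
        printf 'FirewallBackend=%s\n' "$sb_value" >> "$sb_file"
    fi
}

# Demonstration on a constructed scratch file (not the real firewalld.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample resembling a firewalld.conf
DefaultZone=public
# FirewallBackend selects the filtering subsystem: nftables or iptables
FirewallBackend=iptables
EOF
echo "before: $(backend_of "$demo_conf")"   # iptables
set_backend "$demo_conf" nftables
echo "after:  $(backend_of "$demo_conf")"   # nftables
rm -f "$demo_conf"
```

After editing the real file, restart the firewalld service so the new backend takes effect. Because iptables rules are evaluated before firewalld's rules regardless of backend, a switch is also a good moment to list any rules other tools have left in iptables and confirm they do not drop traffic firewalld is expected to see.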