Security
firewalld now uses nftables as its default backend
With this release, the nftables filtering subsystem becomes the default firewall backend for the firewalld daemon. To change the backend, use the FirewallBackend option in the /etc/firewalld/firewalld.conf file. This change introduces the following differences in behavior when using nftables:
- iptables rule executions always occur before firewalld rules.
  - DROP in iptables means a packet is never seen by firewalld.
  - ACCEPT in iptables means a packet is still subject to firewalld rules.
- Direct-rule execution occurs before firewalld generic acceptance of established connections.
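As an added example (not part of firewalld or the Fedora documentation), the shell helpers below report the backend set in a firewalld.conf-style file and list the chain policies and rules in iptables-save output that DROP packets, since such packets are never seen by firewalld. The function names, the constructed sample ruleset, and the fallback to nftables when the key is absent are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit helpers, not shipped with firewalld.

# Print the backend named by FirewallBackend in a firewalld.conf-style file.
# Commented-out lines are ignored; the last active assignment wins.
# Assumption: an absent key means the default described above (nftables).
firewall_backend() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    val=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-nftables}"
}

# Read iptables-save output on stdin and print every chain policy and rule
# that DROPs. Packets matched here never reach firewalld's rules.
iptables_drops() {
    awk '
        /^\*/ { table = substr($0, 2); next }            # "*filter" starts a table
        /^:/  { if ($2 == "DROP")                        # ":INPUT DROP [0:0]"
                    print table ": policy DROP on " substr($1, 2)
                next }
        /^-A/ { for (i = 1; i < NF; i++)                 # "-A INPUT ... -j DROP"
                    if ($i == "-j" && $(i + 1) == "DROP") { print table ": " $0; break } }
    '
}

# Constructed sample of iptables-save output (not captured from a real host).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP
COMMIT
EOF
}

# Demo on the constructed sample; on a live host use: iptables-save | iptables_drops
sample_rules | iptables_drops
```

Any line this prints identifies traffic that is dropped before firewalld zones or rich rules are consulted, while the ACCEPT rule in the sample is not reported because accepted packets are still subject to firewalld rules.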
For more information, see https://firewalld.org/2018/07/nftables-backend and https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables.