From RHEL 7.0 to RHEL 7.2, Firewalld didn’t really evolve (v0.3.9.7 -> v0.3.9.14): it was mainly a matter of bug fixes.
As usual with Red Hat (Systemd already showed it), new Firewalld features arrive because of backport difficulties: as new bugs are found, fixes are applied, but at some point this becomes too hard to maintain, an upgrade to a completely new software version becomes necessary, and a new set of features comes along as a bonus.
The new version of Firewalld (v0.4.3.2) included in RHEL 7.3 comes with the following features:
- performance improvements: Firewalld starts and restarts significantly faster thanks to the new transaction model which groups together rules that are applied simultaneously.
- ebtables support: ebtables, tables of rules similar to iptables but operating on Ethernet frames, are now supported and can be used in direct chains and rules.
- better zone management: zone settings (connections, interfaces and sources) can be specified in NetworkManager, in Firewalld or in the ifcfg files.
- ipset support: ability to create a set of IP addresses or networks used as zone sources, within rich and direct rules.
- MAC address management: ability to specify a MAC address to define a source.
- new firewall-cmd options: --info-zone displays details about a given zone, --info-service about a given service and --info-ipset about a given ipset.
- easier troubleshooting: with the new LogDenied directive in the /etc/firewalld/firewalld.conf file, the user can easily debug and log denied packets.
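The following script is an added example, not part of the original post, that ties the ipset and LogDenied features together: it blocks an ipset of networks through the drop zone, enables LogDenied, and then summarises what the kernel logged. The ipset name blocklist, the sample addresses, the --set-log-denied/--new-ipset/--add-source option names and the "FINAL_REJECT:" log prefix are assumptions; only --info-ipset comes from the post.

```shell
#!/bin/sh
# Configuration side (RHEL 7.3 firewall-cmd): only runs when FIREWALL_APPLY=1,
# so the script can be executed safely on a machine without firewalld.
# Assumed option names: --set-log-denied, --new-ipset, --ipset/--add-entry,
# --add-source=ipset:<name>; --info-ipset is the option the post mentions.
configure_deny_logging() {
    firewall-cmd --set-log-denied=all                                # log every denied packet
    firewall-cmd --permanent --new-ipset=blocklist --type=hash:net   # ipset of networks
    firewall-cmd --permanent --ipset=blocklist --add-entry=203.0.113.0/24
    firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist  # ipset as zone source
    firewall-cmd --reload
    firewall-cmd --info-ipset=blocklist
}
if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    configure_deny_logging
fi

# Troubleshooting side: count denied packets per source address and
# destination port from kernel log lines. Assumes firewalld's final
# reject rule logs with the prefix "FINAL_REJECT:".
deny_summary() {
    awk '/FINAL_REJECT:/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src != "") count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Constructed sample of what "journalctl -k" shows once LogDenied is on
# (addresses are documentation ranges; the last line is unrelated noise).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 12 10:01:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 SYN
Nov 12 10:01:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 SYN
Nov 12 10:01:09 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=9 DF PROTO=TCP SPT=40000 DPT=3389 SYN
Nov 12 10:01:10 host kernel: eth0: link is up
EOF

deny_summary "$SAMPLE_LOG"
```

On a live host, feed `journalctl -k` output to `deny_summary` instead of the constructed sample.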
As usual, the Firewalld dedicated page has been updated with the new available features and lots of details.