How to use firewalld on a network namespace?

I’m currently using Fedora 36.
I created a new network namespace called wireguard with the wg0 interface using these commands:

ip netns add wireguard
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 netns wireguard
ip -n wireguard addr add x.x.x.x/32 dev wg0
ip -n wireguard addr add xxxx:xxxx:xxxx:xxxx::x:xxxx/128 dev wg0
ip -n wireguard link set wg0 up
ip -n wireguard route add default dev wg0

I followed this article to set up the network namespace:

Everything works, but the article says:

Similarly to the DNS settings, you’ll also want to load separate firewall rules, since the new namespace isn’t firewalled.

I’m using firewalld as my firewall and can’t figure out how I can firewall this network namespace using it. What do I need to do?

1 Like

Thank you very much for the reply.

So if I can’t use firewalld in the namespace what would be the best way on fedora to add a custom firewall for this? I’m not knowledgeable on firewalls which is why I was hoping to use one of the firewalld preset zones.

Edit: I looked at other firewall options and found nftables and on the nftables wiki it has this Simple ruleset for a dual-stack IPv4/IPv6 workstation listed.

flush ruleset

table inet filter {
        chain input {
                 type filter hook input priority 0; policy drop;

                 # accept any localhost traffic
                 iif lo accept

                 # accept traffic originated from us
                 ct state established,related accept

                 # accept neighbour discovery otherwise IPv6 connectivity breaks
                 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept



If I run this with

sudo ip netns exec wireguard nft -f 

Would that be enough to secure the namespace while not interfering with my main firewall?

1 Like

There is a GUI for fiewalld, I this might help you better to configure it ?!

manafirewall in software if you use gnome.