Introduction to Firewalld

Managing Firewalls with firewalld and firewall-cmd

Firewalls are essential for securing your Linux system from unauthorized access and potential attacks. Among the various tools available, firewalld is a powerful yet user-friendly firewall management solution designed to make configuring and managing firewalls simpler. This guide introduces firewalld and its companion tool, firewall-cmd, breaking down their features and basic usage.

What is Firewalld?

firewalld is a dynamic firewall management tool that provides a way to configure firewall rules without disrupting active connections. It’s widely used on modern Linux distributions like Fedora, Red Hat Enterprise Linux, AlmaLinux, and CentOS.

Key features of firewalld include:

  • Dynamic changes: Update firewall rules without restarting services or losing connections.
  • Zone-based configuration: Assign different levels of security to network interfaces or connections using zones.
  • Support for IPv4, IPv6, and Ethernet bridges.
  • Integration with SELinux for added security.

Understanding Zones in Firewalld

Zones are one of the core concepts of firewalld. A zone defines a set of rules that apply to network connections. Each zone represents a level of trust and can be assigned to a network interface or a source IP address.

Here are some common zones:

  • Public: Default for external networks. Trust is minimal.
  • Home: Suitable for private, trusted networks like your home Wi-Fi.
  • Internal: Similar to Home but often used for work environments.
  • Work: Trusted for work-related networks.
  • Drop: Blocks all incoming connections unless explicitly allowed.
  • Trusted: Allows all connections without filtering.

You can view the available zones by running:

firewall-cmd --get-zones

Getting Started with Firewalld

Installation and Starting Firewalld

Most distributions that support firewalld have it pre-installed. If it’s not installed, you can add it using your package manager:

sudo dnf install firewalld    # Fedora, RHEL, AlmaLinux, CentOS
sudo apt install firewalld    # Debian, Ubuntu

Start the firewalld service and enable it to run at boot:

sudo systemctl start firewalld
sudo systemctl enable firewalld

Check the status to confirm it’s running:

sudo systemctl status firewalld

Introduction to Firewall-CMD

firewall-cmd is the command-line interface for firewalld. It allows you to query, add, modify, and remove firewall rules interactively or in scripts. Changes can be temporary or permanent.

Common Firewall-CMD Commands

Checking the Active Zone

To see which zone is currently applied to your network interface:

firewall-cmd --get-active-zones

Adding Rules

For example, to allow HTTP traffic (port 80) in the public zone:

sudo firewall-cmd --zone=public --add-service=http

To write the rule to the permanent configuration so it survives a reboot (note that --permanent changes the saved configuration only; they become active after the next reload, as shown in the SSH example below):

sudo firewall-cmd --zone=public --add-service=http --permanent

Removing Rules

To remove a rule, simply replace --add-service with --remove-service:

sudo firewall-cmd --zone=public --remove-service=http --permanent

Listing Current Rules

To view all rules in the active zone:

firewall-cmd --list-all

Practical Example: Allowing SSH

By default, firewalld allows SSH traffic. However, if you find it blocked, you can re-enable it easily.

  1. Check the current services allowed in your active zone:

    firewall-cmd --list-services

  2. If ssh is missing, add it:

    sudo firewall-cmd --zone=public --add-service=ssh --permanent

  3. Reload the firewall to apply changes:

    sudo firewall-cmd --reload

Managing Ports Directly

Instead of using predefined services, you can also open specific ports. For example, to open port 8080:

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

Similarly, remove it with:

sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent

Advanced Configuration

Rich Rules

For more complex configurations, firewalld supports rich rules. These allow fine-grained control over conditions and actions. For example, to allow SSH traffic from a specific IP address (a single host, so no /24 network prefix):

sudo firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 source address=192.168.1.10 service name=ssh accept" --permanent
sudo firewall-cmd --reload
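The following is an added example, not part of the original article or of firewalld itself: a small POSIX sh helper that validates a source host or network, builds the rich rule string from it, and applies it to a zone's permanent configuration followed by a reload. The function names and the sample addresses (192.168.1.10, 192.168.1.0/24, 2001:db8::10) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: build and apply a firewalld rich rule that admits a service
# from one source host or network. Assumes POSIX sh; firewall-cmd is only
# needed on the host where apply_rich_rule is actually run.

# Print a rich rule allowing service $2 (default ssh) from source $1.
# $1 is a bare IPv4/IPv6 address or a CIDR prefix. Returns 1 on bad input so a
# typo cannot silently turn into a wider-than-intended allow rule.
build_rich_rule() {
    src=$1
    svc=${2:-ssh}
    case $src in
        *:*) family=ipv6 ;;        # any colon means IPv6
        *)   family=ipv4 ;;
    esac
    addr=${src%%/*}                # address part
    prefix=${src#"$addr"}          # empty, or "/NN"
    if [ "$family" = ipv4 ]; then
        # exactly four dotted octets, each 0-255
        echo "$addr" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$' || return 1
        maxp=32
    else
        # shape check only: hex digits and colons
        echo "$addr" | grep -Eq '^[0-9A-Fa-f:]+$' || return 1
        maxp=128
    fi
    if [ -n "$prefix" ]; then
        p=${prefix#/}
        case $p in ''|*[!0-9]*) return 1 ;; esac   # prefix must be digits
        [ "$p" -le "$maxp" ] || return 1
    fi
    printf 'rule family="%s" source address="%s" service name="%s" accept\n' \
        "$family" "$src" "$svc"
}

# Add the rule to the permanent config of zone $1 and reload so it is live.
apply_rich_rule() {
    zone=$1
    rule=$(build_rich_rule "$2" "$3") || { echo "rejected source: $2" >&2; return 1; }
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" &&
        firewall-cmd --reload
}

# Usage on a real host: only 192.168.1.10 may reach SSH in the public zone.
# apply_rich_rule public 192.168.1.10 ssh
```

The rich rule narrows access only if the zone does not also allow the service outright; if ssh is still in the zone's service list, remove it with --remove-service=ssh (shown earlier) so that the "only from" intent actually holds.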

Using the GUI

Some distributions offer firewalld GUIs like firewall-config, which provide a user-friendly way to manage zones and rules. Install it with:

sudo dnf install firewall-config    # Fedora, RHEL
sudo apt install firewall-config    # Debian, Ubuntu

Summary

firewalld is an IP-level (packet-filtering) firewall: it filters traffic based on IP addresses, ports, and protocols. This is distinct from application-level firewalls, which analyze traffic at the application layer to provide deeper inspection.

If you’re interested in understanding how IP-level firewalls compare to application-level firewalls, check out Application-Level Firewalls.

By leveraging zones and dynamic rule updates, firewalld simplifies the process of managing and securing your Linux system. Whether you are configuring basic rules or advanced setups, firewalld and firewall-cmd offer a versatile toolkit for enhancing your network’s security.

For more details, check the official documentation: Firewalld Documentation.
