Understanding Linux Firewalld
A firewall acts as a security guard for your computer’s network. It monitors the information going in and out, deciding what is allowed through and what is not. Understanding the firewall on your Linux system is therefore an essential part of keeping it safe.
Firewalld is a powerful Linux tool that lets you manage your system’s firewall much more easily. Even if you’re new to Linux, Firewalld’s user-friendly approach makes understanding network security a walk in the park.
In this article, we’ll break down the basics of Firewalld and show you how to use it to protect your system.
Firewalls: The basics
Firewalls, at their core, act as filters for your network traffic. They examine the data packets trying to enter or leave your system. Think of them as bouncers at a club: they have a guest list (or set of rules) that determines who gets in and who stays out.
Let’s briefly examine how firewalls protect your system:
Blocking unwanted traffic: Firewalls can prevent malicious programs or hackers from accessing your system.
Controlling access: You can set rules to allow only specific types of traffic, giving you control over which applications can connect to the internet.
Why Firewalld?
Before Firewalld, Linux relied on a tool called iptables for managing firewalls. Although powerful, iptables had the reputation of being too complex, especially for beginners. Firewalld came to change that.
Let’s consider a few reasons why Firewalld is the best choice:
User-friendly: Firewalld uses a simpler, intuitive approach to manage your firewall rules.
Zones: It introduces the concept of zones. This helps to easily manage security levels for different areas of your network.
Key Concepts
In Firewalld, there are several concepts you need to understand to manage your system’s firewall effectively. Let’s explore the most important ones!
Zones
Zones are a core concept in Firewalld. They allow you to define different security levels for various parts of your network. You can imagine them as virtual compartments where you establish rules for the kind of traffic that’s allowed to flow in and out.
Here is a breakdown:
Trust Levels: Each zone represents a specific level of trust you have in the devices and networks within that zone. For example, a “public” zone would have a very low trust level, compared to an “internal” zone containing your home devices.
Pre-defined Zones: Firewalld comes with several pre-configured zones to help you get started quickly. These zones include:
public: This zone is for networks you don’t trust, like public Wi-Fi hotspots. By default, most incoming traffic is blocked in the public zone to protect your system.
dmz (Demilitarized Zone): This zone is designed for servers that are directly exposed to the internet, such as web servers. You might allow specific services (like web traffic) in the dmz zone while keeping most other incoming traffic blocked for enhanced security.
internal: This zone is for networks within your home or workplace where you have a higher level of trust in all connected devices. The internal zone is often more permissive than public or dmz, allowing more traffic to flow.
trusted: This zone is meant for situations where you have complete trust in all the connected devices. By default, all incoming traffic to the trusted zone is allowed.
Default Zone: When you kickstart the firewall, one zone is usually designated as the default. New network interfaces (like your Wi-Fi or Ethernet adapter) are typically assigned to this default zone.
Active Zone: Each network interface can only belong to one zone at a time. An interface can be switched between zones to adjust the security level it’s under.
Customizable Rules: While Firewalld’s preconfigured zones provide a good foundation, you can customize the rules within each zone to further refine your network security. These rules define what kind of traffic (incoming or outgoing), on which ports, and over which protocols (like TCP or UDP) is allowed or blocked.
Understanding zones is essential for you to effectively manage your firewall with Firewalld.
Services
Firewalld makes firewall management pretty easy by offering pre-defined configurations for common network services.
Let’s briefly highlight a few things you need to know:
Services as Applications: Think of services as the different applications or protocols that use your network to communicate. Some of the most common services include:
HTTP/HTTPS is used for web browsing (HTTP: regular web traffic, HTTPS: encrypted web traffic)
SSH is used for secure remote access and terminal sessions
FTP is used for file transfers
DHCP is used for automatic IP address assignment on networks
DNS is used for resolving domain names (e.g., turning www.google.com into an IP address)
Pre-defined Settings: Instead of dealing with complex firewall rules directly, Firewalld provides pre-built configurations for many of these services. This makes it easy to allow or deny specific services on your network.
Enabling and Disabling: You can enable or disable services within specific zones. Doing so allows you to control which applications are allowed to communicate based on the network and trust level you’ve assigned.
Customization: If a service you need isn’t included in the pre-defined list, you can still create your custom service definitions to achieve fine-grained control within Firewalld.
With this understanding of services within Firewalld, you can easily adjust your security settings to accommodate the applications you need to use.
Ports
Ports are like doorways on your computer through which specific types of network traffic can enter or leave. Learning how to use ports is essential for fine-tuning your network security with Firewalld.
Let’s briefly take a look at a few things you need to know about ports:
Number for Identification: Ports are identified by numbers, ranging from 0 to 65535. Well-known services often use standard port numbers:
HTTP (web traffic): Port 80
HTTPS (encrypted web traffic): Port 443
SSH (remote terminal): Port 22
Traffic Gateways: When an application on your system needs to send or receive network traffic, it uses a specific port number associated with the type of data it handles.
Filtering with Firewalld: Firewalld allows you to open or close specific ports to control what kind of traffic can pass through. For instance, you might open port 80 to allow web traffic, but keep another port closed to block an undesirable service.
Temporary vs. Permanent: When working with ports in Firewalld, remember that you can make changes either temporarily (only until the next reboot or Firewalld reload) or permanently (changes persist across reboots).
Ports let you create precise rules within Firewalld. This allows only the necessary traffic for your applications while blocking potential security risks.
Controlling Your Firewall With firewall-cmd
The firewall-cmd command-line tool is your key to managing Firewalld settings. Let’s explore how to use it to view firewall rules, manage services, work with ports, and apply your changes.
Listing Firewall Rules
To get an overview of your firewall’s current configuration, you’ll want to start by listing the existing rules. Here’s how:
Listing All Rules: The command firewall-cmd --list-all provides a full list of rules across all zones. This output can be quite extensive. Pay attention to items like which network traffic is targeted (input, output), the enabled services, open ports, and any more complex rules.
Listing Rules for a Specific Zone: To focus on a particular zone, use firewall-cmd --zone=<zone_name> --list-all. Replace <zone_name> with the zone of interest, such as public or internal.
Adding and Removing Services
Firewalld makes it easy to control what applications can communicate over the network. Let’s see how to add and remove services within different zones:
Adding a Service Permanently: To permanently enable a service within a zone, you can use:
$ firewall-cmd --zone=<zone_name> --add-service=<service_name> --permanent
Where:
<zone_name> is the zone where you want to enable the service.
<service_name> is the service you want to enable.
For example:
$ firewall-cmd --zone=public --add-service=http --permanent
The command above allows web traffic in the public zone.
Adding a Service Temporarily: Adding a service temporarily means the change is lost on reboot or reload. All you need to do is omit the --permanent flag used in the last example:
$ firewall-cmd --zone=<zone_name> --add-service=<service_name>
Removing Services: You can use --remove-service in the same format as above (i.e., replace --add-service with it).
Working with Ports
To get more precise control over network traffic, you’ll need to manage the ports on your system. Here’s how to open and close them with Firewalld:
Opening a Port Permanently: To open a port permanently, you can use the firewall-cmd command as follows:
$ firewall-cmd --zone=<zone_name> --add-port=<port_number/protocol> --permanent
In the command above, <port_number/protocol> stands for the port you want to open and its protocol (either tcp or udp).
For example:
$ firewall-cmd --zone=internal --add-port=8080/tcp --permanent
In the above example, TCP port 8080 is opened permanently in the internal zone.
Opening a Port Temporarily: As with services, remove the --permanent flag from the example above for temporary changes.
Closing Ports: You can use --remove-port with the same format as opening a port above.
Reloading Firewalld for Changes to Take Effect
When you make changes using firewall-cmd with the --permanent flag, they are only stored; you need to reload Firewalld for these changes to become active.
Here’s the command:
$ firewall-cmd --reload
After running this command, the pending permanent changes become active. Note that a reload also drops any temporary (runtime-only) changes, so anything you want to keep must have been added with --permanent.
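As an added example (not from the original article), here is a small POSIX shell script that wraps the commands above: it validates each port/protocol spec before touching the firewall, applies every change with --permanent, and reloads once at the end. The FW_CMD variable is an assumption of this script, not a Firewalld feature; setting FW_CMD=echo gives a dry run that only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not from the original article: apply a batch of permanent
# Firewalld changes to one zone, validating port specs first and reloading
# once at the end so the permanent rules become the active (runtime) rules.
# FW_CMD is an assumption of this script: it defaults to firewall-cmd, and
# FW_CMD=echo gives a dry run that only prints the commands it would execute.

# valid_port_spec "8080/tcp" -> exit status 0 for <1-65535>/<tcp|udp>, else 1
valid_port_spec() {
    case "$1" in */*) ;; *) return 1 ;; esac
    port="${1%/*}"
    proto="${1#*/}"
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# fw_apply ZONE "service ..." "port/proto ..."
# Every change is made with --permanent, then a single --reload activates
# them all; a bad port spec aborts before any command is run.
fw_apply() {
    zone="$1"; services="$2"; ports="$3"
    fw="${FW_CMD:-firewall-cmd}"
    for spec in $ports; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    for svc in $services; do
        "$fw" --zone="$zone" --add-service="$svc" --permanent || return 1
    done
    for spec in $ports; do
        "$fw" --zone="$zone" --add-port="$spec" --permanent || return 1
    done
    "$fw" --reload
}

# Example run (dry run): allow http/https and TCP 8080 in the internal zone.
FW_CMD=echo fw_apply internal "http https" "8080/tcp"
```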
Managing Firewalld
Firewalld offers important settings to control how you save and apply your firewall rules. Let’s understand the difference between its two main configuration types and explore a user-friendly graphical interface option.
Permanent vs. Runtime Configuration
Firewalld works with two types of configurations to manage your firewall settings:
Runtime Configuration: This is the currently active set of rules your firewall is using. Any changes you make here take effect right away but are lost when you restart your system or reload Firewalld. This configuration is used for testing or making quick changes that you might not need to keep.
Permanent Configuration: This is the stored set of rules that Firewalld loads when it starts up. Any changes you make here will continue to be used even after restarting your system. You can use this configuration for any changes you want your firewall to keep across restarts. Adding the --permanent flag when using the firewall-cmd command makes the configuration permanent.
Graphical Interface (firewall-config)
If you find the command line a bit daunting, Firewalld offers a tool called firewall-config that lets you manage your firewall with a visual interface.
The tool provides menus and options to adjust zones, enable services, open ports, and more. firewall-config is a good choice if you prefer to see your settings visually instead of typing commands.
However, the graphical interface is usually available only on Linux systems that include a desktop environment.
Conclusion
Firewalld is an essential tool for keeping your Linux system safe. By learning about zones, services, ports, and how to save your settings, you’re already making your system more secure.
Security is always changing. So, it’s important to keep learning about Firewalld to make your system even stronger. You can check out the official Firewalld documentation for more details and advanced features.
Thanks for reading! If you found this article helpful (which I bet you did 😉), got a question or spotted an error/typo... do well to leave your feedback in the comment section.