Understanding Linux Firewalld

Emmanuel OyiboEmmanuel Oyibo
9 min read

A firewall acts as a security guard for your computer’s network. It monitors the information going in and out, deciding what’s allowed and not. Therefore, understanding the firewall of your Linux system is an essential part of keeping it safe.

Firewalld is a powerful Linux tool that allows you to manage your system’s firewall much easier. It doesn’t matter if you’re new to Linux, Firewalld employs a user-friendly approach and makes understanding network security a walk in the park.

In this article, we’ll break down the basics of Firewalld and show you how to use it to protect your system.

Firewalls: The basics

Firewalls, at their core, act as filters for your network traffic. They examine the data packets trying to enter or leave your system. See them like bouncers at a club –– they have a guest list (or set of rules), that determines who gets in and who stays out.

Let’s briefly examine how firewalls protect your system:

  • Blocking unwanted traffic: Firewalls can prevent malicious programs or hackers from accessing your system.

  • Controlling access: You can set rules to allow only specific types of traffic, giving you control over what application can connect to the internet.

Why Firewalld?

Before now, Linux relied on a tool called iptables for managing firewalls. Although powerful, iptables had the reputation of being too complex, especially for beginners. Firewalld came to change that.

Let’s consider a few reasons why Firewalld is the best choice:

  • User-friendly: Firewalld uses a simpler, intuitive approach to manage your firewall rules.

  • Zones: It introduces the concept of zones. This helps to easily manage security levels for different areas of your network.

Key Concepts

In Firewalld, there are several concepts you need to understand to manage your system’s firewall effectively. Let’s explore the most important ones!

Zones

Zones are a core concept in Firewalld. They allow you to define different security levels for various parts of your network. You can imagine them as virtual compartments where you establish rules for the kind of traffic that’s allowed to flow in and out.

Here is a breakdown:

  • Trust Levels: Each zone represents a specific level of trust you have in the devices and networks within that zone. For example, a “public” zone would have a very low trust level, compared to an “internal” zone containing your home devices.

  • Pre-defined Zones: Firewalld comes with several pre-configured zones to help you get started quickly. These zones include:

    • public: This zone is for networks you don’t trust, like public Wi-Fi hotspots. By default, most incoming traffic is blocked in the public zone to protect your system.

    • dmz (Demilitarized Zone): This zone is designed for servers that are directly exposed to the internet. An example is web servers. You might allow specific services (like web traffic) in the dmz , while keeping most other incoming traffic blocked for enhanced security.

    • internal: This zone is for networks within your home or workplace where you have a higher level of trust in all connected devices. The internal zone is often more permissive than public or dmz , allowing more traffic flow.

    • trusted: This zone is meant for situations where you have complete trust in all the connected devices. By default, all incoming traffic to the trusted zone is allowed.

  • Default Zone: When you kickstart the firewall, one zone is usually designated as the default. New network interfaces (like your Wi-Fi or Ethernet adapter) are typically assigned to this default zone.

  • Active Zone: Each network interface can only belong to one zone at a time. An interface can be switched between zones to adjust the security level it’s under.

  • Customizable Rules: While Firewalld’s preconfigured zones provide a good foundation, you can customize the rules within each zone to further refine your security network.

    These rules define what kind of traffic (incoming or outgoing), on what ports, and from which protocols (like TCP or UDP) are allowed or blocked.

Understanding zones is essential for you to effectively manage your firewall with Firewalld.

Services

Firewalld makes firewall management pretty easy by offering pre-defined configurations for common network services.

Let’s briefly highlight a few things you need to know:

  • Services as Applications: Think of services as the different applications or protocols that use your network to communicate. Some of the most common services include:

    • HTTP/HTTPS is used for web browsing (HTTP: regular web traffic, HTTPS: encrypted web traffic)

    • SSH is used for secure remote access and terminal sessions

    • FTP is used for file transfers

    • DHCP is used for automatic IP address assignment on networks

    • DNS is used for resolving domain names (e.g., turning www.google.com into an IP address)

  • Pre-defined Settings: Instead of dealing with complex firewall rules directly, Firewalld provides pre-built configurations for many of these services. This makes it easy to allow or deny specific services on your network.

  • Enabling and Disabling: You can enable or disable services within specific zones. Doing so allows you to control which applications are allowed to communicate based on the network and trust level you’ve assigned.

  • Customization: If a service you need isn’t included in the pre-defined list, you can still create your custom service definitions to achieve fine-grained control within Firewalld.

With this understanding of services within Firewalld, you can easily adjust your security settings to accommodate the applications you need to use.

Ports

Ports are like doorways on your computer through which specific types of network traffic can enter or leave. Learning how to use ports is essential for fine-tuning your network security with Firewalld.

Let’s briefly take a look at a few things you need to know about ports:

  • Number for Identification: Ports are identified by numbers, typically ranging from 0 to 65535. Well-known services often use standard port numbers:

    • HTTP (web traffic): Port 80

    • HTTPS (encrypted web traffic): Port 443

    • SSH (remote terminal): Port 22

  • Traffic Gateways: When an application on your system needs to send or receive network traffic, it uses a specific port number associated with the type of data it handles.

  • Filtering with Firewalld: Firewalld allows you to open or close specific ports, to control what kind of traffic can pass through. For instance, you might open port 80 to allow web traffic, but keep another port closed to block an undesirable service.

  • Temporary vs. Permanent: When working with ports in Firewalld, remember that you can make changes either temporarily (only until the next reboot or Firewalld reload) or permanently (changes persist across reboots).

Ports let you create precise rules within Firewalld. This allows only the necessary traffic for your applications while blocking potential security risks.

Controlling Your Firewall With firewall-cmd

The firewall-cmd command-line tool is your key to managing Firewalld settings. Let’s explore how to use it to view firewall rules, manage services, work with ports, and apply your changes.

Listing Firewall Rules

To get an overview of your firewall’s current configuration, you’ll want to start by listing the existing rules. Here’s how:

  • Listing All Rules: The command firewall-cmd --list-all provides a full list of rules across all zones. This output can be quite extensive. You need to pay attention to items like which network traffic is targeted (input, output), the enabled services, open ports, and any specific rules that are more complex.

  • Listing Rules for a Specific Zone: To focus on a particular zone, you can use firewall-cmd --zone=<zone_name> --list-all . Replace <zone_name> with the zone of interest, such as public or internal.

Adding and Removing Services

Firewalld makes it easy to control what applications can communicate over the network. Let’s see how to add and remove services within different zones:

  • Adding a Service Permanently: To permanently enable a service within a zone, you can use:

      $ firewall-cmd --zone=<zone_name> --add-service=<service_name> --permanent
    

    Where:

    • <zone_name> is the zone where you want to enable the service.

    • <service_name> is the service you want to enable.

For example:

    $ firewall-cmd --zone=public --add-service=http --permanent

The command above allows web traffic in the public zone.

  • Adding a Service Temporarily: To add a service temporarily means the change will be lost on reboot or reload. All you need to do is to omit the --permanent flag used in the last example:

      $ firewall-cmd --zone=zone_name --add-service=service_name
    
  • Removing Services: You can use --remove-service in the same format as above (i.e, replace --add-service with it).

Working with Ports

To get more precise control over network traffic, you’ll need to manage the ports on your system. Here’s how to open and close them with Firewalld:

  • Opening a Port Permanently: To open a port permanently, you can use the firewall-cmd command as follows:

      $ firewall-cmd --zone=<zone_name> --add-port=<port_number/protocol> --permanent
    

    In the command above, <port_number/protocol> stands for the port you want to add and its protocol (either TCP or UDP).

    For example:

      $ firewall-cmd --zone=internal --add-port=8080/tcp --permanent
    

    In the above example, the port 8080 with a TCP protocol is opened permanently.

  • Opening a Port Temporarily: As with services, remove the --permanent flag from the example above for temporary changes.

  • Closing Ports: You can use --remove-port with the same format as opening a port above.

Reloading Firewalld for Changes to Take Effect

When you make changes using firewall-cmd, you may often need to reload Firewalld for these changes to become active.

Here’s the command:

$ firewall-cmd --reload

After running this command, changes you made that were pending become active.

Managing Firewalld

Firewalld offers important settings to control how you save and apply your firewall rules. Let’s understand the difference between its two main configuration types and explore a user-friendly graphical interface option.

Permanent vs. Runtime Configuration

Firewalld works with two types of configurations to manage your firewall settings:

  • Runtime Configuration: This is the currently active set of rules your firewall is using. Any changes you make here take effect right away but are lost when you restart your system or reload Firewalld. This configuration is used for testing or making quick changes that you might not need to keep.

  • Permanent Configuration: This is the stored set of rules that Firewalld loads when it starts up. Any changes you make here will continue to be used even after restarting your system. You can use this configuration for any changes you want your firewall to use even after a restart. Adding the --permanent flag when using the firewall-cmd command makes the configuration permanent.

Graphical Interface (firewall-config)

If you find the command line a bit daunting, Firewalld offers a tool called firewall-config that lets you manage your firewall with a visual interface.

The tool provides menus and options to adjust zones, enable services, open ports, and more. Also, firewall-config is a good choice if you prefer to see your settings visually instead of typing commands.

However, the graphical interface is usually available on Linux systems that include a desktop environment.

Conclusion

Firewalld is an essential tool for keeping your Linux system safe. By learning about zones, services, ports, and how to save your settings, you’re already making your system more secure.

Security is always changing. So, it’s important to keep learning about Firewalld to make your system even stronger. You can check out the official Firewalld documentation for more details and advanced features.


Thanks for reading! If you found this article helpful (which I bet you did 😉), got a question or spotted an error/typo... do well to leave your feedback in the comment section.

And if you’re feeling generous (which I hope you are 🙂) or want to encourage me, you can put a smile on my face by getting me a cup (or thousand cups) of coffee below. :)

Also, feel free to connect with me via LinkedIn.

10
Subscribe to my newsletter

Read articles from Emmanuel Oyibo directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Emmanuel Oyibo
Emmanuel Oyibo

As a budding DevOps engineer and a detail-oriented technical writer, I tackle the ever evolving realm of system automation, deployment, and integration on a regular basis. This blog is my online space where I document my journey, share the interesting things I discover, and untangle the challenging issues I face. My mission is to break down complex technical topics and make them straightforward and engaging. Whether you're deeply involved in tech or just starting to get curious, you're welcome here in my digital nook!