Linux firewall using firewalld

SAKET KUMAR

Introduction

Firewalls are an essential component of network security, especially in Linux-based systems. In this guide, we will explore how to set up and configure firewalld, a powerful and flexible firewall management tool that is the default in many Linux distributions, including CentOS, Fedora, and RHEL. By the end of this guide, you'll have a solid understanding of how to use firewalld to protect your system from unwanted network traffic.


What is firewalld?

Firewalld is a front-end management tool for iptables, which is used to configure and manage the firewall on Linux-based systems. It provides an easier-to-use interface for managing firewall rules, zones, and services. Unlike raw iptables, where rules are written one at a time, firewalld is built around the concept of zones, allowing users to define different levels of trust for network connections.

Key Features of firewalld:

  • Dynamic management: Changes take effect immediately without restarting the firewall.

  • Zones: Predefined sets of rules that apply based on the level of trust for different networks.

  • Services: Pre-configured services like HTTP, SSH, etc., can be enabled or disabled with simple commands.

  • IPv4 & IPv6 support: Works for both IPv4 and IPv6 networks.


Installing firewalld

Before using firewalld, you need to ensure it’s installed on your system. Most modern Linux distributions come with it pre-installed. To check if it's already installed, use:

firewall-cmd --state

If firewalld is not installed, you can install it using your package manager. Here are commands for a few common Linux distros:

For Ubuntu/Debian:

sudo apt-get install firewalld

For CentOS/RHEL:

sudo yum install firewalld

For Fedora:

sudo dnf install firewalld

Once installed, enable and start the firewalld service:

sudo systemctl enable firewalld
sudo systemctl start firewalld

Understanding Zones in firewalld

A zone in firewalld is a collection of rules that define the level of trust for network connections. For example, the “home” zone might be used for trusted local networks, while the “public” zone might be used for untrusted networks. You can assign different interfaces (e.g., eth0, wlan0) to different zones to control the level of access.

Here are some common firewalld zones:

  • drop: Only allows outgoing traffic; all incoming traffic is dropped.

  • block: Similar to drop but replies with an ICMP unreachable message.

  • public: For use in untrusted networks; only selected services are allowed.

  • home: For trusted local networks, more services can be allowed.

  • internal: A zone for trusted internal networks.

To view your current zones, run:

sudo firewall-cmd --get-zones

To view the active zone:

sudo firewall-cmd --get-active-zones

Basic firewalld Commands

Let's dive into some of the basic firewalld commands you'll need to get started.

1. Check firewalld status:

sudo firewall-cmd --state

2. View the full configuration (services, ports, rules) of the default zone; add --zone=NAME for another zone:

sudo firewall-cmd --list-all

3. Add a service to a zone:

For example, to allow SSH (port 22) through the public zone:

sudo firewall-cmd --zone=public --add-service=ssh

4. Remove a service from a zone:

sudo firewall-cmd --zone=public --remove-service=ssh

5. Allow a port through the firewall:

To allow incoming traffic on port 8080:

sudo firewall-cmd --zone=public --add-port=8080/tcp

6. Permanent changes:

To make changes persistent across reboots, use the --permanent flag:

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

After making permanent changes, you need to reload the firewall for them to take effect:

sudo firewall-cmd --reload
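As an added example (not from the original post), the following POSIX shell function applies the permanent-then-reload pattern above to a whole list of services and ports, skipping entries already present in the saved configuration and reloading only once at the end. It assumes firewall-cmd is on the PATH and the script runs as root (set FWCMD="sudo firewall-cmd" otherwise); fw_ensure and its service:/port: item syntax are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): make a zone's permanent
# configuration contain a given set of services/ports, then reload once.
# Run as root, or set FWCMD="sudo firewall-cmd" before calling fw_ensure.
FWCMD="${FWCMD:-firewall-cmd}"

# fw_ensure ZONE ITEM...   where ITEM is service:NAME or port:NUMBER/PROTO
# Adds each missing item to the permanent configuration and reloads only
# if something was added. Returns 0 on success, 1 on a firewall-cmd error,
# 2 on a malformed item.
fw_ensure() {
    zone="$1"; shift
    changed=0
    for item in "$@"; do
        kind="${item%%:*}"; value="${item#*:}"
        case "$kind" in
            service) q="--query-service"; a="--add-service" ;;
            port)    q="--query-port";    a="--add-port" ;;
            *) echo "fw_ensure: unknown item '$item' (use service:NAME or port:N/PROTO)" >&2
               return 2 ;;
        esac
        # --permanent --query-* inspects the saved config, not the running one
        if "$FWCMD" --permanent --zone="$zone" "$q=$value" >/dev/null 2>&1; then
            continue
        fi
        "$FWCMD" --permanent --zone="$zone" "$a=$value" || return 1
        changed=1
    done
    # --reload replaces the running config with the permanent one (and drops
    # any runtime-only changes), so only reload when something was added
    if [ "$changed" -eq 1 ]; then
        "$FWCMD" --reload || return 1
    fi
    return 0
}

# Example usage: fw_ensure public service:ssh service:http port:8080/tcp
```

Note that --reload replaces the running configuration with the permanent one, so any additions made earlier without --permanent are lost at that point.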

Managing Services and Ports

Firewalld allows you to configure access to predefined services and custom ports easily.

Managing Services:

Services are predefined configurations for common services like HTTP, FTP, and SSH. You can list all available services:

sudo firewall-cmd --get-services

To add a service to a zone:

sudo firewall-cmd --zone=public --add-service=http

Opening Specific Ports:

If a service isn’t available by default, you can open specific ports:

sudo firewall-cmd --zone=public --add-port=8080/tcp

To make this permanent:

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

To block incoming ICMP traffic:

With ICMP block inversion enabled, the host no longer answers pings:

firewall-cmd --add-icmp-block-inversion

To forward one port to another:

The following command forwards incoming TCP port 80 to port 8080; it is a permanent rule, so reload afterwards:

firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

To create a new zone:

The following command creates a new zone named myoffice (permanent, so reload afterwards):

firewall-cmd --permanent --new-zone=myoffice

To assign an interface to a zone:

To move the network interface eth0 into the public zone:

firewall-cmd --zone=public --change-interface=eth0

Advanced firewalld Configuration

While basic firewalld management is simple, you can also configure more advanced features, such as rich rules and direct rules.

Rich Rules:

Rich rules offer more flexibility for complex configurations. For example, you can allow connections from a specific IP address:

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept'

This allows connections from the IP address 192.168.1.100 to pass through the firewall.

Direct Rules:

Direct rules allow you to bypass firewalld's abstraction and add raw iptables rules:

sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 192.168.1.100 -j ACCEPT

Troubleshooting and Logs

If something isn't working as expected, firewalld provides useful logging for troubleshooting.

To log all denied packets (both rejected and dropped), use:

sudo firewall-cmd --set-log-denied=all

Logs can be found in /var/log/messages or /var/log/firewalld depending on your distribution.
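As an added example (not from the original post), this shell snippet summarises which sources are being denied, and on which ports, from kernel log lines produced after --set-log-denied=all. The log lines embedded in make_sample_log are constructed samples in the netfilter log format firewalld uses (prefixes FINAL_REJECT, FINAL_DROP and STATE_INVALID_DROP); denied_summary is this example's own helper, and on a real system you would point it at /var/log/messages or at the output of journalctl -k.

```shell
#!/bin/sh
# Added example (not from the original post). Summarises denied packets logged
# by firewalld after --set-log-denied=all. Such lines carry a netfilter LOG
# prefix (FINAL_REJECT, FINAL_DROP, STATE_INVALID_DROP) followed by key=value fields.

# denied_summary FILE
# Prints one line per (source address, destination port/protocol) as
#   "<count> <src> <dport>/<proto>", highest count first.
denied_summary() {
    grep -E 'FINAL_(REJECT|DROP)|STATE_INVALID_DROP' "$1" |
    awk '{
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        # ICMP entries have no DPT field; mark the port as "-"
        if (src != "") count[src " " (dpt == "" ? "-" : dpt) "/" proto]++
    }
    END { for (k in count) print count[k], k }' |
    LC_ALL=C sort -k1,1nr -k2
}

# make_sample_log FILE: writes constructed sample lines (RFC 5737 test addresses)
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:04 host kernel: FINAL_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=61 ID=4 PROTO=UDP SPT=40000 DPT=161 LEN=58
Mar  1 10:00:05 host kernel: eth0: link becomes ready
Mar  1 10:00:06 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
EOF
}

# Usage: make_sample_log /tmp/denied.log && denied_summary /tmp/denied.log
```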


Conclusion

Firewalld is a powerful and user-friendly tool for managing firewalls on Linux systems. It’s ideal for users who prefer simplicity over raw iptables management while maintaining flexibility. With its zone-based configuration and support for dynamic changes, firewalld makes managing your Linux firewall a breeze.

By following this guide, you should now have a basic understanding of how to install, configure, and manage firewalld on your Linux system. As you get more comfortable, you can explore advanced features like rich and direct rules for more granular control over your network security.
