
Firewalld is a dynamic firewall management daemon for Linux. It offers a simpler way to configure a host firewall than writing iptables or nftables rules by hand, organises rules around zones of trust, and lets you change the running ruleset without flushing it. Firewalld is installed and enabled by default on Fedora, CentOS Stream, Red Hat Enterprise Linux and several other distributions. This guide introduces Firewalld, its key concepts, and how to use it effectively.

What is Firewalld?

Firewalld is a front end for the kernel packet filter: current releases program nftables directly, and older ones generate iptables rules. With those tools on their own you write and order every rule yourself; Firewalld lets you create, modify and remove rules dynamically at the level of zones, services and ports, and applies each change to the live ruleset over D-Bus without restarting the service or flushing the existing rules, so established connections are not interrupted.

Key Concepts in Firewalld

Before diving into how to use Firewalld, it’s essential to understand some key concepts that form the basis of its operation.

1. Zones

Zones are the central concept in Firewalld: each zone represents a level of trust and carries its own set of rules (services, ports, rich rules and a default target for everything else). Each network interface, and optionally each source address range, is bound to exactly one zone. Incoming traffic is classified first by its source address, then by the interface it arrived on, and otherwise lands in the default zone.

Firewalld includes several predefined zones, such as:

  • Public: For use in public places such as airports and cafes, where you do not trust the other hosts on the network. Only selected incoming connections (typically ssh and dhcpv6-client) are accepted. This is the default zone on most distributions.
  • Home and Work: For trusted home or office networks. Still only selected incoming connections are accepted, but the default service list is wider (home, for example, also allows mdns and samba-client).
  • Internal: For internal networks where you mostly trust the other hosts; functionally similar to Home and Work.
  • External: For the outward-facing interface of a router; masquerading (NAT) is enabled so hosts behind it can reach the outside.
  • DMZ: For hosts in a demilitarised zone that are reachable from the outside but have only limited access inward.
  • Trusted: All incoming connections are accepted. Use it only for networks you trust completely.
  • Block: Incoming connections are rejected with an ICMP error (icmp-host-prohibited for IPv4, icmp6-adm-prohibited for IPv6), so the sender learns that the host exists but refuses the traffic.
  • Drop: Incoming packets are silently discarded with no reply at all. Outgoing connections are still allowed, as in every zone.

You can also create custom zones based on your specific requirements.

2. Services

Services in Firewalld are named bundles of ports, protocols and, where needed, connection-tracking helper modules for a particular network service such as HTTP, FTP or SSH. The definitions are XML files shipped under /usr/lib/firewalld/services, which you can override or extend with your own files in /etc/firewalld/services. Instead of opening ports by hand, you enable or disable a service in a zone with a single command. Allowing a service only opens the ports in its definition; it says nothing about whether the daemon behind them is configured securely.

3. Rich Rules

Rich rules are Firewalld's more expressive rule language for cases that the zone, service and port options cannot express. A rich rule can match on address family, source and destination address, service, port, protocol or ICMP type, can log or audit matches with a rate limit, and ends in an action (accept, reject, drop or mark) or in a masquerade or port-forwarding directive. They belong to a zone, just like services and ports, and are the usual way to allow a service only from particular addresses or to log connection attempts.
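As an added example that is not part of the original article, the script below composes rich rules from validated parameters and uses them to allow a service only from a management subnet while logging attempts from anywhere else. The names FW_CMD, rich_rule and restrict_service are chosen here; the rich-rule syntax itself is firewalld's own. The log-only rule relies on the zone's default target rejecting whatever no rule accepts, which holds for public, work, home, internal, dmz and external but not for trusted. The changes are runtime-only until you commit them.

```shell
#!/usr/bin/env bash
# Added example: build firewalld rich rules from validated inputs and use them to
# allow a service only from a management subnet. FW_CMD, rich_rule and
# restrict_service are names chosen for this example. Set FW_CMD=echo to print
# the firewall-cmd invocations instead of applying them.
set -u
: "${FW_CMD:=firewall-cmd}"

# rich_rule FAMILY SOURCE SERVICE ACTION [LOG_PREFIX]
#   FAMILY  ipv4 or ipv6
#   SOURCE  address or CIDR; a leading "!" inverts the match (everything except SOURCE)
#   ACTION  accept, reject, drop, or "log" for a log-only rule with no verdict
# Prints the rule text on stdout, e.g.
#   rule family="ipv4" source address="10.0.0.0/24" service name="ssh" accept
rich_rule() {
    local family=$1 source=$2 svc=$3 action=$4 prefix=${5:-} invert="" level=info rule v
    case "$family" in ipv4|ipv6) ;; *) echo "rich_rule: bad family '$family'" >&2; return 1 ;; esac
    case "$action" in accept|reject|drop|log) ;; *) echo "rich_rule: bad action '$action'" >&2; return 1 ;; esac
    case "$source" in "!"*) invert=' invert="True"'; source=${source#"!"} ;; esac
    # A quote or whitespace inside a value would close the attribute early and let
    # the caller smuggle extra clauses into the rule, so refuse them outright.
    for v in "$source" "$svc" "$prefix"; do
        case "$v" in *\"*|*[[:space:]]*) echo "rich_rule: invalid characters in '$v'" >&2; return 1 ;; esac
    done
    [ -n "$source" ] && [ -n "$svc" ] || { echo "rich_rule: source and service are required" >&2; return 1; }
    rule="rule family=\"$family\" source address=\"$source\"$invert service name=\"$svc\""
    if [ "$action" = log ] || [ -n "$prefix" ]; then
        # Log-only rules mark denied traffic (warning); logs on an accept are informational.
        # The limit keeps a port scan from flooding the journal.
        if [ "$action" = log ]; then level=warning; fi
        rule="$rule log prefix=\"${prefix:-$svc}\" level=\"$level\" limit value=\"3/m\""
    fi
    if [ "$action" != log ]; then rule="$rule $action"; fi
    echo "$rule"
}

# restrict_service ZONE SERVICE CIDR: allow SERVICE in ZONE only from CIDR (IPv4)
# and log attempts from anywhere else. Runtime only; persist afterwards with
#   firewall-cmd --runtime-to-permanent
restrict_service() {
    local zone=$1 svc=$2 cidr=$3 allow deny
    allow=$(rich_rule ipv4 "$cidr" "$svc" accept) || return 1
    deny=$(rich_rule ipv4 "!$cidr" "$svc" log "$svc-denied") || return 1
    # The plain service entry would accept the service from every source, so remove it.
    "$FW_CMD" --zone="$zone" --remove-service="$svc"
    "$FW_CMD" --zone="$zone" --add-rich-rule="$allow"
    # Everything outside CIDR is logged here and then rejected by the zone's default target.
    "$FW_CMD" --zone="$zone" --add-rich-rule="$deny"
}

# Usage: ./restrict.sh public ssh 10.0.0.0/24
if [ "$#" -eq 3 ]; then
    restrict_service "$@"
fi
```

Run it once with FW_CMD=echo to review the three calls it will make, then without it; confirm with firewall-cmd --zone=public --list-rich-rules and commit with --runtime-to-permanent only after you have verified from the management subnet that you can still log in.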

4. Runtime vs. Permanent Configuration

Firewalld keeps two configurations: the runtime configuration, which is what the kernel is enforcing right now, and the permanent configuration, which is what Firewalld loads at start-up and on every reload. A change made without --permanent takes effect immediately but is lost at the next reload or reboot; a change made with --permanent is written to disk but does nothing to the running firewall until the next reload.

  • Runtime Configuration: Immediate, but temporary; discarded by firewall-cmd --reload or a restart.
  • Permanent Configuration: Persistent, but only applied by firewall-cmd --reload or a reboot.

This separation lets you test a change on the live firewall first and then either commit the whole runtime state with firewall-cmd --runtime-to-permanent or throw it away with firewall-cmd --reload. When you make a change with --permanent, reload afterwards (or issue the same command once more without --permanent), or the rule you believe you added will not be active.
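As an added example of the test-then-commit workflow (not code from the original article), the script below applies a change to the runtime set, waits for an operator to confirm from a second session that the host is still reachable, and only then runs firewall-cmd --runtime-to-permanent; if no confirmation arrives, firewall-cmd --reload rebuilds the ruleset from the permanent configuration and the change disappears. FW_CMD, try_change, confirm_or_rollback and the marker file /run/firewalld-confirm are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: apply a firewalld change to the runtime set only, then commit it
# with --runtime-to-permanent once an operator confirms the host is still
# reachable, or roll it back with --reload if no confirmation arrives in time.
# FW_CMD, try_change, confirm_or_rollback and /run/firewalld-confirm are names
# chosen for this example. Set FW_CMD=echo to dry-run.
set -u
: "${FW_CMD:=firewall-cmd}"

# try_change ZONE OPTION...: apply OPTION... (for example --add-service=http or
# --remove-service=cockpit) to ZONE in the runtime set. Nothing is written to disk.
try_change() {
    local zone=$1; shift
    "$FW_CMD" --zone="$zone" "$@"
}

# confirm_or_rollback TIMEOUT CHECK...: run CHECK... once a second for up to
# TIMEOUT seconds. The first success commits the whole runtime set (including
# any other uncommitted runtime changes) to the permanent configuration and
# returns 0. If CHECK never succeeds, --reload rebuilds the ruleset from the
# permanent configuration, which discards every uncommitted runtime change,
# and the function returns 1.
confirm_or_rollback() {
    local timeout=$1 waited=0; shift
    while [ "$waited" -lt "$timeout" ]; do
        if "$@"; then
            "$FW_CMD" --runtime-to-permanent
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "no confirmation after ${timeout}s, reloading permanent configuration" >&2
    "$FW_CMD" --reload
    return 1
}

# Usage: ./fw-try.sh public --remove-service=cockpit
# Then, from a second ssh session opened BEFORE running this script:
#   touch /run/firewalld-confirm
# If that second session can no longer reach the host, the timer expires and the
# permanent rules come back on their own.
if [ "$#" -ge 2 ]; then
    rm -f /run/firewalld-confirm
    try_change "$@"
    confirm_or_rollback 60 test -e /run/firewalld-confirm
    rm -f /run/firewalld-confirm
fi
```

The check is deliberately a command you pass in, so the same function can wait for a marker file, for a health probe against the service you just exposed, or for a read from the terminal; the point is that the rollback path is a plain --reload, which is exactly what would happen at the next reboot anyway.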

Installing Firewalld

If Firewalld is not installed on your system by default, install it with your distribution's package manager. For example:

  • On RHEL/CentOS/Fedora:
    sudo dnf install firewalld
    (older releases use yum instead of dnf)
  • On Debian/Ubuntu:
    sudo apt install firewalld

On Debian and Ubuntu, disable ufw first if it is active: both tools program the same kernel packet filter, and running them side by side produces conflicting rules.

After installation, start the Firewalld service and enable it to run at startup:

sudo systemctl start firewalld
sudo systemctl enable firewalld

Basic Firewalld Commands

Here are some common Firewalld commands to help you get started.

1. Check Firewalld Status

To check if Firewalld is running, use:

sudo firewall-cmd --state

If it is running, the command prints running; otherwise it prints not running and exits with a non-zero status, which makes it usable in scripts.

2. List Active Zones

To see which zones are active and which network interfaces are assigned to them, run:

sudo firewall-cmd --get-active-zones

3. Set Default Zone

The default zone is used for every interface and connection that has not been assigned to a zone explicitly. To change it, run:

sudo firewall-cmd --set-default-zone=public

This change is both runtime and permanent, and it takes effect at once for every interface that was relying on the default.

4. Add Services to a Zone

You can allow a service (like SSH or HTTP) within a zone using the following command:

sudo firewall-cmd --zone=public --add-service=http

This takes effect immediately but is lost at the next reload or reboot. To make the change permanent, use the --permanent flag:

sudo firewall-cmd --zone=public --add-service=http --permanent

Note that the --permanent form only writes the configuration to disk; the running firewall is unchanged until you run sudo firewall-cmd --reload. In practice you either run the command both with and without --permanent, or test it without --permanent and then commit with sudo firewall-cmd --runtime-to-permanent. Omitting --zone applies the change to the default zone.

5. Open Specific Ports

If you need to open a port that no predefined service covers, specify it as port/protocol:

sudo firewall-cmd --zone=public --add-port=8080/tcp

A range is written as 8000-8100/tcp. Make it permanent by adding --permanent as before. Prefer a service definition over a bare port where one exists, because the service name documents what the opening is for.

6. Remove Services or Ports

To remove a service or port from a zone, use --remove-service or --remove-port:

sudo firewall-cmd --zone=public --remove-service=http
sudo firewall-cmd --zone=public --remove-port=8080/tcp

As with additions, these act on the runtime configuration only; repeat them with --permanent (and reload) or commit with --runtime-to-permanent, otherwise the service comes back at the next reload. Before removing ssh from the zone that holds your management interface, make sure you have another way in.
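As an added example that is not from the original article, the script below combines these basic commands into one idempotent baseline for a zone: it makes the zone the default, binds an interface to it, removes every service that is not on the wanted list, adds the wanted ones, and activates everything with a single reload. All edits go through --permanent, so the running firewall moves from the old state to the new one in one step when --reload runs. It refuses to build a baseline without ssh, since that would lock a remote operator out. FW_CMD and baseline_zone are names chosen here.

```shell
#!/usr/bin/env bash
# Added example: bring a firewalld zone to a known baseline of services with the
# basic commands shown above. Every change is made with --permanent and then
# activated by a single --reload, so the running ruleset never sits in a
# half-applied state. FW_CMD and baseline_zone are names chosen for this example;
# set FW_CMD=echo to print the calls instead of applying them.
set -u
: "${FW_CMD:=firewall-cmd}"

# baseline_zone ZONE IFACE SERVICE...: make ZONE the default zone, bind IFACE to
# it, and leave exactly SERVICE... enabled in it (ports added with --add-port are
# left alone). Returns 1, without touching anything, if ssh is not in the list.
baseline_zone() {
    local zone=$1 iface=$2; shift 2
    local wanted=" $* " current svc
    case "$wanted" in
        *" ssh "*) ;;
        *) echo "baseline_zone: refusing a baseline without ssh (remote lockout)" >&2; return 1 ;;
    esac
    # What the permanent configuration enables today, padded so " svc " matches whole names.
    current=" $("$FW_CMD" --permanent --zone="$zone" --list-services) "

    "$FW_CMD" --set-default-zone="$zone"                 # runtime and permanent in one go
    "$FW_CMD" --permanent --zone="$zone" --change-interface="$iface"
    for svc in $current; do                               # drop what is enabled but not wanted
        case "$wanted" in *" $svc "*) ;; *) "$FW_CMD" --permanent --zone="$zone" --remove-service="$svc" ;; esac
    done
    for svc in "$@"; do                                   # add what is wanted but not enabled
        case "$current" in *" $svc "*) ;; *) "$FW_CMD" --permanent --zone="$zone" --add-service="$svc" ;; esac
    done
    "$FW_CMD" --reload                                    # permanent -> runtime in one step
    "$FW_CMD" --zone="$zone" --list-all                   # show the result for the operator
}

# Usage: ./fw-baseline.sh public eth0 ssh http https
if [ "$#" -ge 3 ]; then
    baseline_zone "$@"
fi
```

Because the script reads the current service list before deciding what to change, running it twice produces no further remove or add calls, and a review of the dry-run output (FW_CMD=echo) shows exactly which services a host is about to lose.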