Firewalld is a dynamic firewall management tool that provides a more flexible way to manage firewall settings on Linux systems. It simplifies the process of configuring firewalls compared to traditional tools like iptables, offering an easier-to-use interface while maintaining robust security features. Firewalld is available by default on several Linux distributions, including Fedora, CentOS, Red Hat Enterprise Linux, and others. This guide provides an introduction to Firewalld, its key concepts, and how to use it effectively.
What is Firewalld?
Firewalld is a front-end interface for iptables and nftables, which are the underlying firewall mechanisms in Linux systems. While these traditional tools require manual rule creation and management, Firewalld provides a simpler way to create, modify, and manage firewall rules dynamically. Its primary advantage lies in its ability to change settings without needing to restart the firewall service or disrupt active network connections.
Key Concepts in Firewalld
Before diving into how to use Firewalld, it’s essential to understand some key concepts that form the basis of its operation.
1. Zones
Zones are a central concept in Firewalld and represent different levels of trust for network connections. Each zone can be configured with its own set of firewall rules, and network interfaces can be assigned to specific zones based on their security needs.
Firewalld includes several predefined zones, such as:
- Public: Suitable for use in public areas like airports and cafes where security is a top priority.
- Private: Used for trusted networks, such as your home or office network.
- Trusted: All incoming connections are allowed. This should only be used for highly trusted networks.
- Block: Incoming connections are dropped without any response.
- Drop: Similar to Block, but silently drops all incoming traffic.
- Internal: Used for trusted internal networks, allowing more relaxed firewall rules.
You can also create custom zones based on your specific requirements.
2. Services
Services in Firewalld represent a set of predefined firewall rules for specific network services, such as HTTP, FTP, or SSH. Instead of manually configuring ports and protocols, Firewalld allows you to enable or disable services with a simple command. This makes it easier to manage firewall rules without needing to understand every technical detail of the underlying service.
3. Rich Rules
Rich rules are advanced rules in Firewalld that provide more granular control over traffic filtering. They allow the use of specific conditions such as IP addresses, protocols, and ports. Rich rules are useful when you need more complex configurations that go beyond what’s available through the default zone-based rules.
4. Runtime vs. Permanent Configuration
Firewalld allows you to make changes either at runtime or permanently. Runtime changes are immediate but lost when the system restarts, while permanent changes persist across reboots.
- Runtime Configuration: Immediate, but temporary.
- Permanent Configuration: Long-lasting but only applied after a reload or reboot.
This separation allows you to test changes before committing them permanently.
Installing Firewalld
If Firewalld is not installed on your system by default, you can easily install it using the package manager for your Linux distribution. For example:
- On RHEL/CentOS/Fedora:
- On Debian/Ubuntu:
After installation, start the Firewalld service and enable it to run at startup:
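The installation step as a small script, added here as an example and not taken from the original article: it reads ID and ID_LIKE from /etc/os-release to pick the package manager, installs the package, enables the service at boot and starts it in one go, then confirms the daemon answers. It assumes it runs as root, that dnf is available on the Red Hat side (older releases use yum) and apt-get on the Debian side; the os-release path is a parameter only so it can be tested against a constructed file.

```shell
#!/bin/sh
# Added example (not from the original article): detect the distribution
# family, install firewalld, enable it at boot and start it now.
# Assumes root and that the system uses dnf (RHEL/CentOS/Fedora) or
# apt-get (Debian/Ubuntu).

set -eu

# Map an "ID ID_LIKE" string from os-release to the install command.
# Returns 1 for distributions this script does not know about.
firewalld_install_cmd() {
    case " $1 " in
        *" fedora "*|*" rhel "*|*" centos "*)
            echo "dnf install -y firewalld" ;;
        *" debian "*|*" ubuntu "*)
            echo "apt-get install -y firewalld" ;;
        *)
            return 1 ;;
    esac
}

# Print "ID ID_LIKE" from an os-release file (default /etc/os-release;
# the argument exists so the function can be tested on a constructed file).
detect_family() {
    file="${1:-/etc/os-release}"
    # shellcheck disable=SC1090
    . "$file"
    echo "${ID:-} ${ID_LIKE:-}"
}

install_firewalld() {
    family=$(detect_family "${1:-/etc/os-release}")
    cmd=$(firewalld_install_cmd "$family") || {
        echo "unsupported distribution: $family" >&2
        return 1
    }
    $cmd
    # Enable at boot and start immediately, then check the daemon is up.
    systemctl enable --now firewalld
    firewall-cmd --state
}

# Run the installation only when invoked as "./install-firewalld.sh install",
# so the functions above can also be sourced without side effects.
case "${1:-}" in
    install) install_firewalld ;;
esac
```

Using `systemctl enable --now` rather than separate enable and start calls means a host never ends up in the state where the service is running today but absent after the next reboot.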
Basic Firewalld Commands
Here are some common Firewalld commands to help you get started.
1. Check Firewalld Status
To check if Firewalld is running, use:
If it’s running, the command prints the word running.
2. List Active Zones
To see which zones are active and which network interfaces are assigned to them, run:
3. Set Default Zone
If you want to set a default zone for new network connections, you can do so with:
4. Add Services to a Zone
You can allow a service (like SSH or HTTP) within a zone using the following command:
To make this change permanent, add the --permanent flag to the same command.
5. Open Specific Ports
If you need to open specific ports rather than enabling predefined services, you can do so with:
Make it permanent by adding --permanent as before.
6. Remove Services or Ports
To remove a service or port from a zone, use the --remove-service or --remove-port options instead of their --add counterparts:
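The commands from this section, together with a rich rule from the earlier Rich Rules section, combined into one script that follows the runtime-versus-permanent workflow the guide recommends. This is an added example, not code from the original article: it applies every change to the runtime configuration, queries firewalld to confirm the changes took effect, and only then copies the runtime state into the permanent configuration with --runtime-to-permanent. It assumes firewall-cmd is on the PATH and the script runs as root; the zone name, the service and port choices, and the admin network 192.0.2.0/24 (an RFC 5737 documentation range) are constructed sample values. FIREWALL_CMD is a hook so the script can be exercised against a stub without a running firewalld.

```shell
#!/bin/sh
# Added example (not from the original article): harden a zone in the runtime
# configuration first, verify, then commit to the permanent configuration.
# Assumes root and firewall-cmd on PATH. ZONE and ADMIN_NET are constructed
# sample values; FIREWALL_CMD lets a test substitute a stub for firewall-cmd.

set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-public}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # constructed sample admin network

fw() { $FIREWALL_CMD "$@"; }

# 1. Refuse to continue unless firewalld reports "running".
check_running() {
    [ "$(fw --state 2>/dev/null)" = "running" ]
}

# 2. Runtime-only changes: none of this survives a reboot or a
#    "firewall-cmd --reload" yet, which is exactly what makes it safe to try.
apply_runtime() {
    fw --set-default-zone="$ZONE"
    fw --zone="$ZONE" --add-service=http
    fw --zone="$ZONE" --add-port=8443/tcp
    # Rich rule: accept SSH only when the source is the admin network ...
    fw --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$ADMIN_NET\" service name=\"ssh\" accept"
    # ... and remove the zone-wide ssh service so the rich rule is the only way in.
    fw --zone="$ZONE" --remove-service=ssh
}

# 3. Read the runtime state back; a failed query aborts the script
#    (set -e) before anything is written to disk.
verify_runtime() {
    fw --zone="$ZONE" --query-service=http >/dev/null
    fw --zone="$ZONE" --query-port=8443/tcp >/dev/null
}

# 4. Copy the verified runtime configuration into the permanent one.
make_permanent() {
    fw --runtime-to-permanent
}

main() {
    check_running || { echo "firewalld is not running" >&2; return 1; }
    apply_runtime
    verify_runtime
    make_permanent
}

# Apply only when invoked as "./harden-zone.sh apply"; sourcing the file
# just defines the functions.
case "${1:-}" in
    apply) main ;;
esac
```

Because the SSH restriction is applied at runtime first, a mistake in ADMIN_NET can be undone from an existing session with firewall-cmd --reload, which discards runtime changes and restores the permanent configuration; confirm a fresh login from the admin network works before the script reaches the --runtime-to-permanent step.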