Firewalld is a dynamic firewall management tool for Linux systems, providing a user-friendly interface to define rules for controlling network traffic. It offers a high level of flexibility by supporting network zones, services, and ports, allowing administrators to tailor network security according to specific needs. Unlike traditional static firewall tools such as iptables, Firewalld allows for real-time modification of firewall settings without interrupting active connections.
Firewalld is often included by default in many Linux distributions like Fedora, CentOS, and RHEL. However, if it’s not installed on your system, you can easily do so using your package manager.
For CentOS/RHEL:
sudo yum install firewalld
For Ubuntu/Debian:
sudo apt install firewalld
After installation, ensure the package is updated to the latest version:
For CentOS/RHEL:
sudo yum update firewalld
For Ubuntu/Debian:
sudo apt install --only-upgrade firewalld
Once installed, Firewalld must be started and enabled to automatically start at boot.
Start the Firewalld service:
sudo systemctl start firewalld
Enable Firewalld to start at boot:
sudo systemctl enable firewalld
Check the status of Firewalld:
sudo systemctl status firewalld
The output shows whether the unit is loaded and enabled, and whether it is currently active (running).
Firewalld operates around three key concepts: zones, services, and ports.
Zones: Zones define trust levels for incoming traffic. Firewalld comes with predefined zones like public, home, internal, dmz, and drop. Each zone has specific rules determining how traffic from different network interfaces is handled. For example, traffic in the public zone may be restricted to a few essential services, while traffic in the home zone can allow more access.
Public Zone: This zone is used for networks where you don’t trust other computers on the network (e.g., a café’s Wi-Fi). Traffic is restricted to a few essential services, such as SSH, which allows secure remote access. For example, in the public zone, only SSH (port 22) and HTTPS (port 443) may be allowed, blocking all other incoming requests. You might allow:
sudo firewall-cmd --zone=public --add-service=ssh --add-service=https --permanent
Home Zone: This zone is designed for home networks, where you trust the devices connected. In this zone, you may allow more services like file sharing (SMB or NFS), media servers, and printers, alongside SSH and HTTPS. For example, you could allow:
sudo firewall-cmd --zone=home --add-service=samba --add-service=nfs --add-service=ssh --add-service=https
Internal Zone: This is typically used for networks inside your organization, like a private LAN. It can have even more relaxed rules since it's generally assumed the network is trusted. You might allow database connections (MySQL or PostgreSQL), in addition to file sharing and basic services:
sudo firewall-cmd --zone=internal --add-service=mysql --add-service=postgresql --add-service=samba
DMZ (Demilitarized Zone): This zone is for systems that are exposed to the public internet, but should be isolated from your internal network for security reasons. Services that need to be publicly available, like web servers or FTP, are allowed here, but internal services like file sharing remain restricted. For example:
sudo firewall-cmd --zone=dmz --add-service=http --add-service=ftp
Drop Zone: In the drop zone, all incoming network connections are dropped without any notification, making it the most restrictive zone. This is used when you want to ensure that no communication is allowed except outgoing traffic. For example, if an interface is assigned to this zone, no services are allowed, and all incoming packets are simply discarded:
sudo firewall-cmd --zone=drop --set-target=DROP --permanent
Services: Services represent predefined protocols, such as SSH, HTTP, or DNS, and are defined in XML configuration files. Firewalld can allow or block these services in different zones without having to know specific port numbers.
Ports: Instead of relying on predefined services, administrators can directly open or close specific ports using Firewalld, allowing more granular control over network access.
To assign a zone to a specific interface (e.g., eth0), you can use the following command:
sudo firewall-cmd --zone=public --change-interface=eth0
In this example, we assign the public zone to the eth0 interface. All rules associated with the public zone (such as blocking non-essential services) will now apply to traffic passing through eth0.
Let’s walk through an example of assigning different zones to different interfaces based on their network type.
To see which zones are currently assigned to your interfaces, run:
sudo firewall-cmd --get-active-zones
This will display a list of interfaces and the zones currently assigned to them.
If eth0 is your external network interface connected to the internet, you might want to assign it to the public zone to restrict access to only critical services like SSH and HTTPS:
sudo firewall-cmd --zone=public --change-interface=eth0
You can also verify the configuration by listing the current zone settings for eth0:
sudo firewall-cmd --zone=public --list-all
If eth1 is connected to a trusted internal network (such as a private LAN), you might want to assign it to the internal zone, where more services like file sharing or databases can be allowed:
sudo firewall-cmd --zone=internal --change-interface=eth1
This allows more open access to trusted devices on the network while keeping other external traffic restricted.
With Firewalld, you can allow or deny services and ports using simple commands.
Allowing Services:
To allow a service (like HTTP) in a specific zone (like the public zone):
sudo firewall-cmd --zone=public --add-service=http
Allowing Ports:
To allow specific ports (e.g., port 8080) in the public zone:
sudo firewall-cmd --zone=public --add-port=8080/tcp
Denying Services or Ports:
To remove an allowed service:
sudo firewall-cmd --zone=public --remove-service=http
To remove an allowed port:
sudo firewall-cmd --zone=public --remove-port=8080/tcp
Firewalld has two modes of operation: runtime and permanent.
Runtime Configuration: Changes apply immediately but are lost after a reboot or Firewalld restart.
Permanent Configuration: Changes are saved and applied after reboots or service restarts.
By default, commands apply only to the runtime configuration. To make changes permanent, use the --permanent option.
Making Rules Permanent:
sudo firewall-cmd --zone=public --add-service=http --permanent
After making permanent changes, reload Firewalld to apply them:
sudo firewall-cmd --reload
To verify that your firewall rules are applied correctly, Firewalld provides several commands.
List all active zones:
sudo firewall-cmd --get-active-zones
Check the services and ports allowed in a particular zone:
sudo firewall-cmd --zone=public --list-all
To save the current runtime settings into the permanent configuration:
sudo firewall-cmd --runtime-to-permanent
Least Privilege Access: Only allow services and ports that are absolutely necessary. Close unnecessary ports to minimize attack vectors.
Use Default Drop Policy: Set the default zone to drop or block to deny incoming traffic by default unless explicitly allowed.
Enable Logging: Turn on logging to monitor traffic and detect unusual patterns.
sudo firewall-cmd --set-log-denied=all
Regular Rule Review: Periodically review and update firewall rules to adapt to new services or evolving security requirements.
Segmentation via Zones: Assign different interfaces to different zones based on their trust level, like using the internal zone for a private network and the public zone for external connections.
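The rule review and runtime-versus-permanent points above can be scripted. The following is an added example, not part of the original article: it parses captured firewall-cmd --list-all output (constructed samples here, so it runs offline) and reports services or ports that are open but not on an allowlist, plus runtime rules that would vanish on reload because they were never made permanent. The allowlists and sample listings are assumptions for illustration.

```shell
# Constructed sample of `firewall-cmd --zone=public --list-all` (runtime).
SAMPLE_RUNTIME='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh https http
  ports: 8080/tcp 9090/tcp
  protocols:
  masquerade: no'
# Constructed sample of `firewall-cmd --zone=public --list-all --permanent`.
SAMPLE_PERMANENT='public
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh https http
  ports: 8080/tcp'

# field_entries <listing> <key>: space-separated entries of one key line.
field_entries() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: *//p"
}

# missing_from <label> <candidates> <reference>: print "label:item" for each
# candidate absent from the reference list; returns 1 if any were printed.
missing_from() {
  mf_label="$1"; mf_ref=" $3 "; mf_rc=0
  for mf_item in $2; do
    case "$mf_ref" in
      *" $mf_item "*) ;;
      *) echo "$mf_label:$mf_item"; mf_rc=1 ;;
    esac
  done
  return $mf_rc
}

# audit_zone <listing> <allowed services> <allowed ports>: anything open in
# the zone that is not on the allowlist, one per line; returns 1 if found.
audit_zone() {
  az_rc=0
  missing_from service "$(field_entries "$1" services)" "$2" || az_rc=1
  missing_from port "$(field_entries "$1" ports)" "$3" || az_rc=1
  return $az_rc
}

# drift <runtime listing> <permanent listing>: rules that exist only at
# runtime and will be lost on `firewall-cmd --reload` or reboot.
drift() {
  dr_rc=0
  missing_from service "$(field_entries "$1" services)" "$(field_entries "$2" services)" || dr_rc=1
  missing_from port "$(field_entries "$1" ports)" "$(field_entries "$2" ports)" || dr_rc=1
  return $dr_rc
}

audit_zone "$SAMPLE_RUNTIME" "ssh https dhcpv6-client" "8080/tcp" || echo "-> tighten the public zone"
drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "-> run: firewall-cmd --runtime-to-permanent"
```

On a real host, replace the sample strings with `$(sudo firewall-cmd --zone=public --list-all)` and its `--permanent` counterpart.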
Firewalld offers a robust and flexible framework for managing Linux firewall rules, allowing you to define policies dynamically using zones, services, and ports. By understanding how to install, configure, and verify Firewalld settings, you can effectively secure your Linux systems. Additionally, following best practices such as limiting access, enabling logging, and routinely reviewing rules will help fortify your firewall defenses against potential threats.