How to Set Up a Linux Firewall Using Firewalld
On Linux, a host firewall filters network traffic as it enters and leaves the system. It is configured to accept only the traffic the host is meant to serve and to drop or reject everything else, which shrinks the attack surface exposed to the network.
What is Firewalld?
Firewalld is a firewall management service for Linux. It provides a dynamically managed firewall with a D-Bus interface, so rules can be changed at runtime without dropping established connections, and it translates its configuration into nftables rules (iptables on older releases). Traffic is organised into zones: each zone defines a trust level and the set of services and ports accepted from the interfaces and source addresses assigned to it. This guide demonstrates setting up Firewalld on RHEL 9.
How to Install and Enable Firewalld
On RHEL-based systems (RHEL, AlmaLinux, CentOS, Rocky Linux, Fedora), Firewalld is typically pre-installed. If it’s not installed, you can install it with:
sudo dnf install firewalld -y
For Ubuntu and Debian systems, use the commands below. Ubuntu ships ufw as its default front end; make sure it is inactive before enabling Firewalld, because both programs manage the same kernel packet-filter rules and will interfere with each other:
sudo apt update
sudo apt install firewalld -y
Enable and start Firewalld:
sudo systemctl enable firewalld
sudo systemctl start firewalld
To verify Firewalld is running:
sudo systemctl status firewalld
Or check its state:
sudo firewall-cmd --state

Understanding Firewalld Zones
Firewalld uses zones, which are predefined sets of rules dictating which traffic is accepted. Here's a quick overview, from least to most trusting:
- drop – Drops all incoming packets without any reply; only outgoing connections are possible.
- block – Rejects incoming connections with an ICMP host-prohibited (or IPv6 adm-prohibited) message; only connections initiated from this system are allowed.
- public – For public or untrusted networks; only selected incoming connections are accepted. This is the default zone.
- external – For external-facing routers with masquerading (NAT) enabled, so hosts on the internal network are hidden behind the router; only selected incoming connections are accepted.
- dmz – For DMZ servers that are reachable from the Internet with limited access to the internal network; only specific incoming connections are allowed.
- work – For workplace LAN environments, where most other hosts are trusted.
- home – For home LAN environments, where most other hosts are trusted.
- internal – For internal networks, where most other hosts are trusted.
- trusted – Accepts all connections.
List all zones with:
sudo firewall-cmd --get-zones

To check the default zone:
sudo firewall-cmd --get-default-zone

Changing Zones for Network Interfaces
Any interface that has not been explicitly assigned to a zone falls into the default zone, which is public unless you change it. You can reassign an interface to a different zone; without --permanent the change applies to the running configuration only and is lost on the next reload, so repeat it with --permanent to keep it. On hosts where NetworkManager manages the interface, set the zone on the connection profile (its connection.zone property) instead, otherwise NetworkManager may put the interface back in the default zone when the connection comes up:
sudo firewall-cmd --change-interface=ens160 --zone=internal
Check active zones to confirm:
sudo firewall-cmd --get-active-zones

Adjusting the Default Zone
To change the default zone to work. This setting is applied immediately and is persistent, so no --permanent or reload is needed; every interface without an explicit zone now follows the work zone's rules:
sudo firewall-cmd --set-default-zone=work
Verify the default zone with:
sudo firewall-cmd --get-default-zone

Managing Firewalld Services
To show the full configuration of the default zone, including its services, ports, interfaces and rich rules (add --zone=ZONE for another zone, or use --list-all-zones to print every zone):
sudo firewall-cmd --list-all

Listing Supported Services
Display all services supported by Firewalld:
sudo firewall-cmd --get-services

Adding and Removing Services
Enable the HTTP service (TCP port 80) in the public zone. With --permanent the rule is written to the zone file under /etc/firewalld/zones/ but is not active until the next reload; without --permanent it takes effect immediately but disappears at the next reload or reboot. Running the command with --permanent and then reloading, as below, does both (alternatively, apply a runtime change first and save it with --runtime-to-permanent):
sudo firewall-cmd --add-service=http --zone=public --permanent
sudo firewall-cmd --reload

Remove HTTP service from the public zone:
sudo firewall-cmd --remove-service=http --zone=public --permanent
sudo firewall-cmd --reload
Opening and Blocking Ports
Open a custom port (e.g., TCP 5000) when no service definition exists for the application. Open only the ports the host actually listens on, and prefer a zone restricted to trusted sources where the service is not meant to be public:
sudo firewall-cmd --add-port=5000/tcp --zone=public --permanent
sudo firewall-cmd --reload
Confirm open ports. Note that --list-ports shows only ports opened with --add-port; ports opened through a service definition appear under --list-services instead, so review both (or --list-all) when auditing a zone:
sudo firewall-cmd --zone=public --list-ports

To close a port:
sudo firewall-cmd --remove-port=5000/tcp --zone=public --permanent
sudo firewall-cmd --reload
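After assigning interfaces to zones and adding services and ports as shown above, it pays to verify the resulting state against a baseline rather than trusting that each command did what you expected. The script below is an added example, not code from the original article or from the firewalld project. It parses the plain-text output of firewall-cmd --get-active-zones to confirm which zone an interface landed in, and the output of firewall-cmd --zone=ZONE --list-all to report any service or port that is open but not on an allowlist. It runs offline against constructed sample listings embedded in the script; the audit_live function applies the same check to a real host when firewall-cmd is available. The function names, the sample listings and the "ssh http" baseline are assumptions made for the example; the field names (interfaces:, services:, ports:) are those firewalld actually prints.

```shell
#!/bin/sh
# Added example: audit a firewalld zone against an allowlist.
# Not part of the original article; function names are illustrative.
# Assumes the plain-text output format of firewall-cmd 1.x (RHEL 9).
set -u

# Constructed sample of `sudo firewall-cmd --get-active-zones` output.
SAMPLE_ACTIVE_ZONES='internal
  interfaces: ens160
public
  interfaces: ens192'

# Constructed sample of `sudo firewall-cmd --zone=public --list-all` output.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 5000/tcp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# interface_zone ACTIVE_ZONES_OUTPUT IFACE
#   Prints the zone whose interfaces line lists IFACE, or nothing if none does.
#   Zone names start at column 1; their attribute lines are indented.
interface_zone() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ ]/          { zone = $1 }
        /^ *interfaces:/ { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }'
}

# zone_field LIST_ALL_OUTPUT FIELD
#   Prints the space-separated value of a field such as services or ports.
#   The ^ *FIELD: anchor keeps "ports:" from matching "forward-ports:" or "source-ports:".
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# in_list WORD LIST -> true if WORD appears in the space-separated LIST
in_list() {
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# audit_zone LIST_ALL_OUTPUT ALLOWED_SERVICES ALLOWED_PORTS
#   Prints one line per service or port that is open but not allowlisted.
#   Returns 0 when the zone exactly matches the baseline, 1 otherwise.
audit_zone() {
    _listing=$1; _ok_services=$2; _ok_ports=$3; _bad=0
    for _s in $(zone_field "$_listing" services); do
        in_list "$_s" "$_ok_services" || { printf 'service: %s\n' "$_s"; _bad=1; }
    done
    for _p in $(zone_field "$_listing" ports); do
        in_list "$_p" "$_ok_ports" || { printf 'port: %s\n' "$_p"; _bad=1; }
    done
    return $_bad
}

# audit_live ZONE ALLOWED_SERVICES ALLOWED_PORTS
#   Same check against the running host; needs firewall-cmd and sudo.
audit_live() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    audit_zone "$(sudo firewall-cmd --zone="$1" --list-all)" "$2" "$3"
}

# Demo on the constructed samples: a web host whose public zone should
# expose only ssh and http. Run with --demo; --live ZONE audits this host.
case "${1:-}" in
    --demo)
        echo "ens192 is in zone: $(interface_zone "$SAMPLE_ACTIVE_ZONES" ens192)"
        if audit_zone "$SAMPLE_LIST_ALL" "ssh http" ""; then
            echo "public zone matches baseline"
        else
            echo "public zone exposes more than the baseline"
        fi ;;
    --live)
        audit_live "${2:-public}" "ssh http" "" ;;
esac
```

Run with --demo and the constructed public zone is flagged for cockpit, dhcpv6-client, 5000/tcp and 8080/tcp, since only ssh and http are in the baseline; run with --live public on a real host to audit the live configuration the same way. Because the check reads --list-all, it catches ports opened by a service definition as well as those opened with --add-port, which --list-ports alone would miss.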
Firewalld gives administrators a zone- and service-based model for controlling traffic on Linux hosts. Used with a least-privilege mindset, opening only the services and ports a host actually serves, assigning interfaces to the least trusting zone that still works, and reviewing the result with --list-all after every change, it is an effective first line of defence for a server's network interfaces.
