How to configure firewalld rules in Linux

The firewall is essential for controlling the flow of network traffic in and out of the Linux server.

It enables users to control incoming network traffic on host machines by defining a set of firewall rules.

It must be enabled on production servers facing the Internet, to protect those servers from unauthorized access.

This is one of those security features that ensures your system security at network level.

In this guide, we’ll show you how to add, remove, enable, and disable firewalld rules & zones.

What is FirewallD?

firewalld” is the firewall daemon. It provides a dynamically managed firewall that comes with an extremely powerful filtering system called Netfilter, provided by the Linux kernel.

It offers various functions for packet filtering, network address translation, and port translation, which provides the functionality to control network packets like incoming, outgoing or forwarded.

FirewallD uses the concepts of zones and services, whereas iptables uses chain and rules. “FirewallD” offer a very flexible way to handle the firewall management compared to iptables.

Every zone can be configured in specified criteria to accept or deny some services or ports based on your requirement and it can be associated with one or more network interfaces.

The default zone will be set to the public, and the associated network interfaces are attached do it.

firewalld has a two layer design:

  • Core layer: The core layer is responsible for handling the configuration and the back ends like iptables, ip6tables, ebtables and ipset.
  • D-Bus layer: The firewalld D-Bus interface is the primary way to alter and create the firewall configuration.

Firewalld Zones

Usually firewalld comes with a set of pre-configured zones. Below are the zones provided by FirewallD. Run the below command to list the zones:

$ firewall-cmd --get-zones

block dmz drop external home internal public trusted work
  • block: Any incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are allowed.
  • dmz: Used for computers located in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
  • drop: Any incoming connections are dropped without any notification. Only outgoing connections are allowed.
  • external: For use on external networks with NAT masquerading enabled when your system acts as a router. Only selected incoming connections are allowed.
  • home: Used for home network and other computers on the same networks are mostly trusted. Only selected incoming connections are accepted.
  • internal: For use on internal networks, and other systems on the network are generally trusted. Only selected incoming connections are accepted.
  • public: For use in public areas, but you should not trust the other computers on networks. Only selected incoming connections are accepted.
  • trusted: All network connections are accepted.
  • work: For use in work areas, and other computers on the same networks are mostly trusted. Only selected incoming connections are accepted.

Firewalld services

Firewalld services configuration are predefined services that are automatically loaded if a service is installed/enabled. It contains information of a service entry for firewalld such as ports, modules and destination addresses.

To list available service modules, run the below command:

$ firewall-cmd --get-services

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd bacula bacula-client bgp..

Firewalld Runtime and Permanent Settings

Firewalld uses two separate configurations namely runtime, and permanent:

  • Runtime Configuration: The runtime configuration will not be persistent on system reboots, and the firewalld service stop. It means the runtime configuration are not automatically saved to the permanent configuration.
  • Permanent Configuration: The permanent configuration is stored in configuration files and will be loaded and becomes a new runtime configuration across every reboot or service reload/restart. Note that, to make the changes permanent you need to use the –permanent option with firewall-cmd.

Installing and Enabling FirewallD in Linux

Firewalld is installed by default on CentOS 7/8, RHEL 7/8, Fedora, SUSE/openSUSE 15, but if it is not installed on your system, you can install it as follows:

$ sudo yum install firewalld     [CentOS 7/RHEL 7]
$ sudo dnf install firewalld     [CentOS 8/RHEL 8/Fedora]
$ sudo zypper install firewalld  [openSUSE Leap]

Once that installation is completed, you need to start and enable firewalld using the below commands:

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

To check the status of firewalld, run the below command:

$ sudo firewall-cmd --state

Zone Management

Firewalld provides different levels of security for each zone, and the public zone is set as a default zone.

To view the default zone, run the below command:

$ sudo firewall-cmd --get-default-zone
public

To view the zone configuration of the default zone, run the below command and you don’t need to mention the zone name because it is the default zone. The below output shows that the public zone is active and set as default, which is associated with wlan0 & eth0 interface. ssh and dhcp client services were currently allowed for communication.

Make a Note: By default, all the active interfaces will be assigned to the default zone.

firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Zone interface can be easily changed by using the combination of options “–zone” and “–change-interface”. For example, to assign the ‘eth0’ interface to ‘home’ zone, run the below command:

$ sudo firewall-cmd --zone=home --change-interface=eth0

To view all active zones, run the below command: (It shows active zones and associated interfaces)

$ sudo firewall-cmd --get-active-zones
home
interfaces: eth0
public
interfaces: wlan0

To change the default zone, use the following format. For instance, to change the default zone to home, run the below command:

$ sudo firewall-cmd --set-default-zone=home

To print the specific zone configuration, run the below command: (this output shows list of allowed rules, ports and services)

$ firewall-cmd --zone=home --list-all

home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

To get a list of all the available zones, run the below command:

$ sudo firewall-cmd --get-zones

To find out which zone is associated with the eth0 interface, run the below command:

$ firewall-cmd --get-zone-of-interface=eth0
home

To create a new zone, use the following command. For instance, to create a new zone named “daygeek”, run:

$ sudo firewall-cmd --permanent --new-zone=daygeek
success

To migrate runtime settings to permanent, run:

$ sudo firewall-cmd --runtime-to-permanent

Opening and Closing a Port

Ports are logical devices that enable an operating system to receive and send network traffic as well as forward it to specific system services associated with it.

Opening a specific port allows the user to access the system from outside, which represents a security risk. Hence, only open the required port for certain services when it’s necessary.

To get a list of allowed ports in the current zone, run the below command:

$ sudo firewall-cmd --list-ports

Add a port to the allowed ports to open it for incoming traffic:

$ sudo firewall-cmd --add-port=port_number/port_type

For instance, the following command will open port 80 for current zone:

$ sudo firewall-cmd --permanent --add-port=80/tcp
success

Similarly, to remove a specific port from the allowed ports, run the below command:

$ sudo firewall-cmd --remove-port=80/tcp

You can confirm whether the port has been added or removed each time using the following command:

$ sudo firewall-cmd --list-ports

Run the following command if you want to open port for a specific zone. For example, the following command will open port 80 for home zone:

$ sudo firewall-cmd --permanent --zone=home --add-port=80/tcp

Similarly, to remove a specific port for a specific zone from the allowed ports, run:

$ sudo firewall-cmd --zone=home --remove-port=80/tcp

You can confirm whether the port has been added or removed each time for a specific zone using the following command:

$ sudo firewall-cmd --zone=home --list-ports

Adding and Removing Services in Firewalld

Firewalld services configuration are predefined services that are automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. It contains information of a service entry for firewalld, such as ports, modules and destination addresses.

The predefined services are located in the ‘/usr/lib/firewalld/services’ directory.

Service configuration follows the same model as port management, but you don’t need to remember any ports, and you can allow all together in one go.

For example, execute the following command to allow samba service to ‘home’ zone. samba service required following set of ports to be enabled: ‘139 and 445 TCP’ and ‘137 and 138 UDP’.

When you add the ‘samba’ service, all the ports will be activated at the same time, because all the port information is in the samba service configuration, while all the samba ports will be activated manually when the samba service is allowed through the port management option.

$ sudo firwall-cmd --permanent --zone=home --add-service=samba
succes

To remove samba service, run the below command:

$ sudo firewall-cmd --permanent --zone=home --remove-service=ftp

You can confirm whether the service has been added or removed each time using the following command:

$ sudo firewall-cmd --zone=home --list-services

To get more information about the samba service, run the below command:

$ firewall-cmd --zone=home --info-service=samba

To add multiple services at once, execute the following command. For instance, to add http, & https services, run the below command:

$ sudo firwall-cmd --permanent --zone=home --add-service={http,https}

Port Forwarding with Firewalld

Port forwarding is a way of forwarding any incoming network traffic from one port to another internal port or to an external port on another machine.

You should know the following three things before you redirect traffic from one port to another port, or another address:

  • On which port the packets are arriving
  • What protocol is used
  • Where you want to redirect them

Note: Port forwarding requires masquerading. Enable masquerading for the desired zone using the command shown below. Masquerading acts as router (NAT – network address translation) and can be used to connect a small LAN with the Internet.

To enable IP masquerading, enter the following command:

$ sudo firewall-cmd --permanent --zone=external --add-masquerade

To check if IP masquerading is enabled for the external zone, run the below command:

$ sudo firewall-cmd --zone=external --query-masquerade

To redirect a port to another port on the same system, run the below command:

(Example scenario: redirect all packets of port 80 to port 8080)

$ sudo firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080

To forward traffic to another server, run the below command:

(Example scenario: redirect all packets of port 80 to port 8080 on a server with IP 10.0.0.75)

$ sudo firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.0.0.75

To allow traffic from a specific source (subnet), for example, to only allow connections to your server from a specific subnet, run the below command:

$ sudo firewall-cmd --permanent --zone=home --add-source=192.168.1.0/24

Rich Rules with Firewalld

Rich language allows you to create more complex firewall rules in an easy to understand way but the rich rules are difficult to remember so, navigate to the ‘man firewalld.richlanguage’ and find the examples.

General rule structure for Rich Rule

rule
  [source]
  [destination]
  service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
  [log]
  [audit]
  [accept|reject|drop|mark]

To allow IPv4 connections from address 192.168.0.0/24, run the below command:

$ sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" accept'

To allow IPv4 connections from address 192.168.0.0/24 for ssh service, run below command:

$ sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" accept'

Similarly using port option:

$ sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port=22 protocol=tcp accept'

To deny IPv4 traffic from host 192.0.2.0 for ssh service, run:

$ sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port=22 protocol=tcp reject'

Note: To remove any rich rules, use the ‘–remove-rich-rule’ option instead of ‘–add-rich-rule’.

To list Rich Rules in the public zone, run:

$ sudo firewall-cmd --zone=public --list-rich-rules

Direct Rules for Firewalld

Direct rules are similar to iptables command, which are useful for users who are familiar with iptables command. Alternatively, you can edit the rules in the ‘/etc/firewalld/direct.xml’ file and reload the firewall to make those rules active. The direct rule is mainly used by services or applications to add specific firewall rules.

The following direct rule will open port 8080 on the server.

$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 8080 -j ACCEPT

$ sudo firewall-cmd --reload

To list Direct Rules in the current zone, run:

$ sudo firewall-cmd --direct --get-all-rules

Conclusion

In this guide, you have learnt the complete usage of firewalld such as zones, allow/deny service and port, port forwarding, Rich Rules, direct rules, etc,.

If you have any questions, please feel free to add your comments below, and we will address them at the earliest. Happy Learning!

About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

3 Comments on “How to configure firewalld rules in Linux”

Leave a Reply