According to the official website of firewalld, “Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.”
So it’s a tool for managing the firewall on Fedora, CentOS, RHEL, Debian, Ubuntu and many other popular Linux distributions; it works alongside iptables. You can find more about firewalld at firewalld.org.
Let’s see how to use firewalld.
Installing firewalld on CentOS/RHEL/Fedora:
The firewalld program should install on CentOS/RHEL/Fedora systems by default.
Installing firewalld on Ubuntu/Debian
By default, firewalld program is not installed on Debian/Ubuntu based systems. But you can easily install it by running the following commands.
surendra@linuxnix$ sudo apt-get update
surendra@linuxnix$ sudo apt-get install firewalld
The architecture of firewalld Program:
The firewalld program has two parts.
- The daemon that runs in the background.
- The firewall-cmd command to add, modify, remove firewall rules.
How firewalld works:
firewalld defines several zones, and each zone has its own interfaces and its own rules. The firewall-cmd command is used to add, modify and remove zones, to assign interfaces to zones, and to allow or deny ports per zone.
Benefits of firewalld:
The most significant advantage of firewalld is that the firewalld daemon does not need to be restarted when the configuration is changed. The changes are immediate and can be made at runtime.
View the current firewall settings:
To view the current settings of firewalld, you can use the ‘firewall-cmd’ command as follows.
surendra@linuxnix$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16777760
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
You can see from the output that the current active zone is called ‘public’. The ‘public’ zone is active on the interface ‘eno16777760’. The services enabled in the ‘public’ zone are ‘dhcpv6-client’ and ‘ssh’. There are no open ports in the ‘public’ zone right now. The output carries other information as well, but it’s not something we are interested in right now.
Opening a TCP port using firewall-cmd
You can quickly open a TCP port using the firewall-cmd command. For example, if you want to open the TCP port 53, which is the port for domain name service (DNS), run the following command.
surendra@linuxnix$ sudo firewall-cmd --add-port=53/tcp success
The TCP port 53 should be added. You can verify it using the following command.
surendra@linuxnix$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16777760
  sources:
  services: dhcpv6-client ssh
  ports: 53/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
You can see from the output of the ‘firewall-cmd’ command that the TCP port 53 has been opened. Have a look at important ports in Linux.
Opening a UDP port using firewall-cmd
You can quickly open a UDP port using the firewall-cmd command. For example, if you want to open the UDP port 53, which is the port for domain name service (DNS), run the following command.
surendra@linuxnix$ sudo firewall-cmd --add-port=53/udp success
The UDP port 53 should be added. You can verify it using the following command.
surendra@linuxnix$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16777760
  sources:
  services: dhcpv6-client ssh
  ports: 53/udp 53/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
You can see from the output of the ‘firewall-cmd’ command that the UDP port 53 has been opened.
Removing a TCP port using firewall-cmd
You can remove a TCP port using firewall-cmd. For example, if you want to remove the TCP port 53 added earlier, run the following command.
surendra@linuxnix$ sudo firewall-cmd --remove-port=53/tcp success
Removing a UDP port using firewall-cmd
You can remove a UDP port using firewall-cmd. For example, if you want to remove the UDP port 53 added earlier, run the following command.
surendra@linuxnix$ sudo firewall-cmd --remove-port=53/udp success
Adding a Service using firewall-cmd
There are predefined services on firewalld. For example, if you want to enable the default HTTP port 80, you can run the following command.
surendra@linuxnix$ sudo firewall-cmd --add-service=http success
The HTTP service should be enabled. You can verify it with the following command.
surendra@linuxnix$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16777760
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
You can see that the HTTP service is enabled.
Removing a Service using firewall-cmd
You can remove a service using the firewall-cmd command. For example, if you want to remove the HTTP service added earlier, run the following command.
surendra@linuxnix$ sudo firewall-cmd --remove-service=http
success
The HTTP service should be removed. You can verify it with the following command.
surendra@linuxnix$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16777760
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
You can see that the HTTP service is removed.
Blocking a specific IP address using firewall-cmd
If you want to block a particular IP address using firewalld, you can do so with rich rules. Rich rules are firewalld’s extended rule syntax. Not everything can be expressed with the simple port and service options of the firewall-cmd command, so rich rules fill the gap.
You can block the IP address 192.168.17.12 with the following command.
surendra@linuxnix$ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.17.12 reject'
success
Now the host with the IP address 192.168.17.12 cannot connect to this machine anymore. Because the rule uses ‘reject’, that host receives an explicit error reply; a ‘drop’ rule would instead discard its packets silently.
Unblocking a blocked IP address using firewall-cmd
You can unblock an already blocked IP address using the firewall-cmd command. For example, if you want to unblock the IP address 192.168.17.12, you can do so with the following command.
surendra@linuxnix$ sudo firewall-cmd --remove-rich-rule='rule family=ipv4 source address=192.168.17.12 reject'
success
Now you should be able to ping from the host 192.168.17.12.
Adding rules permanently to firewalld
The rules you add using firewall-cmd are temporary: once you restart your computer (or reload firewalld), the rules disappear. This is good for testing. But if you want to make the rules permanent, you should append the --permanent parameter to the firewall-cmd command and then reload the firewalld configuration. Note that --permanent on its own only writes the rule to the saved configuration; it does not take effect in the running firewall until the reload.
For example, if you want to enable the HTTPS service permanently, run the following command.
surendra@linuxnix$ sudo firewall-cmd --add-service=https --permanent success
Now to reload the firewalld configuration, run the following command.
surendra@linuxnix$ sudo firewall-cmd --reload success
You can verify the change by running the following command.
surendra@linuxnix$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16777760
  sources:
  services: dhcpv6-client https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
You can see that the HTTPS service is active.
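The runtime/permanent split described above is a common source of drift: a port opened at runtime vanishes on the next reload, and a rule saved with --permanent is not enforced until one. The following check, added here as an example and not taken from the original post, parses two --list-all outputs and reports every service or port that is open now but not saved, or saved but not yet active. Both samples are constructed; on a real host you would capture them with sudo firewall-cmd --list-all and sudo firewall-cmd --permanent --list-all.

```shell
# Added example, not from the original post: compare a zone's runtime and permanent
# firewalld configuration using --list-all style output. Both samples below are
# constructed; on a real host capture them with
#   sudo firewall-cmd --list-all   and   sudo firewall-cmd --permanent --list-all
RUNTIME_SAMPLE='public (default, active)
  interfaces: eno16777760
  sources:
  services: dhcpv6-client https ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'                      # constructed: 8080/tcp opened at runtime only
PERMANENT_SAMPLE='public (default)
  interfaces: eno16777760
  sources:
  services: dhcpv6-client http https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'                      # constructed: http saved but not yet reloaded

# field_items OUTPUT FIELD: items of one field (services, ports), one per line
field_items() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { for (i = 2; i <= NF; i++) print $i }' | sort
}

# set_diff A B: newline-separated items of A that do not occur in B
set_diff() {
    printf '%s\n' "$1" | awk -v b="$2" '
        BEGIN { n = split(b, arr, "\n"); for (i = 1; i <= n; i++) inb[arr[i]] = 1 }
        NF && !($0 in inb)'
}

# zone_drift RUNTIME PERMANENT: print one line per difference, return 1 if any.
#   runtime-only   = open now, but lost on the next --reload or reboot
#   permanent-only = saved, but not enforced until --reload
zone_drift() {
    drift=0
    for field in services ports; do
        rt=$(field_items "$1" "$field"); pm=$(field_items "$2" "$field")
        for item in $(set_diff "$rt" "$pm"); do echo "runtime-only $field $item"; drift=1; done
        for item in $(set_diff "$pm" "$rt"); do echo "permanent-only $field $item"; drift=1; done
    done
    return $drift
}

zone_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" || echo "drift: reload or re-add with --permanent"
```

Running it periodically (for example from cron) turns an unnoticed runtime-only opening into an alert instead of a surprise after the next reboot.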
That’s the basics of firewalld. It’s an excellent tool for managing firewalls on Linux. You may go to the official website of firewalld to learn more about the firewalld program.