Tired of iptables? With firewalld, you can easily open ports, block IP addresses, manage zones, and even add a GUI for easier management.
If you use either Rocky Linux or AlmaLinux as your server operating system of choice, you’ll find them as powerful as it is flexible. And thankfully, they are not nearly as complicated as they once were.
Take, for instance, the firewall. Back in the old days, working with the firewall required you get to know the highly complicated iptables utility.
Here’s a sample command for adding an iptables rule:
1 iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
This adds a rule to the INPUT chain for incoming TCP traffic on port 22, and uses the recent module to mark the source IP address, updates the rule to drop packets if the rate limit exceeds 4 new connections within 60 seconds.
To be fair, iptables is capable of doing some very complicated things. But with that complication comes the challenge of writing rules that work. It takes a long time to master iptables and most new Linux admins are busy just getting up to speed with the basics of the operating system.
What Is Firewalld?
That’s why the far simpler firewalld is a better place to start. Firewalld is a firewall management tool that provides a dynamically managed firewall that is user-friendly and supports features like network zones. With firewalld, you can easily open ports, block IP addresses, manage zones, and even add a GUI for easier management (so long as you’ve installed Rocky Linux with a desktop environment).
Let’s dive in and take our first steps with this powerful firewall tool.
What You Need
To follow along, you’ll need a Linux distribution that uses firewalld (such as Red Hat Enterprise Linux, Rocky Linux, Alma Linux, CentOS Stream, or Fedora) and a user with sudo privileges. That’s it, let’s get to know this firewall system.
Enable the Firewall
Out of the box, you might find the firewall is disabled. Because firewalld runs as a service on your Linux distribution, you can enable it with the help of systemctl like so:
1 sudo systemctl enable --now firewalld
You can then verify the firewall is running with the command:
1 sudo systemctl status firewalld
It should be listed as active (running).
List Currently Active Rules
Next, we’re going to take a look at the currently active rules running in the firewall. This can be done with the command:
1 sudo firewall-cmd --list-all
Notice the command is not firewalld, but firewall-cmd. Firewalld is the daemon (service) and firewall-cmd is the command used to manage the rules.
The output of the above command will look something like this:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps kerberos ntp
ports: 2377/tcp 7946/tcp 7946/udp 4789/udp 10000/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
|
Instead of listing both ports and services simultaneously, you could view them separately with the command:
1 sudo firewall-cmd --list-ports
2 sudo firewall-cmd --list-services
Adding a Service or Port through the Firewall
Let’s say you need to add HTTP (port 80) and SSH (port 22) through the firewall. Before we do that, we have to decide which zone we’ll work with, of which there are nine (drop, block, public, external, internal, dmz, work, home, and trusted). Of those nine, you’ll probably mostly work with these four:
- public – public, untrusted networks
- home – private, trusted networks
- work – same as home, only used for business purposes
- trusted – all connected machines are trusted
For our purposes, we’re going to focus on the public zone because that is generally associated with external connections (WAN). If you’re running a web server, you’ll probably want to allow public traffic through the firewall so it can reach the websites you are serving up.
To make sure you’re using the public zone, use the following command:
1 sudo firewall-cmd --set-default-zone=public
Verify the change with:
1 sudo firewall-cmd --get-active-zones
You should see something like this in the output:
1 public
2 interfaces: enp0s3
To allow port 80 (HTTP) through, issue the command:
1 sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
What that does is add the new rule but it doesn’t automatically activate it. For that, you must reload the firewall with the command:
1 sudo firewall-cmd --reload
Now, if you check the firewalld status, you’ll see HTTP listed. Let’s say you also need HTTPS added to the firewall. Instead of using the port number, we can do so via a service like so:
1 sudo firewall-cmd --zone=public --add-service=https --permanent
Again, reload the firewall with:
1 sudo firewall-cmd --reload
You can do the same thing with SSH (port 22), which can be added with either of the following commands:
1 sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
2 sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
Reload the firewall with:
1 sudo firewall-cmd --reload
Removing a Port or Service from the Firewall
In the same way, you can remove a service or port from the firewall, thereby blocking access to the server. Sticking with our examples, we can remove access via a service with a command like this:
1 sudo firewall-cmd --zone=public --remove-service=https --permanent
We can also remove access via a port like so:
1 sudo firewall-cmd --zone=public --remove-port=443/tcp --permanent
Notice we have to use a protocol (such as tcp) when adding or removing via port numbers, which isn’t required when adding or removing via service. And, remember, any time you modify the firewall, you have run the sudo firewall-cmd –reload command before the changes take effect.
And there you have it, your first steps with the firewalld system. Thankfully, you don’t have to worry about working with the iptables command, which is far more complicated. To learn more about firewalld, check out the official documentation.
- jango, Adenman and tipo
- 3
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.