Jump to content
  • Firewalld: An Easier Way to Manage Linux Firewalls

    aum

    • 529 views
    • 6 minutes
     Share


    • 529 views
    • 6 minutes

    Tired of iptables? With firewalld, you can easily open ports, block IP addresses, manage zones, and even add a GUI for easier management.

     

    If you use either Rocky Linux or AlmaLinux as your server operating system of choice, you’ll find them as powerful as it is flexible. And thankfully, they are not nearly as complicated as they once were.

     

    Take, for instance, the firewall. Back in the old days, working with the firewall required you get to know the highly complicated iptables utility.

    Here’s a sample command for adding an iptables rule:

     

    1 iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

     

    This adds a rule to the INPUT chain for incoming TCP traffic on port 22, and uses the recent module to mark the source IP address, updates the rule to drop packets if the rate limit exceeds 4 new connections within 60 seconds.

     

    To be fair, iptables is capable of doing some very complicated things. But with that complication comes the challenge of writing rules that work. It takes a long time to master iptables and most new Linux admins are busy just getting up to speed with the basics of the operating system.

     

    What Is Firewalld?


    That’s why the far simpler firewalld is a better place to start. Firewalld is a firewall management tool that provides a dynamically managed firewall that is user-friendly and supports features like network zones. With firewalld, you can easily open ports, block IP addresses, manage zones, and even add a GUI for easier management (so long as you’ve installed Rocky Linux with a desktop environment).

     

    Let’s dive in and take our first steps with this powerful firewall tool.

     

    What You Need

     

    To follow along, you’ll need a Linux distribution that uses firewalld (such as Red Hat Enterprise Linux, Rocky Linux, Alma Linux, CentOS Stream, or Fedora) and a user with sudo privileges. That’s it, let’s get to know this firewall system.

     

    Enable the Firewall


    Out of the box, you might find the firewall is disabled. Because firewalld runs as a service on your Linux distribution, you can enable it with the help of systemctl like so:

     

    1 sudo systemctl enable --now firewalld

     

    You can then verify the firewall is running with the command:


    1 sudo systemctl status firewalld

     

    It should be listed as active (running).

     

    List Currently Active Rules


    Next, we’re going to take a look at the currently active rules running in the firewall. This can be done with the command:

     

    1 sudo firewall-cmd --list-all

     

    Notice the command is not firewalld, but firewall-cmd. Firewalld is the daemon (service) and firewall-cmd is the command used to manage the rules.

     

    The output of the above command will look something like this:

     

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s3
      sources:
      services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps kerberos ntp
      ports: 2377/tcp 7946/tcp 7946/udp 4789/udp 10000/tcp
      protocols:
      forward: yes
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

     

    Instead of listing both ports and services simultaneously, you could view them separately with the command:

     

    1 sudo firewall-cmd --list-ports
    2 sudo firewall-cmd --list-services

     

    Adding a Service or Port through the Firewall
     

    Let’s say you need to add HTTP (port 80) and SSH (port 22) through the firewall. Before we do that, we have to decide which zone we’ll work with, of which there are nine (drop, block, public, external, internal, dmz, work, home, and trusted). Of those nine, you’ll probably mostly work with these four:

     

    • public – public, untrusted networks
    • home – private, trusted networks
    • work – same as home, only used for business purposes
    • trusted – all connected machines are trusted


    For our purposes, we’re going to focus on the public zone because that is generally associated with external connections (WAN). If you’re running a web server, you’ll probably want to allow public traffic through the firewall so it can reach the websites you are serving up.

     

    To make sure you’re using the public zone, use the following command:

     

    1 sudo firewall-cmd --set-default-zone=public

     

    Verify the change with:


    1 sudo firewall-cmd --get-active-zones

    You should see something like this in the output:


    1  public
    2  interfaces: enp0s3

     

    To allow port 80 (HTTP) through, issue the command:


    1 sudo firewall-cmd --zone=public --add-port=80/tcp --permanent

    What that does is add the new rule but it doesn’t automatically activate it. For that, you must reload the firewall with the command:


    1 sudo firewall-cmd --reload
     

    Now, if you check the firewalld status, you’ll see HTTP listed. Let’s say you also need HTTPS added to the firewall. Instead of using the port number, we can do so via a service like so:


    1 sudo firewall-cmd --zone=public --add-service=https --permanent
     

    Again, reload the firewall with:


    1 sudo firewall-cmd --reload
     

    You can do the same thing with SSH (port 22), which can be added with either of the following commands:


    1 sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
    2 sudo firewall-cmd --zone=public --add-port=22/tcp --permanent


    Reload the firewall with:


    1 sudo firewall-cmd --reload

    Removing a Port or Service from the Firewall


    In the same way, you can remove a service or port from the firewall, thereby blocking access to the server. Sticking with our examples, we can remove access via a service with a command like this:

     

    1 sudo firewall-cmd --zone=public --remove-service=https --permanent
     

    We can also remove access via a port like so:


    1 sudo firewall-cmd --zone=public --remove-port=443/tcp --permanent
     

    Notice we have to use a protocol (such as tcp) when adding or removing via port numbers, which isn’t required when adding or removing via service. And, remember, any time you modify the firewall, you have run the sudo firewall-cmd –reload command before the changes take effect.

     

    And there you have it, your first steps with the firewalld system. Thankfully, you don’t have to worry about working with the iptables command, which is far more complicated. To learn more about firewalld, check out the official documentation.

     

    Source

    • Like 3

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...