Firewalld is an open source, host-based firewall that seeks to prevent unauthorized access to your computer. A firewall is usually a minimum requirement by any information security team at any modern organization, but it's also a good idea for general computer use.
Firewalld can restrict access to services, ports, and networks. You can block specific subnets and IP addresses.
As with any host firewall, firewalld filters the traffic crossing your system's network interfaces. Each incoming packet is handled by the zone that its ingress interface (or its source address) is bound to, and it is allowed, rejected, or dropped according to that zone's rules.
Firewalld uses the concept of zones to segment the traffic that reaches your system. Each network interface (or source address range) is bound to exactly one zone, a zone can hold several interfaces and sources, and each zone carries its own list of allowed ports and services. Interfaces that are not explicitly bound to a zone are handled by the default zone.
Firewalld is the name of the daemon that maintains the firewall policies. Use the firewall-cmd command to interact with the firewalld configuration.
Check the firewalld configuration
Before getting started, confirm that firewalld is running:
$ sudo firewall-cmd --state
The output is either running or not running. To start the firewall if it's not running, and to enable it so it starts at boot, use systemctl:
$ sudo systemctl enable --now firewalld
View zones
To view all zones on a system, use the --get-zones option:
$ sudo firewall-cmd --get-zones
To display the default zone, use --get-default-zone:
$ sudo firewall-cmd --get-default-zone
By default, interfaces that are not bound to another zone land in the public zone. With firewalld enabled and running, the public zone rejects all incoming connections except the ssh and dhcpv6-client services (newer Red Hat-family releases also allow cockpit by default); replies to connections your system initiated are still allowed.
Allow a port
To allow traffic from any IP through a specific port, use the --add-port option along with the port number and protocol:
$ sudo firewall-cmd --add-port=80/tcp
This rule takes effect immediately but lives only in the runtime configuration, so it is lost when firewalld is reloaded or restarted (and therefore on reboot). Add the --permanent flag to write it to the saved configuration. Note that --permanent alone does not touch the running firewall: the rule becomes active only after a reload, so either run the command both with and without the flag, or copy the runtime state to the saved configuration with --runtime-to-permanent.
$ sudo firewall-cmd --add-port=80/tcp --permanent
Reload firewalld
Reload the firewall after making permanent changes. A reload applies the saved configuration and discards any runtime-only rules, so anything you added without --permanent disappears at this point. To reload firewalld and all permanent rules:
$ sudo firewall-cmd --reload
Add a service
There are predefined services you can allow through your firewall. To see all predefined services available on your system:
$ sudo firewall-cmd --get-services
For example, to add the HTTP service to your firewall permanently, enter:
$ sudo firewall-cmd --add-service=http --permanent
$ sudo firewall-cmd --reload
Specify traffic by subnet
You can bind traffic coming from a particular source subnet to a specific zone. That zone's allowed ports and services (possibly unique to that zone) then apply to the traffic, regardless of which interface it arrives on.
For example, to assign the network 172.16.1.0/24 to the internal zone and to allow the Jenkins service in that zone (the --zone flag is needed on both commands; without it, the service would be added to the default zone instead):
$ sudo firewall-cmd --zone=internal \
--add-source=172.16.1.0/24 --permanent
$ sudo firewall-cmd --zone=internal --add-service=jenkins --permanent
$ sudo firewall-cmd --reload
List ports and services
You can list all ports, services, sources, and other settings of the default zone using the --list-all option (add --zone=NAME to inspect another zone, and --permanent to see the saved rather than the running configuration):
$ sudo firewall-cmd --list-all
To view all settings for all zones, use --list-all-zones:
$ sudo firewall-cmd --list-all-zones
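The sections above on allowing a port, reloading, binding a subnet to a zone, and listing a zone share one practical check: does the running firewall actually contain what you think it does, and will it still contain it after the next reload? The following POSIX shell script is an added example, not code from the original article or from the firewalld project. It parses firewall-cmd --list-all output to confirm that a zone allows a given service or port and that a source subnet is bound to the intended zone, and it diffs the runtime listing against the permanent one so that rules added without --permanent are caught before a reload discards them. The three listings embedded below are constructed, abridged samples (the zone names, 172.16.1.0/24, and the jenkins service mirror the article's example); on a host with firewall-cmd installed the script compares the live default zone instead.

```shell
#!/bin/sh
# Added example: verify a firewalld zone's contents and detect runtime vs
# permanent drift by parsing firewall-cmd --list-all output.
# The listings below are constructed samples, not captured from a real host,
# and are abridged to the fields this script inspects.

# Default zone as shown by `firewall-cmd --list-all`: 80/tcp was opened at runtime.
RUNTIME_PUBLIC='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  rich rules:'

# Same zone from `firewall-cmd --list-all --permanent`: 80/tcp was never saved.
PERMANENT_PUBLIC='public
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  rich rules:'

# Internal zone after --add-source=172.16.1.0/24 and --add-service=jenkins
# were both run with --zone=internal --permanent.
PERMANENT_INTERNAL='internal
  target: default
  interfaces:
  sources: 172.16.1.0/24
  services: dhcpv6-client jenkins mdns samba-client ssh
  ports:
  rich rules:'

# normalize: reduce a listing to sorted "field: value" lines, one value per
# line, so two listings compare equal regardless of value order. Only the
# fields the article touches (sources, services, ports) are kept; rich rules
# span several lines and are deliberately not handled here.
normalize() {
  awk '$1 ~ /^(sources|services|ports):$/ { for (i = 2; i <= NF; i++) print $1, $i }' | sort
}

# zone_allows LISTING ENTRY: succeed if ENTRY (a service name or port/proto
# such as 80/tcp) is allowed by the zone in LISTING.
zone_allows() {
  printf '%s\n' "$1" | normalize | grep -qxF -e "services: $2" -e "ports: $2"
}

# zone_has_source LISTING CIDR: succeed if CIDR is bound to the zone in LISTING.
zone_has_source() {
  printf '%s\n' "$1" | normalize | grep -qxF "sources: $2"
}

# drift RUNTIME PERMANENT: print differences in diff format ('<' lines exist
# only at runtime, '>' lines only in the saved config); succeed if identical.
drift() {
  rt=$(mktemp); pm=$(mktemp); rc=0
  printf '%s\n' "$1" | normalize > "$rt"
  printf '%s\n' "$2" | normalize > "$pm"
  diff "$rt" "$pm" || rc=$?
  rm -f "$rt" "$pm"
  return $rc
}

main() {
  if command -v firewall-cmd >/dev/null 2>&1; then
    # Live host: compare the default zone's runtime and saved configuration.
    runtime=$(sudo firewall-cmd --list-all)
    permanent=$(sudo firewall-cmd --list-all --permanent)
  else
    runtime=$RUNTIME_PUBLIC
    permanent=$PERMANENT_PUBLIC
  fi
  if drift "$runtime" "$permanent"; then
    echo "OK: runtime and permanent configuration match"
  else
    echo "WARNING: runtime-only ('<') or permanent-only ('>') entries listed above."
    echo "  sudo firewall-cmd --runtime-to-permanent   # keep the runtime rules, or"
    echo "  sudo firewall-cmd --reload                 # discard them"
  fi
}

main
```

Run offline, the script reports 80/tcp as runtime-only, which is exactly the state the "Allow a port" section leaves you in after --add-port=80/tcp without --permanent. The zone_allows and zone_has_source helpers are what you would call, against `firewall-cmd --zone=internal --list-all --permanent`, to confirm that the subnet and the Jenkins service ended up in the internal zone rather than the default one.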
Know your firewall
A good firewall is an essential feature on modern computer systems, and firewalld is one of the most convenient available. Its commands are intuitive and clear, and its ability to report useful descriptions of its policies makes it easy to understand. Review your firewall settings, and try out some firewall-cmd commands today.
About the author
I work as a Unix/Linux administrator with a passion for high availability systems and clusters. I am a student of performance and optimization of systems and DevOps. I have a passion for anything IT related and most importantly automation, high availability, and security.