A beginner's guide to firewalld in Linux
Our world has never been more connected than it is right now. Every person, business, government, etc. uses the web to communicate, exchange currency and data, and generally go through the motions of daily life and operations. However, these connections are not inherently safe, and because of this, we have to put defensive measures in place to keep our location, information, and money protected. In times past, when someone wanted to secure their possessions, they erected gates and fences to keep intruders at a distance. Today, we accomplish these same goals with the use of firewalls. Most Linux systems made use of the
iptables utility, however, a new technology was on the horizon.
With the introduction of the Red Hat Enterprise Linux 7.0 (RHEL) in 2011, iptables was superceded as
firewalld was born. At its core,
firewalld is a zone-based firewall. Zone-based firewalls are network security systems that monitor traffic and take actions based on a set of defined rules applied against incoming/outgoing packets.
All about zones
Firewalld provides different levels of security for different connection zones. A zone is associated with at least one network interface (
eth0, for example). We see the preconfigured zones by using the following command:
[tcarrigan@server ~]$ firewall-cmd --get-zones block dmz drop external home internal libvirt public trusted work
As you see, the zones listed by default are:
NOTE: I am using a RHEL 8.2 virtual machine for this demo.
Generally, the default rule of a firewall is to deny everything and only allow specific exceptions to pass through for needed services.
Many times, it is helpful to see what services are associated with a given zone. To display this information, use the following command:
Note that if you do not specify a zone, the default zone is queried. Here, the default zone is the
[tcarrigan@server ~]$ firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: enp0s3 enp0s8 sources: services: cockpit dhcpv6-client mountd nfs rpc-bind ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
If you wish to specify a zone, you simply add
For example, to see the
external zone, use the following:
[tcarrigan@server ~]$ firewall-cmd --zone=external --list-all external target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules:
If, for some reason, you wanted to change the default zone, you can easily do so by using the following command:
Allow and deny by service
Now, the good thing about firewalls is that they keep our networks safe. The bad thing is that there is no "one-size fits all" firewall that fits every situation. Because of this, firewalls are customized to fit the exact needs of the situation that they are employed in. For example, if I need to allow FTP (File Transfer Protocol) transfers in the
external zone so that I can move a file over port 21, I might use something like this:
firewall-cmd --zone=external --add-service=ftp
Here is the actual example from my VM:
[tcarrigan@server ~]$ sudo firewall-cmd --zone=external --add-service=ftp [sudo] password for tcarrigan: success
We see that the daemon returned success, so we should have the FTP service allowed in the
external zone. To verify this, we need to check the
external zone services list:
[tcarrigan@server ~]$ firewall-cmd --zone=external --list-services ftp ssh
But, what happens when we reload the firewall configuration?
[tcarrigan@server ~]$ sudo firewall-cmd --reload success [tcarrigan@server ~]$ firewall-cmd --zone=external --list-all external target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules:
The new allow rule doesn't survive the reinitialization of the
firewalld configuration. To ensure that our new rule persists, we need to add the
--permanent option. The new command is:
# firewall-cmd --permanent --zone=external --add-service=ftp
Once you use the
permanent command, you need to reload the configuration for the changes to take hold.
To remove a service, we make one small change to the syntax. Here, I am going to remove the FTP service from the
external zone permanently:
[tcarrigan@server ~]$ sudo firewall-cmd --permanent --zone=external --remove-service=ftp Warning: NOT_ENABLED: ftp success
We see that the system warns me that FTP has been disabled and that the operation was a success.
Allow and deny by port
Now, what happens when you need to allow traffic over a non-standard port? Imagine you have a backup service that needs to run over a dedicated UDP port. How would you add this exception to your zone? The syntax is very user friendly and is only slightly different from what we used for services. To add a port to your zone configuration, use the following:
[tcarrigan@server ~]$ sudo firewall-cmd --permanent --zone=external --add-port=60001/udp success
We check the allowed ports with the following command:
[tcarrigan@server ~]$ sudo firewall-cmd --zone=external --list-ports 60001/udp
And to remove the port rule, you guessed it... simply switch
[tcarrigan@server ~]$ sudo firewall-cmd --permanent --zone=external --remove-port=60001/udp success
If, after reading this article, you're wondering what to do with the information, I highly recommend firing up your favorite VM (RHEL, Fedora, CentOS, etc.) and start experimenting with the commands above. The best way to learn is to get hands-on experience. If you found this content interesting, keep an eye on Enable Sysadmin for part two, where you'll dive into creating custom zones and more advanced rule creation.
[ Make network management easy. Check out Network automation for everyone, a free book from Red Hat. ]