How to configure a firewall on Linux with firewalld
Learn how to install, configure, and use firewalld to restrict or allow a computer's access to services, ports, networks, subnets, and IP addresses.
Firewalld is an open source, host-based firewall that seeks to prevent unauthorized access to your computer. A firewall is usually a minimum requirement by any information security team at any modern organization, but it's also a good idea for general computer use.
Firewalld can restrict access to services, ports, and networks. You can block specific subnets and IP addresses.
As with any firewall, firewalld inspects all traffic traversing the various interfaces on your system. The traffic is allowed or rejected if the source address network matches a rule.
Firewalld uses the concept of zones to segment traffic that interacts with your system. A network interface is assigned to one or more zones, and each zone contains a list of allowed ports and services. A default zone is also available to manage traffic that does not match any zones.
Firewalld is the daemon's name that maintains the firewall policies. Use the
firewall-cmd command to interact with the firewalld configuration.
Check the firewalld configuration
Before getting started, confirm that firewalld is running:
$ sudo firewall-cmd --state
The output is either running or not running. To start your firewall if it's not running, use
$ sudo systemctl --enable --now firewalld
[ Free download: Advanced Linux commands cheat sheet. ]
To view all zones on a system, use the
$ sudo firewall-cmd --get-zones
To display the default zone, use
$ sudo firewall-cmd --get-default-zone
By default, if firewalld is enabled and running and in the public zone, all incoming traffic is rejected except SSH and DHCP.
[ Download the free Linux firewall cheat sheet. ]
Allow a port
To allow traffic from any IP through a specific port, use the
--add-port option along with the port number and protocol:
$ sudo firewall-cmd --add-port=80/tcp
This rule takes effect immediately but only lasts until the next reboot. Add the
--permanent flag to make it persistent:
$ sudo firewall-cmd --add-port=80/tcp --permanent
[ Free eBook: Manage your Linux environment for success. ]
I prefer to reload my firewall after making changes. To reload firewalld and all permanent rules:
$ sudo firewall-cmd --reload
Add a service
There are predefined services you can allow through your firewall. To see all predefined services available on your system:
$ sudo firewall-cmd --get-services
For example, to add the HTTP service to your firewall permanently, enter:
$ sudo firewall-cmd --add-service=http --permanent $ sudo firewall-cmd --reload
Specify traffic by subnet
You can assign traffic coming from a particular subnet to a specific zone (which allows specific ports and services, possibly unique to just that zone).
For example, to assign the network 172.16.1.0/24 to the internal zone and to allow the Jenkins service:
$ sudo firewall-cmd --zone=internal \ --add-source=172.16.1.0/24 --permanent $ sudo firewall-cmd --add-service=jenkins --permanent $ sudo firewall-cmd --reload
List ports and services
You can list all ports and services allowed in the default zone using the
$ sudo firewall-cmd --list-all
To view all settings for all zones, use
$ sudo firewall-cmd --list-all-zones
Know your firewall
A good firewall is an essential feature on modern computer systems, and firewalld is one of the most convenient available. Its commands are intuitive and clear, and its ability to report useful descriptions of its policies makes it easy to understand. Review your firewall settings, and try out some
firewall-cmd commands today.
[ Download now: A sysadmin's guide to Bash scripting. ]
Use semanage, setsebool, and SELinux Troubleshooter to control SELinux policies and specify which files and processes are allowed to interact.
Use the chage command to force users to change their passwords to comply with your password-aging policies.
Learn how to diagnose and address routine SELinux policy violations that may be causing problems with your web server.