This article covers the installation, configuration, and maintenance of FirewallD on Linux systems. It guides you through the setup process, explains how to manage zones and services, and provides tips for creating custom rules. You'll also learn about advanced features like rich rules and ICMP types, as well as best practices for maintaining your firewall configuration.
Installing FirewallD
Prerequisites
FirewallD works with these Linux distributions:
| Distribution | Version |
|---|---|
| Red Hat Enterprise Linux (RHEL) | 7 and later |
| CentOS | 7 and later |
| Fedora | All versions |
| Rocky Linux | All versions |
| AlmaLinux | All versions |
| openSUSE | All versions |
Check if iptables is active on your system:
systemctl status iptables
If iptables is active, stop and disable it to avoid conflicts with FirewallD.
Installation Steps
To install FirewallD on RHEL-based systems:
- Install FirewallD:
  sudo yum install firewalld -y
- Stop and mask the iptables service:
  sudo systemctl stop iptables
  sudo systemctl mask iptables
- Start and enable the FirewallD service:
  sudo systemctl start firewalld
  sudo systemctl enable firewalld
- Check FirewallD status:
  sudo systemctl status firewalld
  This command should show that FirewallD is active and running.
- Reload FirewallD after making changes:
  sudo firewall-cmd --reload
Additional Configuration
After installation, you can set up FirewallD for your needs. This can include:
- Setting up zones
- Adding services to zones
- Creating custom rules
- Configuring port forwarding
To list all FirewallD zones:
sudo firewall-cmd --get-zones
To view the default zone:
sudo firewall-cmd --get-default-zone
Reload FirewallD after making changes to apply them.
Tip: Verify FirewallD Configuration
After installing and configuring FirewallD, it's important to verify that your rules are working as expected. The following command lists everything configured in the default zone (add --zone=NAME to inspect another zone, or use --list-all-zones to see all of them):
sudo firewall-cmd --list-all
This command displays the zone's interfaces, sources, services, ports, and any rich rules you've added. Reviewing this output helps ensure that your firewall is set up correctly and provides the intended protection for your system.
Configuring FirewallD
Managing Zones
FirewallD uses zones to manage network trust levels. Zones group network interfaces and sources based on trust. Here's how to work with zones:
| Command | Description |
|---|---|
| firewall-cmd --get-zones | List zones |
| firewall-cmd --set-default-zone=internal | Set default zone to "internal" |
| firewall-cmd --get-zone-of-interface=eth0 | Check zone of a network interface |
Zone management:
- Change zone of an interface:
  firewall-cmd --zone=home --change-interface=eth0
- Get active zones:
  firewall-cmd --get-active-zones
Tip: Zone Selection
Choose the right zone for your network interfaces. For example, use the "public" zone for internet-facing interfaces and "internal" for local network interfaces to apply appropriate security levels.
Working with Services
FirewallD uses services to group network ports and protocols. This simplifies firewall management by letting you enable or disable sets of rules.
| Command | Description |
|---|---|
| firewall-cmd --get-services | List services |
| firewall-cmd --zone=public --add-service=http | Add HTTP service to public zone |
Create a custom service:
- Copy an existing service file as a template:
  cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/myservice.xml
- Edit the new file:
  vi /etc/firewalld/services/myservice.xml
- Change the service name, description, and port numbers as needed.
- Reload FirewallD to recognize the new service:
  firewall-cmd --reload
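A generator for the service file described in the steps above, as an added example that is not the article's own code: the service name myapi, its description and its ports are constructed, and the target directory is a parameter (use /etc/firewalld/services on a real host).

```shell
#!/bin/sh
# Added example, not code from the original article: generate a FirewallD
# service definition from arguments instead of hand-editing a copy of ssh.xml.
# The service name "myapi", its description and its ports are constructed.
set -eu

# Usage: make_firewalld_service <dir> <name> "<description>" <port/proto>...
# Writes <dir>/<name>.xml (use /etc/firewalld/services on a real host), prints
# the path, and refuses names, ports or protocols that FirewallD would reject.
make_firewalld_service() {
    dir=$1 name=$2 desc=$3
    shift 3
    # The name becomes a file name and a firewall-cmd argument: keep it plain.
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad service name: '$name'" >&2; return 1;; esac
    [ $# -gt 0 ] || { echo "at least one port/proto is required" >&2; return 1; }
    ports=""
    for spec in "$@"; do
        port=${spec%/*} proto=${spec#*/}
        case $port in ''|*[!0-9-]*) echo "bad port in '$spec'" >&2; return 1;; esac
        case $proto in tcp|udp|sctp|dccp) ;; *) echo "bad protocol in '$spec'" >&2; return 1;; esac
        ports="$ports  <port protocol=\"$proto\" port=\"$port\"/>
"
    done
    # Escape the free-text description so it cannot break the XML.
    desc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    mkdir -p "$dir"
    {
        printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
        printf '%s' "$ports"
        printf '%s\n' '</service>'
    } > "$dir/$name.xml"
    echo "$dir/$name.xml"
}

# Demo: write the constructed "myapi" service into a temporary directory and
# show the result. On a real host write to /etc/firewalld/services, then:
#   firewall-cmd --reload
#   firewall-cmd --permanent --zone=internal --add-service=myapi
cat "$(make_firewalld_service "$(mktemp -d)" myapi "Internal API (constructed example)" 8443/tcp 9000/udp)"
```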
Managing Rules
FirewallD lets you add, remove, and modify firewall rules. Here's how to manage rules:
| Command | Description |
|---|---|
| firewall-cmd --add-service=https | Add HTTPS service |
| firewall-cmd --remove-service=https | Remove HTTPS service |
| firewall-cmd --permanent --add-source=192.168.1.0/24 | Bind the 192.168.1.0/24 network to the default zone so its traffic is filtered by that zone's rules (permanently) |
| firewall-cmd --add-port=8080/tcp | Open TCP port 8080 |
Rule management:
- Add a rule to forward port 80 to 8080:
  firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
- Remove a port forwarding rule:
  firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=8080
Example: Block an IP Address
To block traffic from a specific IP address, use the following command:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" reject'
Replace "192.168.1.100" with the IP address you want to block.
Persistent Changes and Reloading
To make changes persist across reboots, use the --permanent option with your commands. A command run without --permanent changes only the runtime configuration, which the next reload discards. After making permanent changes, reload FirewallD to apply them:
firewall-cmd --reload
Advanced FirewallD Usage
Rich Rules
Rich rules in FirewallD give you more control over firewall settings. They let you create complex rules with multiple conditions and actions. Rich rules are more flexible than basic port and service rules.
To add a rich rule, use the --add-rich-rule option with firewall-cmd. Here are some examples:
| Rule Type | Command |
|---|---|
| Allow HTTP access from a specific IP | firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="http" accept' |
| Limit SSH connections to 3 per minute from a network | firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept limit value="3/m"' |
| Forward port 80 to 8080 for a specific IP | firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.10" forward-port port="80" protocol="tcp" to-port="8080"' |
To remove a rich rule, replace --add-rich-rule with --remove-rich-rule and use the same rule definition.
Tip: Log Rich Rule Matches
To log matches for a rich rule, add the 'log' option to your rule. For example:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" log prefix="HTTP ACCESS: " level="info" limit value="3/m" accept'
This rule logs HTTP access from the specified network, with a custom prefix and info level, limited to 3 log entries per minute.
ICMP Types
ICMP (Internet Control Message Protocol) is used for network diagnostics and error reporting. FirewallD lets you control which ICMP types are allowed or blocked.
To list supported ICMP types:
firewall-cmd --get-icmptypes
This command shows all ICMP types that FirewallD can manage, such as echo-request (ping), echo-reply, and destination-unreachable.
To configure ICMP rules:
| Action | Command |
|---|---|
| Allow only ping (echo-request) in the public zone, rejecting all other ICMP types | firewall-cmd --zone=public --add-icmp-block-inversion --add-icmp-block=echo-request |
| Block all ICMP traffic except echo-request (same result as above, as two commands) | firewall-cmd --zone=public --add-icmp-block-inversion && firewall-cmd --zone=public --add-icmp-block=echo-request |
| Remove ICMP blocking for echo-reply | firewall-cmd --zone=public --remove-icmp-block=echo-reply |
Note how inversion changes the meaning of the list: without --add-icmp-block-inversion the icmp-block list is a block list, so the third command re-allows echo-reply; with inversion enabled the list becomes an allow list, and only the listed types are accepted. Check the current state with firewall-cmd --zone=public --list-icmp-blocks and --query-icmp-block-inversion.
Use the --permanent option if you want these changes to persist after a reboot, and always reload FirewallD after making changes:
firewall-cmd --reload
Example: Troubleshooting Rule Order
Suppose you have a rich rule to block all traffic from 192.168.1.100, but you also have a service rule allowing HTTP traffic. If you find that 192.168.1.100 can still access your HTTP server, it's because the rich rule is evaluated first. To fix this, you would need to create a more specific rich rule to deny HTTP traffic from that IP:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="http" reject'
This example shows how understanding the rule processing flow can help in troubleshooting and creating more effective firewall configurations.
Maintaining FirewallD
Reloading and Applying Changes
To apply changes to FirewallD, you need to reload the configuration. Here are the key commands:
| Command | Description |
|---|---|
| sudo firewall-cmd --reload | Loads the permanent configuration into the runtime, discarding runtime-only changes |
| sudo firewall-cmd --runtime-to-permanent | Saves the runtime configuration to the permanent configuration |
To apply a change and make it permanent in one step:
- Use the --permanent option with your command
- Reload FirewallD
Example:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
Monitoring FirewallD
Regular monitoring of FirewallD helps maintain system security. Here's how to check its status and list active configurations:
| Command | Purpose |
|---|---|
| sudo systemctl status firewalld | Shows if FirewallD is active, enabled, or disabled |
| sudo firewall-cmd --list-all-zones | Displays all zones and their configurations |
| sudo firewall-cmd --get-active-zones | Lists active zones and their interfaces |
| sudo firewall-cmd --list-all | Shows services, ports, and rules for the default zone (add --zone=NAME for another zone) |
| sudo journalctl -u firewalld | Displays FirewallD log entries for troubleshooting |
Best Practices for FirewallD Maintenance
- Schedule regular firewall audits to review your FirewallD configuration
- Remove unused rules and services to keep your firewall simple
- Document all changes made to the firewall configuration
- Test new rules in a non-production environment before applying them to live systems
- Keep FirewallD and its dependencies updated to the latest stable versions
- Use version control for your firewall configuration files
- Implement a change management process for firewall modifications
Tip: Automated Firewall Testing
Consider using automated firewall testing scripts. These can regularly check if your firewall is working as expected, alerting you to any differences or unexpected changes in behavior.
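One way to build such a check, as an added example rather than the article's own script: it flattens firewall-cmd --list-all-zones output so a diff names the zone and the setting that changed. The zone listings in the demo are constructed samples, and check_firewall is the only function that needs a live FirewallD.

```shell
#!/bin/sh
# Added example, not code from the original article: compare the live FirewallD
# configuration with a saved baseline and report which zone and setting changed.
set -eu

# flatten_zones <file>: rewrite a zone listing as sorted "zone<TAB>key<TAB>value"
# lines. Unindented lines are zone headers, "  key: value" lines are settings,
# and tab-indented lines (rich rules, forward-ports) continue the previous key.
flatten_zones() {
    awk '
        /^[^ \t]/ { zone = $1; next }
        /^\t/     { v = $0; sub(/^\t+/, "", v); printf "%s\t%s\t%s\n", zone, key, v; next }
        /^ +/     { line = $0; sub(/^ +/, "", line)
                    key = line; sub(/:.*/, "", key)
                    val = line; sub(/^[^:]*:[ \t]*/, "", val)
                    printf "%s\t%s\t%s\n", zone, key, val }
    ' "$1" | sort
}

# firewall_drift <baseline> <current>: return 0 when the two listings match,
# otherwise print every changed setting on stderr and return 1 (the alert).
firewall_drift() {
    fa=$(mktemp); fb=$(mktemp)
    flatten_zones "$1" > "$fa"; flatten_zones "$2" > "$fb"
    if cmp -s "$fa" "$fb"; then rm -f "$fa" "$fb"; return 0; fi
    echo "ALERT: FirewallD configuration differs from baseline $1" >&2
    diff "$fa" "$fb" | grep '^[<>]' | sed 's/^</  baseline:/; s/^>/  current:/' >&2
    rm -f "$fa" "$fb"; return 1
}

# check_firewall <baseline>: for cron on a real host; capture the baseline once
# with 'firewall-cmd --list-all-zones > baseline' after each reviewed change.
check_firewall() {
    cur=$(mktemp); firewall-cmd --list-all-zones > "$cur"
    firewall_drift "$1" "$cur" && rc=0 || rc=$?
    rm -f "$cur"; return $rc
}

# Constructed, trimmed sample of the listing; $1 = ports value, $2 = one rich rule.
sample_listing() {
    printf 'public (active)\n  target: default\n  interfaces: eth0\n  services: dhcpv6-client ssh\n  ports: %s\n  rich rules: \n\t%s\ninternal\n  target: default\n  services: ssh dhcpv6-client\n' "$1" "$2"
}

# Demo: someone opened 8080/tcp in the public zone without updating the baseline.
base=$(mktemp); now=$(mktemp)
sample_listing "" 'rule family="ipv4" source address="192.168.1.100" reject' > "$base"
sample_listing "8080/tcp" 'rule family="ipv4" source address="192.168.1.100" reject' > "$now"
firewall_drift "$base" "$now" || echo "drift check exit status: $?"
```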