FirewallD
Introduction
FirewallD is a frontend controller for iptables used to implement persistent network traffic rules. It provides command line and graphical interfaces and is available in the repositories of most Linux distributions. Working with FirewallD has two main differences compared to directly controlling iptables:
- FirewallD uses zones and services instead of chains and rules.
- It manages rulesets dynamically, allowing updates without breaking existing sessions and connections.
FirewallD is a wrapper for iptables that allows easier management of iptables rules; it is not an iptables replacement. While iptables commands remain available alongside FirewallD, it is recommended to use only FirewallD commands when FirewallD is in charge of the ruleset.
Install
# Install the package for your distribution
sudo yum install firewalld # [CentOS 7/RHEL 7]
sudo dnf install firewalld # [CentOS 8/RHEL 8/Fedora]
sudo zypper install firewalld # [openSUSE Leap]
# Autostart the service
systemctl enable firewalld
systemctl restart firewalld
Firewalld Zones
$ firewall-cmd --get-zones
block dmz drop external home internal public trusted work
- block: Any incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are allowed.
- dmz: Used for computers located in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
- drop: Any incoming connections are dropped without any notification. Only outgoing connections are allowed.
- external: For use on external networks with NAT masquerading enabled when your system acts as a router. Only selected incoming connections are allowed.
- home: Used for home networks, where other computers on the same network are mostly trusted. Only selected incoming connections are accepted.
- internal: For use on internal networks, where other systems on the network are generally trusted. Only selected incoming connections are accepted.
- public: For use in public areas, where you should not trust the other computers on the network. Only selected incoming connections are accepted.
- trusted: All network connections are accepted.
- work: For use in work areas, where other computers on the same network are mostly trusted. Only selected incoming connections are accepted.
Firewalld Services
$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd bacula bacula-client bgp ...
Firewalld Runtime and Permanent Settings
Firewalld uses two separate configurations, runtime and permanent:
- Runtime Configuration: The runtime configuration does not persist across a system reboot or a stop of the firewalld service. Runtime changes are not automatically saved to the permanent configuration.
- Permanent Configuration: The permanent configuration is stored in configuration files and is loaded as the new runtime configuration on every reboot or service reload/restart. To make a change permanent you need to pass the --permanent option to firewall-cmd; a permanent change only becomes active after a reload.
Enabling Firewalld
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
# To check the status of firewalld
$ sudo firewall-cmd --state
Zone Management
How to use
# verify the default config and zones
firewall-cmd --get-default-zone
# List information for all zones
firewall-cmd --list-all-zones
# List allowed services
firewall-cmd --zone=work --list-services
# Remove the SSH service from the default zone (public)
firewall-cmd --permanent --remove-service=ssh
# Create the zone, allow the SSH service and the source IPs
firewall-cmd --permanent --new-zone=SSHZONE
firewall-cmd --permanent --zone=SSHZONE --add-source=[I.P.]
firewall-cmd --permanent --zone=SSHZONE --add-service=ssh
# Reload the firewall to take effect and make the zone active
firewall-cmd --reload
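The runtime/permanent split above means that, between the --permanent edits and the --reload, the firewall still enforces the old ruleset, and a wrong source range in SSHZONE would lock the administrator out once the reload happens. The following script is an added example, not part of the original page or of the firewalld project: it parses `firewall-cmd --list-all-zones` style output (the two dumps below are constructed samples, trimmed to the fields the audit uses), reports which zones expose ssh and from which sources, flags zones whose ssh exposure differs between runtime and permanent configuration, and checks whether a given admin address would still reach ssh after the reload. The zone name SSHZONE, the interface eth0 and the addresses 203.0.113.0/24 and 198.51.100.7 are placeholders.

```python
"""Audit ssh exposure across firewalld zones from list-all-zones output.

Added example, not code from the page or from firewalld. The dumps are
constructed samples in the layout firewall-cmd prints; in practice you
would feed in the output of `firewall-cmd --list-all-zones` (runtime) and
`firewall-cmd --permanent --list-all-zones` (permanent).
"""
import ipaddress

# Constructed sample: runtime configuration BEFORE `firewall-cmd --reload`.
# ssh is still reachable by any peer on eth0 through the public zone.
RUNTIME_DUMP = """\
public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:

SSHZONE
  target: default
  interfaces:
  sources:
  services:
  ports:
"""

# Constructed sample: permanent configuration after the --permanent edits,
# i.e. what becomes the runtime configuration once --reload runs.
PERMANENT_DUMP = """\
public
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client
  ports:

SSHZONE
  target: default
  interfaces:
  sources: 203.0.113.0/24
  services: ssh
  ports:
"""


def parse_zones(dump):
    """Return {zone_name: {field: [values]}}; zone headers are the unindented lines."""
    zones = {}
    current = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.split()[0]  # drop the "(active)" marker from the name
            zones[current] = {}
        else:
            key, _, value = line.strip().partition(":")
            zones[current][key] = value.split()
    return zones


def ssh_exposure(zones):
    """Map each zone that allows the ssh service to its sources and interfaces.

    A zone bound to an interface with an empty source list admits every
    peer on that interface, which is the state the page's procedure removes.
    """
    return {
        name: {"sources": z.get("sources", []), "interfaces": z.get("interfaces", [])}
        for name, z in zones.items()
        if "ssh" in z.get("services", [])
    }


def admin_can_reach_ssh(zones, admin_ip):
    """True if admin_ip would be admitted to ssh by some zone in this configuration."""
    ip = ipaddress.ip_address(admin_ip)
    for z in ssh_exposure(zones).values():
        if z["interfaces"] and not z["sources"]:
            return True  # interface-bound zone with no source filter: anyone on it
        for src in z["sources"]:
            try:
                if ip in ipaddress.ip_network(src, strict=False):
                    return True
            except ValueError:
                continue  # MAC or ipset sources are not address ranges; skip them
    return False


def runtime_permanent_drift(runtime, permanent):
    """Zones whose ssh exposure differs between runtime and permanent config
    (permanent edits not yet applied with --reload, or runtime edits never saved)."""
    rt, pm = ssh_exposure(runtime), ssh_exposure(permanent)
    changed = {z for z in rt.keys() & pm.keys() if rt[z] != pm[z]}
    return sorted((set(rt) ^ set(pm)) | changed)


if __name__ == "__main__":
    runtime = parse_zones(RUNTIME_DUMP)
    permanent = parse_zones(PERMANENT_DUMP)
    print("runtime ssh exposure:  ", ssh_exposure(runtime))
    print("permanent ssh exposure:", ssh_exposure(permanent))
    print("zones that change at --reload:", runtime_permanent_drift(runtime, permanent))
    for admin in ("203.0.113.10", "198.51.100.7"):
        ok = admin_can_reach_ssh(permanent, admin)
        print(f"admin {admin} keeps ssh after reload: {ok}")
```

Run the check against the permanent configuration with the address you administer from before issuing `firewall-cmd --reload`; if it reports False, the `--add-source` range does not cover you and the reload would cut your session. The drift list is the set of zones whose behaviour will change at reload, which is worth eyeballing because `--permanent` edits give no feedback until then.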