How to Set up Firewall Rules with Firewalld

Firewalls and Firewalld

In our series Linux for Network Engineers we have covered setting firewall and routing rules on a host in at least two ways: iptables and a utility called ufw (uncomplicated firewall).

If you haven’t realized that there are already multiple ways to skin a cat on Linux, we are adding another firewall utility to our pocket: firewalld.

Firewalld comes from the RHEL/CentOS universe but it’s available on Debian/Ubuntu as well. Both ufw and firewalld make iptables human-friendly and readable. Let’s see how it works with some examples.

Installation

On Debian/Ubuntu it’s pretty straightforward to install with the following command:

apt install firewalld

Usage

One feature I like about firewalld is that it has the concept of “zones” inherent. A zone is another word for a collection of firewall rules that you want to group together. 

For example, you can name a zone “home” and in that zone include rules that open certain ports (e.g. ssh), while another zone named “public” includes rules that block ssh (to keep unwanted users from trying to ssh to your machine), which is what you want when you are on public, unsecured networks.

Zones

Out of the box, here are the available zones:

netbeez$ firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
…

To see the current zone use:

netbeez$ firewall-cmd --get-default-zone
public

Firewalld Services

Like ufw, firewalld has a list of predefined services that you can use to specify rules, and you can get a list of all supported services with:

netbeez$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

That is the list of services firewalld knows about. Of these, only ssh and the dhcpv6 client are currently allowed in the default public zone, as the --list-services output below shows.

HTTP service

As a first example, let’s enable http access on host with firewalld as follows:

netbeez$ firewall-cmd --zone=public --add-service=http
success
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client http

Now the http port 80 is allowed, but keep in mind that changes like these are not persistent: they are lost if you restart the firewalld daemon or reboot the system. Here is what services are listed if you restart the firewalld daemon:

netbeez$ systemctl restart firewalld
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client

As you can see, http is not listed anymore. To make the change permanent, you can do the following:

netbeez$ firewall-cmd --permanent --add-service=http
success
netbeez$ systemctl restart firewalld
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client http

Remove a service

To remove a service use:

netbeez$ firewall-cmd --remove-service=http
success
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client

Custom rule

To allow a specific port you can use a rule like the following:

netbeez$ firewall-cmd --add-port=20018/tcp
success
netbeez$ firewall-cmd --list-ports
20018/tcp
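As an added example (not from the original article), here is a small Python check that parses the `firewall-cmd --list-all-zones` output format shown above and reports rules that exist at runtime but are missing from the permanent configuration, such as the http service and the 20018/tcp port added above without --permanent. The sample output is constructed to mirror this session, and the eth0 interface name is an assumption.

```python
def parse_zones(text):
    """Parse --list-all-zones output into {zone: {field: set(tokens)}}.
    Zone names are unindented lines (e.g. "public" or "public (active)");
    the indented "key: value" lines below belong to that zone."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank line between zones
        if not line.startswith(" "):
            current = line.split()[0]     # drop a trailing "(active)"
            zones[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition(":")
            zones[current][key.strip()] = set(value.split())
    return zones

def runtime_only(runtime_text, permanent_text, fields=("services", "ports")):
    """Return {zone: {field: set}} of entries allowed now but missing from the
    permanent config: exactly the rules that vanish when firewalld restarts."""
    rt, pm = parse_zones(runtime_text), parse_zones(permanent_text)
    drift = {}
    for zone, rfields in rt.items():
        for field in fields:
            extra = rfields.get(field, set()) - pm.get(zone, {}).get(field, set())
            if extra:
                drift.setdefault(zone, {})[field] = extra
    return drift

# Constructed sample output, mirroring the article's session: http and
# 20018/tcp were added to "public" without --permanent (eth0 is assumed).
RUNTIME = """\
dmz
  services: ssh
  ports:

public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client http
  ports: 20018/tcp
"""
# Permanent config: same zones, but without the two runtime-only additions.
PERMANENT = RUNTIME.replace(" http", "").replace("ports: 20018/tcp", "ports:")

if __name__ == "__main__":
    print(runtime_only(RUNTIME, PERMANENT))  # {'public': {'services': {'http'}, 'ports': {'20018/tcp'}}}
```

Feed it the real text of `firewall-cmd --list-all-zones` and `firewall-cmd --permanent --list-all-zones`; a non-empty result means a restart or reboot will silently drop those rules.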

Panic mode

One unique feature of firewalld is panic mode. As the name suggests, if you are panicking that your system is compromised and you want to drop all connections, type:

netbeez$ firewall-cmd --panic-on

NOTE: if you are accessing the host remotely through ssh, enabling panic mode will also drop your ssh connection and you will lose access to the host. To get access to the machine again you’d have to reboot the host or get local access and disable panic mode with:

netbeez$ firewall-cmd --panic-off
success

Conclusion

We’ve just scratched the surface of what you can do with firewalld. But in a nutshell, whatever you’d wish for in a firewall utility, you should be able to do it with firewalld. For more details and complete documentation just take a look at https://firewalld.org/documentation/.
