How to Set up Firewall Rules with Firewalld

November 10, 2021 | Linux

Firewalls and Firewalld

In our Linux for Network Engineers series we have already covered setting firewall and routing rules on a host in at least two ways: with iptables directly, and with a utility called ufw (uncomplicated firewall).

If you hadn't realized that there are always multiple ways to skin a cat on Linux, here is another firewall utility for your pocket: firewalld.

Firewalld comes from the RHEL/CentOS world, but it is available on Debian/Ubuntu as well. Both ufw and firewalld are front ends that turn human-readable rules into the kernel packet-filter ruleset (iptables, or nftables in current firewalld releases). Let's see how it works with some examples.

Installation

On Debian/Ubuntu it installs straight from the distribution repositories (on RHEL/CentOS/Fedora the package has the same name and is normally preinstalled; use dnf or yum instead of apt). It needs root:

sudo apt install firewalld

Don't run two firewall front ends at once: if ufw is already enabled on the host, disable it before firewalld starts, otherwise the two will fight over the same kernel ruleset and you will get rules from neither reliably.

Usage

One feature I like about firewalld is that the concept of "zones" is built in. A zone is a named trust level: a collection of firewall rules that applies to the interfaces (or source addresses) you bind to it, so an incoming packet is evaluated against the zone of the interface or source it arrived on.

For example, a zone named "home" could include rules that open certain ports (e.g. ssh), while one named "public" could block ssh (to keep strangers from trying to ssh into your machine); you would then bind your interface to "public" when on an untrusted network. Note that the stock public zone is more permissive than that: out of the box it allows ssh and the DHCPv6 client, as the listings below show.

Out of the box, here are the available zones:

netbeez$ firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

…

To see the default zone, the one used for any interface that is not explicitly bound to another zone, use:

netbeez$ firewall-cmd --get-default-zone
public
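Reading a long --list-all-zones dump by eye is error-prone, so here is an added example (not code from the original post or from the firewalld project) that parses that text format and reports only the zones that are actually in use, i.e. bound to an interface or a source, together with their target, services and ports, flagging predefined services that speak cleartext protocols. The sample zone dump, its bindings and the legacy-service list are constructed for the demonstration; on a firewalld host run as root it audits the live configuration instead.

```sh
#!/bin/sh
# Added example, not code from the original post or from the firewalld
# project: an offline audit of `firewall-cmd --list-all-zones` output.
# It reports every zone that is actually in use (bound to an interface or
# a source) with its target, services and ports, and flags services whose
# protocols send credentials in cleartext.

# Constructed sample in the layout firewall-cmd prints. Zone bindings,
# services and ports here are hypothetical, not taken from a real host.
SAMPLE_ZONES='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http telnet
  ports: 20018/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/8
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Predefined firewalld services that speak cleartext protocols; a bound
# zone that allows one of these deserves a second look.
LEGACY_SERVICES="telnet ftp tftp rsh klogin kshell"

# audit_zones: reads --list-all-zones text on stdin and prints one line per
# bound zone. Unbound zones (like "drop" above) are skipped because no
# packet is ever evaluated against them.
audit_zones() {
    awk -v legacy="$LEGACY_SERVICES" '
    BEGIN { n = split(legacy, l, " "); for (i = 1; i <= n; i++) bad[l[i]] = 1 }
    function flush(   flags, m, s, j) {
        if (zone != "" && (ifaces != "" || srcs != "")) {
            flags = ""
            m = split(svcs, s, " ")
            for (j = 1; j <= m; j++) if (s[j] in bad) flags = flags " LEGACY:" s[j]
            printf "%s target=%s bound=%s services=[%s] ports=[%s]%s\n",
                   zone, target, (ifaces != "" ? ifaces : srcs), svcs, ports, flags
        }
        zone = ""; target = ""; ifaces = ""; srcs = ""; svcs = ""; ports = ""
    }
    /^[^ ]/ { flush(); zone = $1; next }      # an unindented line starts a zone
    /^ +[a-z-]+:/ {                            # "  key: value ..." lines
        key = $1; sub(/:$/, "", key)
        val = $0; sub(/^ *[a-z-]+: */, "", val)
        if (key == "target")          target = val
        else if (key == "interfaces") ifaces = val
        else if (key == "sources")    srcs = val
        else if (key == "services")   svcs = val
        else if (key == "ports")      ports = val
    }
    END { flush() }'
}

# On a firewalld host with root, audit the live configuration; otherwise
# run the audit on the constructed sample so the script works anywhere.
if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --list-all-zones | audit_zones
else
    printf '%s' "$SAMPLE_ZONES" | audit_zones
fi
```

On the sample this prints two lines, one for public (bound to eth0, with telnet flagged) and one for internal (bound to the 10.0.0.0/8 source); the unbound drop zone is omitted. The same filter is handy after a change of default zone, because a zone that shows up in --list-all-zones with an open service but no binding is not actually exposing anything yet.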

Like ufw, firewalld has a list of predefined services that you can use to specify rules, and you can get a list of all supported services with:

netbeez$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

That is the catalogue of services firewalld knows how to describe, not what the host currently permits. Which of them a zone actually allows is a separate question: on a fresh install the default public zone allows only ssh and the DHCPv6 client, as the listings in the next example show.

As a first example, let's allow HTTP access to the host with firewalld as follows:

netbeez$ firewall-cmd --zone=public --add-service=http
success
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client http

Now TCP port 80 is open, but keep in mind that a change like this is made to the runtime configuration only: it is lost if you restart the firewalld daemon or reboot the system. Here are the services listed after a daemon restart:

netbeez$ systemctl restart firewalld
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client

As you can see, http is no longer listed. To make the change survive a restart, add the service to the permanent configuration as well. Note that --permanent on its own writes only to the on-disk configuration and does not touch the running firewall; the rule becomes active after a restart (as here) or, without flushing the runtime state, after firewall-cmd --reload:

netbeez$ firewall-cmd --permanent --add-service=http
success
netbeez$ systemctl restart firewalld
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client http

To remove a service from the runtime configuration, use the matching --remove-service. Because http was also added permanently above, it will come back on the next reload or restart unless you remove it with --permanent too:

netbeez$ firewall-cmd --remove-service=http
success
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client
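The add, persist, remove sequence above is where firewalld bites people in practice: the running ruleset and the saved one silently diverge, and the next reboot either closes a port someone relies on or reopens one that was meant to stay shut. The following added example (not code from the original post or from the firewalld project) wraps the two steps into one helper and adds a drift check that compares the runtime and permanent service lists of a zone. The comparison logic is plain shell so it can be exercised offline; the service lists in the offline branch are constructed to mirror the situation in the article, where http was added at runtime but never made permanent.

```sh
#!/bin/sh
# Added example, not code from the original post or from the firewalld
# project: keep runtime and permanent firewalld configuration in step, and
# detect drift between them.

# set_diff A B: print the words present in list A but absent from list B,
# space separated on one line (an empty line if none). Pure shell, so the
# logic can be exercised on constructed lists without firewalld present.
set_diff() {
    out=""
    for a in $1; do
        found=0
        for b in $2; do [ "$a" = "$b" ] && found=1 && break; done
        [ $found -eq 0 ] && out="$out $a"
    done
    printf '%s\n' "${out# }"
}

# report_drift RUNTIME PERMANENT: describe services that will be lost on
# the next reload (runtime-only) or appear on it (permanent-only).
report_drift() {
    ro=$(set_diff "$1" "$2")
    po=$(set_diff "$2" "$1")
    [ -n "$ro" ] && printf 'runtime-only (lost on reload): %s\n' "$ro"
    [ -n "$po" ] && printf 'permanent-only (applied on reload): %s\n' "$po"
    [ -z "$ro" ] && [ -z "$po" ] && printf 'in sync\n'
    return 0
}

# fw_add_service ZONE SERVICE: open the service in the running firewall
# first (so it can be tested immediately), then in the permanent
# configuration, so a reload or reboot does not quietly revert it.
# Requires root and a running firewalld.
fw_add_service() {
    firewall-cmd --zone="$1" --add-service="$2" &&
    firewall-cmd --zone="$1" --permanent --add-service="$2"
}

# fw_check_drift ZONE: compare what the running firewall allows in a zone
# with what is saved on disk for the same zone.
fw_check_drift() {
    report_drift "$(firewall-cmd --zone="$1" --list-services)" \
                 "$(firewall-cmd --zone="$1" --permanent --list-services)"
}

if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    fw_check_drift "$(firewall-cmd --get-default-zone)"
else
    # Offline demonstration on constructed lists: the article's situation,
    # where http was added at runtime but never made permanent.
    report_drift "ssh dhcpv6-client http" "ssh dhcpv6-client"
fi
```

Run as root on a firewalld host it reports the default zone's drift; anywhere else it prints "runtime-only (lost on reload): http" for the constructed lists. If you prefer to experiment at runtime and then freeze the result, firewall-cmd --runtime-to-permanent copies the whole running configuration to disk in one step, which is the other way to close the same gap.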

To open a specific port rather than a named service, give the port number and protocol (again, this goes to the default zone's runtime configuration unless you add --zone and --permanent):

netbeez$ firewall-cmd --add-port=20018/tcp
success
netbeez$ firewall-cmd --list-ports
20018/tcp

One distinctive feature of firewalld is panic mode. As the name suggests, if you suspect the system is compromised and want to drop all incoming and outgoing traffic immediately, type:

netbeez$ firewall-cmd --panic-on

NOTE: if you are accessing the host remotely over ssh, enabling panic mode will also drop your ssh session and you will lose access. To get back in you'd have to reboot the host or get local console access and disable panic mode with the following (firewall-cmd --query-panic tells you whether it is still on):

netbeez$ firewall-cmd --panic-off
success

We've just scratched the surface of what you can do with firewalld (rich rules, source-based zones, masquerading and port forwarding are all there). In a nutshell, whatever you'd wish for in a host firewall utility, you should be able to do with firewalld. For more details and complete documentation take a look at https://firewalld.org/documentation/.