How to Set up Firewall Rules with Firewalld

November 10, 2021 | Linux

Firewalls and Firewalld

In our series Linux for Network Engineers we have already covered two ways of setting firewall and routing rules on a host: iptables and the ufw (Uncomplicated Firewall) utility.

In case it wasn't already obvious that there are many ways to skin a cat on Linux, here is another firewall utility for the toolbox: firewalld.

Firewalld comes from the RHEL/CentOS universe, but it's available on Debian/Ubuntu as well. Both ufw and firewalld are front ends that make iptables rules human-friendly and readable. Let's see how it works with some examples.

Installation

It's pretty straightforward to install with the following command:

Usage

One feature I like about firewalld is that it has zones built in. A zone is simply a named collection of firewall rules that you want to group together.

For example, you can name a zone "home" and in that zone include rules that open certain ports (e.g. ssh), while another zone named "public" can include rules that block ssh (to keep unwanted users from trying to ssh to your machine); you would then switch to that zone when on public, insecure networks.

Out of the box, here are the available zones:

To see the current zone use:

Like ufw, firewalld has a list of predefined services that you can use when specifying rules, and you can get a list of all supported services with:

As you can see, only ssh and the dhcp client are currently allowed.

As a first example, let's enable http access on the host with firewalld as follows:

Now the http port (80) is allowed, but keep in mind that changes like these are not persistent: they are lost if you restart the firewalld daemon or reboot the system. Here is what services are listed after a restart of the firewalld daemon:

As you can see, http is not listed anymore. To make the change permanent, you can do the following:

To remove a service use:

To allow a specific port you can use a rule like the following:
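The runtime-versus-permanent distinction above is the thing that bites most people: a rule added without `--permanent` disappears on restart, and a rule added only with `--permanent` is not active until a reload. The following script is an added example, not code from the original post: a small POSIX shell wrapper around `firewall-cmd` that applies a service or port rule both at runtime and permanently, after validating the input. The `--add-service`, `--remove-service`, `--add-port`, `--remove-port`, `--permanent` and `--zone` options are real firewall-cmd options; the `FW_DRY_RUN` and `FW_ZONE` variables are this script's own convention (assumptions), and `FW_DRY_RUN=1` prints the commands instead of running them so you can check what would happen before touching a live host.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper around
# firewall-cmd that opens or closes a service/port so the rule applies
# right away AND survives a firewalld restart or reboot.
# FW_DRY_RUN=1 prints the firewall-cmd lines instead of executing them;
# FW_ZONE=<zone> targets a specific zone (default zone otherwise).
# Both variables are this script's own assumptions, not firewalld options.

# Run firewall-cmd, or just print the command line when FW_DRY_RUN=1.
# --zone=<FW_ZONE> is prepended only when FW_ZONE is set.
fw() {
    set -- ${FW_ZONE:+--zone=$FW_ZONE} "$@"
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# The runtime change takes effect immediately; the --permanent copy is
# written to firewalld's saved configuration so it is still there after
# the daemon is restarted or the host rebooted.
fw_apply() {
    fw "$@" && fw --permanent "$@"
}

# Service names are plain identifiers (ssh, http, dhcpv6-client, ...).
valid_service() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Port specs must look like PORT/PROTO (e.g. 8080/tcp) with a port in
# 1..65535; port ranges such as 8000-8100/tcp are deliberately not handled.
valid_port() {
    case "$1" in */*) ;; *) return 1 ;; esac
    port=${1%/*}
    proto=${1#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

fw_open_service() {
    valid_service "$1" || { echo "invalid service name: '$1'" >&2; return 1; }
    fw_apply --add-service="$1"
}

fw_close_service() {
    valid_service "$1" || { echo "invalid service name: '$1'" >&2; return 1; }
    fw_apply --remove-service="$1"
}

fw_open_port() {
    valid_port "$1" || { echo "invalid port spec: '$1' (want e.g. 8080/tcp)" >&2; return 1; }
    fw_apply --add-port="$1"
}

fw_close_port() {
    valid_port "$1" || { echo "invalid port spec: '$1' (want e.g. 8080/tcp)" >&2; return 1; }
    fw_apply --remove-port="$1"
}

# Command-line entry point:
#   sh fw-rule.sh open_service http
#   FW_DRY_RUN=1 FW_ZONE=public sh fw-rule.sh open_port 8080/tcp
case "${1:-}" in
    open_service|close_service|open_port|close_port)
        action=$1
        shift
        "fw_$action" "$@"
        ;;
esac
```

Applying the rule twice (runtime, then `--permanent`) is simpler to reason about than `--permanent` followed by `--reload`, because a reload also discards any other runtime-only rules on the host. The input checks matter because the script may be called from other automation: a service name with shell metacharacters or a port without a protocol is rejected before anything reaches `firewall-cmd`.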

One unique feature of firewalld is panic mode. As the name suggests, if you are panicking that your system is compromised and want to drop all connections immediately, type:

NOTE: if you are accessing the host remotely over ssh, enabling panic mode will also drop your ssh connection and you will lose access to the host. To regain access you'd have to reboot the host, or get local access and disable panic mode with:
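Since the ssh lock-out described in the note is so easy to trigger, it is worth wrapping panic mode in a guard. The following is an added example, not code from the original post: a POSIX shell script that refuses to enable panic mode when the current shell was started by sshd (detected through the `SSH_CONNECTION`, `SSH_CLIENT` and `SSH_TTY` variables sshd sets), unless the operator explicitly sets `FORCE=1`. The `--panic-on`, `--panic-off` and `--query-panic` options are real firewall-cmd options; `FORCE` and `FW_DRY_RUN` are this script's own variables (assumptions).

```shell
#!/bin/sh
# Added example, not code from the original post: a guard around firewalld's
# panic mode. "firewall-cmd --panic-on" drops every packet, including the
# SSH session that issued it, so this refuses to enable it from an SSH
# session unless FORCE=1 is given. FORCE and FW_DRY_RUN are this script's
# own assumptions; --panic-on, --panic-off and --query-panic are real options.

# sshd sets these variables for sessions it starts, so any of them being
# non-empty means this shell reaches the host over SSH.
in_ssh_session() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_CLIENT:-}" ] || [ -n "${SSH_TTY:-}" ]
}

# Run firewall-cmd, or just print the command line when FW_DRY_RUN=1.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Returns 0 when panic mode may be enabled from this shell: a local console,
# or an SSH session where FORCE=1 was set deliberately.
panic_allowed() {
    if in_ssh_session && [ "${FORCE:-0}" != 1 ]; then
        echo "refusing: this is an SSH session and panic mode would drop it;" \
             "run from the console or set FORCE=1 if you accept losing access" >&2
        return 1
    fi
}

panic_on()     { panic_allowed && fw --panic-on; }
panic_off()    { fw --panic-off; }
panic_status() { fw --query-panic; }   # exit status 0 means panic mode is active

# Entry point:  sh panic.sh on | off | status
case "${1:-}" in
    on)     panic_on ;;
    off)    panic_off ;;
    status) panic_status ;;
esac
```

Running `sh panic.sh on` from an ssh login prints the refusal and exits non-zero; the same command at the physical console, or with `FORCE=1` set, goes through to `firewall-cmd --panic-on`. `sh panic.sh status` relies on the usual firewall-cmd query convention of exit status 0 for "yes", which makes it easy to use in a post-reboot check.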

We've just scratched the surface of what you can do with firewalld. But in a nutshell, whatever you'd wish for in a firewall utility, you should be able to do with firewalld. For more details and complete documentation, take a look at https://firewalld.org/documentation/.