# Firewalld: Complete Linux Firewall Management Guide

Master firewalld for Linux systems with dynamic firewall management, zones configuration, and advanced network security features explained.

## Introduction to Firewalld

Firewalld is a dynamic firewall management tool for Linux systems that provides a high-level interface for managing netfilter (iptables/nftables) rules. It was designed to simplify firewall configuration while providing advanced features for network security management. Unlike traditional iptables configurations, firewalld allows for runtime changes without breaking existing connections and provides a more user-friendly approach to firewall management.

## Architecture and Core Concepts

### Dynamic Firewall Management

Firewalld operates as a daemon that manages firewall rules dynamically. This means you can modify firewall rules without restarting the firewall service or losing existing network connections. The daemon communicates with the kernel's netfilter framework through either iptables or nftables backends.

### Zones

Zones are the fundamental concept in firewalld that define trust levels for network connections. Each zone has specific rules about what traffic is allowed or denied. Network interfaces and source addresses are assigned to zones, and the zone determines the firewall behavior.

| Zone Name | Description | Default Behavior |
|-----------|-------------|------------------|
| drop | Lowest trust level | All incoming packets dropped without reply |
| block | Low trust level | All incoming connections rejected with icmp-host-prohibited |
| public | Default zone for public areas | Only selected incoming connections accepted |
| external | For external networks with masquerading | Selected incoming connections accepted, NAT enabled |
| dmz | For demilitarized zone systems | Only selected incoming connections accepted |
| work | For work environments | More services accepted than public |
| home | For home networks | More services accepted than work |
| internal | For internal networks | Most services accepted |
| trusted | Highest trust level | All network connections accepted |

### Services

Services are predefined sets of rules that define the ports and protocols needed for specific applications or services. Firewalld includes numerous predefined services, and you can create custom services as needed.

### Rich Rules

Rich rules provide advanced firewall configuration options that go beyond simple service and port management. They allow for complex rule definitions including source/destination matching, logging, and custom actions.

## Installation and Setup

### Installing Firewalld

```bash
# On Red Hat/CentOS/Fedora systems
sudo dnf install firewalld

# On Ubuntu/Debian systems
sudo apt update
sudo apt install firewalld

# On SUSE systems
sudo zypper install firewalld
```

### Starting and Enabling Firewalld

```bash
# Start the firewalld service
sudo systemctl start firewalld

# Enable firewalld to start at boot
sudo systemctl enable firewalld

# Check the status of firewalld
sudo systemctl status firewalld

# Stop firewalld (if needed)
sudo systemctl stop firewalld

# Disable firewalld from starting at boot
sudo systemctl disable firewalld
```

### Initial Configuration Check

```bash
# Check if firewalld is running
sudo firewall-cmd --state

# Show the full configuration of the default zone
sudo firewall-cmd --list-all

# Check the default zone
sudo firewall-cmd --get-default-zone

# List all available zones
sudo firewall-cmd --get-zones

# List all active zones (zones that have an interface or source assigned)
sudo firewall-cmd --get-active-zones
```

## Command-Line Interface: firewall-cmd

The firewall-cmd command is the primary tool for interacting with firewalld. It provides comprehensive functionality for managing firewall rules, zones, services, and advanced configurations.

### Basic Command Structure

```bash
firewall-cmd [OPTIONS] [COMMAND]
```

### Common Options

| Option | Description |
|--------|-------------|
| --zone= | Specify the zone for the command (defaults to the default zone) |
| --permanent | Write the change to the permanent configuration (survives reboot); it reaches the running firewall only after --reload |
| --runtime-to-permanent | Save the current runtime configuration as the permanent configuration |
| --reload | Reload firewall rules from the permanent configuration, keeping established connections |
| --complete-reload | Complete reload of the firewall, including kernel modules (breaks connections) |
| --timeout= | Set a timeout in seconds after which a runtime rule is removed again (cannot be combined with --permanent) |

## Zone Management

### Viewing Zone Information

```bash
# List all zones with their configurations
sudo firewall-cmd --list-all-zones

# Show configuration for a specific zone
sudo firewall-cmd --zone=public --list-all

# Get the default zone
sudo firewall-cmd --get-default-zone

# List active zones (zones with assigned interfaces or sources)
sudo firewall-cmd --get-active-zones

# List all available zones
sudo firewall-cmd --get-zones
```

### Managing the Default Zone

```bash
# Set the default zone
sudo firewall-cmd --set-default-zone=home

# The default zone is automatically assigned to interfaces that are not
# explicitly assigned to another zone
```

### Interface and Zone Assignment

```bash
# List interfaces in a specific zone
sudo firewall-cmd --zone=public --list-interfaces

# Add an interface to a zone temporarily
sudo firewall-cmd --zone=home --add-interface=eth0

# Add an interface to a zone permanently
sudo firewall-cmd --zone=home --add-interface=eth0 --permanent

# Remove an interface from a zone
sudo firewall-cmd --zone=home --remove-interface=eth0

# Change interface zone assignment
sudo firewall-cmd --zone=work --change-interface=eth0

# On hosts where NetworkManager manages the interface, set the zone on the
# connection profile instead (see "NetworkManager Integration" below), or
# NetworkManager may reassign the interface when the connection comes up
```

### Source-Based Zone Assignment

```bash
# Add a source IP or network to a zone
sudo firewall-cmd --zone=trusted --add-source=192.168.1.0/24

# Add a source permanently
sudo firewall-cmd --zone=trusted --add-source=10.0.0.100 --permanent

# Remove a source from a zone
sudo firewall-cmd --zone=trusted --remove-source=192.168.1.0/24

# List sources assigned to a zone
sudo firewall-cmd --zone=trusted --list-sources

# Change source zone assignment
sudo firewall-cmd --zone=dmz --change-source=192.168.1.100
```

## Service Management

### Predefined Services

Firewalld comes with many predefined services that correspond to common applications and protocols.

```bash
# List all available services
sudo firewall-cmd --get-services

# Get information about a specific service
sudo firewall-cmd --info-service=ssh

# List services allowed in the default zone
sudo firewall-cmd --list-services

# List services in a specific zone
sudo firewall-cmd --zone=public --list-services
```

### Managing Services in Zones

```bash
# Add a service to the default zone temporarily
sudo firewall-cmd --add-service=http

# Add a service permanently
sudo firewall-cmd --add-service=https --permanent

# Add a service to a specific zone
sudo firewall-cmd --zone=public --add-service=ssh --permanent

# Remove a service from a zone
sudo firewall-cmd --zone=public --remove-service=ssh

# Add multiple services at once
sudo firewall-cmd --add-service=http --add-service=https --permanent

# Check if a service is allowed
sudo firewall-cmd --query-service=ssh
```

### Common Service Examples

| Service Name | Description | Default Ports |
|--------------|-------------|---------------|
| ssh | Secure Shell | 22/tcp |
| http | HTTP Web Server | 80/tcp |
| https | HTTPS Web Server | 443/tcp |
| ftp | File Transfer Protocol | 21/tcp |
| smtp | Simple Mail Transfer Protocol | 25/tcp |
| dns | Domain Name System | 53/tcp, 53/udp |
| nfs | Network File System | 2049/tcp |
| samba | Samba File Sharing | 139/tcp, 445/tcp |
| mysql | MySQL Database | 3306/tcp |
| postgresql | PostgreSQL Database | 5432/tcp |

## Port and Protocol Management

### Managing Individual Ports

```bash
# Add a port temporarily
sudo firewall-cmd --add-port=8080/tcp

# Add a port permanently
sudo firewall-cmd --add-port=9000/tcp --permanent

# Add a port to a specific zone
sudo firewall-cmd --zone=public --add-port=3000/tcp --permanent

# Add a contiguous range of ports
sudo firewall-cmd --add-port=8000-8010/tcp --permanent

# Add a UDP port
sudo firewall-cmd --add-port=1194/udp --permanent

# Remove a port
sudo firewall-cmd --remove-port=8080/tcp

# List open ports
sudo firewall-cmd --list-ports

# Query if a port is open
sudo firewall-cmd --query-port=22/tcp
```

### Port Range Management

```bash
# Add a range of ports
sudo firewall-cmd --add-port=5000-5010/tcp --permanent

# Add multiple port ranges
sudo firewall-cmd --add-port=6000-6100/tcp --add-port=7000-7100/udp --permanent

# Remove a port range
sudo firewall-cmd --remove-port=5000-5010/tcp
```

## Rich Rules

Rich rules provide advanced firewall functionality with detailed control over packet filtering, logging, and actions.

### Rich Rule Syntax

```bash
rule [family="ipv4|ipv6"]
     [source [NOT] [address="address[/mask]"] [mac="mac-address"] [ipset="ipset"]]
     [destination [NOT] address="address[/mask]"]
     [<element>]
     [log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]]
     [audit]
     [accept|reject|drop]
```

The `<element>` is what the rule matches: `service name="…"`, `port port="…" protocol="tcp|udp"`, `protocol value="…"`, `icmp-block name="…"`, `masquerade`, `forward-port …` or `source-port …`. The `limit` inside `log` only throttles log entries; each action (`accept`, `reject`, `drop`) can carry its own `limit value="rate/duration"` to throttle the action itself, and `reject` accepts a `type="…"` for the ICMP reject type.

### Rich Rule Examples

```bash
# Allow SSH from a specific IP
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent

# Block a specific IP address
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.50" drop' --permanent

# Allow HTTP from a specific network with logging
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="http" log prefix="HTTP-ACCESS" level="info" accept' --permanent

# Log SSH connections, throttling the log entries to 3 per minute
# (the accept itself is not limited; put limit value="3/m" after accept for that)
sudo firewall-cmd --add-rich-rule='rule service name="ssh" log prefix="SSH-Attempt" level="info" limit value="3/m" accept' --permanent

# Allow a specific port from a specific source
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.16.0.0/12" port port="8080" protocol="tcp" accept' --permanent

# Reject with an ICMP response
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" reject type="icmp-host-prohibited"' --permanent

# Time-based rule (runtime only, removed automatically after 3600 seconds)
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.200" service name="http" accept' --timeout=3600
```

### Managing Rich Rules

```bash
# List all rich rules
sudo firewall-cmd --list-rich-rules

# List rich rules for a specific zone
sudo firewall-cmd --zone=public --list-rich-rules

# Remove a rich rule
sudo firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'

# Query a rich rule
sudo firewall-cmd --query-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'
```

## Advanced Features

### Port Forwarding

Port forwarding allows redirecting traffic from one port to another, either locally or to a different host.

```bash
# Forward a local port to another local port
sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

# Forward a port to a different host
# (forwarding to another host also needs masquerading enabled in the zone, see below)
sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.100:toport=80 --permanent

# Forward with a rich rule (more control, e.g. restricted to a source network)
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" forward-port port="80" protocol="tcp" to-port="8080"' --permanent

# List port forwards
sudo firewall-cmd --list-forward-ports

# Remove a port forward
sudo firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=8080
```

### Masquerading (NAT)

Masquerading enables Network Address Translation, allowing internal networks to access external networks through the firewall.

```bash
# Enable masquerading for a zone
sudo firewall-cmd --zone=external --add-masquerade --permanent

# Disable masquerading
sudo firewall-cmd --zone=external --remove-masquerade

# Check if masquerading is enabled
sudo firewall-cmd --zone=external --query-masquerade

# List zones with masquerading enabled
sudo firewall-cmd --list-all-zones | grep -A 10 -B 2 masquerade
```

### ICMP Filtering

Internet Control Message Protocol (ICMP) filtering allows control over ping and other ICMP traffic.

```bash
# List available ICMP types
sudo firewall-cmd --get-icmptypes

# Block ping (echo-request)
sudo firewall-cmd --add-icmp-block=echo-request --permanent

# Allow ping in a specific zone
sudo firewall-cmd --zone=home --remove-icmp-block=echo-request --permanent

# Block all ICMP except specific types: with block inversion enabled, the
# listed ICMP types are the ones allowed and everything else is blocked
sudo firewall-cmd --add-icmp-block-inversion --permanent
sudo firewall-cmd --add-icmp-block=echo-request --permanent

# List blocked ICMP types
sudo firewall-cmd --list-icmp-blocks
```

## Custom Services

### Creating Custom Services

```bash
# Create a new service definition
sudo firewall-cmd --permanent --new-service=myapp

# Set the description for the service
sudo firewall-cmd --permanent --service=myapp --set-description="My Custom Application"

# Set the short description
sudo firewall-cmd --permanent --service=myapp --set-short="MyApp"

# Add ports to the service
sudo firewall-cmd --permanent --service=myapp --add-port=8080/tcp
sudo firewall-cmd --permanent --service=myapp --add-port=8443/tcp

# Add a whole IP protocol only if the service really needs it:
# --add-protocol opens every port of that protocol, not a single port
sudo firewall-cmd --permanent --service=myapp --add-protocol=tcp

# Reload to make the service available
sudo firewall-cmd --reload

# Add the custom service to a zone
sudo firewall-cmd --zone=public --add-service=myapp --permanent
```

### Managing Custom Services

```bash
# Get information about the custom service
sudo firewall-cmd --info-service=myapp

# Modify an existing service
sudo firewall-cmd --permanent --service=myapp --add-port=9000/tcp

# Remove a port from the service
sudo firewall-cmd --permanent --service=myapp --remove-port=8080/tcp

# Delete the custom service
sudo firewall-cmd --permanent --delete-service=myapp
```

### Service Definition Files

Custom services are stored as XML files in /etc/firewalld/services/. Here is an example service definition (/etc/firewalld/services/myapp.xml) matching the myapp service created above:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MyApp</short>
  <description>My Custom Application Service</description>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8443"/>
</service>
```

## Configuration Management

### Runtime vs Permanent Configuration

Firewalld maintains two configuration sets: runtime (temporary) and permanent. Understanding the difference is crucial for proper firewall management.

| Configuration Type | Persistence | Command Usage |
|-------------------|-------------|---------------|
| Runtime | Lost on reload/restart | Default behavior |
| Permanent | Survives reload/restart | Add --permanent flag |

### Configuration Workflow

```bash
# Make temporary changes for testing
sudo firewall-cmd --add-service=http

# Test the configuration

# If satisfied, make it permanent
sudo firewall-cmd --add-service=http --permanent

# Alternative: save the runtime configuration as permanent
sudo firewall-cmd --runtime-to-permanent

# Reload the permanent configuration
sudo firewall-cmd --reload

# Complete reload (breaks existing connections)
sudo firewall-cmd --complete-reload
```
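The workflow above (test at runtime, then persist) is easy to get wrong on a remote host: a rule that breaks your own access has to be undone before you can continue. The script below is an added example, not part of the original guide, that wraps the workflow so a change which fails its check removes itself. It applies the rule with `--timeout`, runs a check command, and only writes the permanent configuration once the check passes. The function name, the `FWCMD` variable (assumed to point at the `firewall-cmd` binary, overridable for testing) and the `curl` check in the usage comment are this example's own choices.

```shell
#!/bin/sh
# Lockout-safe firewall change (added example, not from the original guide).
#  1. Apply the rule at runtime with --timeout so it self-removes if the check
#     fails or this script dies before it finishes.
#  2. Run a reachability check of your choosing.
#  3. Only then write the rule to the permanent configuration and reload.
# FWCMD is assumed to be the firewall-cmd binary; tests can point it at a stub.
FWCMD=${FWCMD:-firewall-cmd}

# fw_safe_add_service ZONE SERVICE CHECK_CMD [TIMEOUT_SECONDS]
# Returns 0 on success, 1 if firewall-cmd itself fails, 2 if CHECK_CMD fails
# (in which case the temporary rule is removed immediately).
fw_safe_add_service() {
    zone=$1; service=$2; check=$3; timeout=${4:-120}

    # Runtime-only rule with an expiry: the worst case is a rule that lives
    # for $timeout seconds, never a permanent lockout.
    $FWCMD --zone="$zone" --add-service="$service" --timeout="$timeout" >/dev/null || return 1

    if ! sh -c "$check"; then
        $FWCMD --zone="$zone" --remove-service="$service" >/dev/null
        return 2
    fi

    # Persist, then reload so the timed runtime rule is replaced by the
    # permanent one. --reload keeps established connections but discards any
    # other runtime-only changes; run --runtime-to-permanent first if you
    # have some you want to keep.
    $FWCMD --zone="$zone" --add-service="$service" --permanent >/dev/null || return 1
    $FWCMD --reload >/dev/null || return 1
    return 0
}

# Example use on a real host: allow HTTP in the public zone only if the local
# web server answers within the grace period.
# fw_safe_add_service public http 'curl -fsS -m 5 http://127.0.0.1/ >/dev/null' 60
```

The check command is the important part: for a remote host, make it something that proves you can still reach the box through the new rule set (for example a second SSH session or an HTTP probe from a jump host), not just a local port test.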

### Configuration Files

Firewalld configuration files are stored in specific directories:

| Directory | Purpose |
|-----------|---------|
| /usr/lib/firewalld/ | Default configurations (system provided) |
| /etc/firewalld/ | Custom configurations (user defined) |
| /etc/firewalld/zones/ | Zone configuration files |
| /etc/firewalld/services/ | Custom service definitions |

### Backup and Restore

```bash
# Back up the firewalld configuration
sudo cp -r /etc/firewalld /etc/firewalld.backup.$(date +%Y%m%d)

# Export the current configuration
sudo firewall-cmd --list-all-zones > firewall-config-backup.txt

# Restore from a backup
sudo systemctl stop firewalld
sudo cp -r /etc/firewalld.backup.20231201 /etc/firewalld
sudo systemctl start firewalld
```

## Logging and Monitoring

### Enabling Logging

```bash
# Log all denied packets to the kernel log
sudo firewall-cmd --set-log-denied=all

# Show the current setting; available values: all, unicast, broadcast, multicast, off
sudo firewall-cmd --get-log-denied

# Log specific traffic with rich rules
sudo firewall-cmd --add-rich-rule='rule service name="ssh" log prefix="SSH-LOGIN" level="info" accept' --permanent
```

### Log Locations

| Log Type | Location |
|----------|----------|
| Firewalld daemon | /var/log/firewalld |
| Kernel messages | /var/log/messages or /var/log/kern.log |
| Journal | journalctl -u firewalld |

### Monitoring Commands

```bash
# View firewalld service logs
sudo journalctl -u firewalld -f

# View recent firewall-related kernel messages
sudo dmesg | grep -i firewall

# Monitor dropped packets
sudo journalctl -k | grep -i "dropped"

# Real-time monitoring of firewall logs
sudo tail -f /var/log/messages | grep -i firewall
```
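Grepping the kernel log line by line, as above, shows individual hits but not patterns. The function below is an added example, not part of the original guide, that turns the netfilter log lines firewalld produces (both the `FINAL_REJECT:` lines from `--set-log-denied` and the lines from a rich rule `log prefix=` such as the `SSH-Attempt` rule earlier) into a per-source, per-destination-port count, so repeated probes stand out. The function and sample-log names are this example's own; the log lines are constructed and abridged, with documentation addresses, not captured from a real host.

```shell
#!/bin/sh
# Summarise firewalld's netfilter log lines (added example, not from the
# original guide). Feed it `journalctl -k` or /var/log/messages on stdin.

# fw_denied_summary MIN_COUNT < LOGFILE
# Prints "COUNT SRC DPT" for every source/destination-port pair logged at least
# MIN_COUNT times, most frequent first. Any line carrying netfilter's
# "SRC=... DST=..." fields is counted, whatever log prefix it has; lines
# without a destination port (e.g. ICMP) show DPT as "-".
fw_denied_summary() {
    awk -v min="${1:-1}" '
        /SRC=/ && /DST=/ {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5); else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) if (count[k] >= min) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed, abridged sample in the shape journalctl -k shows for firewalld
# log lines (hosts, times and addresses are made up; real lines carry more
# fields such as LEN, TOS and WINDOW, which the parser ignores).
sample_log() {
    cat <<'EOF'
Mar 03 10:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=51234 DPT=3389 SYN
Mar 03 10:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=51235 DPT=3389 SYN
Mar 03 10:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=51236 DPT=445 SYN
Mar 03 10:00:04 host kernel: SSH-Attempt: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 TTL=55 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 03 10:00:05 host kernel: SSH-Attempt: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 TTL=55 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 03 10:00:06 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar 03 10:00:07 host firewalld[812]: WARNING: some unrelated daemon message
EOF
}

# Real use:  sudo journalctl -k --since -1h | fw_denied_summary 20
# Sample:    sample_log | fw_denied_summary 2
```

Because only `SRC=`/`DPT=` fields are used, the same function works for IPv6 lines and for any custom `log prefix=` you configure; pair it with `--set-log-denied=all` on hosts where the extra log volume is acceptable.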

## Troubleshooting

### Common Issues and Solutions

#### Issue: Service Won't Start

```bash
# Check the service status
sudo systemctl status firewalld

# Check for configuration errors
sudo firewall-cmd --check-config

# View detailed logs
sudo journalctl -u firewalld -n 50
```

#### Issue: Rules Not Working

```bash
# Verify the rule is applied at runtime
sudo firewall-cmd --list-all

# Check whether the rule is in the permanent configuration
sudo firewall-cmd --list-all --permanent

# Reload the configuration
sudo firewall-cmd --reload
```

#### Issue: Connection Problems After Changes

```bash
# Check active zones
sudo firewall-cmd --get-active-zones

# Verify interface assignments
sudo firewall-cmd --list-all-zones | grep -A 5 -B 5 interfaces

# Temporarily stop the firewall to confirm it is the cause; this removes all
# filtering, so keep the window short and start it again right after the test
sudo systemctl stop firewalld
```

### Diagnostic Commands

```bash
# Check the firewalld state
sudo firewall-cmd --state

# Verify the configuration syntax
sudo firewall-cmd --check-config

# Get a complete configuration dump
sudo firewall-cmd --list-all-zones

# Show panic mode status
sudo firewall-cmd --query-panic

# Enable panic mode (drops all incoming and outgoing packets, including
# your own SSH session, so use it from the console)
sudo firewall-cmd --panic-on

# Disable panic mode
sudo firewall-cmd --panic-off
```

## Best Practices

### Security Best Practices

1. Principle of Least Privilege: Only open ports and services that are absolutely necessary
2. Regular Auditing: Periodically review firewall rules and remove unused ones
3. Logging: Enable appropriate logging for security monitoring
4. Testing: Always test firewall changes in a non-production environment first
5. Documentation: Document all custom rules and their purposes
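Regular auditing is easier when the expected state is written down and compared mechanically. The function below is an added example, not part of the original guide: it reads the output of `firewall-cmd --zone=<zone> --list-all` on stdin, compares the services and ports the zone exposes against an allow-list, and reports anything extra. Running it from cron or a configuration-management check turns "periodically review the rules" into a concrete drift alarm. The function and sample names are this example's own, and the listing is constructed rather than captured from a host.

```shell
#!/bin/sh
# Zone drift check (added example, not from the original guide).
#
# fw_audit_zone "ALLOWED_SERVICES" "ALLOWED_PORTS" < listing
# Reads a `firewall-cmd --zone=X --list-all` listing on stdin, prints one
# "unexpected service: NAME" / "unexpected port: PORT/PROTO" line per finding,
# and returns 1 if there were any, 0 if the zone matches the allow-list.
fw_audit_zone() {
    awk -v svc_ok="$1" -v port_ok="$2" '
        BEGIN {
            n = split(svc_ok, a, " ");  for (i = 1; i <= n; i++) ok_svc[a[i]] = 1
            n = split(port_ok, b, " "); for (i = 1; i <= n; i++) ok_port[b[i]] = 1
            bad = 0
        }
        # --list-all prints one "services: a b c" and one "ports: p/tcp ..." line
        $1 == "services:" { for (i = 2; i <= NF; i++) if (!($i in ok_svc))  { print "unexpected service: " $i; bad = 1 } }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) if (!($i in ok_port)) { print "unexpected port: " $i;    bad = 1 } }
        END { exit bad }
    '
}

# Constructed sample of a --list-all listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh http
  ports: 8080/tcp 3000/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Real use, e.g. from a nightly job (allow-lists are this example's own):
#   sudo firewall-cmd --zone=public --list-all | fw_audit_zone "ssh http https" "8080/tcp" \
#       || logger -t fw-audit "public zone drifted from the allow-list"
# Sample run, which should flag the cockpit service and port 3000/tcp:
#   sample_listing | fw_audit_zone "ssh http dhcpv6-client" "8080/tcp"
```

The check is deliberately one-directional: it only complains about extra exposure, since a missing allowed service is an availability problem rather than a security one and is usually noticed quickly. Run it once per zone that has interfaces or sources assigned (`--get-active-zones` lists them).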

### Configuration Management Best Practices

1. Use Permanent Rules: Always make production rules permanent
2. Backup Configurations: Take regular backups of firewall configurations
3. Version Control: Track changes to custom service definitions
4. Consistent Naming: Use descriptive names for custom services and rules
5. Zone Strategy: Develop a clear zone assignment strategy

### Performance Considerations

1. Rule Ordering: More specific rules should be placed before general ones
2. Rich Rule Complexity: Avoid overly complex rich rules that impact performance
3. Regular Cleanup: Remove obsolete rules and services
4. Monitor Resource Usage: Watch for high CPU usage from firewall processing

## Integration with Other Tools

### Ansible Integration

```yaml
---
- name: Configure firewalld
  hosts: all
  tasks:
    - name: Install firewalld
      package:
        name: firewalld
        state: present

    - name: Start and enable firewalld
      systemd:
        name: firewalld
        state: started
        enabled: yes

    - name: Allow SSH
      firewalld:
        service: ssh
        permanent: yes
        state: enabled
        immediate: yes

    - name: Allow HTTP and HTTPS
      firewalld:
        service: "{{ item }}"
        permanent: yes
        state: enabled
        immediate: yes
      loop:
        - http
        - https
```

### NetworkManager Integration

Firewalld integrates with NetworkManager to automatically assign network interfaces to appropriate zones based on connection profiles.

```bash
# Set the zone for a NetworkManager connection
sudo nmcli connection modify "Wired connection 1" connection.zone home

# View the connection's zone assignment
sudo nmcli connection show "Wired connection 1" | grep zone
```

This comprehensive guide covers the essential aspects of firewalld management, from basic concepts to advanced configurations. Regular practice with these commands and concepts will help you become proficient in managing Linux firewall security with firewalld.

Tags

  • Linux
  • Network Security
  • firewalld
  • iptables
  • system-administration
