Introduction
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, Ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.
Firewalld service management
- To start the service and enable FirewallD on boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
- To stop and disable it:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
- Check the firewall status:
sudo firewall-cmd --state
- To view the status of the FirewallD daemon:
sudo systemctl status firewalld
- Example output:
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-08-08 15:11:24 IST; 23h ago
     Docs: man:firewalld(1)
 Main PID: 2577 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─2577 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
- To reload a FirewallD configuration:
sudo firewall-cmd --reload
Zones
Zones are pre-constructed rulesets for various trust levels you would likely have for a given location or scenario (e.g. home, public, trusted, etc.). Different zones allow different network services and incoming traffic types while denying everything else. After enabling FirewallD for the first time, Public will be the default zone.
Zones can also be applied to different network interfaces. For example, with separate interfaces for an internal network and for the Internet, you can allow DHCP on the internal zone but only HTTP and SSH on the external zone. Any interface not explicitly assigned to a specific zone is attached to the default zone.
- To view the default zone:
sudo firewall-cmd --get-default-zone
- To change the default zone:
sudo firewall-cmd --set-default-zone=internal
- To see the zones used by your network interface(s):
sudo firewall-cmd --get-active-zones
- To get all configurations for a specific zone:
sudo firewall-cmd --zone=public --list-all
Example output:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
- To get all configurations for all zones:
sudo firewall-cmd --list-all-zones
Example output:
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

...

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
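The zone listings above are what an operator reads when checking whether a zone exposes more than it should. The following script is an added example, not part of the original page: it reads the text produced by firewall-cmd --zone=NAME --list-all from standard input and reports every service or port that is not on an allow-list, plus masquerading if it is enabled. The allow-lists (ALLOWED_SERVICES, ALLOWED_PORTS) and the sample listing are constructed for this example; the sample mirrors the public zone shown above.

```shell
# Added example (not from the original page): audit a firewall-cmd zone listing.
# ALLOWED_SERVICES / ALLOWED_PORTS are assumed policy values for this example;
# override them in the environment to match your own baseline.
ALLOWED_SERVICES="${ALLOWED_SERVICES:-ssh dhcpv6-client http}"
ALLOWED_PORTS="${ALLOWED_PORTS:-}"

# audit_zone_listing: reads `firewall-cmd --zone=<zone> --list-all` output on
# stdin, prints one line per finding, and returns the number of findings
# (0 means the zone matches the allow-lists and has masquerading off).
audit_zone_listing() {
    awk -v allowed_services="$ALLOWED_SERVICES" -v allowed_ports="$ALLOWED_PORTS" '
    BEGIN {
        split("", ok_svc); split("", ok_port)
        n = split(allowed_services, a, " "); for (i = 1; i <= n; i++) ok_svc[a[i]] = 1
        n = split(allowed_ports, p, " ");    for (i = 1; i <= n; i++) ok_port[p[i]] = 1
        findings = 0
    }
    # first line is "<zone> (active)" or just "<zone>"
    NR == 1 { zone = $1 }
    $1 == "services:" {
        for (i = 2; i <= NF; i++)
            if (!($i in ok_svc)) { print zone ": service not on allow-list: " $i; findings++ }
    }
    $1 == "ports:" {
        for (i = 2; i <= NF; i++)
            if (!($i in ok_port)) { print zone ": port not on allow-list: " $i; findings++ }
    }
    $1 == "masquerade:" && $2 == "yes" { print zone ": masquerading enabled"; findings++ }
    END { exit findings }
    '
}

# Constructed sample listing (same shape as the public zone output on this page).
SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Usage: pipe a listing in; on a live host use
#   firewall-cmd --zone=public --list-all | audit_zone_listing
printf '%s\n' "$SAMPLE_PUBLIC" | audit_zone_listing || echo "findings: $?"
```

Because the script consumes plain text, the same audit can run against saved listings from many hosts without firewalld installed on the machine doing the review; the exit status makes it usable as a check in a configuration pipeline.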
Benefits of using firewalld
Changes can be made immediately in the runtime environment; no restart of the service or daemon is needed. The separation of the runtime and permanent configuration makes it possible to do evaluation and tests in runtime. The runtime configuration is only valid until the next service reload or restart, or until a system reboot; then the permanent configuration is loaded again. The runtime environment can therefore also be used for settings that should only be active for a limited amount of time. If the runtime configuration has been used for evaluation, and it is complete and working, it is possible to save this configuration to the permanent environment.
Services
FirewallD can allow traffic based on predefined rules for specific network services. You can create your own custom service rules and add them to any zone. The configuration files for the default supported services are located at /usr/lib/firewalld/services and user-created service files would be in /etc/firewalld/services.
- To view the default available services:
sudo firewall-cmd --get-services
- As an example, to enable or disable the HTTP service:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
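The commands above write straight to the permanent configuration. The runtime/permanent split described under "Benefits of using firewalld" suggests a safer order: add the service at runtime only, confirm firewalld reports it active, and only then copy the runtime state to the permanent configuration with firewall-cmd --runtime-to-permanent. The script below is an added example, not code from the page or from the firewalld project. FIREWALL_CMD is an assumed override hook so the function can be exercised without root or a running daemon; by default it calls the real firewall-cmd.

```shell
# Added example (not from the original page): stage a service rule at runtime,
# verify it, then persist it. A failed verification reloads firewalld, which
# discards the runtime change and returns the host to its permanent config.
# FIREWALL_CMD is an assumed hook for dry runs; it defaults to firewall-cmd.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# stage_and_persist ZONE SERVICE
#   1. add SERVICE to ZONE in the runtime configuration only (no --permanent)
#   2. confirm firewalld reports the service active in that zone
#   3. copy the verified runtime state into the permanent configuration
# Returns 0 on success, 1 if any step fails (with the runtime change rolled back).
stage_and_persist() {
    zone=$1
    service=$2

    if ! "$FIREWALL_CMD" --zone="$zone" --add-service="$service" >/dev/null; then
        echo "could not add $service to zone $zone at runtime" >&2
        return 1
    fi

    # --query-service exits 0 only if the service is enabled in the zone
    if ! "$FIREWALL_CMD" --zone="$zone" --query-service="$service" >/dev/null; then
        echo "$service is not active in $zone; rolling back runtime change" >&2
        "$FIREWALL_CMD" --reload >/dev/null
        return 1
    fi

    # everything checked out: make the runtime state the permanent state
    "$FIREWALL_CMD" --runtime-to-permanent >/dev/null
}

# Usage on a live host (needs root): stage_and_persist public http
# Dry run without touching a firewall: FIREWALL_CMD="echo firewall-cmd" sh this_script.sh
[ "$FIREWALL_CMD" = "firewall-cmd" ] || stage_and_persist public http
```

The same pattern applies to --add-port and --add-source: keep --permanent out of the experimental step, let the runtime configuration expire on reload if the change turns out to be wrong, and promote it only after it has been checked.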
Sources
digitalocean.com
firewalld.org
linode.com