Manage network security with Firewalld using command lines

Maintaining network security is a core duty of a system administrator, and configuring the firewall from the command line is an essential skill. This article shows how to manage the firewall with firewall-cmd on the Linux command line.

A firewall is software that controls incoming and outgoing network traffic according to a set of rules. It can stop other hosts from reaching network services running on your system. Most Linux distributions ship with a firewall. Older releases managed packet filtering directly with iptables, a command-line tool for the kernel's netfilter framework (not a daemon). Newer releases of Fedora, RHEL/CentOS, and openSUSE ship Firewalld as the default firewall daemon, which manages the kernel rules for you (through nftables on current versions, iptables on older ones). Firewalld can also be installed on Debian and Ubuntu.


I recommend that you use Firewalld instead of iptables. Do not just take my word for it. Learn more from our comprehensive guide on the available open-source firewalls for your Linux system.

Firewalld is a dynamic firewall daemon built around zones: a zone assigns a trust level to the network interfaces, source addresses, or connections bound to it, and rules can be changed at runtime without dropping established connections. It supports IPv4, IPv6, IP sets, and Ethernet bridges. You can manage it with the firewall-cmd terminal command or the firewall-config GUI tool.

This guide will utilize the firewall-cmd command to manage network security, and our test environment will be Fedora Workstation 33.

Before we get all technical, let's learn a few network basics.

Network basics

A computer connected to a network is assigned an IP address, which is used to route data to it. Each address has 65536 ports (0-65535) that act as connection endpoints. Applications listen on specific ports: web servers normally use port 80 for plain HTTP and port 443 for HTTPS. Ports 0-1023 are the well-known ports reserved for system services; on Linux, binding to them requires root or the CAP_NET_BIND_SERVICE capability.

The two main Internet transport protocols (TCP and UDP) use these ports. A connection is identified by the source IP address and port (normally an ephemeral port chosen by the client) together with the destination IP address and port (for example, port 80 for plain HTTP).

To manage network security, firewall software allows or blocks traffic based on rules such as ports, protocols, source or destination IP addresses, and connection state.

Installing Firewalld

Fedora, RHEL/CentOS 7/8, openSUSE

Firewalld is installed by default on Fedora, RHEL/CentOS 7/8, and openSUSE. If it is missing, install it with your distribution's package manager:

# yum install firewalld -y      (RHEL/CentOS 7)
# dnf install firewalld -y      (Fedora, RHEL/CentOS 8)
# zypper install firewalld      (openSUSE)

Debian/Ubuntu

Ubuntu ships with the Uncomplicated Firewall (ufw) by default. To use firewalld, enable the universe repository, install the package, and stop and disable ufw so that two tools are not managing the same netfilter rules at once.

sudo add-apt-repository universe
sudo apt install firewalld

Deactivate Uncomplicated Firewall:

sudo systemctl disable --now ufw

Enable firewalld at boot time:

sudo systemctl enable --now firewalld

Verify Firewalld is running:

sudo firewall-cmd --state
running

Firewall zones

Firewalld simplifies configuration by shipping a set of predefined zones. A zone is a named set of rules (allowed services, ports, protocols, rich rules) that expresses how much you trust the traffic arriving on the interfaces and from the source addresses bound to it. Traffic that matches no rule is handled by the zone's target; the default target rejects it.

Example of a default zone definition shipped with Fedora Workstation 33 (the description states what the zone does; the service and port elements are the settings that --list-services and --list-ports report later in this guide):

cat /usr/lib/firewalld/zones/FedoraWorkstation.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <service name="mdns"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>

Files under /usr/lib/firewalld/ are the vendor defaults; do not edit them in place. Firewalld reads /etc/firewalld/zones/ first, so a zone file with the same name there overrides the shipped one and survives package updates.

Get the active zones:
Use the --get-active-zones flag to see which zones are currently active, that is, which have an interface or source address bound to them.

sudo firewall-cmd --get-active-zones
[sudo] password for tuts:
FedoraWorkstation
interfaces: wlp3s0
libvirt
interfaces: virbr0

The default zone on Fedora Workstation 33 is the FedoraWorkstation zone; the libvirt zone is also active because the virtual bridge virbr0 is bound to it.

Get the default zone and all defined zones:

sudo firewall-cmd --get-default-zone
[sudo] password for tuts:
FedoraWorkstation
[tuts@fosslinux ~]$ sudo firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal libvirt nm-shared public trusted work

List services:

Use the --list-services flag to see which services the firewall lets other systems reach. Without --zone, this and the other query and change commands act on the default zone.

[tuts@fosslinux ~]$ sudo firewall-cmd --list-services
dhcpv6-client mdns samba-client ssh

On Fedora Linux 33, the default zone allows access to four predefined services (dhcpv6-client, mdns, samba-client, ssh), each of which maps to well-known port numbers defined in /usr/lib/firewalld/services/.

List firewall port settings:
Use the --list-ports flag to see the ports opened directly (outside of any service) in a zone.

[tuts@fosslinux ~]$ sudo firewall-cmd --list-ports --zone=FedoraWorkstation
[sudo] password for tuts:
1025-65535/udp 1025-65535/tcp

We have specified the zone to check with --zone=FedoraWorkstation. Note that this zone accepts unsolicited traffic to every port above 1024 over both TCP and UDP; it is a desktop profile, not a server one, so any service you start on a high port is immediately reachable from the network.

Managing zones, ports, and services

Firewalld keeps two configurations: runtime and permanent. By default, firewall-cmd changes the runtime configuration only, and those changes are lost when firewalld reloads or the system restarts. Add the --permanent flag to change the permanent configuration instead; a permanent change does not affect running traffic until you run firewall-cmd --reload (or repeat the same command without --permanent). To promote the current runtime settings to the permanent configuration in one step, use firewall-cmd --runtime-to-permanent.

Create a zone

To create a zone, use the --new-zone flag. Zones can only be created in the permanent configuration, so --permanent is required.
Example:
Create a new permanent zone called fosscorp:

[tuts@fosslinux ~]$ sudo firewall-cmd --new-zone fosscorp --permanent
[sudo] password for tuts:
success

Reload the firewall so the runtime configuration picks up the new zone:

[tuts@fosslinux ~]$ sudo firewall-cmd --reload

Add the ssh service to the fosscorp zone so you can still reach the host remotely once an interface is moved into it, then reload again so the permanent change takes effect at runtime:

[tuts@fosslinux ~]$ sudo firewall-cmd --zone fosscorp --add-service ssh --permanent
[sudo] password for tuts:
success
[tuts@fosslinux ~]$ sudo firewall-cmd --reload

Confirm that the new zone fosscorp is now defined:

[tuts@fosslinux ~]$ sudo firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external fosscorp home internal libvirt nm-shared public trusted work

The zone exists with the default target, so it rejects all unsolicited incoming connections except SSH. It is not active yet, though: a zone only becomes active (and only then appears in --get-active-zones) once an interface or source address is bound to it.

Use the --change-interface flag to bind the network interface you want to protect (here wlp3s0) to the fosscorp zone. Binding an interface is what makes the zone active:

[tuts@fosslinux ~]$ sudo firewall-cmd --change-interface wlp3s0 \
> --zone fosscorp --permanent
The interface is under the [ firewall ] control of NetworkManager, setting zone to 'fosscorp'.
success

If you also want fosscorp to be the default zone, the one applied to any interface or source that has no explicit zone, use --set-default-zone. This change applies to both the runtime and the permanent configuration immediately:

[tuts@fosslinux ~]$ sudo firewall-cmd --set-default-zone fosscorp
success

View the zones currently assigned to each interface with the --get-active-zones flag:

[tuts@fosslinux ~]$ sudo firewall-cmd --get-active-zones
fosscorp
interfaces: wlp3s0
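The sequence above (create the zone, admit ssh, bind the interface, set the default, verify) as a single script. This is an added example, not code from the original article or from the Firewalld project. It assumes the zone name fosscorp and interface wlp3s0 from the walkthrough (both overridable as arguments) and must run as root; the DRY_RUN mode is my own convenience for reviewing the command order before touching a remote host.

```shell
#!/bin/sh
# Added example (not from the original article): bring an interface under a
# new SSH-only zone in an order that cannot lock a remote admin out.
# Assumptions: zone "fosscorp" and interface "wlp3s0" unless overridden as
# arguments; firewall-cmd must be run as root.
set -eu

# With DRY_RUN=1 every firewall-cmd invocation is appended to $PLAN (one per
# line) instead of being executed, so the order can be reviewed first.
PLAN=""
fwcmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    PLAN="${PLAN}firewall-cmd $*
"
  else
    firewall-cmd "$@"
  fi
}

# Succeeds if the zone already exists in the permanent configuration.
zone_exists() {
  firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx -- "$1"
}

# harden_interface [ZONE] [IFACE]
harden_interface() {
  zone="${1:-fosscorp}"
  iface="${2:-wlp3s0}"
  # 1. Zones can only be created in the permanent configuration; skip if present.
  if [ "${DRY_RUN:-0}" = "1" ] || ! zone_exists "$zone"; then
    fwcmd --permanent --new-zone="$zone"
  fi
  # 2. Admit SSH *before* any interface is moved into the zone. The other way
  #    round, with a reload in between, would drop the admin's own session.
  fwcmd --permanent --zone="$zone" --add-service=ssh
  # 3. Bind the interface to the zone; this is what makes the zone active.
  fwcmd --permanent --zone="$zone" --change-interface="$iface"
  # 4. Make it the default for interfaces/sources with no explicit zone
  #    (runtime and permanent at once; --permanent is not accepted here).
  fwcmd --set-default-zone="$zone"
  # 5. One reload activates all the permanent changes together.
  fwcmd --reload
  # 6. Show the resulting binding so the operator can verify it.
  fwcmd --get-active-zones
}
```

Review the plan first, then apply it: `DRY_RUN=1 sh -c '. ./fosscorp-zone.sh; harden_interface; printf "%s" "$PLAN"'` followed by `sudo sh -c '. ./fosscorp-zone.sh; harden_interface fosscorp wlp3s0'`. If the interface is managed by NetworkManager, firewall-cmd hands the binding over to it, as the message in the walkthrough shows.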

Add and remove services:

A quick way to allow traffic through your firewall is to add a predefined service.

List available predefined services:

[tuts@fosslinux ~]$ sudo firewall-cmd --get-services
[sudo] password for tuts:
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc
bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client
[… ]

Unblock a predefined service

You can permit HTTPS traffic (or any other predefined service) through your firewall with the --add-service flag. Without --zone, the service is added to the default zone:

[tuts@fosslinux ~]$ sudo firewall-cmd --add-service https --permanent
success
[tuts@fosslinux ~]$ sudo firewall-cmd --reload

You can also remove a service with the --remove-service flag:

[tuts@fosslinux ~]$ sudo firewall-cmd --remove-service https --permanent
success
[tuts@fosslinux ~]$ sudo firewall-cmd --reload

Add and remove Ports

You can also add a port number and protocol directly with the --add-port flag. Adding a port directly is handy when no predefined service exists for it.

Example:
To run SSH on the non-standard port 1717, open that port in the firewall. Without --zone, the port is opened in the default zone:

[tuts@fosslinux ~]$ sudo firewall-cmd --add-port 1717/tcp --permanent
[sudo] password for tuts:
success
[tuts@fosslinux ~]$ sudo firewall-cmd --reload

Opening the port in the firewall does not move sshd: you still need Port 1717 in /etc/ssh/sshd_config and, on SELinux-enforcing systems such as Fedora, a port label (semanage port -a -t ssh_port_t -p tcp 1717) before restarting sshd. Keep port 22 open until the new port is confirmed working from a second session.

Remove the port with the --remove-port flag:

[tuts@fosslinux ~]$ sudo firewall-cmd --remove-port 1717/tcp --permanent
success
[tuts@fosslinux ~]$ sudo firewall-cmd --reload

You can also specify a zone to add or remove a port by adding the --zone flag to the command:
Add port 1718 for TCP connections to the FedoraWorkstation zone:

[tuts@fosslinux ~]$ sudo firewall-cmd --zone=FedoraWorkstation --permanent --add-port=1718/tcp
success
[tuts@fosslinux ~]$ sudo firewall-cmd --reload
success

Confirm that the change has taken effect:

[tuts@fosslinux ~]$ sudo firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp 1718/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Note: Under ports, 1718/tcp now appears. In this particular zone it changes nothing in practice, because 1025-65535/tcp was already open; an explicit port rule only matters in a stricter zone (such as fosscorp above) that does not open the high port range.
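Checking a zone by eye is error-prone once port ranges are involved. The following is an added example, not code from the original article or the Firewalld project: it parses --list-all output like the listing above and reports whether a given port and protocol is opened by the zone and which port ranges are suspiciously wide. It also serves the --list-ports section earlier: piping `firewall-cmd --list-all --zone=<zone>` into zone_allows_port answers whether a port is reachable through any zone. SAMPLE_LIST_ALL is a constructed copy of the listing above; the function names and the 1000-port threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): audit a zone from the output
# of `firewall-cmd --list-all` instead of eyeballing it. Answers "is this
# port/protocol opened by the zone?" while honouring port ranges, and flags
# ranges wide enough to suggest a desktop profile running on a server.
set -eu

# Constructed sample input: the FedoraWorkstation zone as listed above.
SAMPLE_LIST_ALL='FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp 1718/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field NAME  < list-all output
# Prints the value of one field ("ports", "services", "target", ...).
zone_field() {
  awk -v f="$1" '$1 == (f ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# port_in_list PORT PROTO "1025-65535/udp 1025-65535/tcp 1718/tcp"
# Succeeds if PORT/PROTO is covered by a single port or a range in the list.
port_in_list() {
  port="$1"; proto="$2"; entries="$3"
  for entry in $entries; do
    [ "${entry##*/}" = "$proto" ] || continue
    spec="${entry%/*}"
    lo="${spec%-*}"; hi="${spec#*-}"   # a single port yields lo == hi
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# zone_allows_port PORT PROTO  < list-all output
# Succeeds if the zone opens the port directly; ports reached through a
# predefined service are listed under "services" and are not covered here.
zone_allows_port() {
  port_in_list "$1" "$2" "$(zone_field ports)"
}

# wide_ranges [MAX]  < list-all output
# Prints every port range spanning more than MAX ports (default 1000) and
# succeeds if at least one was found.
wide_ranges() {
  max="${1:-1000}"; found=1
  for entry in $(zone_field ports); do
    spec="${entry%/*}"
    case "$spec" in *-*) ;; *) continue ;; esac
    lo="${spec%-*}"; hi="${spec#*-}"
    if [ $((hi - lo + 1)) -gt "$max" ]; then
      echo "$entry"
      found=0
    fi
  done
  return $found
}
```

Typical use on a live host: `sudo firewall-cmd --list-all --zone=FedoraWorkstation | zone_allows_port 8080 tcp && echo "8080/tcp reachable"`, or `sudo firewall-cmd --list-all | wide_ranges` to catch the 1025-65535 ranges before a workstation zone ends up on a server. Against the constructed sample, `printf '%s\n' "$SAMPLE_LIST_ALL" | wide_ranges` prints both ranges.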

You can remove port 1718/tcp by running the following command:

[tuts@fosslinux ~]$ sudo firewall-cmd --zone=FedoraWorkstation --permanent --remove-port=1718/tcp
success
[tuts@fosslinux ~]$ sudo firewall-cmd --reload
success

Note: To make changes survive a reload or reboot, add the --permanent flag; to make a --permanent change take effect immediately, follow it with firewall-cmd --reload.

Recap

Firewalld is a great utility for managing your network security. The best way to build system administration skills is hands-on practice, so install Fedora in your favourite virtual machine (VM) or in GNOME Boxes and experiment with the firewall-cmd functions covered here. The official Firewalld home page documents the remaining options.
