firewall-config: complete guide to managing the firewall in Linux

Introduction to firewall-config

In Linux system administration, perimeter security is one of the fundamental pillars. firewalld is the firewall daemon that has replaced iptables in many modern distributions, offering a dynamic, zone-based interface. This guide explains how to use both the command-line tool firewall-cmd and the graphical interface firewall-config to manage rules effectively and safely.

What is firewalld?

firewalld acts as a management layer on top of the kernel's netfilter. Instead of manipulating rules directly, it lets you define zones that represent different levels of trust. Each zone can have services, ports and custom rules associated with it. The main advantage is that changes can be made at runtime without interrupting established connections, and then made permanent with the --permanent option.

Installation and Enabling

In RHEL-based distributions such as CentOS, Fedora or Rocky Linux, firewalld comes pre-installed. If it is not present, install it with the package manager:

  • sudo dnf install firewalld (Fedora / Rocky)
  • sudo yum install firewalld (RHEL / CentOS 7)

Once installed, enable and start it with:

  • sudo systemctl enable firewalld
  • sudo systemctl start firewalld

To check its status, use sudo firewall-cmd --state.

Basic concepts: zones and services

firewalld includes several predefined zones, ordered from least to most trusted:

  • drop: discards all incoming traffic without a reply.
  • block: rejects traffic with an icmp-host-prohibited message.
  • public: the recommended zone for servers exposed to the Internet.
  • external: used on interfaces that act as a NAT gateway.
  • dmz: for machines located in a demilitarized zone.
  • work: for workstations on trusted internal networks.
  • home: for home environments.
  • internal: for trusted internal networks.
  • trusted: accepts all connections.

Services are preconfigured definitions that open ports and apply specific rules. For example, the http service opens port 80/tcp. You can list the available services with sudo firewall-cmd --get-services and add one to a zone with:

sudo firewall-cmd --zone=public --add-service=http

To make it permanent, add the --permanent flag.

Using firewall-cmd (CLI)

The command line is the fastest and most scriptable way to manage firewalld. Some useful commands:

  • List active zones: sudo firewall-cmd --get-active-zones
  • Show the configuration of a zone: sudo firewall-cmd --zone=public --list-all
  • Add a specific port: sudo firewall-cmd --zone=public --add-port=8080/tcp
  • Create a rich rule to allow traffic from a specific IP:

sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.100/32 port port=22 protocol=tcp accept'

Remember that without --permanent, changes are lost when the service is restarted.
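The commands above change the runtime state, and --permanent decides whether they survive a restart. The helper below is an added example, not part of the original article: it applies a change at runtime first, checks that it took effect, and only then persists it with --runtime-to-permanent (a real firewall-cmd flag not mentioned above); the valid_port check and the DRY_RUN variable are this example's own additions.

```shell
#!/bin/sh
# Added example, not part of the original article. Applies a firewalld change the
# safe way: runtime first, verify it took effect, then persist with
# --runtime-to-permanent. Set DRY_RUN=1 to print the commands instead of running
# them (handy for review, or on a machine without firewalld).
set -eu
: "${DRY_RUN:=0}"

fw() {
    # Every firewall-cmd call goes through here, so it is visible and replaceable.
    if [ "$DRY_RUN" = 1 ]; then
        echo "firewall-cmd $*"
    else
        sudo firewall-cmd "$@"
    fi
}

# valid_port PORT[-PORT]/PROTO: reject a malformed spec before it reaches firewall-cmd.
valid_port() {
    port=${1%/*}; proto=${1#*/}
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    lo=${port%-*}; hi=${port#*-}          # a single port gives lo == hi
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# allow ZONE service NAME | allow ZONE port PORT/PROTO
# Opens the service or port at runtime, confirms it is active, then copies the
# runtime state to the permanent configuration. A mistake therefore only lives in
# the runtime state and vanishes on the next reload instead of reaching /etc/firewalld.
allow() {
    zone=$1; kind=$2; what=$3
    case $kind in
        service) fw --zone="$zone" --add-service="$what" ;;
        port)    valid_port "$what" || { echo "bad port spec: $what" >&2; return 1; }
                 fw --zone="$zone" --add-port="$what" ;;
        *)       echo "usage: allow ZONE service|port VALUE" >&2; return 2 ;;
    esac
    if [ "$DRY_RUN" != 1 ] && ! fw --zone="$zone" --query-"$kind"="$what" >/dev/null; then
        echo "$what is not active in zone $zone, not persisting" >&2
        return 1
    fi
    fw --runtime-to-permanent
}

if [ "${1:-}" = "--demo" ]; then DRY_RUN=1 allow public port 8080/tcp; fi
```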

Using firewall-config (GUI)

For those who prefer a visual interface, firewall-config offers a graphical view of zones, services and rules. To launch it, simply run:

sudo firewall-config

The main window shows a tree of zones in the left panel. When you select a zone, you can check or uncheck services in the central panel, add ports with the Add button and create rich rules from the Options menu. Changes are applied in real time and, if you tick the Permanent box, are kept persistently.

Creating advanced rules (rich rules)

Rich rules allow a granularity that goes beyond ports and services. Some common uses:

  • Rate-limit the connections accepted from a source network:

sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=10.0.0.0/8 accept limit value=10/m'

  • Log denied access attempts:

sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=0.0.0.0/0 log prefix=FIREWALL_DROP drop'

To remove a rich rule, use the same command with --add-rich-rule replaced by --remove-rich-rule. Always check the list of rules with --list-rich-rules before making changes in production.
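To take the guesswork out of rich-rule syntax, here is an added helper (not from the original article) that assembles rules like the three above from options, in the element order firewalld expects, and rejects wrong actions, families and rate limits before firewall-cmd sees them; the function names and option letters are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: build a firewalld rich rule from
# options in the order firewalld expects (family, source, port, log, action,
# limit) and refuse obviously wrong values before they reach firewall-cmd. Port
# validity is left to firewall-cmd; family, action and limit are checked here.
set -eu

# rich_rule [-f ipv4|ipv6] [-s CIDR] [-p PORT/PROTO] [-L LOGPREFIX] [-l RATE] -a ACTION
rich_rule() {
    family=ipv4; src=; port=; logprefix=; limit=; action=; OPTIND=1
    while getopts 'f:s:p:L:l:a:' opt; do
        case $opt in
            f) family=$OPTARG ;;    s) src=$OPTARG ;;      p) port=$OPTARG ;;
            L) logprefix=$OPTARG ;; l) limit=$OPTARG ;;    a) action=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    case $family in ipv4|ipv6) ;; *) echo "bad family: $family" >&2; return 1 ;; esac
    case $action in accept|reject|drop) ;; *) echo "bad action: '$action'" >&2; return 1 ;; esac
    # A rate limit is N/s, N/m, N/h or N/d and, in rich-rule syntax, follows the action.
    case $limit in
        '') ;;
        [1-9]*/[smhd]) case ${limit%/*} in *[!0-9]*) echo "bad limit: $limit" >&2; return 1 ;; esac ;;
        *) echo "bad limit: $limit" >&2; return 1 ;;
    esac
    rule="rule family=$family"
    [ -n "$src" ] && rule="$rule source address=$src"
    [ -n "$port" ] && rule="$rule port port=${port%/*} protocol=${port#*/}"
    [ -n "$logprefix" ] && rule="$rule log prefix=$logprefix"
    rule="$rule $action"
    [ -n "$limit" ] && rule="$rule limit value=$limit"
    printf '%s\n' "$rule"
}

# rich_rule_cmd add|remove ZONE [rich_rule options...]: print the firewall-cmd
# invocation for the rule; run its output (or pipe it to sh) once reviewed.
rich_rule_cmd() {
    op=$1; zone=$2; shift 2
    case $op in add|remove) ;; *) echo "bad operation: $op" >&2; return 2 ;; esac
    rule=$(rich_rule "$@") || return 1
    printf "sudo firewall-cmd --zone=%s --%s-rich-rule='%s'\n" "$zone" "$op" "$rule"
}
```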

Good security practices

  • Set a default zone that matches your server's exposure level (e.g., public for hosts on the Internet).
  • Avoid using the trusted zone in production environments.
  • Regularly review the active zones and enabled services with firewall-cmd --list-all-zones.
  • Use rich rules to restrict traffic by geographic source or time window when necessary.
  • Keep a backup of the configuration by running sudo firewall-cmd --export and store it in a version-control repository.

By following these recommendations, you can maintain a robust firewall that adapts to the changing needs of your Linux infrastructure.
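As an added example (not part of the original article), this script turns the review step into a check: it parses the text firewall-cmd --list-all-zones prints and reports active zones that accept everything or expose more services and ports than a threshold. The SAMPLE_ZONES text is constructed, and the function name and the default threshold are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit the text printed by
# firewall-cmd --list-all-zones for what the list above warns about (an active
# zone that accepts everything, an active zone exposing many services or ports).
set -eu

# audit_zones [MAX]: reads --list-all-zones output on stdin; MAX (default 3) is how
# many services plus ports an active zone may expose before it is reported.
# Real use:  sudo firewall-cmd --list-all-zones | audit_zones
audit_zones() {
    awk -v max="${1:-3}" '
        /^[A-Za-z]/ { zone=$1; order[++n]=zone; active[zone]=($0 ~ /\(active\)/); next }
        $1=="target:"   { target[zone]=$2 }
        $1=="services:" { nsvc[zone]=NF-1;  sub(/^ *services: */, ""); svc[zone]=$0 }
        $1=="ports:"    { nport[zone]=NF-1; sub(/^ *ports: */, "");    prt[zone]=$0 }
        END {
            for (i=1; i<=n; i++) {
                z=order[i]
                if (!active[z]) continue            # no interface or source bound
                if (target[z]=="ACCEPT")
                    printf "%s: active zone with target ACCEPT (all traffic allowed)\n", z
                if (nsvc[z]+nport[z] > max) {
                    sep=(svc[z]!="" && prt[z]!="") ? " " : ""
                    printf "%s: active zone exposes %d service(s) and %d port(s): %s%s%s\n", z, nsvc[z], nport[z], svc[z], sep, prt[z]
                }
            }
        }'
}

# Constructed sample in the --list-all-zones format (abridged; rich rules are
# indented under their zone and ignored by the audit).
SAMPLE_ZONES=$(cat <<'EOF'
public (active)
  target: default
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp
  rich rules:
        rule family=ipv4 source address=192.168.1.100/32 port port=22 protocol=tcp accept

trusted (active)
  target: ACCEPT
  services:
  ports:

home
  target: default
  services: dhcpv6-client mdns samba-client ssh
EOF
)
```

Run the audit on the sample with `printf '%s\n' "$SAMPLE_ZONES" | audit_zones`; the inactive home zone is skipped, public is reported for its six exposed entries and trusted for its ACCEPT target.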

Conclusion

firewalld, together with its configuration tools firewall-cmd and firewall-config, offers a powerful and flexible way to manage packet filtering on modern Linux systems. Whether you prefer the speed of the command line or the clarity of a graphical interface, understanding zones, services and rich rules will let you implement effective security policies without compromising the availability of your services. With practice and the adoption of good habits, firewalld will become an essential ally in protecting your servers and workstations.

This work is licensed under a Creative Commons Attribution 4.0 International License by Francesc Roig, francesc@vivaldi.net.
