JRehkemper.de

Firewalld Guide

RHEL based Linux Systems use firewalld as firewall-service. You can configure it with the firewall-cmd-command. In this article I will guide you through the basic concepts of configuring firewalld.

firewalld is a wrapper-program and uses nftables under the hood. But if you want to you can switch to iptables instead. But this is not in the scope of the article.

Display Ruleset

If you want to display your current ruleset, use the --list-all flag.

[tux@server]$ firewall-cmd --list-all

This will display all rules in the default zone, normally public. If you want to display the ruleset for another zone, add --zone=<zone> to the command.

[tux@server]$ firewall-cmd --list-all --zone=docker

Zones will be discussed later in the article.

Add new Rules

Allow single Port

Normally you would allow single ports in your configuration. It is important that you specify if the connection is tcp or udp.

[tux@server]$ firewall-cmd --add-port=80/tcp
 
# Add to a specific zone
[tux@server]$ firewall-cmd --add-port=80/tcp --zone=docker

# Add udp and tcp
[tux@server]$ firewall-cmd --add-port=1024/tcp
[tux@server]$ firewall-cmd --add-port=1024/udp

Allow Service

There are predefined services for many common use-cases like http or ssh. Service are a collection of ports, used by the protocol or program. That can make your configuration easier to read of you have a service, that requires a lot of open ports.

[tux@server]$ firewall-cmd --add-service=ssh

Define a custom Service

If you want to create a service-configuration for your own service, you can do so by creating an XML-File under /etc/firewalld/services/.

Save current Ruleset

If you add a new rules, like opening a port, this is only in memory. In case you screwed up a rule, just restart your system and the old configuration is loaded.
If you are sure your ruleset is working as intended, you can write the current configuration to disk.

[tux@server]$ firewall-cmd --runtime-to-permanent

This will write your configured rules to a XML-File under /etc/firewalld.

If you want to revert the changes you made you can reload the configuration from disk.

[tux@server]$ firewall-cmd --reload

Delete a Rule

If you want to delete a rule you can do it like so.

[tux@server]$ firewall-cmd --remove-port=80/tcp

[tux@server]$ firewall-cmd --remove-service=http

Zones

Zones are a way to configure profiles for different kinds of networks. If you are connected to a public network you most certainly don’t want to open as many ports as in your home-network. You can utilize zones to quickly switch between these configurations.
There are a few predefined zones, but you may define new ones as well.

Usually only the rules in the active zone are considered by firewalld. The only exception is, if the incoming source IP matches a source-range of another zone. Than the matching source-range will override the active zone and the zone with the matching source will be used to process the request.

Display Zones

# All zones
[tux@server]$ firewall-cmd --list-all-zones

# Only active zone
[tux@server]$ firewall-cmd --get-active-zone

Assign Zones

You can assign an interface to a zone. That way all connections on this interface use the ruleset of the particular zone. A good example is to assign you WiFi Interface to the public zones, to open a minimal number of ports in public networks.

# Add a new interface
[tux@server]$ firewall-cmd --zone=work --add-interface=eth0
 
# change an existing interface
[tux@server]$ firewall-cmd --zone=work --change-interface=eth0

Trusted Zone

The trusted zone is a special one. If you specify an IP or IP-Range in the source, all connections from this source will be accepted. That might be useful in a cluster, because the firewall will never block inter-cluster-communication, but you may define strict rules for access from the outside.

[tux@server]$ firewall-cmd --zone=trusted --add-source=cluster-server-01.local
[tux@server]$ firewall-cmd --zone=trusted --add-source=10.0.0.0/22

Bonus Tipp for Remote Environments

If you are working on a remote server and don’t have physical access to a console, firewall-configuration can be somewhat risky. If you do something wrong you locked your self out.

A little trick is to create rules with a timer.

[tux@server]$ firewall-cmd --remove-port=22/tcp && sleep 60 && firewall-cmd --reload

That way your configuration will be changed, then the shell sleeps for a minute, which gives you time to test the changes, before they get reverted. If you should do something wrong, you only have to wait for a minute before you get access again. If you know that it works, make the changes permanent.

profile picture of the author

Jannik Rehkemper

I'm an professional Linux Administrator and Hobby Programmer. My training as an IT-Professional started in 2019 and ended in 2022. Since 2023 I'm working as an Linux Administrator.