How to manage firewalld on Linux

Introduction to firewalld

From the firewalld website:

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.

firewalld is configured with the command line utility firewall-cmd. Two of its flags matter most: --permanent and --reload. --permanent writes the rule to the permanent configuration so that it survives a reboot; without it, the rule is applied to the running firewall immediately but is lost when firewalld is reloaded or the system reboots. Note that a rule added with --permanent is not active until the next reload. --reload makes firewalld re-read its permanent configuration and apply it without dropping established connections.

Starting, stopping, and enabling firewalld

firewalld is a normal systemd service, so you manage it with systemctl like any other service.

If you want to ensure that firewalld starts when the server boots, which is recommended for a firewall, run the following command:

systemctl enable firewalld

When you’re troubleshooting, you may want to temporarily stop the firewall.

systemctl stop firewalld

To ensure that the service runs at startup, run:

systemctl enable firewalld

If you need to disable firewalld at startup, run:

systemctl disable firewalld

Note: We don’t recommend stopping or disabling firewalld unless you’re troubleshooting.

Run this command to see the status:

systemctl status firewalld

When firewalld is disabled and stopped, you’ll see output like this:

[root@test2 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)

Managing firewalld and rules

Now that firewalld is configured and running, we can add rules. Rules allow access to services and ports, and can allow or block traffic from specific IP addresses or subnets.

Allowing access to a service

You can allow access to a service by name; firewalld ships with predefined service definitions such as http and ssh.

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=ssh

Allowing access to a TCP or UDP port

You have to specify whether the port is TCP or UDP. The protocol name must be lowercase; firewall-cmd rejects 80/TCP as an invalid protocol.

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=53/udp

Allow an IP address

You can allow a single IP address or an entire subnet. Note that --add-source binds the address to a zone (the default zone unless you pass --zone), so what that address may reach is whatever services and ports are allowed in that zone.

firewall-cmd --permanent --add-source=192.168.1.100
firewall-cmd --permanent --add-source=192.168.1.1/24

Adding rich rules

Rich rules use a more expressive syntax than the options above. If you’re familiar with iptables, they will look familiar. They are a great way to get granular with your rules.

Blocking an IP address

To block all access from an address to your server, you can use the following rich rule:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"

Likewise, you can also block access with an entire subnet:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.1/24' reject"

Restrict access to a service

This type of rule is ideal for protecting management ports and services like Cockpit or SSH. The rule only grants access to the listed address; if the ssh service or port 22 is also allowed zone-wide, everyone else can still connect, so remove the zone-wide service as shown under “Removing a rule” below.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="22" accept'

Removing a rule

Removing a rule is as easy as adding one: replace “add” with “remove”. For example:

firewall-cmd --permanent --remove-service=http
firewall-cmd --permanent --remove-port=22/tcp
firewall-cmd --permanent --remove-source=192.168.1.100

Saving firewall rules

Rules added with --permanent are written to disk immediately, but they do not take effect in the running firewall until you reload. When you’ve made all your firewall rule changes, make sure to run the following:

firewall-cmd --reload
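The “Restrict access to a service” rich rule and the reload step above, combined into one script as an added example that is not part of the original article. It assumes a zone named public and a management host of 192.168.1.100 (both placeholders), and it adds a DRY_RUN mode that prints the firewall-cmd invocations instead of executing them.

```shell
#!/bin/sh
# Added example, not part of the original article: lock SSH in a firewalld zone
# down to one management address using the rich rule from the article, then
# remove the zone-wide ssh service and reload so the change takes effect.
# Assumptions (placeholders, not from the article): zone "public" and
# management host 192.168.1.100. Set DRY_RUN=1 to print the firewall-cmd
# invocations instead of executing them.

ZONE="${ZONE:-public}"

# Run a firewall-cmd invocation, or print it when DRY_RUN=1.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Allow port 22/tcp only from the address given as $1 in $ZONE.
# Both changes are made with --permanent, so neither touches the running
# firewall until --reload applies them together; the zone is therefore never
# left with SSH open to everyone but no rule for the management host.
restrict_ssh() {
    mgmt="$1"
    fw --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$mgmt\" port protocol=\"tcp\" port=\"22\" accept"
    fw --permanent --zone="$ZONE" --remove-service=ssh
    fw --reload
    # Check the result: the runtime zone should list the rich rule and no ssh service.
    fw --zone="$ZONE" --list-all
}

# Usage: restrict_ssh.sh 192.168.1.100   (or DRY_RUN=1 restrict_ssh.sh 192.168.1.100)
if [ "$#" -gt 0 ]; then
    restrict_ssh "$1"
fi
```

Run it with DRY_RUN=1 first and read the printed commands before running it for real, because a mistake in the management address locks you out of SSH once the reload happens.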
