Basic Concept of Firewalld
FirewallD uses zones and services instead of iptables chain and rules. Zones are a set of rules that specify what traffic should be allowed depending on the level of trust you have in a network your computers connected to. Network interfaces assigned a zone to dictate a behavior that the firewall should allow. The firewalld is managed using the firewall-cmd command-line tool. It provides an interface to manage runtime and permanent configuration.
Firewalld Zones
There are 9 pre-defined zones in the Firewalld depending on the level of trust in ascending order. A brief explanation of each zone are explained below:
Drop : This zone has the least level of trust and used to drop all incoming traffic without sending any acknowledgment to the sender. Block : This zone is very similar to the Drop zone, the incoming traffic is rejected and the sender gets a message. Public : Allows traffic from certain public networks. External : This zone is used when your system acts as a gateway or router. Internal : The set of rules that apply to the computers in your private internal network. DMZ : This zone is an isolated patch of computers in your internal network that may not access other internal resources. Work : This zone is used for work machines. The trust level is high. Home : Most computers in this zone trust each other. The trust level is higher than work. Trusted : This zone has the highest trust level. All computers in the network are trusted.
Step 1 – Installing Firewalld
By default, Firewalld is pre-installed on most of the operating systems. But some of the minimal OS installation doesn’t included fiIf not installed, you can install it with the following command: After installing firewalld, you will need to start and enable it to start after system reboot. Run the following command to verify the status of firewalld
Step 2 – Working with Zones and Services
By default, public is the default zone in firewalld and all network interfaces are configured with public zone. You can list the default zone with the following command: Output: Next, run the following command to get a list of active zones: You should get the following output: To get a list of all available zones run the following command: You should get the following output: You can list all services associated with a public zone with the following command: You should get the following output: To change the default zone from public to work run the following command: You can now verify your default zone with the following command: Output: You can get a list of all available services in your system with the following command: You should get the following output:
Step 3 – Allow and Deny Services in Firewalld
You can allow and deny incoming traffic based on predefined services in firewalld. For example, to allow all incoming traffic for http service in Public zone run the following command: Output: To allow incoming traffic for ftp service in Public zone run the following command: Output: The above command will add http and ftp service temporary and it is not persistent on reboots. You will need to use the –permanent option to make them permanent as shown below: Next, run the following command to implement the changes: You can now get a list of added services with the following command: You should see the following output: You can also check the detail information about Public zone with the following command: Output: If you want to remove/deny the above services from the firewalld, use the –remove-service option: Next, run the following command to apply the changes:
Step 4 – Allow and Deny Ports in Firewalld
You can also allow and deny incoming traffic based on the port in firewalld. For example, allow all incoming traffic on port 8080 and 443, run the following command: Next, run the following command to apply the changes: Next, verify the added ports with the following command: Output: Similarly remove/deny the above ports from the firewalld, use the –remove-port option: Next, run the following command to apply the changes:
Step 5 – Port Forwarding with Firewalld
Port forwarding is the process that redirects request from IP/port combination and redirect it to a different IP and/or port. This technique allows remote machines to connect to a specific service within a private network. Before configuring port forwarding, you need to activate masquerade in the desired zone. You can activate it using the –add-masquerade option: Next, to forwards traffic from port 80 to port 8080 on the same server run the following command: If you want to forwards traffic from local port 80 to port 8080 on a remote server with IP address 192.168.1.200 run the following command: Next, run the following command to apply the changes: If you want to remove the above rules, replace –add with –remove as shown below:
Conclusion
In the above guide, you learned the basic concept of Firewalld and how to implement it on the Linux operating system. I hope you can now limit unnecessary incoming traffic with firewalld.