Firewalld: An Easier Way to Manage Linux Firewalls

If you use either Rocky Linux or AlmaLinux as your server operating system of choice, you’ll find them as powerful as it is flexible. And thankfully, they are not nearly as complicated as they once were.

Take, for instance, the firewall. Back in the old days, working with the firewall required you get to know the highly complicated iptables utility.

Here’s a sample command for adding an iptables rule:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

This adds a rule to the INPUT chain for incoming TCP traffic on port 22, and uses the recent module to mark the source IP address, updates the rule to drop packets if the rate limit exceeds 4 new connections within 60 seconds.

To be fair, iptables is capable of doing some very complicated things. But with that complication comes the challenge of writing rules that work. It takes a long time to master iptables and most new Linux admins are busy just getting up to speed with the basics of the operating system.

What Is Firewalld?

That’s why the far simpler firewalld is a better place to start. Firewalld is a firewall management tool that provides a dynamically managed firewall that is user-friendly and supports features like network zones. With firewalld, you can easily open ports, block IP addresses, manage zones, and even add a GUI for easier management (so long as you’ve installed Rocky Linux with a desktop environment).

Let’s dive in and take our first steps with this powerful firewall tool.

What You Need

To follow along, you’ll need a Linux distribution that uses firewalld (such as Red Hat Enterprise Linux, Rocky Linux, Alma Linux, CentOS Stream, or Fedora) and a user with sudo privileges. That’s it, let’s get to know this firewall system.

Enable the Firewall

Out of the box, you might find the firewall is disabled. Because firewalld runs as a service on your Linux distribution, you can enable it with the help of systemctl like so:

sudo systemctl enable --now firewalld

You can then verify the firewall is running with the command:

sudo systemctl status firewalld

It should be listed as active (running).

List Currently Active Rules

Next, we’re going to take a look at the currently active rules running in the firewall. This can be done with the command:

sudo firewall-cmd --list-all

Notice the command is not firewalld, but firewall-cmd. Firewalld is the daemon (service) and firewall-cmd is the command used to manage the rules.

The output of the above command will look something like this:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps kerberos ntp
  ports: 2377/tcp 7946/tcp 7946/udp 4789/udp 10000/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Instead of listing both ports and services simultaneously, you could view them separately with the command:

sudo firewall-cmd --list-ports
sudo firewall-cmd --list-services

Adding a Service or Port through the Firewall

Let’s say you need to add HTTP (port 80) and SSH (port 22) through the firewall. Before we do that, we have to decide which zone we’ll work with, of which there are nine (drop, block, public, external, internal, dmz, work, home, and trusted). Of those nine, you’ll probably mostly work with these four:

• public – public, untrusted networks
• home – private, trusted networks
• work – same as home, only used for business purposes
• trusted – all connected machines are trusted

For our purposes, we’re going to focus on the public zone because that is generally associated with external connections (WAN). If you’re running a web server, you’ll probably want to allow public traffic through the firewall so it can reach the websites you are serving up.

To make sure you’re using the public zone, use the following command:

sudo firewall-cmd --set-default-zone=public

Verify the change with:

sudo firewall-cmd --get-active-zones

You should see something like this in the output:

public
  interfaces: enp0s3

To allow port 80 (HTTP) through, issue the command:

sudo firewall-cmd --zone=public --add-port=80/tcp --permanent

What that does is add the new rule but it doesn’t automatically activate it. For that, you must reload the firewall with the command:

sudo firewall-cmd --reload

Now, if you check the firewalld status, you’ll see HTTP listed. Let’s say you also need HTTPS added to the firewall. Instead of using the port number, we can do so via a service like so:

sudo firewall-cmd --zone=public --add-service=https --permanent

Again, reload the firewall with:

sudo firewall-cmd --reload

You can do the same thing with SSH (port 22), which can be added with either of the following commands:

sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
sudo firewall-cmd --zone=public --add-service=ssh --permanent

Reload the firewall with:

sudo firewall-cmd --reload

Removing a Port or Service from the Firewall

In the same way, you can remove a service or port from the firewall, thereby blocking access to the server. Sticking with our examples, we can remove access via a service with a command like this:

sudo firewall-cmd --zone=public --remove-service=https --permanent

We can also remove access via a port like so:

sudo firewall-cmd --zone=public --remove-port=443/tcp --permanent

Notice we have to use a protocol (such as tcp) when adding or removing via port numbers, which isn’t required when adding or removing via service. And, remember, any time you modify the firewall, you have run the sudo firewall-cmd –reload command before the changes take effect.

And there you have it, your first steps with the firewalld system. Thankfully, you don’t have to worry about working with the iptables command, which is far more complicated. To learn more about firewalld, check out the official documentation.