Key Takeaways
- Firewalld is a modern and powerful firewall for Linux that is easy to configure through the command line or GUI interface.
- Firewalls are important for limiting and controlling network connections to your computer to enhance security.
- Firewalld uses zones to organize firewall rules and allows for fine-tuning and customization based on different security needs.
If you’re looking for a modern, powerful firewall for Linux that is easy to configure on the command line or with its GUI interface, then firewalld
is probably what you’re looking for.
This Cybersecurity Awareness Week article is brought to you in association with Incogni.
Why Do You Need a Firewall?
Network connections have an origin and a destination. Software at the origin requests the connection, and software at the destination accepts or rejects it. If it is accepted, packets of data — generically called network traffic — can pass in both directions over the connection. That’s true for whether you’re sharing across the room in your own home, remotely connecting to work from your home office, or using a distant, cloud-based resource.
Good security practice says you should limit and control the connections to your computer. This is what firewalls do. They filter network traffic by IP address, port, or protocol, and reject connections that do not meet a predefined set of criteria — the firewall rules — that you have configured. They’re like security personnel at an exclusive event. If your name’s not on the list, you’re not getting inside.
Of course, you don’t want your firewall rules to be so restrictive that your normal activities are curtailed. The simpler it is to configure your firewall the less chance you have of inadvertently setting up conflicting or draconian rules. We often hear from users who say they don’t use a firewall because it is too complicated to understand, or the command syntax is too opaque.
The firewalld
firewall is powerful yet simple to set up, both on the command line and through its dedicated GUI application. Under the hood, Linux firewalls rely on netfilter
, the kernel-side network filtering framework. Out here in user-land, we have a choice of tools to interact with netfilter
, such as iptables
, ufw
the uncomplicated firewall, and firewalld
.
In our opinion, firewalld
offers the best balance of functionality, granularity, and simplicity.
Installing firewalld
There are two parts to firewalld
. There’s firewalld
, the daemon process that provides the firewall functionality, and there’s firewall-config
. This is the optional GUI for firewalld
. Note that there’s no “d” in firewall-config
.
Installing firewalld
on Ubuntu, Fedora, and Manjaro is straightforward in all cases, although they each have their own take on what is pre-installed and what is bundled.
To install on Ubuntu, we need to install firewalld
and firewall-config
.
sudo apt install firewalld
sudo apt install firewall-config
On Fedora, firewalld
is already installed. We just need to add firewall-config
.
sudo dnf install firewall-config
On Manjaro, neither component is pre-installed, but they’re bundled into a single package so we can install them both with a single command.
sudo pacman -Sy firewalld
We need to enable the firewalld
daemon to permit it to run each time the computer boots up.
sudo systemctl enable firewalld
And we need to start the daemon so that it is running now.
sudo systemctl start firewalld
We can use systemctl
to check that firewalld
has started and is running without issues:
sudo systemctl status firewalld
We can also use firewalld
to check whether it is running. This uses the firewall-cmd
command with the --state
option. Note there’s no “d” in firewall-cmd
:
sudo firewall-cmd --state
Now we’ve got the firewall installed and running, we can move on to configuring it.
The Concept of Zones
The firewalld
firewall is based around zones. Zones are collections of firewall rules and an associated network connection. This lets you tailor different zones — and a different set of security limitations — that you can operate under. For example, you might have a zone defined for regular, everyday running, another zone for more secure running, and a “nothing in, nothing out” complete lockdown zone.
To move from one zone into another, and effectively from one level of security to another, you move your network connection from the zone it is in, to the zone that you wish to run under.
This makes it very fast to move one from one defined set of firewall rules to another. Another way to use zones would be to have your laptop use one zone when you are home and another when you are out and using public Wi-Fi.
firewalld
comes with nine pre-configured zones. These can be edited and more zones added or removed.
- drop: All incoming packets are dropped. Outgoing traffic is allowed. This is the most paranoid setting.
- block: All incoming packets are dropped and an
icmp-host-prohibited
message is sent to the originator. Outgoing traffic is allowed. - trusted: All network connections are accepted and other systems are trusted. This is the most trusting setting and should be restricted to very safe environments like captive test networks or your home.
- public: This zone is for use on public or other networks where none of the other computers can be trusted. A small selection of common and usually safe connection requests are accepted.
- external: This zone is for use on external networks with NAT masquerading (port forwarding) enabled. Your firewall acts as a router forwarding traffic to your private network which remains reachable, but still private.
- internal: This zone is intended to be used on internal networks when your system acts as a gateway or router. Other systems on this network are generally trusted.
- dmz: This zone is for computers located in the “demilitarized zone” outside of your perimeter defenses and with limited access back into your network.
- work: This zone is for work machines. Other computers on this network are generally trusted.
- home: This zone is for home machines. Other computers on this network are generally trusted.
The home, work, and internal zones are very similar in function, but separating them out into different zones allows you to fine-tune a zone to your liking, encapsulating one set of rules for a particular scenario.
A good starting point is to find out what the default zone is. This is the zone that your network interfaces are added to when firewalld
is installed.
sudo firewall-cmd --get-default-zone
Our default zone is the public zone. To see the configuration details of a zone, use the --list-all
option. This lists anything that has been added or enabled for a zone.
sudo firewall-cmd --zone=public --list-all
We can see that this zone is associated with network connection enp0s3, and is allowing traffic related to DHCP, mDNS, and SSH. Because at least one interface has been added to this zone, this zone is active.
firewalld
allows you to add services that you’d like to accept traffic from to a zone. That zone then allows that type of traffic through. This is easier than remembering that mDNS, for example, uses port 5353 and the UDP protocol, and manually adding those details to the zone. Although you can do that too.
If we run the previous command on a laptop with an ethernet connection and a Wi-Fi card, we’ll see something similar, but with two interfaces.
sudo firewall-cmd --zone=public --list-all
Both of our network interfaces have been added to the default zone. The zone has rules for the same three services as the first example, but DHCP and SSH have been added as named services, while mDNS has been added as a port and protocol pairing.
To list all zones use the --get-zones
option.
sudo firewall-cmd --get-zones
To see the configuration for all zones at once, use the --list-all-zones
option. You’ll want to pipe this into less
.
sudo firewall-cmd --list-all-zones | less
This is useful because you can scroll through the listing, or use the search facility to look for port numbers, protocols, and services.
On our laptop, we’re going to move our Ethernet connection from the public zone to the home zone. We can do that with the --zone
and --change-interface
options.
sudo firewall-cmd --zone=home --change-interface=enp3s0
Let’s take a look at the home zone, and see if our change has been made.
sudo firewall-cmd --zone=home --list-all
And it has. Our Ethernet connection is added to the home zone.
However, this is not a permanent change. We’ve changed the running configuration of the firewall, not its stored configuration. If we reboot or use the --reload
option, we’ll revert to our previous settings.
To make a change permanent, we need to use the aptly named --permanent
option.
This means we can change the firewall for one-off requirements without altering the firewall’s stored configuration. We can also test changes before we send them to the configuration. To make our change permanent, the format we should use is:
sudo firewall-cmd --zone=home --change-interface=enp3s0 --permanent
If you make some changes but forget to use --permanent
on some of them, you can write the settings of the current running session of the firewall to the configuration using the --runtime-to-permanent
option.
sudo firewall-cmd --runtime-to-permanent
Adding and Removing Services
firewalld
knows about a lot of services. You can list them using the --get-services
option.
sudo firewall-cmd --get-services
Our version of firewalld
listed 192 services. To enable a service in a zone, use the --add-service
option.
We can add a service to a zone using the --add-service
option.
sudo firewall-cmd --zone=public --add-service=http
The name of the service must match its entry in the list of services from firewalld
.
To remove a service replace --add-service
with --remove-service
Adding and Removing Ports and Protocols
If you prefer to choose which ports and protocols are added, you can do that too. You’ll need to know the port number and the protocol for the type of traffic you’re adding.
Let’s add HTTPS traffic to the public zone. That uses port 443 and is a form of TCP traffic.
sudo firewall-cmd --zone=public --add-port=443/tcp
You could supply a range of ports by providing the first and last ports with a hyphen “-
” between them, like “400-450.”
To remove a port replace --add-port
with --remove-port
.
Using the GUI
Press your “Super” key and start to type “firewall.” You’ll see the brick wall icon for the firewall-config
application.
Click that icon to launch the application.
To add a service to firewalld
using the GUI is as easy as selecting a zone from the list of zones and selecting the service from the list of services.
You can choose to modify the running session or the permanent configuration by selecting “Runtime” or “Permanent” from the “Configuration” dropdown menu.
To make changes to the running session and only commit the changes once you’ve tested they work, set the “Configuration” menu to “Runtime.” Make your changes. Once you’re happy they’re doing what you want, use the Options > Runtime to Permanent menu option.
To add a port and protocol entry to a zone, select the zone from the zone list, and click on “Ports.” Clicking the add button lets you provide the port number and pick the protocol from a menu.
To add a protocol, click on “Protocols”, click the “Add” button, and select the protocol from the pop-up menu.
To move an interface from one zone to another, double-click the interface in the “Connections” list, then select the zone from the pop-up menu.
The Tip of the Iceberg
There’s a lot more you can do with firewalld
, but this is enough to get you up and running. With the information we’ve given you, you’ll be able to create meaningful rules in your zones.