Introduction
Firewalld is a dynamic firewall management tool for Linux systems that provides a more user-friendly interface for configuring the underlying netfilter framework. This document provides a detailed overview of firewalld, including its implementation across different Linux distributions, installation requirements, configuration file locations, command usage, and practical examples for common scenarios.
Distribution Differences and Installation Status
Firewalld's availability and default installation status vary across Linux distributions:
Red Hat-based Distributions
1. Red Hat Enterprise Linux (RHEL):
• Firewalld is installed by default since RHEL 7
• Replaces the older iptables service
• Primary firewall management tool in RHEL 7, 8, 9, and 10
2. Fedora:
• Bundled by default
• First major distribution to adopt firewalld (since Fedora 18)
• Serves as the reference implementation
3. CentOS/Rocky Linux/AlmaLinux:
• Included by default as these are RHEL derivatives
• Primary firewall management tool
4. Oracle Linux:
• Included by default when using the Red Hat compatible kernel
SUSE-based Distributions
1. openSUSE:
• Included by default
• Primary firewall management tool
2. SUSE Linux Enterprise Server (SLES):
• Included by default since SLES 12
Debian-based Distributions
1. Ubuntu:
• Not installed by default
• Ubuntu primarily uses UFW (Uncomplicated Firewall) as its default firewall management tool
• Can be installed manually: sudo apt install firewalld
2. Debian:
• Not installed by default
• Traditionally uses iptables directly or UFW
• Can be installed manually: sudo apt install firewalld
3. Linux Mint:
• Not installed by default
• Uses UFW by default
• Can be installed manually: sudo apt install firewalld
Arch-based Distributions
1. Arch Linux:
• Not installed by default
• Can be installed manually: sudo pacman -S firewalld
2. Manjaro:
• Not installed by default
• Can be installed manually: sudo pacman -S firewalld
Installation Commands
For distributions where firewalld is not installed by default:
• Debian/Ubuntu/Mint: sudo apt install firewalld
• Arch/Manjaro: sudo pacman -S firewalld
• Gentoo: sudo emerge --ask net-firewall/firewalld
After installation, enable and start the service:
Bash
sudo systemctl enable firewalld
sudo systemctl start firewalld
Configuration File Locations
Firewalld uses a hierarchical structure for its configuration files:
Main Configuration Files
1. Primary Configuration File:
• /etc/firewalld/firewalld.conf - Main configuration file with global settings
2. Zone Configuration Files:
• /etc/firewalld/zones/ - Directory containing XML files for each zone
• Example: /etc/firewalld/zones/public.xml
3. Service Definitions:
• /etc/firewalld/services/ - Directory containing XML files defining services
• Example: /etc/firewalld/services/ssh.xml
4. IP Sets Configuration:
• /etc/firewalld/ipsets/ - Directory containing IP set definitions
5. Direct Rules Configuration:
• /etc/firewalld/direct.xml - Configuration for direct rules
Default/Fallback Configuration
These directories contain the default configurations provided by firewalld:
1. Default Zone Configurations:
• /usr/lib/firewalld/zones/ - Default zone definitions
2. Default Service Definitions:
• /usr/lib/firewalld/services/ - Default service definitions
3. Default ICMP Type Definitions:
• /usr/lib/firewalld/icmptypes/ - Default ICMP type definitions
Configuration Hierarchy
Firewalld follows this hierarchy when loading configurations:
1. User-defined configurations in /etc/firewalld/ take precedence
2. If a configuration is not found in /etc/firewalld/, the default from /usr/lib/firewalld/ is used
This allows system administrators to customize configurations while maintaining fallback defaults.
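The precedence rule above can be checked mechanically. The following Python script is an added example (not part of the original document): it resolves a zone or service name to the file firewalld would actually load and reports which packaged defaults have been overridden by a copy under /etc/firewalld/. The root directories are parameters so the functions can be exercised on a scratch tree; the function names are this example's own.

```python
# Added example, not part of the original document: resolve which copy of a
# firewalld definition is in effect, following the precedence above
# (/etc/firewalld/<kind>/ first, /usr/lib/firewalld/<kind>/ as fallback).
# The two roots are parameters so the logic can be run against a scratch
# tree; the defaults are the real paths. 'kind' is a subdirectory name such
# as "zones", "services", "ipsets" or "icmptypes".
from pathlib import Path

ETC_ROOT = Path("/etc/firewalld")
LIB_ROOT = Path("/usr/lib/firewalld")


def resolve_definition(kind, name, etc_root=ETC_ROOT, lib_root=LIB_ROOT):
    """Return the file firewalld loads for <kind>/<name>.xml, or None."""
    for root in (etc_root, lib_root):  # user copy wins over packaged default
        candidate = root / kind / f"{name}.xml"
        if candidate.is_file():
            return candidate
    return None


def _names(directory):
    """Definition names (file stems) in a directory; empty if it is absent."""
    if not directory.is_dir():
        return set()
    return {p.stem for p in directory.glob("*.xml")}


def effective_definitions(kind, etc_root=ETC_ROOT, lib_root=LIB_ROOT):
    """Map each definition name to (layer, shadowed): layer is "etc" or "lib",
    shadowed is True when a user copy in /etc hides a packaged default."""
    etc_names = _names(etc_root / kind)
    lib_names = _names(lib_root / kind)
    result = {}
    for name in sorted(etc_names | lib_names):
        if name in etc_names:
            result[name] = ("etc", name in lib_names)
        else:
            result[name] = ("lib", False)
    return result


if __name__ == "__main__":
    # Stand-alone use on a real host: show which zone and service files are
    # customized and which packaged defaults they override.
    for kind in ("zones", "services"):
        for name, (layer, shadowed) in effective_definitions(kind).items():
            note = " (overrides packaged default)" if shadowed else ""
            print(f"{kind}/{name}: {layer}{note}")
```

Run as root on a real host, it prints one line per zone and service definition; an "etc ... (overrides packaged default)" entry is a customized copy that will keep masking the packaged file even after the package is updated.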
Firewalld Concepts
Before diving into commands, it's important to understand key firewalld concepts:
Zones
Zones are predefined sets of rules that specify the level of trust for network connections. Each zone can be assigned to different network interfaces or source addresses.
Common zones include:
- public: For untrusted public networks (default)
- home: For trusted home networks
- work: For work networks
- internal: For internal networks
- external: For external networks with masquerading enabled
- trusted: All network connections are accepted
- drop: All incoming connections are dropped without reply
- block: All incoming connections are rejected with an icmp-host-prohibited message
Services
Services are predefined collections of ports and protocols. Instead of specifying individual ports, you can enable entire services.
Examples of predefined services:
- ssh: TCP port 22
- http: TCP port 80
- https: TCP port 443
- ftp: TCP port 21
Runtime vs Permanent Configuration
Firewalld operates with two configuration sets:
• Runtime: Changes apply immediately but are lost on service restart or system reboot
• Permanent: Changes are persistent across reboots but require a reload to apply
Most commands can be made permanent by adding the --permanent flag.
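Because the permanent configuration lives in the zone XML files described earlier, a zone can be reviewed without touching the running firewall. The following Python script is an added example, not code from the original document or the firewalld project: it parses a zone file in the /etc/firewalld/zones/ format (the sample zone text is constructed for this example) and reports settings that widen exposure, such as a target of ACCEPT, a source that matches every address, or a very wide port range. The threshold and the finding text are this example's own heuristics.

```python
# Added example, not part of the original document: summarize and sanity-check
# a zone from its permanent definition (the XML format used under
# /etc/firewalld/zones/ and /usr/lib/firewalld/zones/). Everything in
# SAMPLE_ZONE_XML is constructed for this example; the checks are this
# example's own heuristics, not firewalld behaviour.
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Sample</short>
  <description>Constructed zone for the audit example.</description>
  <service name="ssh"/>
  <service name="http"/>
  <port port="30000-31000" protocol="tcp"/>
  <port port="53" protocol="udp"/>
  <source address="10.0.0.0/24"/>
  <source address="0.0.0.0/0"/>
  <interface name="eth0"/>
</zone>
"""


def parse_zone(xml_text):
    """Extract the parts of a zone file that decide what traffic is accepted."""
    root = ET.fromstring(xml_text)
    return {
        "target": root.get("target", "default"),  # ACCEPT, DROP, %%REJECT%% or default
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [(e.get("port"), e.get("protocol")) for e in root.findall("port")],
        # sources may also be MAC addresses or ipsets; only IP sources are kept here
        "sources": [e.get("address") for e in root.findall("source") if e.get("address")],
        "interfaces": [e.get("name") for e in root.findall("interface")],
    }


def port_count(port_spec):
    """Number of ports in a firewalld port spec: '80' -> 1, '30000-31000' -> 1001."""
    low, _, high = port_spec.partition("-")
    return int(high or low) - int(low) + 1


def audit_zone(zone, wide_range=1000):
    """Return human-readable findings for settings that widen exposure."""
    findings = []
    if zone["target"] == "ACCEPT":
        findings.append("target=ACCEPT: all traffic reaching this zone is accepted, "
                        "so its service and port lists do not restrict anything")
    for addr in zone["sources"]:
        if ipaddress.ip_network(addr, strict=False).prefixlen == 0:
            findings.append(f"source {addr} matches every address, so the zone "
                            "binding is effectively global")
    for spec, proto in zone["ports"]:
        count = port_count(spec)
        if count >= wide_range:
            findings.append(f"port {spec}/{proto} opens {count} ports")
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE_XML)
    print("services:", zone["services"], "ports:", zone["ports"])
    for finding in audit_zone(zone):
        print("finding:", finding)
```

On a real host, replace SAMPLE_ZONE_XML with the contents of the zone file you want to review; running the audit over every file in /etc/firewalld/zones/ shows the state that will come back after the next reload, which is what a "changes not taking effect" investigation usually needs.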
Comprehensive Command Reference
Basic Service Management
- Check firewalld status: sudo firewall-cmd --state
- Reload firewalld (to apply permanent changes): sudo firewall-cmd --reload
- List all available zones: sudo firewall-cmd --get-zones
- List active zones (zones with interfaces or sources): sudo firewall-cmd --get-active-zones
- Get default zone: sudo firewall-cmd --get-default-zone
- Set default zone: sudo firewall-cmd --set-default-zone=public
Viewing Configuration
- List all settings for a zone: sudo firewall-cmd --zone=public --list-all
- List all zones with their settings: sudo firewall-cmd --list-all-zones
- List allowed services in a zone: sudo firewall-cmd --zone=public --list-services
- List open ports in a zone: sudo firewall-cmd --zone=public --list-ports
- List available services: sudo firewall-cmd --get-services
Managing Services
- Add a service to a zone: sudo firewall-cmd --zone=public --add-service=http
- Remove a service from a zone: sudo firewall-cmd --zone=public --remove-service=http
- Check if a service is allowed: sudo firewall-cmd --zone=public --query-service=http
Managing Ports
- Open a TCP port: sudo firewall-cmd --zone=public --add-port=8080/tcp
- Open a UDP port: sudo firewall-cmd --zone=public --add-port=53/udp
- Open a port range: sudo firewall-cmd --zone=public --add-port=30000-31000/tcp
- Close a port: sudo firewall-cmd --zone=public --remove-port=8080/tcp
- Check if a port is open: sudo firewall-cmd --zone=public --query-port=8080/tcp
Managing Source Addresses
1. Allow all traffic from a specific IP address: sudo firewall-cmd --zone=trusted --add-source=192.168.1.10
2. Remove a source: sudo firewall-cmd --zone=trusted --remove-source=192.168.1.10
Interface Management
1. Assign an interface to a zone: sudo firewall-cmd --zone=public --change-interface=eth0
2. List interfaces assigned to a zone: sudo firewall-cmd --zone=public --list-interfaces
Rich Rules
Rich rules provide more complex rule definitions (as with any other rule, add --permanent and reload to persist them):
1. Allow traffic from a specific source to a specific port: sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.10" port port="22" protocol="tcp" accept'
2. Limit the rate of connections: sudo firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" limit value="10/m" accept'
3. Forward traffic from one port to another: sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" forward-port port="80" protocol="tcp" to-port="8080"'
Practical Examples
Example 1: Opening TCP and UDP Ports
To open TCP port 80 (HTTP) and UDP port 53 (DNS):
Bash
# Open TCP port 80
sudo firewall-cmd --zone=public --add-port=80/tcp
sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
# Open UDP port 53
sudo firewall-cmd --zone=public --add-port=53/udp
sudo firewall-cmd --zone=public --permanent --add-port=53/udp
# Reload to ensure permanent rules are applied
sudo firewall-cmd --reload
# Verify the ports are open
sudo firewall-cmd --zone=public --list-ports
Example 2: Enabling Services
Instead of opening individual ports, you can enable predefined services:
Bash
# Enable HTTP service
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=http
# Enable HTTPS service
sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --zone=public --permanent --add-service=https
# Reload to ensure permanent rules are applied
sudo firewall-cmd --reload
# Verify the services are enabled
sudo firewall-cmd --zone=public --list-services
Example 3: Configuring FTP with Passive Mode Support
FTP requires special configuration because it uses multiple ports:
1. Active FTP: Uses port 21 for control and server-initiated data connections
2. Passive FTP: Uses port 21 for control and client-initiated data connections on high ports
To properly configure FTP with passive mode support:
Bash
# 1. Enable the FTP service (port 21)
sudo firewall-cmd --zone=public --add-service=ftp
sudo firewall-cmd --zone=public --permanent --add-service=ftp
# 2. Open the passive port range (example: 30000-31000)
sudo firewall-cmd --zone=public --add-port=30000-31000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=30000-31000/tcp
# 3. Enable the FTP connection tracking module
# (the packaged ftp service definition already references the FTP conntrack
# helper on current firewalld; skip this step if your version rejects --add-module)
sudo firewall-cmd --add-module=nf_conntrack_ftp
sudo firewall-cmd --permanent --add-module=nf_conntrack_ftp
# 4. Reload to ensure permanent rules are applied
sudo firewall-cmd --reload
Additionally, you need to configure your FTP server to use the same passive port range. For example, in vsftpd, add to /etc/vsftpd/vsftpd.conf:
Plain Text
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
Then restart the vsftpd service:
Bash
sudo systemctl restart vsftpd
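The two sides of the passive-mode setup, the port range opened in the zone and the pasv_min_port/pasv_max_port values in vsftpd.conf, have to agree, and a mistyped or fused line in either one silently breaks data connections. The following Python script is an added example (not part of the original document or of vsftpd): it parses the vsftpd.conf text together with the output of firewall-cmd --zone=public --list-ports and --list-services, and reports any mismatch. The sample inputs are constructed to match the values used above; the function names are this example's own.

```python
# Added example, not part of the original document: check that the vsftpd
# passive range and the firewalld zone agree, using the text of vsftpd.conf
# plus the output of "firewall-cmd --zone=public --list-ports" and
# "--list-services". The sample inputs below are constructed; on a real host
# feed in the actual file and command output.
SAMPLE_VSFTPD_CONF = """\
# constructed vsftpd.conf excerpt
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
"""
SAMPLE_LIST_PORTS = "30000-31000/tcp"           # constructed --list-ports output
SAMPLE_LIST_SERVICES = "ssh dhcpv6-client ftp"  # constructed --list-services output


def parse_vsftpd_conf(text):
    """key=value lines, ignoring blanks and comments; later keys override earlier ones."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_list_ports(text):
    """'80/tcp 30000-31000/tcp' -> [(80, 80, 'tcp'), (30000, 31000, 'tcp')]."""
    ranges = []
    for item in text.split():
        spec, _, proto = item.partition("/")
        low, _, high = spec.partition("-")
        ranges.append((int(low), int(high or low), proto))
    return ranges


def check_ftp_passive(vsftpd_conf, list_ports_output, list_services_output):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    if "ftp" not in list_services_output.split():
        problems.append("ftp service (control port 21) is not allowed in the zone")
    conf = parse_vsftpd_conf(vsftpd_conf)
    if conf.get("pasv_enable", "YES").upper() != "YES":  # vsftpd defaults pasv_enable to YES
        problems.append("pasv_enable is not YES, so passive mode is off in vsftpd")
        return problems
    try:
        low, high = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    except KeyError as exc:
        problems.append(f"{exc.args[0]} is not set, so vsftpd is not pinned to the opened range")
        return problems
    except ValueError:
        problems.append("pasv_min_port/pasv_max_port are not plain integers (check for fused lines)")
        return problems
    if low > high:
        problems.append(f"pasv_min_port {low} is greater than pasv_max_port {high}")
        return problems
    opened = parse_list_ports(list_ports_output)
    if not any(p_low <= low and high <= p_high and proto == "tcp"
               for p_low, p_high, proto in opened):
        problems.append(f"passive range {low}-{high}/tcp is not fully opened in the zone")
    return problems


if __name__ == "__main__":
    result = check_ftp_passive(SAMPLE_VSFTPD_CONF, SAMPLE_LIST_PORTS, SAMPLE_LIST_SERVICES)
    for line in result or ["ok: vsftpd passive range and firewalld zone agree"]:
        print(line)
```

The check deliberately reads the runtime output of firewall-cmd rather than the zone XML: after a --permanent change without a reload the two differ, and it is the runtime set that decides whether a client's data connection gets through.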
Example 4: Allowing Access from Specific IP Addresses
To allow all traffic from a specific IP address or network:
Bash
# Allow all traffic from a single IP address
sudo firewall-cmd --zone=trusted --add-source=192.168.1.10
sudo firewall-cmd --zone=trusted --permanent --add-source=192.168.1.10
# Allow all traffic from a network
sudo firewall-cmd --zone=trusted --add-source=10.0.0.0/24
sudo firewall-cmd --zone=trusted --permanent --add-source=10.0.0.0/24
# Reload to ensure permanent rules are applied
sudo firewall-cmd --reload
Example 5: Creating a Custom Service
You can create custom services for applications not included by default:
Bash
# Create a new service for a custom application
sudo firewall-cmd --permanent --new-service=myapp
# Configure the service
sudo firewall-cmd --permanent --service=myapp --set-description="My Custom Application"
sudo firewall-cmd --permanent --service=myapp --set-short="MyApp"
sudo firewall-cmd --permanent --service=myapp --add-port=8080/tcp
sudo firewall-cmd --permanent --service=myapp --add-port=8081/udp
# Reload firewalld
sudo firewall-cmd --reload
# Enable the service
sudo firewall-cmd --zone=public --add-service=myapp
sudo firewall-cmd --zone=public --permanent --add-service=myapp
Comparison with Other Linux Firewall Solutions
Firewalld vs. UFW
UFW (Uncomplicated Firewall) is the default firewall configuration tool in Ubuntu and other Debian-based distributions.
Key differences:
1. Architecture:
• Firewalld uses a zone-based approach
• UFW uses a simpler rule-based approach
2. Dynamic Configuration:
• Firewalld supports runtime changes without disrupting existing connections
• UFW typically requires reloading the entire ruleset
3. Interface:
• Firewalld provides both CLI and GUI tools
• UFW is primarily CLI-focused with some GUI options
4. Default Distribution:
• Firewalld is default in RHEL/Fedora/CentOS
• UFW is default in Ubuntu/Debian
Firewalld vs. Direct iptables/nftables
Firewalld is a frontend for iptables (older versions) or nftables (newer versions):
1. Abstraction Level:
• Firewalld provides a higher-level abstraction
• iptables/nftables offer direct, low-level control
2. Ease of Use:
• Firewalld simplifies common tasks
• iptables/nftables require more technical knowledge
3. Dynamic Changes:
• Firewalld supports runtime changes without disrupting connections
• iptables requires careful rule management to avoid disruptions
Troubleshooting
Common Issues and Solutions
1. Changes not taking effect:
• Ensure you're using --permanent for persistent changes
• Run sudo firewall-cmd --reload to apply permanent changes
2. Service still inaccessible after opening ports:
• Verify the service is running: sudo systemctl status service-name
• Check if the service is bound to the correct interface
• Verify no other firewall is running (like iptables)
3. Firewalld not starting:
• Check logs: sudo journalctl -u firewalld
• Ensure no conflicting firewall service is running
4. Locked out of SSH:
• Boot into rescue mode
• Disable firewalld: sudo systemctl disable firewalld
• Fix configuration and re-enable
Logging and Debugging
- Enable logging for dropped packets: sudo firewall-cmd --set-log-denied=all (check the current setting with sudo firewall-cmd --get-log-denied)
- View firewalld logs: sudo journalctl -u firewalld
- View kernel firewall logs: sudo journalctl -k | grep -i -e reject -e drop
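Once log-denied is enabled, refused packets appear in the kernel log in netfilter's KEY=VALUE format, preceded by a prefix naming the rule that refused them (FINAL_REJECT in the sample below). The following Python script is an added example (not part of the original document): it parses such lines from journalctl -k or dmesg output, counts refusals per source, lists the destination ports each source hit, and flags sources refused on many distinct ports. The log lines are constructed for this example and the five-port threshold is an arbitrary choice.

```python
# Added example, not part of the original document: parse the kernel log lines
# that firewalld emits once log-denied is enabled (netfilter's KEY=VALUE format,
# seen via journalctl -k or dmesg) and summarize which sources were refused on
# which ports. The SAMPLE_LOG lines below are constructed for this example.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar 10 12:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51514 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=51515 DPT=22 SYN URGP=0
Mar 10 12:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=51516 DPT=25 SYN URGP=0
Mar 10 12:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=51517 DPT=80 SYN URGP=0
Mar 10 12:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=5 DF PROTO=TCP SPT=51518 DPT=443 SYN URGP=0
Mar 10 12:00:05 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=6 DF PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
[  812.417] FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=7 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar 10 12:00:09 host firewalld[812]: (constructed non-kernel line that the parser must skip)
"""

# "<prefix>: IN=..." marks the start of the netfilter fields, whatever journal
# or dmesg timestamp precedes it.
PREFIX_RE = re.compile(r"(?P<prefix>\w+): (?=IN=)")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # bare flags such as DF or SYN are not captured


def parse_log_line(line):
    """Return the netfilter fields of one log line as a dict, or None."""
    match = PREFIX_RE.search(line)
    if match is None:
        return None
    fields = dict(KV_RE.findall(line[match.end():]))
    fields["PREFIX"] = match.group("prefix")
    return fields


def summarize(lines):
    """Count refused packets per source and collect the (proto, port) pairs each one hit."""
    hits_by_src = Counter()
    ports_by_src = defaultdict(set)
    for line in lines:
        fields = parse_log_line(line)
        if fields is None or "SRC" not in fields:
            continue
        hits_by_src[fields["SRC"]] += 1
        if "DPT" in fields:
            ports_by_src[fields["SRC"]].add((fields.get("PROTO"), int(fields["DPT"])))
    return hits_by_src, ports_by_src


def probing_sources(ports_by_src, threshold=5):
    """Sources refused on at least `threshold` distinct ports (threshold chosen for this example)."""
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)


if __name__ == "__main__":
    hits, ports = summarize(SAMPLE_LOG.splitlines())
    for src, count in hits.most_common():
        print(f"{src}: {count} refused, ports {sorted(p for _, p in ports[src])}")
    print("sources touching many distinct ports:", probing_sources(ports))
```

On a real host, pipe the output of sudo journalctl -k into the script instead of SAMPLE_LOG; a single source repeatedly refused on one port usually points at a legitimate client whose service or port was never opened (the "service still inaccessible" case above), whereas one source refused on many different ports is worth a closer look.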
Conclusion
Firewalld provides a powerful yet user-friendly interface for managing Linux firewalls. Its zone-based approach and dynamic configuration capabilities make it particularly well-suited for systems with changing network environments.
While it comes pre-installed on Red Hat-based distributions, it can be easily installed on other Linux distributions. Understanding the differences in implementation across distributions, along with the key configuration files and commands, allows for effective firewall management regardless of the Linux environment.
By following the examples provided in this document, you can configure firewalld to secure your system while allowing necessary services to function properly, including complex scenarios like FTP passive mode configuration.
