If you’re looking for a modern, powerful firewall for Linux that’s easy to configure on the command line or through a GUI, then firewalld is probably what you are looking for.
The need for firewalls
Network connections have origins and destinations. The software at the source requests the connection and the software at the destination accepts or rejects it. If it is accepted, data packets, collectively called network traffic, can travel in both directions over the connection. This applies whether the other computer is in the same room of your own home, you’re telecommuting from your home office, or you’re using a remote, cloud-based resource.
Good security practice says that you should limit and control access to your computer. This is what firewalls do. They filter network traffic by IP address, port, or protocol and reject connections that do not meet a predefined set of criteria, the firewall rules, that you have configured. They are like security guards at an exclusive event. If your name isn’t on the list, you won’t get in.
Of course, you don’t want your firewall rules to be so restrictive that your normal activities are hindered. The simpler your firewall is to configure, the less chance you have of accidentally setting conflicting or overly rigid rules. We often hear from users that they don’t use a firewall because it’s too complicated to understand or the command syntax is too opaque.
firewalld is powerful yet simple to set up, both on the command line and through its dedicated GUI. Under the hood, Linux firewalls rely on netfilter, a kernel-side packet filtering framework. In user space, we have a choice of tools for interacting with it, including ufw (the uncomplicated firewall) and firewalld. In our opinion, firewalld offers the best balance of functionality, granularity and simplicity.
There are two parts to firewalld. There is the firewalld daemon process, which provides the firewall functionality, and there is firewall-config, an optional GUI for firewalld. Note that there is no letter “d” at the end of its name.
Installing firewalld
Installing firewalld on Ubuntu, Fedora, and Manjaro is simple, although each distribution has its own view of what is preinstalled and what is bundled.
To install on Ubuntu, we need to install both packages:
sudo apt install firewalld
sudo apt install firewall-config
On Fedora, firewalld is already installed. We just have to add firewall-config:
sudo dnf install firewall-config
On Manjaro neither component is preinstalled, but they are bundled, so we can install both with one command:
sudo pacman -Sy firewalld
We must enable the firewalld daemon so that it runs every time the computer is booted:
sudo systemctl enable firewalld
And we need to start the daemon so that it is running now:
sudo systemctl start firewalld
We can use systemctl to check that firewalld has started and is running fine:
sudo systemctl status firewalld
We can also use firewalld itself to check whether it is running. This uses the firewall-cmd command with the --state option. Note that there is no letter “d” in firewall-cmd.
sudo firewall-cmd --state
Now that we have the firewall installed and running, we can proceed to configure it.
Concept of Zones
firewalld is based around firewall zones. A zone is a collection of firewall rules and the network connections associated with them. This lets you set up different zones with different security restrictions in which you can operate. For example, there might be a designated zone for regular, everyday running, another zone for safer running, and a “nothing in, nothing out” complete lockdown zone.
To move from one zone to another, effectively moving from one security level to another, you move your network connection from the zone it’s in to the zone you want to work under.
This makes it very fast to switch from one defined set of firewall rules to another. Another way to use zones is to have your laptop use one zone when you’re at home and another zone when you’re out and about using public Wi-Fi.
firewalld comes with nine pre-configured zones. These can be edited and more zones can be added or removed.
- drop: All incoming packets are dropped. Outbound traffic is allowed. This is the most paranoid setting.
- block: All incoming packets are dropped and an icmp-host-prohibited message is sent to the originator. Outbound traffic is allowed.
- trusted: All network connections are accepted and the other systems are trusted. This is the most trusting setting and should be limited to very secure environments such as test networks or your home.
- public: This zone is for use on public or other networks where none of the other computers can be trusted. A small selection of common and usually secure connection requests are accepted.
- external: This zone is for use on external networks where NAT masquerading (port forwarding) is enabled. Your firewall acts as a router that forwards traffic to your private network, which remains reachable but still private.
- internal: This zone is intended for use on internal networks when your system acts as a gateway or router. Other systems on this network are generally trusted.
- dmz: This zone is for computers that are outside your perimeter defenses in the “demilitarized zone” and have limited access to your network.
- work: This zone is for work machines. Other computers on this network are generally trusted.
- home: This zone is for home machines. Other computers on this network are generally trusted.
The home, work and internal zones are very similar in function, but separating them into different zones lets you tailor each one to your taste, giving a set of rules for a specific scenario.
A good starting point is to find out what the default zone is. This is the zone your network interfaces are attached to when firewalld is installed.
sudo firewall-cmd --get-default-zone
Our default zone is the public zone. To view the configuration details of a zone, use the --list-all option. This lists everything that has been added or enabled for the zone.
sudo firewall-cmd --zone=public --list-all
We can see that this zone is associated with the network connection enp0s3 and allows traffic related to DHCP, mDNS and SSH. This zone is active because at least one interface has been added to it.
firewalld lets you add the services whose traffic you want to accept to a zone. That zone then allows that kind of traffic. This is easier than remembering, for example, that mDNS uses port 5353 and the UDP protocol and manually adding those details to the zone, although you can do that too.
If we execute the previous command on a laptop with an ethernet connection and a Wi-Fi card, we will see something similar, but with two interfaces.
sudo firewall-cmd --zone=public --list-all
Both of our network interfaces are added to the default zone. The zone contains rules for the same three services as in the first example, but here DHCP and SSH appear as named services while mDNS appears as a port and protocol pairing.
To list all zones, use:
sudo firewall-cmd --get-zones
To see the configuration of all zones at once, use the --list-all-zones option. You’ll want to pipe this one into less:
sudo firewall-cmd --list-all-zones | less
This is useful because you can scroll through the list or use the search tool to search for port numbers, protocols, and services.
We will move the Ethernet connection on our laptop from the public zone to the home zone. We can do that with:
sudo firewall-cmd --zone=home --change-interface=enp3s0
Let’s take a look at the home zone and see if our change has been made.
sudo firewall-cmd --zone=home --list-all
And there it is. Our Ethernet connection has been added to the home zone.
But this is not a permanent change. We have changed the firewall’s runtime configuration, not its stored configuration. If we reboot or use the --reload option, we revert to our previous settings.
To make the change permanent we need to use the aptly named --permanent option. This means we can change the firewall for one-off requirements without altering the firewall’s stored configuration. We can also test changes before committing them to the configuration. The format we need to use to make our change permanent is:
sudo firewall-cmd --zone=home --change-interface=enp3s0 --permanent
If you make some changes but forget to use --permanent on some of them, you can write the settings of the firewall’s current running session to the stored configuration with:
sudo firewall-cmd --runtime-to-permanent
Adding and Removing Services
firewalld is aware of many services. You can list them using:
sudo firewall-cmd --get-services
On our machine, firewalld listed 192 services. To enable a service in a zone, we add it to the zone using:
sudo firewall-cmd --zone=public --add-service=http
The name of the service must match its entry in the list of services.
To remove the service, change --add-service to --remove-service.
Adding and Removing Ports and Protocols
If you want to choose which ports and protocols to add, you can do that too. You need to know the port number and protocol for the type of traffic you are adding.
Let’s add HTTPS traffic to the public zone. It uses port 443 and is a form of TCP traffic.
sudo firewall-cmd --zone=public --add-port=443/tcp
You can specify a range of ports by giving the first and last ports with a hyphen “-” between them, such as “400-450”.
To remove the port, change --add-port to --remove-port.
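The zone listings above mix named services with raw port and protocol pairs (mDNS may appear either way), so answering “is this port open on this interface?” means checking both. The following script is an added example, not part of the original article: it parses a constructed sample of --list-all-zones output, maps an interface to its zone, and reports whether a port/protocol is admitted by a port entry (including a range like 400-450/tcp) or by a named service. The service-to-port table is an assumed subset; firewalld keeps the real definitions in /usr/lib/firewalld/services/*.xml.

```shell
# SAMPLE is constructed to mimic `sudo firewall-cmd --list-all-zones` output,
# trimmed to the fields used here (two zones, both active).
SAMPLE='public (active)
  target: default
  interfaces: enp3s0
  services: dhcpv6-client ssh
  ports: 5353/udp 8000-8080/tcp

home (active)
  target: default
  interfaces: wlp2s0
  services: dhcpv6-client mdns samba-client ssh
  ports:
'
zone_field() {  # zone_field ZONE FIELD -> that field's values for the zone
  printf '%s\n' "$SAMPLE" | awk -v z="$1" -v f="$2:" '
    /^[^ ]/ { cur = $1 }                 # zone header line, e.g. "public (active)"
    cur == z && $1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}
zone_of_interface() {  # zone_of_interface IFACE -> zone the interface is bound to
  printf '%s\n' "$SAMPLE" | awk -v i="$1" '
    /^[^ ]/ { cur = $1 }
    $1 == "interfaces:" { for (k = 2; k <= NF; k++) if ($k == i) { print cur; exit } }'
}
service_port() {  # assumed subset of firewalld service definitions (not the real XML)
  case "$1" in
    ssh) echo 22/tcp ;;     http) echo 80/tcp ;;     https) echo 443/tcp ;;
    mdns) echo 5353/udp ;;  dhcpv6-client) echo 546/udp ;;
    samba-client) echo "137/udp 138/udp" ;;  *) echo "" ;;
  esac
}
in_range() {  # in_range 8080/tcp 8000-8080/tcp -> true if PORT/PROTO lies in the entry
  wp=${1%/*}; rp=${2%/*}
  [ "${1#*/}" = "${2#*/}" ] || return 1    # protocol must match
  case $rp in
    *-*) [ "$wp" -ge "${rp%-*}" ] && [ "$wp" -le "${rp#*-}" ] ;;
    *)   [ "$wp" -eq "$rp" ] ;;
  esac
}
port_allowed() {  # port_allowed ZONE PORT/PROTO -> "port:ENTRY", "service:NAME" or "closed"
  for p in $(zone_field "$1" ports); do
    in_range "$2" "$p" && { echo "port:$p"; return 0; }
  done
  for s in $(zone_field "$1" services); do
    for p in $(service_port "$s"); do
      in_range "$2" "$p" && { echo "service:$s"; return 0; }
    done
  done
  echo closed; return 1
}
```

Run it against a real host by replacing SAMPLE with `$(sudo firewall-cmd --list-all-zones)` and extending service_port from the XML definitions.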
Using the GUI
Press “Super” and start typing “firewall”. You will see a brick wall icon for firewall-config. Click that icon to launch the app.
Adding a service to a zone with the firewalld GUI is as easy as selecting a zone from the list of zones and a service from the list of services.
You can choose to change the running session or permanent configuration by selecting either Runtime or Permanent from the Configuration drop-down menu.
To make changes in the running session and apply them only after verifying that they work, set the Configuration menu to Runtime. Make your changes. Once you’re satisfied that they do what you want, use the Options > Runtime To Permanent menu.
To add a port and protocol entry to a zone, select a zone from the zone list and click Ports. Clicking the Add button allows you to provide a port number and select a protocol from the menu.
To add a protocol, click Protocols, click Add, and select a protocol from the drop-down menu.
To move an interface from one zone to another, double-click an interface in the Connections list, then select a zone from the drop-down menu.
The tip of the iceberg
You can do more with firewalld, but this should be enough to get you started. With the information we’ve given you, you’ll be able to create meaningful rules in your zones.