Favorite Social Media Timesink
When you take a break from work, where are you going?
Video clips on TikTok/YouTube
X, Bluesky, Mastodon et al...
Web surfing
I do not get distracted by petty amusements

Firewalld: An Easier Way to Manage Linux Firewalls

Tired of iptables? With firewalld, you can easily open ports, block IP addresses, manage zones, and even add a GUI for easier management.
Dec 23rd, 2023 6:00am by
Featued image for: Firewalld: An Easier Way to Manage Linux Firewalls
Feature Image by Gerd Altmann from Pixabay, penguin by M. Harris, Pixabay.

If you use either Rocky Linux or AlmaLinux as your server operating system of choice, you’ll find them as powerful as it is flexible. And thankfully, they are not nearly as complicated as they once were.

Take, for instance, the firewall. Back in the old days, working with the firewall required you get to know the highly complicated iptables utility.

Here’s a sample command for adding an iptables rule:

This adds a rule to the INPUT chain for incoming TCP traffic on port 22, and uses the recent module to mark the source IP address, updates the rule to drop packets if the rate limit exceeds 4 new connections within 60 seconds.

To be fair, iptables is capable of doing some very complicated things. But with that complication comes the challenge of writing rules that work. It takes a long time to master iptables and most new Linux admins are busy just getting up to speed with the basics of the operating system.

What Is Firewalld?

That’s why the far simpler firewalld is a better place to start. Firewalld is a firewall management tool that provides a dynamically managed firewall that is user-friendly and supports features like network zones. With firewalld, you can easily open ports, block IP addresses, manage zones, and even add a GUI for easier management (so long as you’ve installed Rocky Linux with a desktop environment).

Let’s dive in and take our first steps with this powerful firewall tool.

What You Need

To follow along, you’ll need a Linux distribution that uses firewalld (such as Red Hat Enterprise Linux, Rocky Linux, Alma Linux, CentOS Stream, or Fedora) and a user with sudo privileges. That’s it, let’s get to know this firewall system.

Enable the Firewall

Out of the box, you might find the firewall is disabled. Because firewalld runs as a service on your Linux distribution, you can enable it with the help of systemctl like so:

You can then verify the firewall is running with the command:

It should be listed as active (running).

List Currently Active Rules

Next, we’re going to take a look at the currently active rules running in the firewall. This can be done with the command:

Notice the command is not firewalld, but firewall-cmd. Firewalld is the daemon (service) and firewall-cmd is the command used to manage the rules.

The output of the above command will look something like this:

Instead of listing both ports and services simultaneously, you could view them separately with the command:

Adding a Service or Port through the Firewall

Let’s say you need to add HTTP (port 80) and SSH (port 22) through the firewall. Before we do that, we have to decide which zone we’ll work with, of which there are nine (drop, block, public, external, internal, dmz, work, home, and trusted). Of those nine, you’ll probably mostly work with these four:

  • public – public, untrusted networks
  • home – private, trusted networks
  • work – same as home, only used for business purposes
  • trusted – all connected machines are trusted

For our purposes, we’re going to focus on the public zone because that is generally associated with external connections (WAN). If you’re running a web server, you’ll probably want to allow public traffic through the firewall so it can reach the websites you are serving up.

To make sure you’re using the public zone, use the following command:

Verify the change with:

You should see something like this in the output:

To allow port 80 (HTTP) through, issue the command:

What that does is add the new rule but it doesn’t automatically activate it. For that, you must reload the firewall with the command:

Now, if you check the firewalld status, you’ll see HTTP listed. Let’s say you also need HTTPS added to the firewall. Instead of using the port number, we can do so via a service like so:

Again, reload the firewall with:

You can do the same thing with SSH (port 22), which can be added with either of the following commands:

Reload the firewall with:

Removing a Port or Service from the Firewall

In the same way, you can remove a service or port from the firewall, thereby blocking access to the server. Sticking with our examples, we can remove access via a service with a command like this:

We can also remove access via a port like so:

Notice we have to use a protocol (such as tcp) when adding or removing via port numbers, which isn’t required when adding or removing via service. And, remember, any time you modify the firewall, you have run the sudo firewall-cmd –reload command before the changes take effect.

And there you have it, your first steps with the firewalld system. Thankfully, you don’t have to worry about working with the iptables command, which is far more complicated. To learn more about firewalld, check out the official documentation.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Enable, Alma.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.