The Need for Firewalls
Network connections have an origin and a destination. Software at the origin requests the connection, and software at the destination accepts or rejects it. If it is accepted, packets of data—generically called network traffic—can pass in both directions over the connection. That’s true for whether you’re sharing across the room in your own home, remotely connecting to work from your home office, or using a distant, cloud-based resource.
Good security practice says you should limit and control the connections to your computer. This is what firewalls do. They filter network traffic by IP address, port, or protocol, and reject connections that do not meet a predefined set of criteria—the firewall rules—that you have configured. They’re like security personnel at an exclusive event. If your name’s not on the list, you’re not getting inside.
Of course, you don’t want your firewall rules to be so restrictive that your normal activities are curtailed. The simpler it is to configure your firewall the less chance you have of inadvertently setting up conflicting or draconian rules. We often hear from users who say they don’t use a firewall because it is too complicated to understand, or the command syntax is too opaque.
The firewalld firewall is powerful yet simple to set up, both on the command line and through its dedicated GUI application. Under the hood, Linux firewalls rely on netfilter , the kernel-side network filtering framework. Out here in user-land, we have a choice of tools to interact with netfilter, such as iptables, ufw the uncomplicated firewall, and firewalld.
In our opinion, firewalld offers the best balance of functionality, granularity, and simplicity.
Installing firewalld
There are two parts to firewalld . There’s firewalld , the daemon process that provides the firewall functionality, and there’s firewall-config. This is the optional GUI for firewalld. Note that there’s no “d” in firewall-config.
Installing firewalld on Ubuntu, Fedora, and Manjaro is straightforward in all cases, although they each have their own take on what is pre-installed and what is bundled.
To install on Ubuntu, we need to install firewalld and firewall-config.
On Fedora, firewalld is already installed. We just need to add firewall-config .
sudo dnf install firewall-config
On Manjaro, neither component is pre-installed, but they’re bundled into a single package so we can install them both with a single command.
We need to enable the firewalld daemon to permit it to run each time the computer boots up.
And we need to start the daemon so that it is running now.
We can use systemctl to check that firewalld has started and is running without issues:
We can also use firewalld to check whether it is running. This uses the firewall-cmd command with the –state option. Note there’s no “d” in firewall-cmd :
Now we’ve got the firewall installed and running, we can move on to configuring it.
The Concept of Zones
The firewalld firewall is based around zones. Zones are collections of firewall rules and an associated network connection. This lets you tailor different zones—and a different set of security limitations—that you can operate under. For example, you might have a zone defined for regular, everyday running, another zone for more secure running, and a “nothing in, nothing out” complete lockdown zone.
To move from one zone into another, and effectively from one level of security to another, you move your network connection from the zone it is in, to the zone that you wish to run under.
This makes it very fast to move one from one defined set of firewall rules to another. Another way to use zones would be to have your laptop use one zone when you are home and another when you are out and using public Wi-Fi.
firewalld comes with nine pre-configured zones. These can be edited and more zones added or removed.
drop: All incoming packets are dropped. Outgoing traffic is allowed. This is the most paranoid setting. block: All incoming packets are dropped and an icmp-host-prohibited message is sent to the originator. Outgoing traffic is allowed. trusted: All network connections are accepted and other systems are trusted. This is the most trusting setting and should be restricted to very safe environments like captive test networks or your home. public: This zone is for use on public or other networks where none of the other computers can be trusted. A small selection of common and usually safe connection requests are accepted. external: This zone is for use on external networks with NAT masquerading (port forwarding) enabled. Your firewall acts as a router forwarding traffic to your private network which remains reachable, but still private. internal: This zone is intended to be used on internal networks when your system acts as a gateway or router. Other systems on this network are generally trusted. dmz: This zone is for computers located in the “demilitarized zone” outside of your perimeter defenses and with limited access back into your network. work: This zone is for work machines. Other computers on this network are generally trusted. home: This zone is for home machines. Other computers on this network are generally trusted.
The home, work, and internal zones are very similar in function, but separating them out into different zones allows you to fine-tune a zone to your liking, encapsulating one set of rules for a particular scenario.
A good starting point is to find out what the default zone is. This is the zone that your network interfaces are added to when firewalld is installed.
Our default zone is the public zone. To see the configuration details of a zone, use the –list-all option. This lists anything that has been added or enabled for a zone.
We can see that this zone is associated with network connection enp0s3, and is allowing traffic related to DHCP, mDNS, and SSH. Because at least one interface has been added to this zone, this zone is active.
firewalld allows you to add services that you’d like to accept traffic from to a zone. That zone then allows that type of traffic through. This is easier than remembering that mDNS, for example, uses port 5353 and the UDP protocol, and manually adding those details to the zone. Although you can do that too.
If we run the previous command on a laptop with an ethernet connection and a Wi-Fi card, we’ll see something similar, but with two interfaces.
Both of our network interfaces have been added to the default zone. The zone has rules for the same three services as the first example, but DHCP and SSH have been added as named services, while mDNS has been added as a port and protocol pairing.
To list all zones use the –get-zones option.
To see the configuration for all zones at once, use the –list-all-zones option. You’ll want to pipe this into less.
This is useful because you can scroll through the listing, or use the search facility to look for port numbers, protocols, and services.
On our laptop, we’re going to move our Ethernet connection from the public zone to the home zone. We can do that with the –zone and –change-interface options.
Let’s take a look at the home zone, and see if our change has been made.
And it has. Our Ethernet connection is added to the home zone.
However, this is not a permanent change. We’ve changed the running configuration of the firewall, not its stored configuration. If we reboot or use the –reload option, we’ll revert to our previous settings.
To make a change permanent, we need to use the aptly named –permanent option.
This means we can change the firewall for one-off requirements without altering the firewall’s stored configuration. We can also test changes before we send them to the configuration. To make our change permanent, the format we should use is:
If you make some changes but forget to use –permanent on some of them, you can write the settings of the current running session of the firewall to the configuration using the –runtime-to-permanent option.
RELATED: What Is DHCP (Dynamic Host Configuration Protocol)?
Adding and Removing Services
firewalld knows about a lot of services. You can list them using the –get-services option.
Our version of firewalld listed 192 services. To enable a service in a zone, use the –add-service option.
We can add a service to a zone using the –add-service option.
The name of the service must match its entry in the list of services from firewalld.
To remove a service replace –add-service with –remove-service
Adding and Removing Ports and Protocols
If you prefer to choose which ports and protocols are added, you can do that too. You’ll need to know the port number and the protocol for the type of traffic you’re adding.
Let’s add HTTPS traffic to the public zone. That uses port 443 and is a form of TCP traffic.
You could supply a range of ports by providing the first and last ports with a hyphen “-” between them, like “400-450.”
To remove a port replace –add-port with –remove-port .
RELATED: What’s the Difference Between TCP and UDP?
Using the GUI
Press your “Super” key and start to type “firewall.” You’ll see the brick wall icon for the firewall-config application.
Click that icon to launch the application.
To add a service to firewalld using the GUI is as easy as selecting a zone from the list of zones and selecting the service from the list of services.
You can choose to modify the running session or the permanent configuration by selecting “Runtime” or “Permanent” from the “Configuration” dropdown menu.
To make changes to the running session and only commit the changes once you’ve tested they work, set the “Configuration” menu to “Runtime.” Make your changes. Once you’re happy they’re doing what you want, use the Options > Runtime to Permanent menu option.
To add a port and protocol entry to a zone, select the zone from the zone list, and click on “Ports.” Clicking the add button lets you provide the port number and pick the protocol from a menu.
To add a protocol, click on “Protocols”, click the “Add” button, and select the protocol from the pop-up menu.
To move an interface from one zone to another, double-click the interface in the “Connections” list, then select the zone from the pop-up menu.
The Tip of the Iceberg
There’s a lot more you can do with firewalld, but this is enough to get you up and running. With the information we’ve given you, you’ll be able to create meaningful rules in your zones.