Getting Started Guide to Firewalld on RHEL-Based Systems

Firewalld is the default firewall management tool on Red Hat Enterprise Linux (RHEL) based distributions such as Fedora, AlmaLinux, and Rocky Linux. This guide will cover some basic firewalld operations.

Install and Enable Firewalld

Step 1: Install firewalld using the dnf package manager.

sudo dnf install -y firewalld

Step 2: Start the firewalld service and enable it to start automatically at boot.

sudo systemctl enable --now firewalld

Step 3: Verify that the firewalld service is running.

sudo systemctl status firewalld

Step 4: If you’re configuring a server, allow SSH traffic to avoid being locked out. Note that rules added with --permanent are written to the saved configuration and only take effect in the running firewall after a reload (sudo firewall-cmd --reload).

sudo firewall-cmd --permanent --add-service=ssh

Understanding Firewall Zones

Unlike some other firewalls, firewalld utilizes the concept of zones to manage network traffic. It’s important to know which zone is the default on your system. While public is a common default, your server’s configuration might differ.

Step 1: Determine the default zone.

sudo firewall-cmd --get-default-zone

Step 2: List the currently active rules in the default zone.

sudo firewall-cmd --list-all

Step 3: List all available zones.

sudo firewall-cmd --list-all-zones

Step 4: Display active zones.

sudo firewall-cmd --get-active-zones

In most cases, you’ll be working within the default public zone.

Method 1: Using Direct Rules for Packet Forwarding (iptables Backend)

If you’re using iptables as the backend and need to forward packets between clients (for example, in a VPN setup), direct rules offer precise control. Adapt the interface (wg0) and subnet (10.10.10.0/24) to your network configuration.

Step 1: Add rules to accept forwarding for the specified interface.

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i wg0 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o wg0 -j ACCEPT

Step 2: Add rules to accept forwarding for the specified subnet.

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -s 10.10.10.0/24 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -d 10.10.10.0/24 -j ACCEPT

Step 3: Restart firewalld for the changes to take effect.

sudo systemctl restart firewalld

Step 4: List the direct rules to confirm your configuration.

sudo firewall-cmd --permanent --direct --get-all-rules

Method 2: Enabling Packet Forwarding (General Method)

Step 1: Enable IP forwarding in the kernel. Edit /etc/sysctl.conf or create a new file in /etc/sysctl.d/.

sudo nano /etc/sysctl.d/99-forwarding.conf

Step 2: Add the following line to the file.

net.ipv4.ip_forward = 1

Step 3: Apply the change.

sudo sysctl -p /etc/sysctl.d/99-forwarding.conf

Step 4: Enable masquerading in firewalld for the zone that holds your external interface (eth0 here). Replace public if your external interface is bound to a different zone (check with sudo firewall-cmd --get-active-zones).

sudo firewall-cmd --permanent --zone=public --add-masquerade

Step 5: Reload firewalld to apply the changes.

sudo systemctl reload firewalld

Enable Logging for Firewalld

To help troubleshoot firewall issues, enable logging of denied packets.

Step 1: Enable logging for all denied packets.

sudo firewall-cmd --set-log-denied=all

When a connection is blocked, the kernel logs a message to /var/log/messages (also visible with journalctl -k).
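The denied-packet log quickly becomes noisy, so it helps to reduce it to counts per source and destination port. The following POSIX sh script is an added example (not part of this guide); the log lines in SAMPLE_LOG are constructed to follow the kernel netfilter log layout (SRC=, DST=, PROTO=, DPT= fields) with the FINAL_REJECT and STATE_INVALID_DROP prefixes that firewalld's log-denied rules use. Adjust the awk pattern if your firewalld version logs with different prefixes.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarize the packets that
# firewalld logged after --set-log-denied=all.  SAMPLE_LOG is CONSTRUCTED in
# the kernel netfilter log layout; on a real host feed the live log instead:
#   grep -hE 'FINAL_REJECT|INVALID_DROP' /var/log/messages | summarize_denied

SAMPLE_LOG='Mar  3 10:01:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:03 host sshd[1234]: Accepted publickey for admin from 198.51.100.20 port 40000 ssh2
Mar  3 10:01:05 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:09 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:02:11 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=44000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:40 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=73 TOS=0x00 PREC=0x00 TTL=58 ID=4321 PROTO=UDP SPT=5353 DPT=53 LEN=53'

# Print "count source proto dport" for every denied flow, most frequent first.
summarize_denied() {
    awk '
    /FINAL_REJECT:|FINAL_DROP:|STATE_INVALID_DROP:/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Top N source addresses by number of denied packets (default 3).
top_denied_sources() {
    awk '
    /FINAL_REJECT:|FINAL_DROP:|STATE_INVALID_DROP:/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); count[$i]++ }
    }
    END { for (s in count) print count[s], s }
    ' | sort -rn | head -n "${1:-3}"
}

# Number of denied packets aimed at one destination port, e.g. denied_to_port 22.
denied_to_port() {
    awk -v want="$1" '
    /FINAL_REJECT:|FINAL_DROP:|STATE_INVALID_DROP:/ {
        for (i = 1; i <= NF; i++) if ($i == ("DPT=" want)) { n++; break }
    }
    END { print n + 0 }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
printf '%s\n' "$SAMPLE_LOG" | top_denied_sources 2
```

Lines that are not firewalld denials (the sshd line in the sample) are ignored, so the functions can be pointed at the whole /var/log/messages file. A single source appearing at the top of top_denied_sources with many distinct destination ports in summarize_denied is the pattern worth a closer look.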

Open Ports in the Firewall

If you host a website, you’ll need to allow HTTP (port 80) and HTTPS (port 443) traffic.

Step 1: Open ports 80 and 443 for web traffic.

sudo firewall-cmd --permanent --add-port={80/tcp,443/tcp}

If you run a mail server, you’ll need to open ports for SMTP (25), submission (587), IMAP (143), and IMAPS (993).

Step 2: Open necessary ports for mail server functionality.

sudo firewall-cmd --permanent --add-port={25/tcp,587/tcp,143/tcp,993/tcp}

If POP3 is required, open ports 110 (POP3) and 995 (POP3S).

Step 3: Open POP3 ports if needed.

sudo firewall-cmd --permanent --add-port={110/tcp,995/tcp}

Step 4: Reload firewalld to apply the new rules.

sudo systemctl reload firewalld
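After opening ports it is worth confirming that the running zone exposes exactly what you intended, nothing more (a port opened for a test and forgotten) and nothing less (a --permanent change that was never reloaded). The script below is an added example, not part of this guide; it parses the output format of sudo firewall-cmd --list-all shown in the zones section above. SAMPLE_LIST_ALL is a constructed copy of that output; on a real host pipe the live command output into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the original guide: compare the zone printed by
# `firewall-cmd --list-all` with the ports/services you meant to open.
# SAMPLE_LIST_ALL is CONSTRUCTED to follow the command's output layout.
# Live use:  sudo firewall-cmd --list-all | unexpected_entries ports '80/tcp 443/tcp'

SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 443/tcp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the entries of one field (ports, services, interfaces, ...), one per line.
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr ' ' '\n' | sed '/^$/d'
}

# Entries of FIELD ($1) that are present but not on the space-separated allowlist ($2).
unexpected_entries() {
    allowed=" $2 "
    zone_field "$1" | while IFS= read -r e; do
        case "$allowed" in
            *" $e "*) ;;
            *) printf '%s\n' "$e" ;;
        esac
    done
}

# Allowlisted entries that are NOT present, e.g. a --permanent change never reloaded.
missing_entries() {
    present=" $(zone_field "$1" | tr '\n' ' ')"
    for e in $2; do
        case "$present" in
            *" $e "*) ;;
            *) printf '%s\n' "$e" ;;
        esac
    done
}

# Exit 0 only when FIELD matches the allowlist exactly (no extra, no missing entry).
zone_matches() {
    input=$(cat)
    u=$(printf '%s\n' "$input" | unexpected_entries "$1" "$2")
    m=$(printf '%s\n' "$input" | missing_entries "$1" "$2")
    [ -z "$u" ] && [ -z "$m" ]
}

# Stand-alone demonstration on the constructed sample: 8080/tcp is flagged.
printf '%s\n' "$SAMPLE_LIST_ALL" | unexpected_entries ports '80/tcp 443/tcp'
```

Running zone_matches from a cron job or a configuration-management check turns the manual "list and eyeball" step into a pass/fail test; the same functions work for the services line, which is where the ssh service from the first section shows up.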

Close Ports in the Firewall

To close a port, use the --remove-port option.

Step 1: Remove the desired port.

sudo firewall-cmd --permanent --remove-port=25/tcp

Step 2: Reload firewalld.

sudo systemctl reload firewalld

Rich Rules

Rich rules provide a more expressive way to define firewall rules.

Step 1: Add a rich rule to whitelist an IP address. Replace 12.34.56.78 with the actual IP.

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="12.34.56.78" accept'

Step 2: Reload firewalld.

sudo systemctl reload firewalld

Step 3: To delete a rich rule, use the --remove-rich-rule option.

sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="12.34.56.78" accept'

Step 4: Reload firewalld.

sudo systemctl reload firewalld
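Rich rules are built from strings, so a typo in an address or a stray quote in a service name produces either a rejected rule or a rule that is broader than intended. The script below is an added example (not the guide's own commands) that validates each source address and service name before generating the rule text, and optionally restricts the allowlisted source to one service instead of accepting all of its traffic. It assumes POSIX sh and an allowlist file of "address [service]" lines; the addresses used in the checks are documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original guide: build rich rules from a
# validated allowlist instead of hand-typing them.  Only IPv4 addresses with an
# optional /prefix and service names made of [A-Za-z0-9_-] are accepted.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac      # digits, dots, slash only
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32                  # no slash: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac       # leading/trailing/double dot
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print a rich rule allowing SOURCE ($1) to reach SERVICE ($2), or everything if $2 is empty.
build_allow_rule() {
    src="$1"; svc="$2"
    valid_ipv4_cidr "$src" || { printf 'invalid source: %s\n' "$src" >&2; return 1; }
    case "$svc" in
        *[!A-Za-z0-9_-]*) printf 'invalid service name: %s\n' "$svc" >&2; return 1 ;;
    esac
    if [ -n "$svc" ]; then
        printf 'rule family="ipv4" source address="%s" service name="%s" accept\n' "$src" "$svc"
    else
        printf 'rule family="ipv4" source address="%s" accept\n' "$src"
    fi
}

# Apply every line of an allowlist file ("address [service]", # comments allowed)
# to the saved configuration, then reload so the runtime firewall changes too.
apply_allowlist() {
    while read -r src svc _; do
        case "$src" in ''|'#'*) continue ;; esac
        rule=$(build_allow_rule "$src" "$svc") || return 1
        sudo firewall-cmd --permanent --add-rich-rule="$rule"
    done < "$1"
    sudo firewall-cmd --reload
}

# Stand-alone demonstration (constructed inputs, nothing is applied to the host).
build_allow_rule 12.34.56.78
build_allow_rule 10.10.10.0/24 ssh
```

Prefer the service-restricted form for anything other than a management host: "source address=X accept" bypasses every other rule in the zone for that source, while "service name=ssh" limits the exception to one port.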

Changing the Firewalld Backend

By default, firewalld uses nftables. You can switch to iptables by modifying the configuration file.

Step 1: Open the firewalld configuration file.

sudo nano /etc/firewalld/firewalld.conf

Step 2: Locate the FirewallBackend line and change it to iptables.

FirewallBackend=iptables

Step 3: Save the file and restart firewalld.

sudo systemctl restart firewalld

You can now use the iptables command to view rules.

How to Use iptables Commands with Firewalld

For advanced rules not directly supported by firewalld, you can use the --direct option to add raw iptables rules.

Step 1: Add an iptables rule using the --direct option. Replace the.first.ip.address and the.second.ip.address with your actual IPs.

sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p tcp --dport 25 -m statistic --mode nth --every 2 --packet 0 -j SNAT --to-source the.first.ip.address

sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 1 -p tcp --dport 25 -j SNAT --to-source the.second.ip.address

Step 2: Reload firewalld.

sudo systemctl reload firewalld

Firewalld in Failed State

If firewalld fails, it might revert to a default configuration.

Step 1: Check the firewall configuration.

sudo firewall-offline-cmd --check-config

Step 2: Examine the firewalld journals.

sudo journalctl -eu firewalld

Direct rules are stored in /etc/firewalld/direct.xml, and zone settings in .xml files under /etc/firewalld/zones/. If a rule is causing issues, you can edit or remove it from the corresponding file.

Step 3: Restart firewalld after making changes.

sudo systemctl restart firewalld
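When firewalld is in a failed state because of a direct rule, it helps to see each rule from direct.xml as the firewall-cmd line that created it, so the offending one can be removed with --remove-rule or re-added after fixing it. The script below is an added example, not part of this guide; SAMPLE_DIRECT_XML is a constructed file in the layout firewalld writes (attribute order does not matter to the parser), and the sample rules mirror the forwarding and SNAT rules from the earlier sections.

```shell
#!/bin/sh
# Added example, not part of the original guide: turn /etc/firewalld/direct.xml
# back into the firewall-cmd lines that created each rule.  SAMPLE_DIRECT_XML is
# CONSTRUCTED; on a real host run:  direct_xml_to_cmds < /etc/firewalld/direct.xml

SAMPLE_DIRECT_XML='<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1">-i wg0 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1">-s 10.10.10.0/24 -j ACCEPT</rule>
  <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-p tcp --dport 25 -j SNAT --to-source 198.51.100.10</rule>
</direct>'

# Extract one attribute value (e.g. chain) from a <rule ...> opening tag held in $2.
xml_attr() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Undo the XML escaping applied to the rule text (quotes, angle brackets, ampersands).
xml_unescape() {
    sed 's/&quot;/"/g; s/&lt;/</g; s/&gt;/>/g; s/&amp;/\&/g'
}

# Read direct.xml on stdin; print one firewall-cmd line per <rule>.
direct_xml_to_cmds() {
    grep '<rule ' | while IFS= read -r line; do
        attrs=${line%%>*}                # text up to the end of the opening tag
        args=${line#*>}                  # text after the opening tag ...
        args=$(printf '%s\n' "${args%%</rule>*}" | xml_unescape)   # ... minus </rule>
        printf 'firewall-cmd --permanent --direct --add-rule %s %s %s %s %s\n' \
            "$(xml_attr ipv "$attrs")" "$(xml_attr table "$attrs")" \
            "$(xml_attr chain "$attrs")" "$(xml_attr priority "$attrs")" "$args"
    done
}

# Only the rules whose command line mentions PATTERN (an interface, subnet, chain, target ...).
direct_rules_mentioning() {
    direct_xml_to_cmds | grep -F -- "$1"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DIRECT_XML" | direct_rules_mentioning wg0
```

Replace --add-rule with --remove-rule in a printed line to drop that rule through firewall-cmd rather than by hand-editing the XML; after a failed start, firewall-offline-cmd accepts the same --direct options.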

This tutorial should provide you with a basic understanding of firewalld on RHEL-based systems. Remember to test any firewall changes in a non-production environment first.