Comprehensive Guide to Firewalld: From Beginner to Advanced




1. Introduction to Firewalld

Firewalld is a dynamic firewall management tool for Linux systems that provides a flexible way to manage network traffic using zones and rules. Unlike a static iptables rule set, which is usually reloaded as a whole for a change to take effect, Firewalld applies changes at runtime without disrupting existing connections.

Why Use Firewalld?

  • Provides a zone-based firewall configuration.
  • Supports both IPv4 and IPv6.
  • Offers runtime and permanent configurations.
  • Allows dynamic rules without restarting services.
  • Includes rich rules for more granular control.

2. Installing and Enabling Firewalld

Firewalld is pre-installed on most modern Linux distributions, but if it’s missing, you can install it using:

For RHEL, CentOS, Fedora:

sudo yum install firewalld -y

For Debian, Ubuntu:

sudo apt install firewalld -y

Start and Enable Firewalld

sudo systemctl start firewalld
sudo systemctl enable firewalld

Check Firewalld Status

sudo systemctl status firewalld

If the service is running, you should see "active (running)."

3. Understanding Firewalld Zones

Firewalld uses zones to define different levels of trust for network connections. Each zone has a set of predefined rules.

Common Firewalld Zones:



Zone       Description
drop       Drops all incoming traffic, allows outgoing.
block      Blocks all incoming traffic with ICMP rejection.
public     Default zone, minimal trust level.
external   Used for external-facing interfaces (e.g., NAT).
internal   For internal network communication.
trusted    Allows all incoming and outgoing traffic.
work       Designed for workplace networks, allowing selected services.
home       For home networks, permitting more trusted traffic.
dmz        Used for servers accessible to the public but isolated from the internal network.

Check the Active Zone:

sudo firewall-cmd --get-active-zones

Assign an Interface to a Zone:

sudo firewall-cmd --zone=public --change-interface=eth0 --permanent
sudo firewall-cmd --reload

Examples for Other Zones:

Set a Work Zone for an Interface:

sudo firewall-cmd --zone=work --change-interface=eth1 --permanent
sudo firewall-cmd --reload

Allow SSH in the Home Zone:

sudo firewall-cmd --zone=home --add-service=ssh --permanent
sudo firewall-cmd --reload

Allow HTTP and HTTPS in DMZ:

sudo firewall-cmd --zone=dmz --add-service=http --permanent
sudo firewall-cmd --zone=dmz --add-service=https --permanent
sudo firewall-cmd --reload

4. Managing Ports and Services

Firewalld allows enabling and disabling individual ports and named services per zone. A rule added with --permanent is written to the saved configuration and takes effect only after --reload; a rule added without --permanent takes effect immediately but is lost on the next reload. To keep both in step, run the command twice (with and without --permanent) or add the rule at runtime and then save it with sudo firewall-cmd --runtime-to-permanent.

Allowing a Port:

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

Allowing a Service:

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload

Removing a Port/Service:

sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
sudo firewall-cmd --reload

Listing Open Ports (in the default zone; add --zone=NAME for another zone):

sudo firewall-cmd --list-ports

5. Using Rich Rules for Advanced Firewall Control

Rich rules allow you to define complex firewall rules beyond simple port and service management.

Example 1: Allow SSH from a Specific IP

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent

sudo firewall-cmd --reload

Example 2: Block an IP Address

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.200" drop' --permanent

sudo firewall-cmd --reload
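The two rich rules above differ only in source, optional service or port, and action, so it is worth generating them from a small helper that validates the input before it reaches firewall-cmd. The following POSIX sh functions (addr_family, rich_rule and apply_rich_rule) are an added example written for this guide, not part of the original post or of the firewalld project; apply_rich_rule adds a rule to both the permanent and the runtime configuration so no --reload is needed, and honours a FIREWALL_CMD override for dry runs.

```shell
# Helpers of my own (not from firewalld) that build the text expected by
# firewall-cmd --add-rich-rule and reject malformed input before it is applied.

# Print ipv4 or ipv6 for an address or CIDR; fail on malformed input.
addr_family() {
    ip=$1; prefix=""
    case "$ip" in
        */*) prefix=${ip#*/}; ip=${ip%%/*}
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac ;;
    esac
    case "$ip" in
        *:*)  # IPv6: hex digits and colons only, prefix 0-128
            case "$ip" in *[!0-9a-fA-F:]*) return 1 ;; esac
            [ -z "$prefix" ] || [ "$prefix" -le 128 ] || return 1
            echo ipv6; return 0 ;;
        .*|*.|*..*) return 1 ;;   # IPv4 with an empty octet
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do case "$o" in *[!0-9]*) return 1 ;; esac; [ "$o" -le 255 ] || return 1; done
    [ -z "$prefix" ] || [ "$prefix" -le 32 ] || return 1
    echo ipv4
}

# rich_rule ACTION SOURCE [service NAME | port NUM/PROTO]  -> prints the rule text
rich_rule() {
    action=$1; src=$2; kind=${3:-}; value=${4:-}
    case "$action" in accept|drop|reject) ;; *) return 1 ;; esac
    family=$(addr_family "$src") || return 1
    rule="rule family=\"$family\" source address=\"$src\""
    case "$kind" in
        '') ;;
        service) rule="$rule service name=\"$value\"" ;;
        port) pnum=${value%/*}; proto=${value#*/}
            case "$pnum" in ''|*[!0-9]*) return 1 ;; esac
            [ "$pnum" -ge 1 ] && [ "$pnum" -le 65535 ] || return 1
            case "$proto" in tcp|udp) ;; *) return 1 ;; esac
            rule="$rule port port=\"$pnum\" protocol=\"$proto\"" ;;
        *) return 1 ;;
    esac
    echo "$rule $action"
}

# Add the rule to the permanent and the runtime config, so no reload is
# needed. Set FIREWALL_CMD=echo to dry-run and just print the commands.
apply_rich_rule() {
    zone=$1; shift
    rule=$(rich_rule "$@") || { echo "rejected rule: $*" >&2; return 1; }
    for mode in --permanent ""; do ${FIREWALL_CMD:-firewall-cmd} $mode --zone="$zone" --add-rich-rule="$rule" || return 1; done
}
```

For example, apply_rich_rule public accept 192.168.1.100 service ssh reproduces Example 1 above, and apply_rich_rule public drop 300.1.1.1 is refused before anything is changed.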

6. Managing Firewalld with Direct Rules

Firewalld also allows direct rules, which pass arguments straight through to iptables, ip6tables or ebtables. Direct rules bypass the zone model and are evaluated before the zone rules, so use them only for policies that a zone or rich rule cannot express.

Example: Allow Forwarding Traffic

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -j ACCEPT

sudo firewall-cmd --reload

7. Firewalld Logging and Monitoring

Monitoring logs helps in diagnosing firewall issues.

Enable Firewalld Logging:

sudo firewall-cmd --set-log-denied=all

View Logs in Real-Time:

sudo journalctl -f -u firewalld

This follows the firewalld daemon's own log (rule loading, errors). Packets dropped or rejected after --set-log-denied are logged by the kernel, so to watch those use sudo journalctl -k -f (or dmesg -w) instead.

8. Disabling or Resetting Firewalld

If needed, Firewalld can be disabled or reset to default settings.

Disable Firewalld:

sudo systemctl stop firewalld
sudo systemctl disable firewalld

Reset the Runtime Configuration (complete reload):

sudo firewall-cmd --complete-reload

Both --reload and --complete-reload discard runtime-only changes and reapply the permanent configuration; a complete reload additionally resets the netfilter state, so existing connections are interrupted. Neither deletes permanent rules, and firewall-cmd accepts only one of the two options per invocation.




Please like and subscribe to my YouTube channel: https://www.youtube.com/@foalabs. If you like this post, please follow, share and comment.