Firewalld is a dynamic firewall manager built on top of nftables (and formerly iptables) for managing and configuring network firewalls on Linux distributions. "Dynamic" means rules can be added or removed at runtime without flushing the whole ruleset and breaking established connections. It uses zones and services to simplify firewall configuration, offering a more flexible and understandable structure than traditional iptables rulesets.
Zones define the trust level of network connections or interfaces. Firewalld comes with several predefined zones (like public, home, internal, and dmz, plus the restrictive drop and block zones and the permissive trusted zone), each with default rules defining the allowed traffic. An interface or source address belongs to exactly one zone, and traffic that matches no bound interface or source is handled by the default zone.
Services in Firewalld are predefined rules that allow traffic based on service name; the definitions are XML files shipped with firewalld and can be listed with firewall-cmd --get-services. For example, allowing the http or ssh service enables traffic on TCP ports 80 and 22, respectively.
Individual ports or port ranges can be opened in specific zones, allowing traffic through these ports on the firewall, which is the option for listeners that have no predefined service.
Rich rules provide a powerful way to define detailed rules, including source and destination addresses, port forwarding, rate limiting, an explicit accept, reject or drop action, and logging for packets that match the rule.
Firewalld is installed by default on many Linux distributions. If it's not, you can install it using the package management system, then enable and start the service:
sudo apt install firewalld        (Debian/Ubuntu)
sudo yum install firewalld        (older RHEL/CentOS)
sudo dnf install firewalld        (Fedora, RHEL 8 and later)
sudo systemctl enable --now firewalld
The commands below change the runtime configuration unless --permanent is given. Runtime changes are lost on reload or reboot, and permanent changes do not take effect until firewall-cmd --reload (or a service restart). A safe working pattern is to test a rule at runtime first and then save it with firewall-cmd --runtime-to-permanent.
Show which zones are in use and the interfaces or sources bound to them:
firewall-cmd --get-active-zones
Set the default zone, which receives traffic from any interface or source not assigned elsewhere:
firewall-cmd --set-default-zone=public
Bind an interface to a zone. --add-interface fails with a zone conflict if the interface is already bound to another zone, while --change-interface moves it regardless. On hosts where NetworkManager manages the interface, the binding is normally set on the connection profile instead (nmcli connection modify <name> connection.zone public), otherwise NetworkManager may override it:
firewall-cmd --permanent --zone=public --add-interface=eth0
firewall-cmd --permanent --zone=public --change-interface=eth1
Allow a predefined service (here http, TCP port 80). As written this is a runtime-only change; add --permanent to the same command to make it persist across reboots:
firewall-cmd --zone=public --add-service=http
Open a single port or a port range:
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=5000-6000/udp
Add a rich rule allowing SSH only from 192.168.0.0/24 (values are quoted as in the firewalld.richlanguage syntax). Note that the public zone already allows the ssh service from any source, so this rule only restricts access once that service is removed from the zone with --remove-service=ssh:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" accept'
Activate the permanent configuration and review the resulting zone; --list-all is the quickest way to confirm exactly what is open before you end the session:
firewall-cmd --reload
firewall-cmd --list-all
Confirm that the service itself is running and enabled:
systemctl status firewalld
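The steps above are usually applied together as one baseline. The script below is an added example, not part of the original page or of the firewalld project: it builds the permanent configuration for a public-facing host (web ports open to all, SSH restricted to a management subnet, ping blocked) and prints the commands in dry-run mode by default so nothing is applied until you have reviewed it. The interface name eth0, the subnet 192.168.0.0/24 and the application port 8080/tcp are assumptions chosen for illustration.

```bash
#!/bin/bash
# Added example (not from the original page): build and apply a firewalld
# baseline for a public-facing host. Interface, management subnet and
# application port are assumptions; override them via the environment.
set -eu

ZONE="${ZONE:-public}"
IFACE="${IFACE:-eth0}"                  # assumption: primary NIC
MGMT_NET="${MGMT_NET:-192.168.0.0/24}"  # assumption: admin subnet allowed to reach SSH
APP_PORT="${APP_PORT:-8080/tcp}"        # assumption: application listener to expose
DRY_RUN="${DRY_RUN:-1}"                 # default: print only; DRY_RUN=0 applies for real

# Coarse sanity check on an IPv4 CIDR prefix length, so a typo is caught
# before firewall-cmd rejects it halfway through the batch.
is_ipv4_cidr() {
    case "$1" in
        */[0-9]|*/[12][0-9]|*/3[0-2]) return 0 ;;
        *) return 1 ;;
    esac
}

# rich_allow_from NET PORT PROTO: emit a rich rule allowing PORT/PROTO only from NET.
rich_allow_from() {
    is_ipv4_cidr "$1" || { echo "bad CIDR: $1" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' "$1" "$2" "$3"
}

# fw ARGS...: run firewall-cmd --permanent, or print the command in dry-run mode.
# Permanent changes are inert until --reload, so the order of the calls below
# does not open a window where SSH is reachable from everywhere.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd --permanent %s\n' "$*"
    else
        firewall-cmd --permanent "$@"
    fi
}

apply_baseline() {
    fw --zone="$ZONE" --change-interface="$IFACE"
    # Web traffic from anywhere, plus the application port.
    fw --zone="$ZONE" --add-service=http
    fw --zone="$ZONE" --add-service=https
    fw --zone="$ZONE" --add-port="$APP_PORT"
    # SSH only from the management subnet. The public zone ships with the ssh
    # service enabled, so the rich rule alone restricts nothing: remove the
    # service, then add the source-limited rule.
    fw --zone="$ZONE" --remove-service=ssh
    rule=$(rich_allow_from "$MGMT_NET" 22 tcp)
    fw --zone="$ZONE" --add-rich-rule="$rule"
    # Block echo-request (ping) without touching other ICMP types.
    fw --zone="$ZONE" --add-icmp-block=echo-request
}

# Load the permanent config and show the zone so the operator can check what is open.
activate_and_show() {
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-all
}

if [ "$DRY_RUN" = 1 ]; then
    apply_baseline
elif command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    apply_baseline
    activate_and_show
else
    echo "firewalld is not running; nothing applied" >&2
    exit 1
fi
```

Run it once with the default DRY_RUN=1 from an existing SSH session and compare the printed commands against the management subnet you actually connect from; only then run DRY_RUN=0. Because the ssh service is removed and re-allowed by a rich rule in the same permanent batch, the new restriction becomes live atomically at --reload rather than one command at a time.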
To verify that a specific port is actually reachable from outside, run the probe from another host, not from the firewall itself (local connections travel over loopback and bypass the zone rules), using the nc (netcat) command or a similar tool. The following example checks whether port 80 is open:
nc -zv <firewall-ip-address> 80
Replace <firewall-ip-address> with the IP address of the system running Firewalld. If the port is open, nc reports a successful connection. Read a failure carefully: with the public zone's default target, blocked packets are rejected with an ICMP error, so nc typically reports "No route to host"; a plain "Connection refused" means the firewall let the packet through but no service is listening on that port; a hang until timeout indicates a DROP target (for example the drop zone) or a network path problem.
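The three failure modes just described are what an external check should report, and nc -z alone cannot separate them because it exits 1 for every failure. The script below is an added example, not from the original page: it uses bash's /dev/tcp under timeout(1) so that the connect error text and the timeout exit status classify the result as open, closed (reachable but nothing listening), rejected (ICMP error from the firewall) or filtered (silently dropped). The timeout of 3 seconds is an arbitrary default.

```bash
#!/bin/bash
# Added example (not from the page): probe a TCP port from a client and say
# why it failed. bash's /dev/tcp is used instead of nc -z because nc returns 1
# for every failure, while bash's connect error text plus timeout(1)'s exit
# status 124 separate "nothing listening" from "rejected" from "dropped".

# classify EXIT_STATUS ERROR_TEXT -> open | closed | rejected | filtered | error
classify() {
    rc=$1; msg=$2
    if [ "$rc" -eq 0 ]; then
        echo open                      # handshake completed: allowed and listening
    elif [ "$rc" -eq 124 ]; then
        echo filtered                  # no reply before the deadline: DROP target or host down
    else
        case "$msg" in
            *refused*)            echo closed ;;    # RST: passed the firewall, no listener
            *"No route to host"*) echo rejected ;;  # ICMP host-prohibited from a reject rule
            *)                    echo error ;;     # DNS failure, unreachable network, etc.
        esac
    fi
}

# probe HOST PORT [TIMEOUT_SECONDS]: prints "HOST:PORT <classification>"
probe() {
    host=$1; port=$2; t=${3:-3}
    # Run the connect in a child bash so timeout can kill it; capture its stderr.
    if msg=$(timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    printf '%s:%s %s\n' "$host" "$port" "$(classify "$rc" "$msg")"
}

# Usage: ./probe.sh <firewall-ip-address> 80 [timeout]
if [ $# -ge 2 ]; then
    probe "$@"
fi
```

Run it from the client side against each port you changed; "rejected" is the normal answer for a port the public zone does not allow, "closed" means the rule is fine and the service is the problem, and "filtered" means a DROP target or a path issue. Note that the "No route to host" text comes from the client's libc, so on non-Linux clients the message for a rejected connection may differ.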
To stop a zone from answering ICMP echo requests (ping), block that single ICMP type; this is a zone setting, not a rich rule:
firewall-cmd --permanent --zone=public --add-icmp-block=echo-request
firewall-cmd --reload
The available type names are listed with firewall-cmd --get-icmptypes, and the firewalld echo-request type covers both IPv4 and IPv6. A broader option is ICMP block inversion:
firewall-cmd --permanent --zone=public --add-icmp-block-inversion
firewall-cmd --reload
Inversion flips the zone's ICMP handling so that every type not explicitly listed with --add-icmp-block is blocked; with no types listed it blocks all ICMP in the zone, including the error messages path MTU discovery depends on, so prefer blocking individual types unless you really want that effect.
To allow Virtual Router Redundancy Protocol (VRRP) traffic, as used by keepalived, add a rich rule that accepts the protocol (IP protocol 112; no family is given, so the rule applies to both IPv4 and IPv6):
firewall-cmd --permanent --zone=public --add-rich-rule='rule protocol value="vrrp" accept'
firewall-cmd --reload
Newer firewalld versions also accept the shorter zone option --add-protocol=vrrp. VRRP advertisements are multicast to 224.0.0.18, and any host on the segment can send them, so on a shared network restrict the rich rule with source address="<peer-address>" to the other router rather than accepting VRRP from everyone.