Firewalld is a firewall service that is used on modern Linux distributions such as Rocky Linux or Red Hat Enterprise. Firewalld offers flexible management via zones and service definitions, without the need for traditional and manual creation of long iptable rules. Firewalld automatically abstracts the necessary iptable rules and sets them conveniently via Firewalld service on the respective system (netfilter kernel module). The focus here is on simple administration and rapid adaptability.<\/p>\n\n\n\n
zones<\/code> define the trust level of the network connections \/ interfaces connected to the server. They enable differentiated handling of incoming and outgoing traffic based on the assigned security level.
The public zone is considered to be particularly restrictive and is intended for untrusted networks.<\/li>\n\n\n\n- Services:<\/strong> The
services<\/code> in Firewalld represent predefined rule sets to control access to certain network services \/ ports in a standardised way. This includes frequently used protocols and application ports such as HTTP<\/code>, SSH<\/code>etc.<\/li>\n<\/ul>\n\n\n\n\nGeneral use of the public zone for increased security<\/h5>\nAs already mentioned, the Public Zone<\/strong> for the Intended for use in insecure or public networks<\/strong> and offers the most restrictive configuration<\/strong>. This minimises the risk of unwanted access and is particularly important for interfaces that are directly connected to the Internet. The assignment of an interface to the public zone and the subsequent careful configuration of the permitted services and ports is generally recommended - even in apparently secure, internal server networks (Zero trust approach<\/strong>).<\/cite><\/blockquote>\n\n\n\nZone management<\/h4>\n\n\n\n\n- List active zones:<\/strong>
# firewall-cmd --list-all-zones<\/code> shows all configured zones and their settings.<\/li>\n\n\n\n- Change the zone for an interface:<\/strong> With
# firewall-cmd --zone=public --change-interface=eth0<\/code> the network interface can be eth0<\/strong> the Public Zone<\/strong> can be assigned.<\/li>\n<\/ul>\n\n\n\nManaging services<\/h4>\n\n\n\n\n- Add a service (service):<\/strong>
# firewall-cmd --zone=public --add-service=http<\/code> allows HTTP traffic (Port 80\/TCP<\/strong>) in the Public Zone. For persistent changes<\/strong> is additionally assigned to the command \"--permanent<\/code>\" attached.<\/li>\n\n\n\n- Remove service:<\/strong>
# firewall-cmd --zone=public --remove-service=http<\/code> removes the release again. Persistent changes also require the \"--permanent<\/code>\" Flag.<\/li>\n\n\n\n- Display of all currently authorised services<\/strong>:
# firewall-cmd --list-services<\/code><\/li>\n<\/ul>\n\n\n\nAdding and removing new ports<\/h4>\n\n\n\n\n- Add custom port:<\/strong>
# firewall-cmd --zone=public --add-port=5000\/tcp<\/code> opens TCP port 5000 in the public zone.
For a permanent change also here \"--permanent<\/code>\" do not forget.<\/li>\n\n\n\n- Close custom port:<\/strong>
# firewall-cmd --zone=public --remove-port=5000\/tcp<\/code> closes the port again.<\/li>\n\n\n\n- Display all authorised ports<\/strong>:
# firewall-cmd --list-ports<\/code><\/li>\n<\/ul>\n\n\n\nPro tip<\/strong>: To keep all current allowed services or ports<\/strong> is the easiest way to display # firewall-cmd --list-all<\/code> used.<\/pre>\n\n\n\n# firewall-cmd --list-all\npublic (active)\n target: default\n icmp-block-inversion: no\n interfaces: bridge0_to_LAN bridge1_to_RP enp1s0f0 enp1s0f1 enp1s0f2 enp1s0f3 storage-bond0\n sources:\n services: cockpit dhcpv6-client http https plex ssh\n ports: 6060\/tcp 6062\/tcp 6063\/tcp 6064\/tcp 6065\/tcp 8080\/tcp 6061\/tcp 7020\/tcp 7015\/tcp 7030\/tcp 7040\/tcp 6066\/tcp 5601\/tcp 9200\/tcp 19999\/tcp 32401\/tcp 5044\/tcp 7041\/tcp 3000\/tcp 6067\/tcp 81\/tcp 6070\/tcp 8443\/tcp 9300\/tcp 6071\/tcp 6622\/tcp 2342\/tcp 6072\/tcp 7031\/tcp 7042\/tcp 3005\/tcp 7043\/tcp 7029\/tcp 9003\/tcp 8000\/tcp\n protocols:\n forward: no\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:<\/code><\/pre>\n\n\n\nCreate customised services<\/h3>\n\n\n\n
If, for example, you deploy your own software that requires several ports via different protocols such as TCP or UDP, it makes sense that all ports belonging to the service in question can also be defined and maintained uniformly on the Linux system. The procedure is quite simple:<\/p>\n\n\n\n
\n- Define new service:<\/strong> Under \"
\/etc\/firewalld\/services\/<\/code>\" a new XML file<\/strong> for the service to be defined.<\/li>\n<\/ul>\n\n\n\nAn example of such a definition could look like this:<\/p>\n\n\n\n
plex\n Needed Ports for Plex Server<\/code><\/pre>\n\n\n\nAfter creating a new service definition, in our case \"plex\", under the specified path, Firewalld must be reloaded before the newly defined service can then be started with
# firewall-cmd --zone=public --add-service=plex<\/code> can be activated.<\/p>\n\n\n\n\n- Re-read service files:<\/strong> With
# firewall-cmd --reload<\/code> all changes are read in again by Firewalld and the new services can then be added to the zone.<\/li>\n<\/ul>\n\n\n\nImportant details about the persistent rules<\/h3>\n\n\n\n
Persistent rules are used when defining<\/strong> from Firewalld exclusively in the configuration<\/strong>in the example of the public zone under \"\/etc\/firewalld\/zones\/public.xml<\/code>\u00ab, written<\/strong>. This allows them to be loaded automatically when the system is restarted. Important<\/strong>But that means, that newly defined persistent rules are not applied immediately.<\/strong> Therefore, the definition in the Runtime, i.e. either again without \"--persistant<\/code>\" necessary, or the simpler variant<\/strong>by reloading the firewall configuration with # firewall-cmd --reload<\/code>.
This ensures that all changes to the persistant configuration are active (reloaded) and can also be used as a test to see whether all connections still work as they should after a reboot.<\/p>\n\n\n\nSummary<\/h3>\n\n\n\n
Firewalld provides an advanced and scalable solution for firewall management on Rocky Linux or Red Hat based systems. By using zones and services, administrators can effectively plan and control network traffic and generally increase transparency and security. Observing best practices, such as using the public zone not only for insecure networks, as well as testing persistent changes or restrictive rules, are important first steps towards a secure IT landscape in your organisation.<\/p>","protected":false},"excerpt":{"rendered":"
Firewalld is a firewall service that runs on modern Linux distributions such as Rocky Linux or Red Hat Enterprise ... <\/p>\n