Configure FirewallD on Linux Server: Step-by-Step Setup Guide

FirewallD is a firewall management service used in modern Linux systems to dynamically configure and apply firewall rules without restarting the service. It uses the concept of zones to manage incoming traffic based on trust levels and provides predefined services for easy rule creation. To configure FirewallD, administrators can use its flexible command-line tools and integration with system services, which simplifies complex firewall setups.

Configure FirewallD on a Linux

This guide explains how to install, manage, and configure FirewallD on a Linux server to enhance system security and network traffic control.

Prerequisites

Before starting, ensure the following:

  • A Linux system (RHEL, CentOS, Fedora, AlmaLinux, Rocky Linux, or Ubuntu)
  • Root or sudo privileges
  • An active internet connection
  • Terminal or SSH access to the server
  • firewalld installed (or installable via system package manager)

Configure FirewallD on Linux

The configuration of FirewallD involves multiple steps, including installing the service, understanding zone and service concepts, and applying rules. Each section below covers a core aspect of using FirewallD.

Install FirewallD

FirewallD may already be installed on most RHEL-based systems. To confirm:

firewall-cmd --version

If it is not installed, install it with the command for your distribution:

# For RHEL/CentOS/Fedora
sudo dnf install firewalld
# For Ubuntu/Debian
sudo apt install firewalld

Start and enable the FirewallD service:

sudo systemctl start firewalld
sudo systemctl enable firewalld

Check its status:

sudo systemctl status firewalld

Understand FirewallD Zones

Zones define the trust level of a network connection. Each zone can have different rules and apply to specific network interfaces. Common zones include:

  • public: Default zone, used for untrusted networks
  • internal: Used for trusted networks like private LANs
  • dmz: Used for servers exposed to the internet

To list all available zones:

firewall-cmd --get-zones

To view the default zone:

firewall-cmd --get-default-zone

To assign a network interface (e.g., eth0) to a zone:

sudo firewall-cmd --zone=internal --change-interface=eth0 --permanent
sudo firewall-cmd --reload

To change the system default zone:

sudo firewall-cmd --set-default-zone=internal


List and Manage Services in Zones

FirewallD supports predefined services like SSH, HTTP, HTTPS, etc., allowing traffic without manually specifying ports.

To view available services:

firewall-cmd --get-services

To allow a service in a zone:

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload

To remove a service:

sudo firewall-cmd --zone=public --remove-service=http --permanent
sudo firewall-cmd --reload

Open or Close Custom Ports

Custom applications often use non-standard ports. These can be manually opened or closed.

To allow TCP port 8080:

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

To remove the same port:

sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent
sudo firewall-cmd --reload

You can also specify UDP or a port range with the same port/protocol syntax (for example --add-port=5000-5010/udp).

View Active Rules and Status

To list all active settings in the default zone:

firewall-cmd --list-all

To check settings for a specific zone:

firewall-cmd --zone=public --list-all

To check which interfaces are assigned to which zones:

firewall-cmd --get-active-zones

Temporary vs Permanent Rules

FirewallD allows two types of rule changes:

  • Runtime (temporary): Applied immediately, but lost on reload or reboot
  • Permanent: Saved to the configuration on disk and persist across reboots (requires --permanent), but not active until the next reload

To make a rule permanent, always add --permanent and then reload so the saved configuration becomes active:

sudo firewall-cmd --reload

Without --permanent, rules apply immediately but won’t survive a reboot; with --permanent alone, they are saved but do not take effect until you reload.
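The drift between runtime and permanent configuration described above is easy to miss on a long-running host. The following script, added here as an example and not part of the original guide, audits a zone's runtime --list-all output against an allowlist and reports entries that exist only at runtime (lost on reload) or only in the permanent configuration (not yet active). It runs offline on constructed sample output; the allowlist and the sample zone contents are assumptions.

```shell
#!/bin/bash
# Added example (not from the original guide): audit a zone's runtime rules
# against an allowlist and detect runtime-vs-permanent drift. The two blobs are
# constructed samples of `firewall-cmd --zone=public --list-all` and the same
# command with --permanent; on a real host capture them with:
#   RUNTIME=$(sudo firewall-cmd --zone=public --list-all)
#   PERMANENT=$(sudo firewall-cmd --zone=public --permanent --list-all)
RUNTIME_SAMPLE='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client http https ssh telnet
  ports: 8080/tcp
  forward-ports:
  rich rules:'
PERMANENT_SAMPLE='public
  target: default
  interfaces: eth0
  services: dhcpv6-client http https ssh
  ports:
  forward-ports:
  rich rules:'
# Services this host is meant to expose (an assumption made for the example)
ALLOWED_SERVICES='ssh http https dhcpv6-client'

# Print the value of one --list-all field ($1, e.g. services or ports) from text $2
zone_field() {
    printf '%s\n' "$2" | sed -n "s/^  $1: *//p"
}

# Print the words of $2 that do not occur in the space-separated set $1
not_in() {
    local w out=""
    for w in $2; do
        case " $1 " in *" $w "*) ;; *) out="$out $w" ;; esac
    done
    printf '%s' "${out# }"
}

# Runtime services not on the allowlist ($1 = allowlist, $2 = list-all output)
audit_services() { not_in "$1" "$(zone_field services "$2")"; }

# Entries of field $1 present in list-all output $2 but missing from $3
field_diff() { not_in "$(zone_field "$1" "$3")" "$(zone_field "$1" "$2")"; }

echo "Not on allowlist:      $(audit_services "$ALLOWED_SERVICES" "$RUNTIME_SAMPLE")"
echo "Runtime-only services: $(field_diff services "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE")"
echo "Runtime-only ports:    $(field_diff ports "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE")"
echo "Permanent-only (inactive until reload): $(field_diff services "$PERMANENT_SAMPLE" "$RUNTIME_SAMPLE")"
```

Run it from cron or a configuration check and treat any non-empty line as a finding: runtime-only entries will silently disappear at the next reload, and services off the allowlist are exposure you did not plan for.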

Enable Logging and View Denied Packets

To monitor dropped or rejected packets, enable denied logging:

sudo firewall-cmd --set-log-denied=all

To view the log lines (they are written by the kernel's netfilter LOG rules, so look in the kernel log rather than the firewalld daemon messages):

sudo journalctl -k | grep -E 'REJECT|DROP'

Set logging back to default if needed:

sudo firewall-cmd --set-log-denied=off
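An added example (not from the original guide) that turns the denied-packet log lines into a per-port count and a list of sources that trip a threshold, which is what you would feed into an alert. It runs offline on constructed sample lines; the REJECT/DROP log prefixes in the sample and the threshold value are assumptions.

```shell
#!/bin/bash
# Added example (not from the original guide): summarise denied-packet log lines.
# LOG_SAMPLE is a constructed sample of kernel log lines in the format the
# netfilter LOG rules added by --set-log-denied=all produce; on a real host use:
#   LOG=$(sudo journalctl -k --since "1 hour ago")
LOG_SAMPLE='Jun 01 10:00:01 host kernel: filter_IN_public_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=23 SYN
Jun 01 10:00:02 host kernel: filter_IN_public_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=3389 SYN
Jun 01 10:00:03 host kernel: filter_IN_public_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51236 DPT=23 SYN
Jun 01 10:00:04 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=5353
Jun 01 10:00:05 host firewalld[812]: WARNING: daemon message, not a denied packet'

# Count denied packets per protocol/destination port, most frequent first.
# Only lines carrying a REJECT or DROP log prefix are considered.
denied_by_port() { # $1 = log text; prints "<count> <proto>/<dport>" per line
    printf '%s\n' "$1" | awk '
        /_REJECT: |_DROP: / {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (dpt != "") n[proto "/" dpt]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# List source addresses with at least $2 denied packets (a simple
# "one host probing several closed ports" indicator for alerting).
noisy_sources() { # $1 = log text, $2 = threshold
    printf '%s\n' "$1" | awk -v min="$2" '
        /_REJECT: |_DROP: / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) c[substr($i, 5)]++
        }
        END { for (s in c) if (c[s] >= min) print s }' | sort
}

echo "Denied packets by port:"
denied_by_port "$LOG_SAMPLE"
echo "Sources with 3 or more denied packets:"
noisy_sources "$LOG_SAMPLE" 3
```

With --set-log-denied=all on a busy host the kernel log grows quickly, so either narrow the setting (for example to unicast only) or ship the lines to a log collector before summarising them.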

Remove or Reset Rules

To remove individual rules from a zone (here the ssh service and TCP port 80; remove ssh only if you have another way to reach the host):

sudo firewall-cmd --zone=public --remove-service=ssh --permanent
sudo firewall-cmd --zone=public --remove-port=80/tcp --permanent
sudo firewall-cmd --reload

To reload FirewallD completely, including the netfilter kernel modules (this discards connection-tracking state, so active connections are likely to be terminated; it does not revert your configuration):

sudo firewall-cmd --complete-reload

To restore the factory default zone configuration, back up and then remove the customized zone files from /etc/firewalld/zones/ (firewalld falls back to the packaged defaults in /usr/lib/firewalld/zones/) and reload:

sudo cp -a /etc/firewalld/zones /root/firewalld-zones.bak
sudo rm -f /etc/firewalld/zones/*.xml
sudo firewall-cmd --reload

Conclusion

This guide explained how to configure FirewallD on a Linux system by covering installation, zone management, service and port control, rule verification, logging, and reset options. FirewallD offers a dynamic, zone-based approach to firewall configuration, making it suitable for both production and development environments. Regular rule audits and proper zone mapping are recommended to maintain optimal security and accessibility. For more information, visit the official FirewallD Documentation.
