Firewalld-config: Complete guide for managing the firewall in Linux

Introduction to firewalld-config

In the world of Linux system administration, perimeter security is one of the fundamental pillars. Firewalld is the firewall daemon that has replaced iptables in many modern distributions, offering a dynamic and zone-based interface. This guide explores how to use both the command-line tool firewall-cmd and the graphical interface firewall-config to manage rules effectively and securely.

What is firewalld?

Firewalld acts as a management layer that works with the kernel’s netfilter. Instead of manipulating rules directly, it allows defining zones that represent different levels of trust. Each zone can have associated services, ports, and custom rules. The main advantage is the ability to apply changes in real time without interrupting established connections, and to make them permanent using the --permanent option.

Installation and Enablement

In RHEL-based distributions such as CentOS, Fedora, or Rocky Linux, firewalld comes preinstalled. If it is not present, it can be installed via the package manager:

  • sudo dnf install firewalld -y (on Fedora/Rocky)
  • sudo yum install firewalld -y (on RHEL/CentOS 7)

Once installed, enable and start it with:

  • sudo systemctl enable firewalld
  • sudo systemctl start firewalld

To verify its status, use sudo firewall-cmd --state.

Basic Concepts: Zones and Services

Firewalld includes several predefined zones, ordered from least to most trusted:

  • drop: drops all incoming traffic without any response.
  • block: rejects incoming traffic with an icmp-host-prohibited message.
  • public: recommended zone for servers exposed to the Internet.
  • external: used on interfaces acting as NAT gateways.
  • dmz: for computers placed in a demilitarized zone.
  • work: for workstations on trusted internal networks.
  • home: home environment.
  • internal: for trusted internal networks.
  • trusted: accepts all connections.

Services are preconfigured definitions that open ports and apply specific rules. For example, the http service opens port 80/tcp. You can list available services with sudo firewall-cmd --get-services and add one to a zone using:

sudo firewall-cmd --zone=public --add-service=http

To make it permanent, add the --permanent flag. Note that a --permanent change is only written to the configuration and does not affect the running firewall until you issue sudo firewall-cmd --reload (or also apply the same change at runtime); conversely, a runtime-only change is lost on reload or reboot.
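The runtime/permanent split above is a common source of drift: a port opened at runtime quietly disappears on reload, and a permanent rule added without a reload never takes effect. The following POSIX sh helper is an added example (not part of the article) that compares a zone's runtime and permanent service lists, as printed by firewall-cmd --zone=Z --list-services with and without --permanent, against an expected allowlist; the sample lists are constructed, and the zone name, allowlist and function names are assumptions for illustration.

```shell
#!/bin/sh
# Audit a firewalld zone for runtime/permanent drift and unexpected services.
# Inputs are the space-separated service lists firewall-cmd prints.

# set_diff A B: print every word of A that is not a word of B, one per line.
set_diff() {
  for w in $1; do
    case " $2 " in
      *" $w "*) ;;          # present in B: skip
      *) echo "$w" ;;       # only in A: report
    esac
  done
}

# audit_zone ZONE RUNTIME_SERVICES PERMANENT_SERVICES ALLOWED_SERVICES
# Prints one "kind:zone:service" finding per line; prints nothing when clean.
audit_zone() {
  zone=$1; runtime=$2; permanent=$3; allowed=$4
  # Active now but not saved: lost on reload, or an unrecorded change.
  for s in $(set_diff "$runtime" "$permanent"); do
    echo "runtime-only:$zone:$s"
  done
  # Saved but not active: someone forgot firewall-cmd --reload.
  for s in $(set_diff "$permanent" "$runtime"); do
    echo "not-loaded:$zone:$s"
  done
  # Active but outside the expected baseline for this zone.
  for s in $(set_diff "$runtime" "$allowed"); do
    echo "unexpected:$zone:$s"
  done
}

# On a real host (as root) you would feed live output, e.g.:
#   audit_zone public "$(firewall-cmd --zone=public --list-services)" \
#     "$(firewall-cmd --permanent --zone=public --list-services)" "ssh http"
# Constructed sample lists (not captured from a real system) for offline use:
SAMPLE_RUNTIME="cockpit dhcpv6-client http ssh"
SAMPLE_PERMANENT="cockpit dhcpv6-client ssh https"
SAMPLE_ALLOWED="ssh http dhcpv6-client"

audit_zone public "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" "$SAMPLE_ALLOWED"
```

Running the script as is reports http as runtime-only, https as not loaded, and cockpit as unexpected for the sample zone.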

Using firewall-cmd (CLI)

The command line is the fastest and scriptable way to manage firewalld. Some


This work is licensed under a Creative Commons Attribution 4.0 International License, by Francesc Roig, francesc@vivaldi.net.