Linux System Administration

TCP/IP Firewall and IP Masquerade

firewalld: A Firewall Utility

Firewalld: The Dynamic Firewall Manager

Zone-Based Firewall for Linux Systems

Introduction to Firewalld

While UFW is the default firewall utility for Ubuntu, other Linux distributions like CentOS, Fedora, and RHEL commonly use Firewalld. Firewalld is a dynamic firewall management tool that provides a simpler way to manage firewall rules compared to directly using iptables.

Its key distinguishing feature is its **zone-based** approach. Instead of directly managing individual rules, Firewalld allows you to define different security zones (like ‘public’, ‘home’, ‘internal’) and assign network interfaces or source addresses to these zones. Each zone has a predefined set of rules, making it easier to manage security policies for different network environments.

Why Use Firewalld?

Firewalld offers several advantages, particularly in server environments and for administrators managing complex networks:

  • Dynamic Updates: Rules can be changed without restarting the firewall service, which is crucial for active servers.
  • Zone-Based Management: Simplifies policy management by grouping network connections into trusted zones.
  • Service Definitions: Pre-defined services (like HTTP, SSH) make it easy to open common ports without knowing the port number.
  • Runtime & Permanent Configurations: Allows testing rules in runtime before making them permanent.
  • Interface with iptables/nftables: Like UFW, it acts as a frontend, but it can use either iptables or the newer nftables as its backend.

Core Concepts: Zones

Zones are the heart of Firewalld. Each zone defines a level of trust for network connections. When an interface or source IP is assigned to a zone, it inherits that zone’s rules.

Common Zones:

  • public: For untrusted networks, where you only accept selected incoming connections.
  • home: For home environments, trusting other computers on the network.
  • internal: For internal networks, trusting most connections.
  • trusted: All network connections are accepted.
  • drop: All incoming packets are dropped without a reply.

You can assign network interfaces (e.g., `eth0`, `wlan0`) or specific source IP addresses to a zone.

Installation & Basic Usage

Firewalld is typically pre-installed on RHEL/CentOS/Fedora. If not, you can install it.

Check Firewalld Status

To see if Firewalld is running:

sudo systemctl status firewalld

Install Firewalld (if needed)

On RHEL/CentOS/Fedora systems:

sudo yum install firewalld
# Or for newer systems:
sudo dnf install firewalld

Enable & Start Firewalld

To enable Firewalld to start on boot and start it immediately:

sudo systemctl enable firewalld
sudo systemctl start firewalld

To stop it:

sudo systemctl stop firewalld

Get Active Zones

To see which zones are currently active:

sudo firewall-cmd --get-active-zones

Common Firewalld Commands

Firewalld commands typically involve specifying the zone and whether the change is temporary (runtime) or permanent.

Allow a Service (e.g., SSH)

To allow SSH in the public zone (runtime, then permanent):

sudo firewall-cmd --zone=public --add-service=ssh
sudo firewall-cmd --zone=public --add-service=ssh --permanent

To load the permanent rules into the running firewall (changes made only with `--permanent` take effect after this step):

sudo firewall-cmd --reload

Allow a Port (e.g., HTTP)

To allow HTTP (port 80) in the public zone:

sudo firewall-cmd --zone=public --add-port=80/tcp
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent

To remove a port:

sudo firewall-cmd --zone=public --remove-port=80/tcp --permanent

Allow from Specific IP Address

To assign a specific source IP to the public zone, so that traffic from it is handled by that zone’s rules:

sudo firewall-cmd --zone=public --add-source=192.168.1.100
sudo firewall-cmd --zone=public --add-source=192.168.1.100 --permanent

List Rules for a Zone

To see all rules for the public zone:

sudo firewall-cmd --zone=public --list-all
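Because runtime and permanent rules are separate, a rule added without `--permanent` disappears at the next `--reload` or reboot, and one added only with `--permanent` is not active until then. The following is an added example, not part of the lesson, that parses the output of `firewall-cmd --zone=public --list-all` with and without `--permanent` and reports the differences; both sample outputs are constructed.

```python
"""Added example (not from the lesson): find drift between a firewalld zone's
runtime and permanent configuration by parsing `firewall-cmd --zone=<zone>
--list-all` output with and without `--permanent`. Samples are constructed."""
import re

# Constructed sample of `firewall-cmd --zone=public --list-all` (runtime).
RUNTIME = """\
public (active)
  target: default
  interfaces: eth0
  sources: 192.168.1.100
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp
  rich rules:
"""

# Constructed sample with --permanent: the source and port above were never
# saved, while http was added with --permanent and not yet reloaded.
PERMANENT = """\
public
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh http
  ports:
  rich rules:
"""

# Fields whose values are space-separated lists of independent entries.
LIST_FIELDS = ("interfaces", "sources", "services", "ports", "protocols",
               "forward-ports", "source-ports", "icmp-blocks")

def parse_list_all(text):
    """Map each list-valued field of --list-all output to a set of entries."""
    fields = {name: set() for name in LIST_FIELDS}
    for line in text.splitlines()[1:]:  # first line is the zone header
        m = re.match(r"\s+([\w-]+):\s*(.*)$", line)
        if m and m.group(1) in fields:
            fields[m.group(1)] = set(m.group(2).split())
    return fields

def zone_drift(runtime_text, permanent_text):
    """Return (runtime_only, permanent_only): entries present on one side only."""
    rt, pm = parse_list_all(runtime_text), parse_list_all(permanent_text)
    lost = {f: sorted(rt[f] - pm[f]) for f in LIST_FIELDS if rt[f] - pm[f]}
    pending = {f: sorted(pm[f] - rt[f]) for f in LIST_FIELDS if pm[f] - rt[f]}
    return lost, pending  # lost: gone after --reload; pending: applied by it

if __name__ == "__main__":
    print(zone_drift(RUNTIME, PERMANENT))
```

On a live system, capture the two `firewall-cmd` outputs and pass them to `zone_drift` before running `--reload`, so nothing is lost or activated unexpectedly.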

Firewalld vs. iptables vs. UFW

All three tools interact with the Linux kernel’s netfilter subsystem, but they offer different levels of abstraction and management styles.

  • iptables: The low-level utility for directly configuring netfilter. Offers maximum control but is complex and requires deep understanding of packet flow. Changes are not dynamic by default.
  • UFW: A high-level frontend for iptables, primarily used on Ubuntu. Simplifies common tasks with straightforward commands. It’s rule-based and less dynamic than Firewalld.
  • Firewalld: A dynamic, zone-based firewall manager. It’s a higher-level abstraction than iptables and offers more flexibility for managing different network environments compared to UFW’s simpler approach. It’s the default on many RHEL-based distributions.
Diagram: Firewalld → iptables/nftables → Netfilter (Kernel)

The choice between UFW and Firewalld often depends on the Linux distribution you are using and your preference for managing firewall rules (simple rule-based vs. dynamic zone-based).