Over the past few months, I feel like I’ve been on a tear with deploying Linux. Most of the deployments are for hosting various services in support of several new applications and tools. In all instances, RHEL was used and poking holes through its firewall was required. I figured this was a good opportunity to dust off some RHEL firewall basics and present them here.
As it relates to RHEL 9, let’s talk about firewalld and nftables.
- firewalld – a management daemon that gives the admin a zone-based front end for firewall rules. You normally drive it from the command line with the firewall-cmd command.
- nftables – the Linux kernel's packet filtering framework, which holds and enforces the actual filtering and traffic rules for IPv4, IPv6, and other protocols. On RHEL 9, firewalld uses nftables as its backend.
In a nutshell, you use firewalld to manage the rules that nftables enforces. firewalld is:
- Zone based – a zone defines a level of trust for a network connection, and every interface or source address is assigned to one. The public zone, meant for untrusted networks, accepts only a few selected services by default (on RHEL 9 that is ssh, dhcpv6-client and cockpit) and rejects everything else. The home zone assumes a more trusted network and additionally allows things like mDNS and Samba client traffic.
- Service aware – predefined services like https and dns bundle the ports and protocols, so you don't have to remember 443/tcp for https or 53 over both tcp and udp for dns.
- Runtime vs Permanent aware – a change can be limited to the runtime configuration (in effect now, lost on reload or reboot) or written to the permanent configuration on disk.
Common Commands
| Action | Command |
| --- | --- |
| Check Status | sudo firewall-cmd --state |
| List Everything (default zone) | sudo firewall-cmd --list-all |
| Add a Service | sudo firewall-cmd --add-service=https --permanent |
| Open a Port | sudo firewall-cmd --add-port=8080/tcp --permanent |
| Reload Config | sudo firewall-cmd --reload |
| Check Active Zones | sudo firewall-cmd --get-active-zones |
Below are some examples of adding several permanent rules using firewall-cmd. With no --zone given, the rules land in the default zone (public on a stock RHEL 9 install). You must reload the configuration to activate the changes.
```bash
sudo firewall-cmd --add-port=8383/tcp --permanent
sudo firewall-cmd --add-port=4200-4300/tcp --permanent
sudo firewall-cmd --add-port=53/udp --permanent
```
If you run a command without the --permanent flag, the rule is applied instantly to the running firewall. You do not need to reload, but the rule disappears on reboot, when the firewalld service restarts, and also when you run firewall-cmd --reload, since a reload replaces the runtime configuration with what is on disk. The command below opens 443/tcp in runtime only:
```bash
sudo firewall-cmd --add-port=443/tcp
```
If you include the --permanent flag, the rule is written to the configuration files on disk so that it persists across reboots, but it is not applied to the live system immediately. To make it active, you must reload the configuration, as in the example below. (The alternative workflow is to make the change in runtime first, test it, and then copy the whole runtime configuration to disk with sudo firewall-cmd --runtime-to-permanent.)
```bash
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --reload
```
One last thing to cover is removing a rule. The same permanent and runtime idea applies: --remove-port without --permanent closes the port in the running firewall right away, while the form below removes it from the on-disk configuration and then reloads so the live ruleset matches.
```bash
sudo firewall-cmd --remove-port=443/tcp --permanent
sudo firewall-cmd --reload
```
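The add/reload and remove/reload steps above are easy to half-do: a typo in the port spec gets rejected by firewall-cmd but the script marches on, or the permanent rule is written and nobody checks that the reload actually made it live. The following is an added example, not code from the original post, that wraps both procedures in shell functions which validate the port spec first and then confirm the rule's presence (or absence) in the runtime and permanent configuration with --query-port. The function names, the FIREWALL_CMD variable (a hook of this script so a wrapper or test double can be swapped in; it is not a firewalld setting) and the zone name are assumptions of the example; it expects firewall-cmd on PATH and to be run as root or under sudo.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Wraps the permanent-rule
# workflow (add or remove, reload, then verify) in two functions so a
# malformed port spec never reaches the firewall and a "succeeded" call
# really means the rule is live. Assumes firewall-cmd is on PATH and
# the script runs as root or under sudo. FIREWALL_CMD is this script's
# own variable (not a firewalld setting) so a test double can stand in.
set -u
: "${FIREWALL_CMD:=firewall-cmd}"

# Accept the forms firewall-cmd takes: "8383/tcp", "4200-4300/tcp",
# "53/udp". Reject a missing or misspelt protocol, ports outside
# 1-65535 and reversed ranges.
fw_valid_port_spec() {
  local spec=${1:-} ports proto lo hi
  case "$spec" in '' | *[!0-9a-z/-]*) return 1 ;; esac
  ports=${spec%/*}
  proto=${spec##*/}
  [ "$ports" != "$spec" ] || return 1          # no "/proto" at all
  case "$proto" in tcp | udp | sctp | dccp) ;; *) return 1 ;; esac
  lo=${ports%-*}
  hi=${ports##*-}
  case "$lo" in '' | *[!0-9]*) return 1 ;; esac
  case "$hi" in '' | *[!0-9]*) return 1 ;; esac
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Open ZONE/SPEC permanently, reload so it becomes active, then confirm
# it is present in both the runtime and the permanent configuration.
# Re-adding a rule that already exists is harmless: firewall-cmd warns.
fw_open_port() {
  local zone=$1 spec=$2
  fw_valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
  "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$spec" >/dev/null || return 1
  "$FIREWALL_CMD" --reload >/dev/null || return 1
  # --query-port exits 0 when the rule exists, 1 when it does not
  "$FIREWALL_CMD" --zone="$zone" --query-port="$spec" >/dev/null &&
    "$FIREWALL_CMD" --permanent --zone="$zone" --query-port="$spec" >/dev/null
}

# Remove ZONE/SPEC from the permanent configuration, reload, and confirm
# the rule is gone from the live ruleset.
fw_close_port() {
  local zone=$1 spec=$2
  fw_valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
  "$FIREWALL_CMD" --permanent --zone="$zone" --remove-port="$spec" >/dev/null || return 1
  "$FIREWALL_CMD" --reload >/dev/null || return 1
  ! "$FIREWALL_CMD" --zone="$zone" --query-port="$spec" >/dev/null
}

# Usage (as root): fw_open_port public 8383/tcp ; fw_close_port public 8383/tcp
```

Two design points: the zone is always passed explicitly rather than relying on the default zone, so the rule ends up where you think it does on a host with several zones; and the verification queries both views of the configuration, which is exactly the pair that drifts apart when someone forgets --permanent or forgets to reload.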
