Getting Started with Firewalld on RHEL, Rocky Linux, Alma Linux

Last Updated: April 19th, 2024 Guoan Xiao (Admin)
2 Comments
CentOS

Firewalld is the standard firewall software on RHEL-based Linux systems (Fedora, Alma Linux, Rocky Linux). This tutorial is going to show you some basic usages of firewalld.

Install Firewalld

We can easily install it from the default software repository.

sudo dnf install -y firewalld

Start it and enable autostart on system boot.

sudo systemctl enable --now firewalld

Check status:

sudo systemctl status firewalld

sudo systemctl status firewalld

If this is a server, then you probably want to allow SSH traffic, so you won’t be locked out of your server.

sudo firewall-cmd --permanent --add-service=ssh

Firewall Zone

Unlike UFW, Firewalld is designed to work with multiple zones. You need to know the default zone on your server. The most common default zone is named public, but your server could be different.

sudo firewall-cmd --get-default-zone

Sample output:

public

List effective rules in the default zone.

sudo firewall-cmd --list-all

Sample output:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh cockpit dhcpv6-client
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

List all zones.

sudo firewall-cmd --list-all-zones

List active zones.

sudo firewall-cmd --get-active-zone

Most of the time, you would be working with the default public zone.

Enable Logging for Firewalld

Because who doesn’t want to get the logging messages when something doesn’t work? Run the following command to enable logging.

sudo firewall-cmd --set-log-denied=all

Next time when something doesn’t work, you can peruse the messages in /var/log/messages file. Below is a sample message that shows a packet sent from 10.10.50.202 to 10.0.0.100 is denied.

Apr 11 13:53:16 almalinux kernel: filter_FWD_public_REJECT: IN=vpns0 OUT=wg0 MAC= SRC=10.10.50.202 DST=10.0.0.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50742 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Open Ports in the Firewall

If you run a WordPress blog and any kind of website, you must allow HTTP and HTTPS traffic, so run the following two commands to allow inbound connection on TCP port 80 and 443.

sudo firewall-cmd --permanent --add-port=80/tcp

sudo firewall-cmd --permanent --add-port=443/tcp

Or, you can combine the two commands like this:

sudo firewall-cmd --permanent --add-port={80/tcp,443/tcp}

If you run an email server, you need to allow TCP port 25 (SMTP), 587(submission), 143(imap) and 993 (imaps).

sudo firewall-cmd --permanent --add-port={25/tcp,587/tcp,143/tcp,993/tcp}

If you want your user to be able to use POP3 protocol, you need to allow TCP port 110 (POP3) and 995 (POP3S).

sudo firewall-cmd --permanent --add-port={110/tcp,995/tcp}

Reload Firewalld for the changes to take effect.

sudo systemctl reload firewalld

Close Ports in the Firewall

If you want to close a port, use the following syntax.

sudo firewall-cmd --permanent --remove-port=25/tcp

Reload Firewalld for the changes to take effect.

sudo systemctl reload firewalld

Rich Rules

With the rich language more complex firewall rules can be created in an easy to understand way. For example, if you want to whitelist an IP address (allow access to every port), run the following command.

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="12.34.56.78" accept'

sudo systemctl reload firewalld

Delete a rich rule:

sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="12.34.56.78" accept'

sudo systemctl reload firewalld

Change Firewalld Backend

By default, Firewalld uses nftables as the backend. If you want to use iptables as backend, then edit the main config file.

sudo nano /etc/firewalld/firewalld.conf

Find the following line.

FirewallBackend=nftables

Change it to:

FirewallBackend=iptables

Save and close the file. Then restart Firewalld.

sudo systemctl restart firewalld

Now you can use iptables command to list rules like:

sudo iptables -L

How to Use iptables Command with Firewalld

If you need to add advance firewall rules that are only supported with iptables, then you can use this command followed by the iptables rule.

sudo firewall-cmd --permanent --direct --add-rule

For example, my CentOS server has two public IP addresses. I want my Postfix SMTP server to use two IP addresses in a round-robin fashion, so I need to do SNAT in the firewall. With iptables, the command is:

sudo iptables -t nat -A POSTROUTING -p tcp --dport 25 -m statistic --mode nth --every 2 --packet 0 -j SNAT --to-source the.first.ip.address

sudo iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source the.second.ip.address

Yes, I can use the above two commands, but they will not be preserved after firewalld restarts.

To add the above rules in Firewalld, use the following commands.

sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p tcp --dport 25 -m statistic --mode nth --every 2 --packet 0 -j SNAT --to-source the.first.ip.address

sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 1 -p tcp --dport 25 -j SNAT --to-source the.second.ip.address

Reload Firewalld for the changes to take effect.

sudo systemctl reload firewalld

Enable Packet Forwarding

If you set up a network such as VPN and want to enable packet forwarding between clients, then run the following commands. Replace the network interface (wg0) and subnet address (10.10.10.0/24) as appropriate.

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i wg0 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o wg0 -j ACCEPT

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -s 10.10.10.0/24 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -d 10.10.10.0/24 -j ACCEPT

Restart Firewalld for the changes to take effect.

sudo systemctl restart firewalld

You can list the direct rules with the following command.

sudo firewall-cmd --permanent --direct --get-all-rules

Note that the above direct rule only works if you use iptables as backend.

Firewalld is in Failed State

If you encounter the following error message, it means firewalld failed. Firewalld falls back to full stock configuration.

Error: 'NoneType' object has no attribute 'export_config'

Run the following command to check your Firewall configs.

sudo firewall-offline-cmd --check-config

Also, check the firewalld journals.

sudo journalctl -eu firewalld

Firewalld stored its direct rules in the .xml files under the /etc/firewalld/ directory. If you added a wrong rule, then you can delete this rule from the .xml file, then restart firewalld.

sudo systemctl restart firewalld

Wrapping Up

I hope this article helped you use Firewalld RHEL-based Linux systems (Fedora, Alma Linux, Rocky Linux). As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

Rate this tutorial
[Total: 3 Average: 4.3]

2 Responses to “Getting Started with Firewalld on RHEL, Rocky Linux, Alma Linux

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here

linux system security course LPIC 2

Featured Tutorials

pCloud 65% Off Cloud Storage

pcloud 2TB lifetime

VPS Hosting 30 Days Free Trial

Kamatera 30 days free trial