Master firewalld: Zones, Services, Ports, Rich Rules & Direct Rules on Linux
This guide walks you through configuring firewalld on Linux, covering zones, temporary and permanent settings, service and port management, zone manipulation, rich rule creation, direct rule usage, and essential commands for enabling, disabling, and querying the firewall.
Introduction
Firewalls are essential for controlling network traffic to and from a Linux server. firewalld provides a dynamic, zone‑based firewall daemon built on the Netfilter framework.
What is firewalld?
firewalld replaces hand-maintained static iptables rules with a dynamically managed ruleset built around zones and services. A zone defines a level of trust for the interfaces and source addresses bound to it (e.g., public, home, internal); a service is a named bundle of ports, protocols and helper modules (ssh, http, samba) that can be allowed in a zone without remembering the port numbers.
Listing and Understanding Zones
Run firewall-cmd --get-zones to list all available zones. Key zones include:
block : rejects incoming connections (IPv4 with icmp-host-prohibited, IPv6 with icmp6-adm-prohibited); only connections initiated from this host are possible.
dmz : for public‑facing hosts in a demilitarized zone with limited access to the internal network; only selected incoming connections are accepted.
drop : silently drops all incoming packets without any reply; only outgoing connections are possible.
external : for routers with masquerading enabled; only selected incoming connections are accepted.
home : for trusted home networks; only selected incoming connections are accepted.
internal : for trusted internal networks; only selected incoming connections are accepted.
public : the default zone, meant for untrusted public networks; only selected incoming connections are accepted.
trusted : accepts all network connections.
work : for work environments with mostly trusted hosts; only selected incoming connections are accepted.
Which zone a packet lands in is decided first by its source address (if some zone lists that address or range as a source) and otherwise by the interface it arrived on; interfaces bound to no zone fall back to the default zone.
Managing Services
List available services:
firewall-cmd --get-services
Add a service permanently:
firewall-cmd --permanent --add-service=samba
Reload to apply:
firewall-cmd --reload
Query a service's definition (ports, protocols and helper modules):
firewall-cmd --info-service=samba
Temporary vs Permanent Settings
Every firewall-cmd change is applied to one of two views. Without --permanent the change is made to the runtime configuration: it takes effect immediately, but it is discarded on firewall-cmd --reload, on a restart of the daemon, and on reboot. With --permanent the change is written to the configuration files under /etc/firewalld, but it does not touch the running firewall until the next reload or restart, at which point the permanent configuration becomes the new runtime state and any runtime-only changes are lost. Two options keep the two views in step: firewall-cmd --runtime-to-permanent saves the current runtime configuration as the permanent one (useful after testing a change live), and --timeout=<seconds> on a runtime change makes it undo itself automatically, which is the safe way to try a rule that could lock you out of SSH.
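The runtime/permanent split is the usual source of surprises: a rule that works today vanishes at the next reload, or a permanent rule that was never reloaded is assumed to be live. The script below is an added example (it is not part of the original article) that parses two firewall-cmd --list-all outputs, canonicalizes them, and prints what exists in only one view. It relies on the "key: value" layout --list-all prints and on rich rules being listed one per indented line under "rich rules:". FIREWALLD_LIVE and ZONE are this script's own environment variables, not firewalld's; the two sample outputs are constructed, not captured from a real host.

```shell
#!/bin/bash
# Added example (not from the article): report drift between a zone's runtime
# and permanent firewalld configuration. Run with FIREWALLD_LIVE=1 as root to
# query firewall-cmd; without it, two constructed --list-all outputs are used.
set -u

# Fields of --list-all whose values are space-separated tokens.
FIELDS="interfaces sources services ports protocols masquerade forward-ports source-ports icmp-blocks"

# Print the value of one "name: value" field from --list-all text on stdin,
# tokens sorted, so "ssh http" and "http ssh" compare equal.
zone_field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr ' ' '\n' | sed '/^$/d' \
    | sort | tr '\n' ' ' | sed 's/ $//'
}

# Canonical one-line-per-setting form of --list-all text on stdin.
normalize_zone() {
  local text field
  text=$(cat)
  for field in $FIELDS; do
    printf '%s: %s\n' "$field" "$(printf '%s\n' "$text" | zone_field "$field")"
  done
  # rich rules are printed one per indented line below the "rich rules:" header
  printf '%s\n' "$text" | sed -n '/^[[:space:]]*rich rules:/,$p' \
    | grep '^[[:space:]]*rule ' | sed 's/^[[:space:]]*//' | sort | sed 's/^/rich rule: /'
}

# zone_drift RUNTIME_TEXT PERMANENT_TEXT
# Prints every setting that differs, tagged with the view it belongs to.
# Exit status 0 = identical, 1 = drift.
zone_drift() {
  local rt pm line
  rt=$(printf '%s\n' "$1" | normalize_zone)
  pm=$(printf '%s\n' "$2" | normalize_zone)
  [ "$rt" = "$pm" ] && return 0
  printf '%s\n' "$rt" | while IFS= read -r line; do
    printf '%s\n' "$pm" | grep -Fxq -- "$line" || printf 'runtime only:   %s\n' "$line"
  done
  printf '%s\n' "$pm" | while IFS= read -r line; do
    printf '%s\n' "$rt" | grep -Fxq -- "$line" || printf 'permanent only: %s\n' "$line"
  done
  return 1
}

# Constructed sample (not captured from a real host): runtime view of "public"
# after an http service and a rich rule were added without --permanent.
RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh http
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept'

# Constructed sample: permanent view of the same zone, where 9090/tcp was added
# with --permanent but never reloaded.
PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp 9090/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

if [ -n "${FIREWALLD_LIVE:-}" ]; then
  zone=${ZONE:-$(firewall-cmd --get-default-zone)}
  runtime=$(firewall-cmd --zone="$zone" --list-all)
  permanent=$(firewall-cmd --permanent --zone="$zone" --list-all)
else
  runtime=$RUNTIME_SAMPLE
  permanent=$PERMANENT_SAMPLE
fi
if zone_drift "$runtime" "$permanent"; then
  echo "no drift: runtime and permanent views agree"
else
  echo "drift: runtime-only entries vanish on --reload (keep them with --runtime-to-permanent); permanent-only entries are not live until --reload"
fi
```

Run it as root with FIREWALLD_LIVE=1 (and ZONE=<name> for a zone other than the default) from a cron job or a configuration-management check; a non-zero exit means the firewall on disk is not the firewall that is running.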
Enabling and Disabling firewalld
# Start firewalld now
systemctl start firewalld
# Stop firewalld now (firewalld removes its rules on exit, so the host is unfiltered afterwards)
systemctl stop firewalld
# Start at boot (add --now to also start it immediately)
systemctl enable firewalld
# Do not start at boot
systemctl disable firewalld
# Check status
systemctl status firewalld
# Or ask firewalld itself: prints "running" or "not running" and exits non-zero when not running
firewall-cmd --state
Zone Management
Show the default zone:
firewall-cmd --get-default-zone
Show the zones that currently have interfaces or sources bound to them:
firewall-cmd --get-active-zones
List the configuration of the default zone (add --zone=<name> for another zone, --permanent for the saved configuration):
firewall-cmd --list-all
Assign an interface to a zone (e.g., move ens33 to home):
firewall-cmd --zone=home --change-interface=ens33
On hosts where NetworkManager manages the interface, the zone is a property of the connection profile and can also be set there, which keeps it across reconnects:
nmcli connection modify <connection-name> connection.zone home
Set a new default zone (this changes both the runtime and the permanent configuration):
firewall-cmd --set-default-zone=home
Find the zone associated with an interface:
firewall-cmd --get-zone-of-interface=ens160
Create a new zone called test. Zones can only be created in the permanent configuration, so a reload is needed before the zone can be used:
firewall-cmd --permanent --new-zone=test
firewall-cmd --reload
Opening and Closing Ports
List open ports in the default zone:
firewall-cmd --list-ports
Add a permanent port (e.g., TCP 8080):
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload
Remove a port. Without --permanent the removal only affects the running configuration, so a port that was added permanently comes back at the next reload; remove it from both views:
firewall-cmd --remove-port=8080/tcp
firewall-cmd --permanent --remove-port=8080/tcp
Operate on a specific zone (e.g., open port 80 in home):
firewall-cmd --permanent --zone=home --add-port=80/tcp
firewall-cmd --reload
Adding Multiple Services
firewall-cmd --permanent --zone=home --add-service={http,https}
firewall-cmd --reload
The braces are bash brace expansion, not firewall-cmd syntax: the shell expands the first line to firewall-cmd --permanent --zone=home --add-service=http --add-service=https before firewall-cmd runs, and that expanded form is what to write in a plain POSIX sh script.
Port Forwarding
Enable masquerading for a zone. This is needed when forwarding to another host, so that the reply traffic from that host comes back through this machine instead of going straight to the client; firewalld also takes care of enabling IPv4 forwarding in the kernel. Redirecting a port to the local machine works without it.
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --reload
Forward local port 80 to local port 8080:
firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --reload
Forward port 80 to a remote host (10.0.0.75) port 8080:
firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.0.0.75
firewall-cmd --reload
The forward applies to traffic arriving on the interfaces (or from the sources) bound to the zone named in the command, so put it in the zone that receives the traffic, not the zone of the destination.
Rich Rules
Rich rules allow expressive, per-source firewall policies that the plain service and port lists cannot express. General syntax (one rule per --add-rich-rule):
rule [family="ipv4|ipv6"] [priority="n"]
    [source]
    [destination]
    service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
    [log] [audit]
    [accept|reject|drop|mark]
Without an explicit priority, firewalld groups a zone's rich rules by action rather than by the order they were added: logging rules are evaluated first, then reject and drop rules, then accept rules. A rich rule that rejects a service therefore wins over a rich rule that accepts it from a narrower source, unless priorities are set (lower numbers are evaluated first; the priority attribute exists in newer firewalld versions).
Allow traffic from 192.168.0.0/24:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
Allow SSH from that subnet with logging:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" accept'
In production add a limit clause to the log (for example limit value="3/m") so that a port scan cannot flood the log with one entry per packet.
Reject SSH from 192.168.10.0/24 (matched by port rather than by service name; for a single-port service the two are equivalent):
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" port port="22" protocol="tcp" reject'
These commands change the runtime configuration only; add --permanent and reload, or run firewall-cmd --runtime-to-permanent once the rules behave as intended. List, then remove rich rules (the rule text must be given exactly as --list-rich-rules prints it, otherwise nothing is removed):
firewall-cmd --zone=public --list-rich-rules
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
Direct Rules (iptables‑style)
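Before turning to direct rules, here is the rich-rule allowlist pattern from the previous section scripted end to end, as an added example that is not part of the original article: restrict one service to a set of IPv4 sources, log the accepted connections with a rate limit, and print the firewall-cmd invocations as a dry run so they can be reviewed before being applied. It validates every address up front, and it removes the service from the zone's plain service list first, because a service that is still in that list stays open to everyone and the rich rules would only add logging. It handles IPv4 only; ZONE, SERVICE and SOURCES are this script's own variables, and the addresses in the stand-alone run are constructed.

```shell
#!/bin/bash
# Added example (not from the article): build an IPv4 source allowlist for one
# service as firewalld rich rules. Prints the firewall-cmd invocations (dry run)
# so they can be reviewed before being piped to sh.
set -u

# Return 0 if $1 is a well-formed IPv4 address or CIDR (a.b.c.d or a.b.c.d/n).
valid_cidr4() {
  local addr prefix octet
  case "$1" in
    */*) addr="${1%/*}"; prefix="${1#*/}" ;;
    *)   addr="$1";      prefix=32 ;;
  esac
  printf '%s' "$addr"   | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf '%s' "$prefix" | grep -Eq '^[0-9]{1,2}$'                  || return 1
  [ "$prefix" -le 32 ] || return 1
  for octet in $(printf '%s' "$addr" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# rich_allow SERVICE CIDR: accept SERVICE from CIDR and log the connection,
# rate-limited so a scanner cannot flood the journal.
rich_allow() {
  printf 'rule family="ipv4" source address="%s" service name="%s" log prefix="%s-allow " level="info" limit value="5/m" accept' "$2" "$1" "$1"
}

# allowlist_cmds ZONE SERVICE CIDR...: print the commands that restrict SERVICE
# in ZONE to the given sources. Every CIDR is validated before anything is
# printed, so a typo never yields a half-applied ruleset. Other sources are
# then handled by the zone's default target (REJECT for public).
allowlist_cmds() {
  local zone="$1" service="$2" cidr
  shift 2
  [ "$#" -gt 0 ] || { echo "allowlist_cmds: no source given" >&2; return 1; }
  for cidr in "$@"; do
    valid_cidr4 "$cidr" || { echo "allowlist_cmds: invalid IPv4 CIDR: $cidr" >&2; return 1; }
  done
  # the service must leave the plain service list, or it stays open to everyone
  printf 'firewall-cmd --permanent --zone=%s --remove-service=%s\n' "$zone" "$service"
  for cidr in "$@"; do
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$(rich_allow "$service" "$cidr")"
  done
  printf 'firewall-cmd --reload\n'
}

# Stand-alone run: dry run for a constructed allowlist. ZONE, SERVICE and
# SOURCES are this script's own environment variables, not firewalld's.
# Apply after review with:  ZONE=public SERVICE=ssh ./allowlist.sh | sh
allowlist_cmds "${ZONE:-public}" "${SERVICE:-ssh}" ${SOURCES:-192.168.0.0/24 10.0.0.5}
```

Two cautions when applying the output: it only restricts anything in a zone whose default target rejects (in the trusted zone the rich rules change nothing), and because it removes the SSH service permanently, a wrong CIDR locks you out at the next reload. To rehearse, run the generated --add-rich-rule commands once without --permanent and with --timeout=300 from the session you want to keep, confirm a second login from the allowed range works, and only then apply the permanent form.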
Direct rules let you insert raw iptables, ip6tables and ebtables rules into chains that firewalld manages. They bypass the zone logic entirely: firewalld keeps them in chains such as INPUT_direct, to which the built-in chains jump before any zone rule is evaluated. The number after the chain name is a priority; rules with lower numbers are placed first. Example: open TCP 8081 on the INPUT chain:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 8081 -j ACCEPT
firewall-cmd --reload
List all direct rules:
firewall-cmd --direct --get-all-rules
Remove a direct rule. The table, chain, priority and arguments must all match the rule as it was added, otherwise nothing is removed; this removes the 8081 rule added above:
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 8081 -j ACCEPT
firewall-cmd --reload
Recent firewalld releases document the direct interface as deprecated in favour of policies (see firewalld.policies(5)), so prefer rich rules or policies for anything they can express and keep direct rules for the few cases that need a raw match.
Summary
The article provides a comprehensive walkthrough of firewalld, covering zone concepts, service and port management, temporary vs permanent configurations, enabling/disabling the daemon, zone manipulation, port forwarding, rich rules, and direct iptables‑style rules, with concrete command examples for each operation.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
