Master Linux firewalld: A Step‑by‑Step Guide to Secure Your Server
This tutorial walks you through the fundamentals of Linux firewalld, comparing it with iptables, explaining zones and configuration files, and providing concrete command‑line examples for blocking ping, restricting SSH access, and opening Apache traffic, so that system administrators can secure their servers efficiently.
Two major firewall tools
firewalld – the default firewall manager for CentOS 7 and newer
iptables – the traditional Linux firewall tool
firewalld features
Dynamic firewall management without service restarts
Support for network zones that define trust levels for interfaces
Separate runtime and permanent configurations
IPv4 and IPv6 support
Ethernet bridge support
Key differences between firewalld and iptables
firewalld allows dynamic rule changes; iptables requires service reloads
firewalld uses zones to group rules; iptables uses chains
firewalld stores permanent rules in XML files; iptables stores them in plain‑text files
firewalld configuration lives under /etc/firewalld/ (high priority) and /usr/lib/firewalld/ (default)
iptables configuration typically resides in /etc/sysconfig/iptables
Configuration file locations
/etc/firewalld/ # system configuration directory (high priority)
/usr/lib/firewalld/ # default configuration directory (low priority)
firewalld zones
trusted : accepts all traffic
public : blocks inbound traffic unless it matches predefined services (e.g., ssh, dhcpv6-client)
work : similar to public but with additional allowed services
home : allows more services such as mdns and samba-client
internal : like home, for trusted internal networks
external : blocks inbound traffic except for ssh
dmz : limited inbound traffic, mainly for servers
block / drop : reject or silently drop all inbound traffic
Three configuration methods
Graphical tool: firewall-config
Command‑line tool: firewall-cmd
Directly editing the files under /etc/firewalld/
Basic firewall cases
1. Block ping requests
# Start firewalld and enable it at boot
systemctl start firewalld
systemctl enable firewalld
# Block ICMP echo‑request (ping) in the public zone
firewall-cmd --zone=public --add-icmp-block=echo-request --permanent
firewall-cmd --reload
# Verify
firewall-cmd --list-all
2. Allow SSH only from a specific host
# Remove the default SSH service from the public zone
firewall-cmd --zone=public --remove-service=ssh --permanent
# Add the trusted host to the work zone
firewall-cmd --zone=work --add-source=192.168.14.112 --permanent
# Enable SSH service in the work zone
firewall-cmd --zone=work --add-service=ssh --permanent
firewall-cmd --reload
# Verify (without --zone, --list-all shows only the default zone, normally public;
# use --zone=work --list-all to confirm the source and the ssh service in the work zone)
firewall-cmd --list-all
3. Open Apache (HTTP/HTTPS) traffic
# Allow HTTP and HTTPS in the public zone
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
# Verify
firewall-cmd --list-all
Summary
Easily block ping requests with a single firewall-cmd command.
Restrict SSH access to a specific IP address, improving server security.
Open HTTP/HTTPS services so the web server becomes reachable from other hosts.
Understanding the underlying concepts of firewalld zones, configuration files, and the differences from iptables enables you to adapt firewall rules to any scenario.
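Because the --permanent commands above are written to zone XML files under /etc/firewalld/zones/, the end state can be audited from those files rather than from firewall-cmd output. The script below is an added example (not part of the original tutorial or of firewalld itself) that parses constructed samples of the zone files before and after the three steps, reports which zones expose ssh with and without a source restriction, and where echo-request is blocked; load_zones() reads a real host's files in firewalld's priority order.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Constructed samples of permanent zone files (zone name = file name without .xml).
# BEFORE: the stock public zone, which still allows ssh from any address.
BEFORE = {"public": """<zone><short>Public</short>
  <service name="ssh"/><service name="dhcpv6-client"/></zone>"""}
# AFTER: what the tutorial's --permanent commands leave in /etc/firewalld/zones/.
AFTER = {
    "public": """<zone><short>Public</short>
  <service name="dhcpv6-client"/><service name="http"/><service name="https"/>
  <icmp-block name="echo-request"/></zone>""",
    "work": """<zone><short>Work</short>
  <source address="192.168.14.112"/><service name="ssh"/></zone>""",
}

def parse_zone(xml_text):
    """Pull the services, source addresses and ICMP blocks out of one zone file."""
    root = ET.fromstring(xml_text)
    return {
        "services": {e.get("name") for e in root.findall("service")},
        "sources": {e.get("address") for e in root.findall("source")},
        "icmp_blocks": {e.get("name") for e in root.findall("icmp-block")},
    }

def audit(zones):
    """zones: {name: xml_text}. Reports ssh exposure per zone and where ping is blocked."""
    report = {"ssh_unrestricted": [], "ssh_restricted": {}, "ping_blocked": []}
    for name in sorted(zones):
        z = parse_zone(zones[name])
        if "ssh" in z["services"]:
            if z["sources"]:          # zone is bound to specific source addresses
                report["ssh_restricted"][name] = sorted(z["sources"])
            else:                     # reachable on every interface bound to the zone
                report["ssh_unrestricted"].append(name)
        if "echo-request" in z["icmp_blocks"]:
            report["ping_blocked"].append(name)
    return report

def load_zones(dirs=("/usr/lib/firewalld/zones", "/etc/firewalld/zones")):
    """Read a real host's zone files; later directories override earlier ones,
    matching firewalld's priority (/etc/firewalld/ beats /usr/lib/firewalld/)."""
    zones = {}
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.xml")):
            with open(path, encoding="utf-8") as fh:
                zones[os.path.basename(path)[:-4]] = fh.read()
    return zones

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
    print("this host:", audit(load_zones()))  # empty report if firewalld is absent
```

Any zone listed under ssh_unrestricted still accepts SSH from every address reaching an interface in that zone, which is exactly the state step 2 removes from public.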
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)