
Master Linux Firewalld: Beginner’s Guide to Configuring Firewall Rules

This article introduces Linux firewalld fundamentals, compares it with iptables, explains zones and configuration methods, and walks through practical examples—including blocking ping, restricting SSH access, and opening Apache traffic—using clear commands and code snippets for easy implementation.

MaGe Linux Operations

Linux Firewall Basics: Firewalld (Beginner Level)

As a system administrator or developer, you may struggle with Linux firewall configuration. This guide explains firewalld on CentOS, compares it with iptables, and provides a hands‑on case study to set up firewall rules correctly.

Two Main Firewall Tools

firewalld – default firewall manager for CentOS 7 and later

iptables – traditional Linux firewall tool

Features of firewalld

Dynamic firewall management

Supports network/firewall zones to define trust levels for interfaces

Separates runtime and permanent configurations

Supports IPv4 and IPv6

Supports Ethernet bridging

Main Differences Between firewalld and iptables

firewalld provides dynamic configuration without service restart

firewalld uses zones to manage rules

iptables requires static configuration; changes need service reload

iptables manages rules via chains and often requires clearing old rules

Configuration File Locations

/etc/firewalld/        # system configuration directory
/usr/lib/firewalld/    # default configuration directory

Note:
/etc/firewalld/      – higher priority, user configuration directory
/usr/lib/firewalld/  – lower priority, default configuration directory

firewalld Zones

Zone       – Description

trusted    – Accept all network connections
public     – Reject inbound traffic unless it matches outgoing traffic or predefined services (ssh, dhcpv6-client)
work       – Similar to public but with additional predefined services (ssh, ipp-client, dhcpv6-client)
home       – Allows services like ssh, ipp-client, mdns, samba-client, dhcpv6-client
internal   – Same as home
dmz        – Same as home
external   – Reject inbound traffic unless it matches outgoing traffic or ssh
block      – Reject all inbound traffic unless it matches outgoing traffic
drop       – Drop all inbound traffic without ICMP error responses

Three Configuration Methods

firewall-config graphical tool

firewall-cmd command‑line tool

Directly edit the configuration files under /etc/firewalld/

Basic Firewall Case

+----------------+      +----------------+      +----------------+
|     Client     |      |    Firewall    |      |     Apache     |
| 192.168.14.112 |      | 192.168.14.111 |      |  Linux Server  |
+----------------+      +----------------+      +----------------+

1. Block Ping Requests

# Start firewalld and enable on boot
systemctl start firewalld
systemctl enable firewalld

# Block ping (ICMP echo‑request) in the public zone
firewall-cmd --zone=public --add-icmp-block=echo-request --permanent
firewall-cmd --reload

# Verify configuration
firewall-cmd --list-all

2. Allow SSH Only from a Specific Host

# Remove default SSH service from public zone
firewall-cmd --zone=public --remove-service=ssh --permanent

# Allow host 192.168.14.112 to access SSH in the work zone
firewall-cmd --zone=work --add-source=192.168.14.112 --permanent
firewall-cmd --zone=work --add-service=ssh --permanent
firewall-cmd --reload

# Verify configuration
firewall-cmd --list-all

3. Allow Apache (HTTP/HTTPS) Traffic

# Open HTTP and HTTPS services in the public zone
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload

# Verify configuration
firewall-cmd --list-all
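The three cases above are typed one command at a time, and nothing tells you whether the reloaded configuration really contains what you intended. The script below is an added example, not part of the original article, that wraps the same firewall-cmd calls in POSIX sh functions, validates the SSH source address before it is handed to firewalld, and after --reload asks firewalld itself (via --query-*) whether each rule is present. It assumes firewall-cmd is on PATH on the firewall host; the environment variable FW_DRY_RUN, the function names and the file name firewalld-case.sh are my own choices. With FW_DRY_RUN=1 every call is printed instead of executed, so the plan can be reviewed (and tested) on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the original article: a small POSIX sh wrapper
# that applies the three case-study rules through firewall-cmd and then
# verifies that the reloaded configuration actually contains them.
# Assumptions: firewall-cmd is on PATH on the target host, and setting
# FW_DRY_RUN=1 prints every firewall-cmd call instead of running it.

# Run firewall-cmd with the given arguments, or print the call in dry-run mode.
fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Accept only a dotted-quad IPv4 address, optionally with a /0-32 prefix.
# A malformed source would either be rejected by firewall-cmd or, worse,
# quietly widen who may reach SSH, so refuse it before anything is applied.
valid_ipv4_source() {
    addr="${1%%/*}"
    case "$1" in
        */*) prefix="${1#*/}" ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs="$IFS"; IFS=.
    set -- $addr            # split on dots; addr holds only digits and dots
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Case 1: block ICMP echo-request in the public zone.
block_ping() {
    fw --zone=public --add-icmp-block=echo-request --permanent
}

# Case 2: allow SSH only from one source. All three calls are --permanent,
# so nothing changes until --reload; the additions still come first so the
# intent (move SSH to the work zone, then drop it from public) is explicit.
restrict_ssh() {
    src="$1"
    valid_ipv4_source "$src" || { echo "refusing invalid source: $src" >&2; return 2; }
    fw --zone=work --add-source="$src" --permanent
    fw --zone=work --add-service=ssh --permanent
    fw --zone=public --remove-service=ssh --permanent
}

# Case 3: open HTTP and HTTPS in the public zone.
open_web() {
    fw --zone=public --add-service=http --permanent
    fw --zone=public --add-service=https --permanent
}

# Reload so the permanent configuration becomes the runtime one, then ask
# firewalld rather than trusting our own bookkeeping: each --query-* call
# exits 0 only if the item is present in the running configuration.
verify_rules() {
    src="$1"
    fw --reload &&
    fw --zone=public --query-icmp-block=echo-request &&
    fw --zone=work --query-source="$src" &&
    fw --zone=work --query-service=ssh &&
    fw --zone=public --query-service=http &&
    fw --zone=public --query-service=https || return 1
    # The negative check needs real output, so it is skipped in dry-run mode.
    if [ "${FW_DRY_RUN:-0}" != "1" ] &&
       firewall-cmd --zone=public --list-services | grep -qw ssh; then
        echo "ssh is still allowed in the public zone" >&2
        return 1
    fi
    return 0
}

# Full plan in the article's order: apply all three cases, reload, verify.
configure_host() {
    block_ping && restrict_ssh "$1" && open_web && verify_rules "$1"
}

# Usage on the firewall host:   sh firewalld-case.sh 192.168.14.112
# Review the plan first with:   FW_DRY_RUN=1 sh firewalld-case.sh 192.168.14.112
if [ $# -eq 1 ]; then
    configure_host "$1"
fi
```

Two points worth noting. First, because every change is made with --permanent, the host keeps its old runtime rules until --reload, which is why the verification step runs after the reload and not after each command. Second, the source restriction only helps if the client really arrives with that address; when the client is behind NAT or the traffic enters on an interface bound to a different zone, check the output of firewall-cmd --get-active-zones before relying on it.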

Summary

Through this article we learned the basic concepts of firewalld and iptables, and demonstrated practical steps to:

Easily configure firewall rules to block ping requests.

Restrict SSH access to a specific IP address, enhancing server security.

Open HTTP/HTTPS services so a website can be accessed from outside.

Remember that firewall configurations are not static; adjust rules as needed based on real‑world requirements, and always understand the underlying principles to handle various scenarios effectively.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
