Master Linux Firewalld: Beginner’s Guide to Configuring Firewall Rules
This beginner-friendly guide explains Linux firewalld fundamentals, compares it with iptables, details zone concepts, and walks through practical examples for blocking ping, restricting SSH access, and enabling Apache, providing clear commands and configuration files to help system administrators secure their servers.
Linux Firewall Basics: Firewalld (Beginner Level)
As a system administrator or developer, you may find Linux firewall configuration challenging. This article introduces firewalld on CentOS, compares it with iptables, and provides a hands‑on case study for setting up firewall rules.
1. Two Main Firewall Tools
firewalld – default firewall manager for CentOS 7 and later
iptables – traditional Linux firewall tool; firewalld itself programs the kernel through iptables (CentOS 7) or nftables (CentOS 8 and later), so enable either the iptables service or firewalld, never both at once
2. Features of firewalld
Dynamic firewall management
Supports zones to define trust levels for network interfaces
Separates runtime and permanent configurations
Supports IPv4 and IPv6
Supports Ethernet bridging
3. Main Differences Between firewalld and iptables
firewalld changes individual rules through its daemon, so a change does not flush the whole rule set and established connections survive; with the iptables service every change means rewriting and reloading all rules
Runtime changes take effect immediately and can be saved as permanent configuration when wanted
Uses zones, rather than raw chains, to group rules by trust level
Configuration file locations:
/etc/firewalld/ # system configuration directory
/usr/lib/firewalld/ # package default configuration directory
Note: /etc/firewalld/ has higher priority and is the user configuration directory; a file there overrides the file of the same name under /usr/lib/firewalld/. Make your changes in /etc/firewalld/, because the defaults under /usr/lib/firewalld/ are replaced on package updates.
4. firewalld Zones
Common zones and their meanings:
trusted – accepts all incoming connections.
public – the default zone for new interfaces; rejects incoming traffic unless it matches an enabled service (ssh and dhcpv6-client by default).
work – like public, for networks where other hosts are mostly trusted; only a few services are enabled (ssh, dhcpv6-client and, in older versions, ipp-client).
home – for home networks; enables ssh, mdns, samba-client and dhcpv6-client by default.
internal – same defaults as home.
external – for a router's outward-facing interface; only ssh is enabled and IPv4 masquerading (NAT) is switched on.
dmz – only ssh is enabled.
block – rejects all incoming connections with an ICMP host-prohibited message; only connections initiated from this host work.
drop – drops all incoming packets without any reply; only outgoing connections work.
The exact default services vary between firewalld versions, so confirm them on your system with firewall-cmd --zone=<zone> --list-all before relying on this table.
5. Three Configuration Methods
firewall‑config graphical tool.
firewall‑cmd command‑line tool.
Editing the XML files under /etc/firewalld/ (for example zones/public.xml), followed by firewall-cmd --reload to activate them.
Firewall Basic Example
Network diagram: (image not reproduced; in the commands below the server is 192.168.14.111 and the administrator's client is 192.168.14.112)
Steps:
Block ping requests.
Allow SSH only from 192.168.14.112 (the administrator's client).
Allow all hosts to access Apache.
Install Apache and test:
yum install -y httpd
echo 2024-12-3 > /var/www/html/index.html
systemctl start httpd
curl 127.0.0.1
Block Ping Rule
# Start firewalld and enable at boot
systemctl start firewalld
systemctl enable firewalld
# Block ICMP echo requests in the public zone; --permanent writes the change
# to /etc/firewalld only, and --reload is what activates it
firewall-cmd --zone=public --add-icmp-block=echo-request --permanent
firewall-cmd --reload
firewall-cmd --list-all
Client test result (screenshot not reproduced): pings to the server no longer receive an echo reply.
Allow SSH Rule
# Remove the default SSH service from the public zone, where every
# connection that matches no other zone lands
firewall-cmd --zone=public --remove-service=ssh --permanent
# Bind 192.168.14.112 to the work zone and allow SSH there; a source-bound
# zone is matched before the interface's zone, so only this host reaches SSH
firewall-cmd --zone=work --add-source=192.168.14.112 --permanent
firewall-cmd --zone=work --add-service=ssh --permanent
firewall-cmd --reload
firewall-cmd --list-all
Client test shows other IPs denied while 192.168.14.112 can connect (screenshot not reproduced). Two caveats: --list-all without --zone shows only the default zone, so inspect the work zone with --zone=work as well; and because all traffic from 192.168.14.112 is now evaluated under the work zone alone, any other service that host needs (such as http below) must be enabled in the work zone too. Double-check the address before reloading, since a typo locks you out of SSH.
Allow Apache Traffic
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
firewall-cmd --list-all
Before opening the services, curl 192.168.14.111 from a client fails; after opening, it returns the page content. This applies to clients evaluated under the public zone; 192.168.14.112 is bound to the work zone and needs http enabled there as well.
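The three steps above collected into one script, as an added example that is not code from the original article. It departs from the article's --permanent plus --reload sequence: every rule goes into the runtime configuration first, a background --reload acts as a lockout guard, and --runtime-to-permanent saves the result only after a fresh SSH login from the allowed host has been confirmed. The zone names, the allowed address and the 300-second window are assumptions chosen for this example; the script only prints the commands it would run unless --apply is given.

```shell
#!/bin/sh
# Added example, not code from the original article: the three steps of the
# case study as one script that PREVIEWS by default and only touches the
# firewall with --apply. Assumptions not stated on the page: the server's NIC
# is in the default "public" zone, and the variables below are yours to set.
set -eu

ALLOWED_SSH_SRC="${ALLOWED_SSH_SRC:-192.168.14.112}"  # admin host from the article
SSH_ZONE="${SSH_ZONE:-work}"                          # zone bound to that source
PUBLIC_ZONE="${PUBLIC_ZONE:-public}"                  # zone holding the NIC
REVERT_SECS="${REVERT_SECS:-300}"                     # lockout-guard window
DRY_RUN=1                                             # print commands unless --apply

# fw: run firewall-cmd, or print the exact command line when previewing.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Every change goes to the RUNTIME configuration first (no --permanent), so a
# plain --reload throws it all away if something goes wrong.
block_ping() {
    fw --zone="$PUBLIC_ZONE" --add-icmp-block=echo-request
}

restrict_ssh() {
    # Source-bound zones are matched before the interface's zone, so packets
    # from ALLOWED_SSH_SRC are evaluated under SSH_ZONE and nothing else is.
    fw --zone="$SSH_ZONE" --add-source="$ALLOWED_SSH_SRC"
    fw --zone="$SSH_ZONE" --add-service=ssh
    # That host now sees only SSH_ZONE's rules, so it needs the web ports too,
    # or it can ssh in but not curl the site it administers.
    fw --zone="$SSH_ZONE" --add-service=http
    fw --zone="$SSH_ZONE" --add-service=https
    # Only after the admin path exists, close ssh for everyone else.
    fw --zone="$PUBLIC_ZONE" --remove-service=ssh
}

allow_web() {
    fw --zone="$PUBLIC_ZONE" --add-service=http
    fw --zone="$PUBLIC_ZONE" --add-service=https
}

# Lockout guard: runtime-only changes vanish on --reload, so schedule one.
# Kill the background job once a fresh login from ALLOWED_SSH_SRC works.
arm_revert_timer() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "# would arm: (sleep $REVERT_SECS; firewall-cmd --reload) &"
    else
        (sleep "$REVERT_SECS" && firewall-cmd --reload) &
        echo "revert timer armed as pid $!; kill it after confirming access"
    fi
}

# After confirming, copy the runtime state into /etc/firewalld/zones/*.xml.
persist() {
    fw --runtime-to-permanent
}

# --list-all with no --zone shows only the default zone, so inspect both.
# --query-* commands exit 0 for "yes" and 1 for "no", hence the || echo.
verify() {
    fw --get-active-zones
    fw --zone="$PUBLIC_ZONE" --list-all
    fw --zone="$SSH_ZONE" --list-all
    fw --zone="$PUBLIC_ZONE" --query-icmp-block=echo-request || echo "ping NOT blocked"
    fw --zone="$SSH_ZONE" --query-service=ssh || echo "ssh NOT allowed for $ALLOWED_SSH_SRC"
}

case "${1:-}" in
    --apply)   DRY_RUN=0; block_ping; restrict_ssh; allow_web; arm_revert_timer; verify ;;
    --persist) DRY_RUN=0; persist ;;
    *)         block_ping; restrict_ssh; allow_web; arm_revert_timer; verify ;;
esac
```

Run it with no arguments to see the plan, then `./fw.sh --apply` from the console or from the allowed host. Open a second SSH session from 192.168.14.112; if it works, kill the revert timer's pid and run `./fw.sh --persist`; if it does not, do nothing and the scheduled --reload restores the saved configuration. On the live system, `firewall-cmd --get-zone-of-source=192.168.14.112` confirms which zone that client is really evaluated under.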
Conclusion
This article demonstrates how to configure firewalld to block ping, restrict SSH access to a specific IP, and open HTTP/HTTPS services, illustrating the practical steps and underlying concepts needed for secure server management.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.