Master Linux firewalld: From Basics to Advanced Zone Management

This comprehensive guide explains Linux firewall fundamentals, the netfilter framework, firewalld architecture, zone and service management, command‑line and graphical tools, as well as practical examples of configuring zones, services, ports, rich rules, and troubleshooting common issues.

Linux Firewall Overview

A firewall is a set of components placed between networks or security domains to enhance internal network security. It uses access‑control mechanisms to decide which internal services can be accessed from outside and which external requests are allowed. Linux implements firewall functionality in the kernel; from kernel 2.4 onward, packet filtering is provided by netfilter. CentOS 6 uses iptables as the management tool, while CentOS 7 uses firewalld, a next‑generation dynamic firewall that supports zones and interface security levels.

Linux Firewall Framework

The netfilter framework resides in the Linux kernel and offers stateful and stateless packet filtering as well as NAT and IP masquerading. firewalld builds on netfilter to provide dynamic management and lets services or applications add rules through an interface. Netfilter hooks into the IP layer without modifying the IP stack code itself, keeping the firewall code separate from the protocol stack.

Figure: netfilter position in the network stack

Data packets enter the IP stack, pass the PREROUTING hook, are routed, and are then handled by the INPUT, FORWARD, or OUTPUT chains before leaving through POSTROUTING. iptables stores its configuration in /etc/sysconfig/iptables, whereas firewalld stores XML files under /usr/lib/firewalld/ and /etc/firewalld/. firewalld can apply changes at runtime without restarting the firewall, but all modifications must go through the firewalld daemon to keep the kernel and daemon states consistent.

firewalld Management

firewalld provides dynamic zone‑based management. Zones define the trust level of network connections, ranging from drop (discard all packets) to trusted (accept all). Pre‑defined zones include public, external, dmz, work, home, internal, etc. Zones can be configured with the graphical tool (firewall-config), the command‑line client (firewall-cmd), or the D‑Bus interface.

Typical zone configuration steps:

1. Use firewall-cmd --get-zones to list available zones.
2. Set the default zone with firewall-cmd --set-default-zone=public.
3. Add services, ports, masquerading, port forwarding, or ICMP filters to a zone.
4. Apply changes permanently with the --permanent flag and reload the daemon.

Common firewall‑cmd commands

--get-default-zone : Query the current default zone.

--set-default-zone= : Set the default zone (affects runtime and permanent configs).

--list-all : Show all configured interfaces, sources, services, and ports for a zone.

--add-service= : Allow traffic to a specific service.

--remove-service= : Remove a service from a zone.

--add-port= : Open a specific port or port range.

--remove-port= : Close a previously opened port.

--reload : Discard runtime configuration and apply permanent settings.

Example usage

```shell
# Query firewalld version and status
firewall-cmd --version
firewall-cmd --state

# List services and open ports in the public zone
firewall-cmd --zone=public --list-services
firewall-cmd --zone=public --list-ports

# Add SSH service temporarily (runtime only)
firewall-cmd --add-service=ssh

# Add HTTP service permanently to the work zone
firewall-cmd --permanent --add-service=http --zone=work

# Open port 443/tcp permanently in the internal zone
firewall-cmd --permanent --zone=internal --add-port=443/tcp

# Reload to apply permanent changes
firewall-cmd --reload
```

firewalld also supports rich rules for complex policies, D‑BUS for status queries, and integrates with NetworkManager to automatically assign interfaces to zones.
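The zone configuration steps listed earlier, together with one rich rule, collected into a single reviewable POSIX shell function; this is an added example, not code from the article. The function names, the zone, interface, service and port values, and the source network 203.0.113.0/24 are assumptions, and with DRY_RUN=1 the function prints each firewall-cmd call instead of executing it, so the plan can be checked before it reaches a live firewall.

```shell
#!/bin/sh
# Added example (not from the original article). Zone, interface, service
# and port names and the source network 203.0.113.0/24 are assumed sample
# values. DRY_RUN=1 prints each firewall-cmd invocation instead of running it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"        # plan mode: show the command
  else
    "$@"                      # apply mode: execute it
  fi
}

# fw_zone_plan ZONE IFACE "SERVICES" "PORTS" [SOURCE_CIDR]
# Writes the permanent configuration for ZONE: binds IFACE and allows the
# listed services and ports. If SOURCE_CIDR is given, a rich rule accepts ssh
# only from that source. Do not also list ssh in SERVICES in that case: the
# zone-wide service rule would accept ssh from anywhere and make the source
# restriction meaningless. A final --reload turns the permanent configuration
# into the runtime configuration, and --list-all shows the result for review.
fw_zone_plan() {
  zone=$1; iface=$2; services=$3; ports=$4; src=${5:-}
  run firewall-cmd --permanent --zone="$zone" --change-interface="$iface"
  for s in $services; do
    run firewall-cmd --permanent --zone="$zone" --add-service="$s"
  done
  for p in $ports; do
    run firewall-cmd --permanent --zone="$zone" --add-port="$p"
  done
  if [ -n "$src" ]; then
    run firewall-cmd --permanent --zone="$zone" --add-rich-rule="rule family=\"ipv4\" source address=\"$src\" service name=\"ssh\" accept"
  fi
  run firewall-cmd --reload
  run firewall-cmd --zone="$zone" --list-all
}

# Print the plan for a sample work zone without touching the live firewall:
#   DRY_RUN=1 fw_zone_plan work eth1 "http https" "8443/tcp" 203.0.113.0/24
```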

Additional Topics

Misconfiguration of sysctl parameters such as net.ipv4.ip_forward can affect firewall behavior. firewalld and iptables differ mainly in configuration storage and runtime flexibility: iptables uses a static file, while firewalld stores XML and can modify rules without disrupting existing connections.

Written by Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
