Supercharge Linux Firewall: Master Firewalld & ipset for Scalable, High-Performance Security

This guide walks you through why Firewalld is the preferred firewall on CentOS 7+, explains its core concepts, shows step‑by‑step installation, zone management, service and port configuration, and demonstrates how to integrate ipset for efficient bulk IP handling, including pitfalls and best practices.

Xiao Liu Lab

Why Firewalld?

Firewalld is the default firewall manager on CentOS 7+ and provides dynamic configuration, zone‑based management, and service abstraction, making it simpler and safer than traditional iptables.

Core Concepts

Zone: Predefined containers that represent trust levels (e.g., public for internet‑facing interfaces, internal for LAN). A network interface can belong to only one zone, but a zone may contain multiple interfaces.

Service: A named set of port‑protocol pairs (e.g., ssh = 22/tcp). Using services avoids hard‑coding ports.

Rule: Allow or reject policies bound to a specific zone; rules in different zones are independent.

Installation and Basic Commands

1. Install and start (3 steps)

# Install (most systems already have it)
sudo yum install firewalld -y

# Start and enable at boot
sudo systemctl start firewalld
sudo systemctl enable firewalld

# Verify status (active (running) means OK)
sudo systemctl status firewalld

2. Zone management (frequent commands)

# Show default zone
firewall-cmd --get-default-zone

# Show details of the public zone
firewall-cmd --zone=public --list-all

# Bind interface eth0 to the public zone permanently
firewall-cmd --zone=public --add-interface=eth0 --permanent

# Reload configuration (required after permanent changes)
firewall-cmd --reload

Remember: --permanent writes to the configuration file; without it the rule is temporary and disappears after reboot. After any permanent change, run --reload to apply.

3. Common configuration scenarios

Scenario 1 – Allow/Deny standard services

# Allow HTTP and SSH permanently
firewall-cmd --zone=public --add-service={http,ssh} --permanent

# Remove HTTP service (effectively deny it)
firewall-cmd --zone=public --remove-service=http --permanent

# List currently enabled services
firewall-cmd --list-services

Scenario 2 – Open custom ports

# Open a single port (8080/tcp) permanently
firewall-cmd --zone=public --add-port=8080/tcp --permanent

# Open a range of ports temporarily (useful for debugging)
firewall-cmd --zone=public --add-port=1000-2000/tcp

Scenario 3 – IP‑level access control

# Allow a single IP permanently
firewall-cmd --zone=public --add-source=192.168.1.100 --permanent

# Allow an entire subnet temporarily
firewall-cmd --zone=public --add-source=192.168.1.0/24

Note: --add-source only assigns the IP/subnet to the zone; you still need service or port rules to actually permit traffic.

ipset Integration – Managing Massive IP Lists

Why ipset?

Store thousands of IPs or networks in a single set; a single firewall rule can reference the set, drastically reducing rule count.

Kernel‑level hash matching provides performance far beyond linear rule traversal.

Installation and basic usage

# Install ipset
sudo yum install ipset -y

# Create a blacklist set for individual IPs
sudo ipset create blacklist hash:ip

# Add malicious IPs
sudo ipset add blacklist 10.0.0.7
sudo ipset add blacklist 192.168.5.55

# List set contents
ipset list blacklist

# Save configuration (prevents loss on reboot)
sudo ipset save > /etc/sysconfig/ipset

Set types:

hash:ip  – stores single IPv4 addresses (e.g., 192.168.1.10)
hash:net – stores network prefixes (e.g., 192.168.0.0/16)
Do not mix types; adding a net to hash:ip will fail.

Firewalld + ipset practical examples

Scenario 1 – Block all IPs in a blacklist

firewall-cmd --zone=public \
  --add-rich-rule='rule family="ipv4" source ipset="blacklist" reject' \
  --permanent
firewall-cmd --reload
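The following script is an added example (not the article's own code) that ties the set‑type rule above to Scenario 1: it sorts a block list into a hash:ip set and a hash:net set so the two types are never mixed, rejects malformed entries, and prints the commands as a dry run instead of executing them. The set names (blacklist_ip, blacklist_net) and the zone are assumptions; it also defines the sets through firewall-cmd's own --new-ipset/--add-entry rather than the ipset tool, because a rich rule's source ipset= must name a set that firewalld itself manages.

```shell
# Added example, not code from the article. Sort a block list into a hash:ip and a
# hash:net set (never mixing types) and print the firewall-cmd commands as a dry run.
# Set names (<base>_ip, <base>_net) and the zone are assumptions; adjust to your host.
set -euf
# Print "ip", "net" or "invalid" for one IPv4 address or CIDR prefix.
classify_entry() {
  local entry="$1" addr prefix=none octet oldifs="$IFS"
  addr="${entry%%/*}"
  case "$entry" in */*) prefix="${entry#*/}" ;; esac
  IFS=.; set -- $addr; IFS="$oldifs"             # split on dots (-f keeps globs off)
  [ $# -eq 4 ] || { echo invalid; return; }       # exactly four octets
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) echo invalid; return ;; esac
    [ "$octet" -le 255 ] || { echo invalid; return; }
  done
  [ "$prefix" != none ] || { echo ip; return; }   # bare address -> hash:ip
  case "$prefix" in ''|*[!0-9]*) echo invalid; return ;; esac
  if [ "$prefix" -le 32 ]; then echo net; else echo invalid; fi   # /0../32 -> hash:net
}
# One rich rule per set, in the form Scenario 1 uses for its blacklist.
reject_rule() { printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source ipset=\"%s\" reject'\n" "$2" "$1"; }
# Read entries from stdin (one per line; '#' comments and blank lines ignored) and
# print the commands; sets are defined via firewall-cmd so firewalld knows them by name.
emit_commands() {
  local base="$1" zone="$2" entry kind have_ip=0 have_net=0
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry="${entry%%#*}"; set -- $entry; entry="${1:-}"   # strip comment and spaces
    [ -n "$entry" ] || continue
    kind=$(classify_entry "$entry")
    case "$kind" in
      ip)  [ "$have_ip" -eq 1 ] || { have_ip=1; echo "firewall-cmd --permanent --new-ipset=${base}_ip --type=hash:ip"; }
           echo "firewall-cmd --permanent --ipset=${base}_ip --add-entry=$entry" ;;
      net) [ "$have_net" -eq 1 ] || { have_net=1; echo "firewall-cmd --permanent --new-ipset=${base}_net --type=hash:net"; }
           echo "firewall-cmd --permanent --ipset=${base}_net --add-entry=$entry" ;;
      *)   echo "# skipped invalid entry: $entry" ;;
    esac
  done
  [ "$have_ip" -eq 0 ] || reject_rule "${base}_ip" "$zone"
  [ "$have_net" -eq 0 ] || reject_rule "${base}_net" "$zone"
  echo "firewall-cmd --reload"
}
# Constructed sample list (not real threat data); pipe the output to sh on a real host.
emit_commands blacklist public <<'EOF'
10.0.0.7              # single host -> hash:ip
192.168.0.0/16        # network -> hash:net
10.0.0.0/40           # bad prefix, skipped
EOF
```

Sets created this way with --permanent are stored in firewalld's own configuration and survive both --reload and reboot, so the ipset save/restore step below applies only to sets created with the ipset tool.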

Scenario 2 – Whitelist only specific IPs for SSH

# 1. Create whitelist set
ipset create whitelist hash:ip
ipset add whitelist 192.168.1.200
ipset add whitelist 203.0.113.10

# 2. Remove default SSH service rule (avoid bypassing whitelist)
firewall-cmd --zone=public --remove-service=ssh --permanent

# 3. Allow only whitelist IPs to reach port 22
firewall-cmd --zone=public \
  --add-rich-rule='rule family="ipv4" source ipset="whitelist" port port="22" protocol="tcp" accept' \
  --permanent
firewall-cmd --reload

Pitfalls & Best Practices

Always use --permanent together with --reload; otherwise rules vanish after reboot.

Choose the correct ipset type: hash:ip for single IPs, hash:net for networks.

Rule order matters: Firewalld matches rules in the order they are added; place reject rules before accept rules.

ipset does not persist automatically; save it (e.g., ipset save > /etc/sysconfig/ipset) and restore on boot via /etc/rc.d/rc.local or a systemd service.

Separate networks into zones (e.g., public for internet‑facing, internal or trusted for LAN) and bind interfaces accordingly.

Prefer service names (--add-service=http) over raw ports for clarity and future compatibility.

Regularly back up configurations:

firewall-cmd --list-all-zones > ~/firewalld-backup.txt
ipset save > ~/ipset-backup.txt

Ensuring ipset Loads on Boot

# Contents of /etc/rc.d/rc.local
#!/bin/bash
ipset restore < /etc/sysconfig/ipset

# Make the script executable and enable the rc-local service
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local

On CentOS 8+ the rc-local service is disabled by default; the above steps re‑enable it.

Three‑Step Implementation Checklist

Basic setup – install Firewalld, set the default zone, open required services/ports.

Bulk IP management – create ipset sets, add IPs, link sets to Firewalld rich rules.

Stability – use permanent rules, reload, back up configs, and ensure ipset loads on boot.
