Now that we have covered iptables and UFW, let’s dive into firewalld.
📚 Table of Contents
- What is firewalld?
- Why use firewalld over iptables or UFW?
- firewalld Zones Explained
- Permanent vs Runtime Rules
- Basic Commands: firewall-cmd Usage
- Allowing and Blocking Services and Ports
- Using Rich Rules
- Masquerading and Port Forwarding
- Using Firewall Zones with Interfaces
- Reloading, Saving, and Viewing Configurations
- firewalld Logging
- Conclusion
1. What is firewalld?
firewalld is a dynamic firewall daemon that manages rules using zones and services instead of raw chains and rules like iptables.
- Uses iptables or nftables in the backend.
- Dynamic – applies rules without restarting services or flushing the entire firewall.
- Works with zones, which are collections of rules.
firewall-cmd is the command-line frontend to interact with firewalld.
2. Why Use firewalld Over iptables or UFW?
Feature | iptables | ufw | firewalld |
---|---|---|---|
Dynamic rules | ❌ Flushes rules | ❌ Flushes rules | ✅ No reset required |
Zone-based | ❌ Manual management | ❌ Basic grouping | ✅ Zone architecture |
CLI ease-of-use | ⚠️ Complex syntax | ✅ Simple | ✅ Moderate + powerful |
Service awareness | ❌ Ports only | ✅ Supports services | ✅ Extensive service config |
3. firewalld Zones Explained
Zones define levels of trust for network connections.
Common Zones:
Zone | Description |
---|---|
drop | All incoming connections dropped |
block | All incoming rejected with icmp-host-prohibited |
public | For untrusted networks |
external | For NAT/firewall gateway |
dmz | Isolated computers |
work | Internal work environment |
home | Trusted home environment |
trusted | All network connections are accepted |
View active zone:
firewall-cmd --get-active-zones
4. Permanent vs Runtime Rules
- Runtime rules: Lost after reboot
- Permanent rules: Persist across reboots
Use the --permanent flag for permanent rules.
Example:
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
5. Basic Commands: firewall-cmd Usage
Check service status:
sudo firewall-cmd --state
List all zones:
sudo firewall-cmd --get-zones
Get default zone:
sudo firewall-cmd --get-default-zone
Set default zone:
sudo firewall-cmd --set-default-zone=home
6. Allowing and Blocking Services and Ports
Allow SSH service:
sudo firewall-cmd --zone=public --add-service=ssh
Allow HTTP port:
sudo firewall-cmd --zone=public --add-port=80/tcp
Remove service/port:
sudo firewall-cmd --zone=public --remove-service=ssh
sudo firewall-cmd --zone=public --remove-port=80/tcp
Make permanent:
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --reload
7. Using Rich Rules
Rich rules provide fine-grained control, such as logging, source IP filtering, or interface matching.
Example: Block an IP
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=203.0.113.5 reject'
Example: Allow from specific subnet to a port
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=22 protocol=tcp accept'
Enable logging:
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=203.0.113.10 log prefix="FW-LOG " level=info accept'
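Every command in sections 4, 6 and 7 changes either the running firewall or the saved configuration, and forgetting one half is a common source of surprises: a runtime-only rule disappears at the next --reload, and a --permanent rule does nothing until one. The POSIX shell helper below is an added example, not code from the original article: fw_apply adds the same change to both views of a zone, and fw_drift reports where the two disagree. The function names and the FWCMD variable are my own; the firewall-cmd options it calls (--zone, --permanent, --list-services, --list-ports, --list-rich-rules, --list-forward-ports, --runtime-to-permanent) are real.

```shell
#!/bin/sh
# Added example (not from the original article): keep runtime and permanent
# firewalld configuration in step. fw_run/fw_apply/fw_drift and the FWCMD
# variable are invented here; the firewall-cmd options are real.

FWCMD="${FWCMD:-firewall-cmd}"   # command to invoke; a test can point this at a stub

# fw_run ARGS...: invoke firewall-cmd (or whatever FWCMD names) with ARGS.
fw_run() {
    "$FWCMD" "$@"
}

# fw_apply ZONE CHANGE...: apply CHANGE (e.g. --add-service=http or
# --add-rich-rule='...') to ZONE twice: once for the running firewall, so it
# takes effect now, and once with --permanent, so it survives reboot and
# --reload. Either call alone leaves the two configurations out of step.
fw_apply() {
    zone="$1"; shift
    fw_run --zone="$zone" "$@" || return 1
    fw_run --permanent --zone="$zone" "$@"
}

# fw_drift ZONE: compare the runtime and permanent lists of services, ports,
# rich rules and forward ports for ZONE. Prints each list that differs and
# returns 1 if any did, 0 if the two views match.
fw_drift() {
    zone="$1"; rc=0
    for what in services ports rich-rules forward-ports; do
        run=$(fw_run --zone="$zone" --list-"$what")
        perm=$(fw_run --permanent --zone="$zone" --list-"$what")
        if [ "$run" != "$perm" ]; then
            printf 'drift in %s %s\n  runtime:   [%s]\n  permanent: [%s]\n' \
                "$zone" "$what" "$run" "$perm"
            rc=1
        fi
    done
    return "$rc"
}

# Typical use on a real host (commented out so the file can be sourced):
#   fw_apply public --add-service=http
#   fw_apply public --add-rich-rule='rule family=ipv4 source address=203.0.113.5 reject'
#   fw_drift public || fw_run --runtime-to-permanent   # keep the live state
```

A rule added with --permanent alone is invisible to firewall-cmd --list-all until --reload, and --reload in turn discards runtime-only changes; fw_drift makes that gap visible before a reload surprises you. When the live state is the one you want to keep, firewall-cmd --runtime-to-permanent saves it.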
8. Masquerading and Port Forwarding
Enable NAT Masquerade:
sudo firewall-cmd --zone=external --add-masquerade
Port Forwarding Example:
Forward external port 8080 to internal 80:
sudo firewall-cmd --permanent --add-forward-port=port=8080:proto=tcp:toport=80
With an internal destination IP (forward to another host):
sudo firewall-cmd --permanent --add-forward-port=port=8080:proto=tcp:toaddr=192.168.1.10:toport=80
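Port forwarding is where an incomplete set of commands silently does nothing: forwarding to another host (toaddr=) also needs masquerading enabled on the zone, as the firewall-cmd man page notes, and a mistyped port or protocol is only rejected at apply time. The POSIX shell function below is an added example, not part of the original article: it validates its inputs, enables masquerading when a destination address is given, and applies the forward both at runtime and permanently. fw_forward, the valid_* helpers and the FWCMD variable are my own; the firewall-cmd options are real.

```shell
#!/bin/sh
# Added example (not from the original article): validated port-forwarding
# setup with firewall-cmd. fw_forward/valid_port/valid_proto/valid_ipv4 and
# the FWCMD variable are invented here; the firewall-cmd options are real.

FWCMD="${FWCMD:-firewall-cmd}"   # command to invoke; a test can point this at a stub

# valid_port N: true if N is an integer in 1..65535 (single ports only here;
# firewalld also accepts ranges such as 8080-8090).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_proto P: protocols firewalld accepts for forward-ports.
valid_proto() {
    case "$1" in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# valid_ipv4 A: dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# fw_apply ZONE CHANGE...: apply CHANGE to the running firewall and to the
# permanent configuration, so it is live now and survives reboot/--reload.
fw_apply() {
    zone="$1"; shift
    "$FWCMD" --zone="$zone" "$@" || return 1
    "$FWCMD" --permanent --zone="$zone" "$@"
}

# fw_forward ZONE PORT PROTO TOPORT [TOADDR]: forward PORT/PROTO arriving on
# ZONE to TOPORT, on this host or, if TOADDR is given, on another host.
# Forwarding to another host needs masquerading on the zone, so that is
# enabled first. Returns 1 without touching the firewall on bad input.
fw_forward() {
    zone="$1" port="$2" proto="$3" toport="$4" toaddr="${5:-}"
    valid_port "$port"   || { echo "bad external port: $port" >&2; return 1; }
    valid_proto "$proto" || { echo "bad protocol: $proto" >&2; return 1; }
    valid_port "$toport" || { echo "bad target port: $toport" >&2; return 1; }
    spec="port=${port}:proto=${proto}:toport=${toport}"
    if [ -n "$toaddr" ]; then
        valid_ipv4 "$toaddr" || { echo "bad target address: $toaddr" >&2; return 1; }
        spec="${spec}:toaddr=${toaddr}"
        fw_apply "$zone" --add-masquerade || return 1
    fi
    fw_apply "$zone" --add-forward-port="$spec"
}

# Typical use on a gateway (commented out so the file can be sourced):
#   fw_forward external 8080 tcp 80                 # to this host
#   fw_forward external 8080 tcp 80 192.168.1.10    # to an internal host
```

The validation runs before anything is changed, so a bad argument leaves the firewall untouched rather than half-configured; firewall-cmd --zone=external --list-forward-ports afterwards shows exactly the spec string that was applied.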
9. Using Firewall Zones with Interfaces
Assign an interface to a zone:
sudo firewall-cmd --zone=home --change-interface=eth0
Make it permanent:
sudo firewall-cmd --permanent --zone=home --add-interface=eth0
10. Reloading, Saving, and Viewing Configurations
Reload configuration:
sudo firewall-cmd --reload
View zone config:
sudo firewall-cmd --zone=public --list-all
List services and ports:
sudo firewall-cmd --list-services
sudo firewall-cmd --list-ports
11. firewalld Logging
Enable logging for specific traffic with a rich rule (as shown above), or have firewalld log every denied packet by setting LogDenied in its configuration:
Edit /etc/firewalld/firewalld.conf:
LogDenied=all # other options: off, unicast, broadcast, multicast
Restart the service:
sudo systemctl restart firewalld
Denied-packet entries are written by the kernel and appear in /var/log/messages (or via journalctl -k); /var/log/firewalld holds the daemon's own log rather than packet logs.
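Turning LogDenied on is only useful if someone reads the result. The kernel writes these lines in the netfilter LOG format: a prefix such as FINAL_REJECT: (or the prefix from a rich rule) followed by IN=, SRC=, DST=, PROTO= and DPT= fields. The POSIX shell functions below are an added example, not from the original article: fw_log_summary tallies log lines by source, protocol and destination port, and fw_log_noisy_sources lists sources whose denied packets reach a threshold. The sample log lines are constructed for this example from documentation address ranges; the function names and the threshold are my own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise firewalld/netfilter
# LOG lines from the kernel log. Function names are invented here; the line
# format follows the netfilter LOG target (SRC=, DST=, PROTO=, DPT= ...).

# fw_log_summary: read kernel log lines on stdin, print "COUNT SRC PROTO DPT"
# for every (source, protocol, destination port) seen, most frequent first.
# Lines without "kernel:" and "SRC=" (non-firewall messages) are ignored.
fw_log_summary() {
    awk '
    /kernel:/ && /SRC=/ {
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "" && proto != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -k1,1nr -k2,2
}

# fw_log_noisy_sources MIN: read kernel log lines on stdin and print
# "COUNT SRC" for sources with at least MIN denied packets. Only lines whose
# prefix says REJECT or DROP count; accepted-but-logged traffic (such as the
# FW-LOG rich rule above) is excluded.
fw_log_noisy_sources() {
    awk -v min="$1" '
    /kernel:/ && /SRC=/ && (/REJECT/ || /DROP/) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) count[substr($i, 5)]++
    }
    END { for (s in count) if (count[s] >= min) printf "%d %s\n", count[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in the format LogDenied (FINAL_REJECT:) and the FW-LOG
# rich rule from section 7 produce; addresses are documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
Jun  3 10:15:01 gw kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN
Jun  3 10:15:01 gw kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51235 DPT=22 SYN
Jun  3 10:15:02 gw kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51236 DPT=22 SYN
Jun  3 10:15:03 gw kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40001 DPT=3389 SYN
Jun  3 10:15:04 gw kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40002 DPT=3389 SYN
Jun  3 10:15:05 gw kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=61 PROTO=ICMP TYPE=8 CODE=0
Jun  3 10:15:06 gw kernel: FW-LOG IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=44444 DPT=80 SYN
Jun  3 10:15:07 gw sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2
EOF
)

# Demo against the sample; on a real host feed the kernel log instead:
#   journalctl -k | fw_log_summary
#   journalctl -k | fw_log_noisy_sources 50
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

Run against the sample, the summary puts 203.0.113.5 probing port 22 at the top, while the FW-LOG line (an accepted connection that was merely logged) shows up in the summary but not among the noisy sources, because its prefix names neither REJECT nor DROP. The same LogDenied setting can be changed without editing the file via firewall-cmd --set-log-denied=all, which applies immediately and is written to the configuration.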
12. Conclusion
firewalld with firewall-cmd provides a modern, flexible, and user-friendly way to manage Linux firewalls. With zone-based architecture and dynamic configuration, it fits well in both server and enterprise environments.
Key Takeaways:
✅ Zone-based security model
✅ Dynamic and persistent rule handling
✅ Support for NAT, port forwarding, and logging
✅ Rich rules offer granular control
Learning firewall-cmd equips you to manage security professionally on RHEL, CentOS, AlmaLinux, Fedora, and beyond.