Sun. Dec 10th, 2023

Key Takeaways

  • Firewalld is a modern and powerful firewall for Linux that is easy to configure through the command line or GUI interface.
  • Firewalls are important for limiting and controlling network connections to your computer to enhance security.
  • Firewalld uses zones to organize firewall rules and allows for fine-tuning and customization based on different security needs.

If you’re looking for a modern, powerful firewall for Linux that is easy to configure on the command line or with its GUI interface, then firewalld is probably what you’re looking for.

This Cybersecurity Awareness Week article is brought to you in association with Incogni.

Why Do You Need a Firewall?

Network connections have an origin and a destination. Software at the origin requests the connection, and software at the destination accepts or rejects it. If it is accepted, packets of data — generically called network traffic — can pass in both directions over the connection. That’s true for whether you’re sharing across the room in your own home, remotely connecting to work from your home office, or using a distant, cloud-based resource.

Good security practice says you should limit and control the connections to your computer. This is what firewalls do. They filter network traffic by IP address, port, or protocol, and reject connections that do not meet a predefined set of criteria — the firewall rules — that you have configured. They’re like security personnel at an exclusive event. If your name’s not on the list, you’re not getting inside.

Of course, you don’t want your firewall rules to be so restrictive that your normal activities are curtailed. The simpler it is to configure your firewall the less chance you have of inadvertently setting up conflicting or draconian rules. We often hear from users who say they don’t use a firewall because it is too complicated to understand, or the command syntax is too opaque.

The firewalld firewall is powerful yet simple to set up, both on the command line and through its dedicated GUI application. Under the hood, Linux firewalls rely on netfilter, the kernel-side network filtering framework. Out here in user-land, we have a choice of tools to interact with netfilter , such as iptables, ufw the uncomplicated firewall, and firewalld.

In our opinion, firewalld offers the best balance of functionality, granularity, and simplicity.

Installing firewalld

There are two parts to firewalld . There’s firewalld , the daemon process that provides the firewall functionality, and there’s firewall-config. This is the optional GUI for firewalld. Note that there’s no “d” in firewall-config.

Installing firewalld on Ubuntu, Fedora, and Manjaro is straightforward in all cases, although they each have their own take on what is pre-installed and what is bundled.

To install on Ubuntu, we need to install firewalld and firewall-config.

sudo apt install firewalld

Installing firewalld on Ubuntu

sudo apt install firewall-config

Installing firewall-config on Ubuntu

On Fedora, firewalld is already installed. We just need to add firewall-config .

sudo dnf install firewall-config

Installing firewall-config on Fedora

On Manjaro, neither component is pre-installed, but they’re bundled into a single package so we can install them both with a single command.

sudo pacman -Sy firewalld

Installing firewalld and firewall-config with one command on Manjaro

We need to enable the firewalld daemon to permit it to run each time the computer boots up.

sudo systemctl enable firewalld

Enabling firewalld to auto-start on boot

And we need to start the daemon so that it is running now.

sudo systemctl start firewalld

Starting the firewalld daemon

We can use systemctl to check that firewalld has started and is running without issues:

sudo systemctl status firewalld

Checking the status of firewalld with systemctl

We can also use firewalld to check whether it is running. This uses the firewall-cmd command with the --state option. Note there’s no “d” in firewall-cmd :

sudo firewall-cmd --state

Checking the status of firewalld with the firewall-cmd command

Now we’ve got the firewall installed and running, we can move on to configuring it.

The Concept of Zones

The firewalld firewall is based around zones. Zones are collections of firewall rules and an associated network connection. This lets you tailor different zones — and a different set of security limitations — that you can operate under. For example, you might have a zone defined for regular, everyday running, another zone for more secure running, and a “nothing in, nothing out” complete lockdown zone.

To move from one zone into another, and effectively from one level of security to another, you move your network connection from the zone it is in, to the zone that you wish to run under.

This makes it very fast to move one from one defined set of firewall rules to another. Another way to use zones would be to have your laptop use one zone when you are home and another when you are out and using public Wi-Fi.

firewalld comes with nine pre-configured zones. These can be edited and more zones added or removed.

  • drop: All incoming packets are dropped. Outgoing traffic is allowed. This is the most paranoid setting.
  • block: All incoming packets are dropped and an icmp-host-prohibited message is sent to the originator. Outgoing traffic is allowed.
  • trusted: All network connections are accepted and other systems are trusted. This is the most trusting setting and should be restricted to very safe environments like captive test networks or your home.
  • public: This zone is for use on public or other networks where none of the other computers can be trusted. A small selection of common and usually safe connection requests are accepted.
  • external: This zone is for use on external networks with NAT masquerading (port forwarding) enabled. Your firewall acts as a router forwarding traffic to your private network which remains reachable, but still private.
  • internal: This zone is intended to be used on internal networks when your system acts as a gateway or router. Other systems on this network are generally trusted.
  • dmz: This zone is for computers located in the “demilitarized zone” outside of your perimeter defenses and with limited access back into your network.
  • work: This zone is for work machines. Other computers on this network are generally trusted.
  • home: This zone is for home machines. Other computers on this network are generally trusted.

The home, work, and internal zones are very similar in function, but separating them out into different zones allows you to fine-tune a zone to your liking, encapsulating one set of rules for a particular scenario.

A good starting point is to find out what the default zone is. This is the zone that your network interfaces are added to when firewalld is installed.

sudo firewall-cmd --get-default-zone

Finding the default firewalld zone

Our default zone is the public zone. To see the configuration details of a zone, use the --list-all option. This lists anything that has been added or enabled for a zone.

sudo firewall-cmd --zone=public --list-all

Listing the details of the public zone

We can see that this zone is associated with network connection enp0s3, and is allowing traffic related to DHCP, mDNS, and SSH. Because at least one interface has been added to this zone, this zone is active.

firewalld allows you to add services that you’d like to accept traffic from to a zone. That zone then allows that type of traffic through. This is easier than remembering that mDNS, for example, uses port 5353 and the UDP protocol, and manually adding those details to the zone. Although you can do that too.

If we run the previous command on a laptop with an ethernet connection and a Wi-Fi card, we’ll see something similar, but with two interfaces.

sudo firewall-cmd --zone=public --list-all

A zone with two interfaces in it

Both of our network interfaces have been added to the default zone. The zone has rules for the same three services as the first example, but DHCP and SSH have been added as named services, while mDNS has been added as a port and protocol pairing.

To list all zones use the --get-zones option.

sudo firewall-cmd --get-zones

Listing all the firewalld zones

To see the configuration for all zones at once, use the --list-all-zones option. You’ll want to pipe this into less.

sudo firewall-cmd --list-all-zones | less

Listing the details of all zones

This is useful because you can scroll through the listing, or use the search facility to look for port numbers, protocols, and services.

The details of all zones displayed in in less

On our laptop, we’re going to move our Ethernet connection from the public zone to the home zone. We can do that with the --zone and --change-interface options.

sudo firewall-cmd --zone=home --change-interface=enp3s0

Adding a network interface to the home zone

Let’s take a look at the home zone, and see if our change has been made.

sudo firewall-cmd --zone=home --list-all

The home zone with a network interface added

And it has. Our Ethernet connection is added to the home zone.

However, this is not a permanent change. We’ve changed the running configuration of the firewall, not its stored configuration. If we reboot or use the --reload option, we’ll revert to our previous settings.

To make a change permanent, we need to use the aptly named --permanent option.

This means we can change the firewall for one-off requirements without altering the firewall’s stored configuration. We can also test changes before we send them to the configuration. To make our change permanent, the format we should use is:

sudo firewall-cmd --zone=home --change-interface=enp3s0 --permanent

If you make some changes but forget to use --permanent on some of them, you can write the settings of the current running session of the firewall to the configuration using the --runtime-to-permanent option.

sudo firewall-cmd --runtime-to-permanent

Reloading the firewall configuration

Adding and Removing Services

firewalld knows about a lot of services. You can list them using the --get-services option.

sudo firewall-cmd --get-services

Listing the services firewalld can reference by name

Our version of firewalld listed 192 services. To enable a service in a zone, use the --add-service option.

List of recognised services

We can add a service to a zone using the --add-service option.

sudo firewall-cmd --zone=public --add-service=http

Adding the HTTP service to a zone

The name of the service must match its entry in the list of services from firewalld.

To remove a service replace --add-service with --remove-service

Adding and Removing Ports and Protocols

If you prefer to choose which ports and protocols are added, you can do that too. You’ll need to know the port number and the protocol for the type of traffic you’re adding.

Let’s add HTTPS traffic to the public zone. That uses port 443 and is a form of TCP traffic.

sudo firewall-cmd --zone=public --add-port=443/tcp

Adding a port and protocol pairing to a zone

You could supply a range of ports by providing the first and last ports with a hyphen “-” between them, like “400-450.”

To remove a port replace --add-port with --remove-port .

Using the GUI

Press your “Super” key and start to type “firewall.” You’ll see the brick wall icon for the firewall-config application.

The firewall-config icon

Click that icon to launch the application.

To add a service to firewalld using the GUI is as easy as selecting a zone from the list of zones and selecting the service from the list of services.

You can choose to modify the running session or the permanent configuration by selecting “Runtime” or “Permanent” from the “Configuration” dropdown menu.

The configuration dropdown menu

To make changes to the running session and only commit the changes once you’ve tested they work, set the “Configuration” menu to “Runtime.” Make your changes. Once you’re happy they’re doing what you want, use the Options > Runtime to Permanent menu option.

To add a port and protocol entry to a zone, select the zone from the zone list, and click on “Ports.” Clicking the add button lets you provide the port number and pick the protocol from a menu.

Adding a port and procol pairing using the firewall-config GUI

To add a protocol, click on “Protocols”, click the “Add” button, and select the protocol from the pop-up menu.

A protocol in the public zone, in the firewall-config GUI

To move an interface from one zone to another, double-click the interface in the “Connections” list, then select the zone from the pop-up menu.

Moving a network interface fromone zone to another in the firewall-config GUI

The Tip of the Iceberg

There’s a lot more you can do with firewalld, but this is enough to get you up and running. With the information we’ve given you, you’ll be able to create meaningful rules in your zones.

Source link

By John P.

Leave a Reply

Your email address will not be published. Required fields are marked *