If you’re looking for a modern, powerful firewall for Linux that can be easily configured via the command line or GUI, then firewalld is probably what you are looking for.
The need for firewalls
Network connections have an origin and a destination. The software at the origin requests the connection and the software at the destination accepts or rejects it. If received, packets of data—generally called network traffic—can pass through the connection in both directions. This is true whether you’re sharing across a room in your home, connecting remotely to work from your home office, or using a remote cloud resource.
Good security practice says you should limit and control connections to your computer. That’s what firewalls do. They filter network traffic by IP address, port or protocol and reject connections that do not meet a pre-defined set of criteria – firewall rules– that you have configured. They are like security personnel at an exclusive event. If your name is not on the list, you will not get in.
Of course, you don’t want your firewall rules to be so restrictive that your normal activities are restricted. The simpler the firewall configuration, the less chance you’ll inadvertently set conflicting or draconian rules. We often hear from users who say they don’t use a firewall because it’s too complicated to understand or the command syntax is too opaque.
firewalld is powerful yet easy to configure, both at the command line and through a dedicated GUI application. Under the hood, Linux firewalls rely on netfilter, a kernel-side network filtering framework. Here in userland we have a choice of tools to work with netfilter, such as ufw (the uncomplicated firewall) and firewalld. In our opinion, firewalld offers the best balance between functionality, granularity and simplicity.
Installing a firewall
There are two parts to firewalld. There is firewalld, the daemon process that provides the firewall functionality, and there is firewall-config, an optional GUI for firewalld. Notice there is no “d” on the end of firewall-config.
Installing firewalld on Ubuntu, Fedora, and Manjaro is straightforward in all cases, though each has its own take on what’s preinstalled and what’s bundled.
On Ubuntu we need to install both components:
sudo apt install firewalld
sudo apt install firewall-config
On Fedora, firewalld is already installed. We just have to add firewall-config:
sudo dnf install firewall-config
Neither component is pre-installed on Manjaro, but they are bundled into one package, so we can install both with a single command:
sudo pacman -Sy firewalld
We have to enable the firewalld daemon so that it starts every time the computer boots:
sudo systemctl enable firewalld
And we need to start the daemon so that it is running now:
sudo systemctl start firewalld
We can use systemctl to check that firewalld came up and is running without any problems:
sudo systemctl status firewalld
We can also use firewalld itself to check whether it is running. This uses the firewall-cmd command with the --state option. Notice there is no “d” in firewall-cmd.
sudo firewall-cmd --state
Now that we have the firewall installed and running, we can move on to configuring it.
Concept of zones
firewalld is based around zones. Zones are collections of firewall rules and associated network connections. This lets you define different zones – each with a different set of security restrictions – under which you can operate. For example, you can have a zone defined for regular daily use, another zone for safer operation, and a complete “no-in, no-out” lockdown zone.
To move from one zone to another, and effectively from one security level to another, you move your network connection from the zone it is in to the zone you want to operate under.
This makes it very quick to move from one defined set of firewall rules to another. Another way to use zones would be for your laptop to use one zone when you’re at home and another when you’re out and about on public Wi-Fi.
firewalld comes with nine pre-configured zones. These can be edited, and additional zones can be added or removed.
- drop: All incoming packets are dropped. Outgoing traffic is allowed. This is the most paranoid setting.
- block: All incoming packets are dropped and an icmp-host-prohibited message is sent to the originator. Outgoing traffic is allowed.
- trusted: All network connections are accepted and other systems are trusted. This is the most trusting setting and should be limited to very secure environments such as test networks or your home.
- public: This zone is intended for use on public or other networks where no other computer can be trusted. A small selection of common and usually safe connection requests are accepted.
- external: This zone is for use on external networks with NAT (port forwarding) masquerading enabled. Your firewall acts as a router redirecting traffic to your private network, which remains reachable but still private.
- internal: This zone is intended for use on internal networks when your system is acting as a gateway or router. Other systems on this network are generally trusted.
- dmz: This zone is for computers located in a “demilitarized zone” outside your perimeter defenses and with limited access back to your network.
- work: This zone is for work machines. Other computers on this network are generally trusted.
- home: This zone is for home machines. Other computers on this network are generally trusted.
The home, work and internal zones have very similar functions, but splitting them into different zones allows you to fine-tune each one to your liking and encapsulate one set of rules for a specific scenario.
A good starting point is to find out what the default zone is. This is the zone your network interfaces are added to when firewalld is installed.
sudo firewall-cmd --get-default-zone
Our default zone is the public zone. To view the configuration details of a zone, use the --list-all option. This lists everything that has been added or enabled for the zone.
sudo firewall-cmd --zone=public --list-all
We can see that this zone is associated with the enp0s3 network connection and allows DHCP, mDNS and SSH related traffic. Because at least one interface has been added to this zone, this zone is active.
firewalld allows you to add services from which you want to receive traffic to the zone. This zone then allows the passage of this type of traffic. It’s easier than remembering that, for example, mDNS uses port 5353 and the UDP protocol, and manually adding those details to the zone. Although you can do that too.
If we run the previous command on a laptop with an Ethernet connection and a Wi-Fi card, we will see something similar, but with two interfaces.
sudo firewall-cmd --zone=public --list-all
Both of our network interfaces have been added to the default zone. The zone has rules for the same three services as in the first example, but DHCP and SSH have been added as named services, while mDNS has been added as a port and protocol pairing.
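As an added example (not code from the article), this Python script parses the kind of --list-all output discussed above and works out which firewall-cmd calls would bring a zone back to an expected baseline. The sample output is constructed, and the service and port allowlists are assumptions for the example.

```python
"""Audit a firewalld zone dump and derive the firewall-cmd calls that
restore an expected baseline. Example code; assumptions are noted inline."""

# Constructed sample of `sudo firewall-cmd --zone=public --list-all` output.
# The layout follows what firewalld prints; the values are invented.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 wlp2s0
  sources:
  services: dhcpv6-client mdns ssh http
  ports: 5353/udp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

def parse_list_all(text):
    """Return (zone_name, is_active, fields) from --list-all output.
    Every field becomes a list of whitespace-separated tokens; lines
    without a colon (e.g. rich-rule continuation lines) are skipped."""
    lines = text.splitlines()
    header = lines[0].strip()
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key] = value.split()
    return header.split()[0], header.endswith("(active)"), fields

def baseline_commands(zone, fields, allowed_services, allowed_ports):
    """Emit firewall-cmd calls that remove anything the zone exposes beyond
    the baseline and add anything the baseline needs that is missing.
    Each call carries --permanent so it survives --reload and reboots;
    run `firewall-cmd --reload` afterwards to apply it to the running config."""
    cmds = []
    have_services, have_ports = set(fields.get("services", [])), set(fields.get("ports", []))
    for svc in sorted(have_services - set(allowed_services)):
        cmds.append(f"firewall-cmd --zone={zone} --remove-service={svc} --permanent")
    for svc in sorted(set(allowed_services) - have_services):
        cmds.append(f"firewall-cmd --zone={zone} --add-service={svc} --permanent")
    for port in sorted(have_ports - set(allowed_ports)):
        cmds.append(f"firewall-cmd --zone={zone} --remove-port={port} --permanent")
    for port in sorted(set(allowed_ports) - have_ports):
        cmds.append(f"firewall-cmd --zone={zone} --add-port={port} --permanent")
    return cmds

if __name__ == "__main__":
    zone, active, fields = parse_list_all(SAMPLE_LIST_ALL)
    # Assumed baseline: only the three services from the article plus mDNS as a port.
    for cmd in baseline_commands(zone, fields, ["dhcpv6-client", "mdns", "ssh"], ["5353/udp"]):
        print(cmd)
```

The script only prints the commands; review them before running them with sudo, since removing a service such as ssh from the zone your management interface sits in locks you out.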
To display all zones, use the --get-zones option:
sudo firewall-cmd --get-zones
To view the configuration for all zones at once, use the --list-all-zones option. You’ll want to pipe it into less:
sudo firewall-cmd --list-all-zones | less
This is useful because you can scroll through the list or use the search facility to find port numbers, protocols, and services.
On our laptop, we’ll move our Ethernet connection from the public zone to the home zone. We can do that with the --change-interface option:
sudo firewall-cmd --zone=home --change-interface=enp3s0
Let’s take a look at the home zone and see if our change has taken place.
sudo firewall-cmd --zone=home --list-all
And it has. Our Ethernet connection has been added to the home zone.
However, this is not a permanent change. We changed the running firewall configuration, not its stored configuration. If we reboot or use the --reload option, we will revert to the previous setting.
To make the change permanent, we need to use the aptly named --permanent option. This means we can change the firewall for one-off requirements without changing the saved firewall configuration. We can also test changes before committing them to the configuration. To make our change permanent, we use this format:
sudo firewall-cmd --zone=home --change-interface=enp3s0 --permanent
If you make some changes but forget to use --permanent on some of them, you can write the settings of the currently running firewall session to the saved configuration using the --runtime-to-permanent option:
sudo firewall-cmd --runtime-to-permanent
Adding and removing services
firewalld knows about many services. You can list them using the --get-services option:
sudo firewall-cmd --get-services
firewalld listed 192 services. To enable a service in a zone, use the --add-service option. For example, to add HTTP traffic to the public zone:
sudo firewall-cmd --zone=public --add-service=http
The name of the service must match its entry in the list of services from --get-services.
To remove a service, replace --add-service with --remove-service.
Adding and removing ports and protocols
If you prefer to choose which ports and protocols are added, you can do that as well. You will need to know the port number and protocol for the type of traffic you are adding.
Let’s add HTTPS traffic to the public zone. This uses port 443 and is a form of TCP traffic.
sudo firewall-cmd --zone=public --add-port=443/tcp
You can add a range of ports by writing the first and last ports with a “-” between them, for example “400-450”.
To remove a port, replace --add-port with --remove-port.
Using the GUI
Press the “Super” key and start typing “firewall”. You will see a brick wall icon for firewall-config. Click the icon to launch the application.
Adding a service to a firewalld zone using the GUI is as easy as selecting a zone from the zone list and ticking a service in the service list.
You can modify the running session or permanent configuration by selecting “Runtime” or “Permanent” from the “Configuration” drop-down menu.
If you want to make changes in the running session and only commit them once you have tested that they work, set the “Configuration” menu to “Runtime”. Make your changes. Once you’re satisfied that they do what you want, use the Options > Runtime to Permanent menu option.
To add a port entry to a zone, select the zone from the zone list and click “Ports”. Click the “Add” button to enter a port number and select a protocol from the menu.
To add a protocol, click on “Protocols”, click the “Add” button and select a protocol from the drop-down menu.
To move an interface from one zone to another, double-click the interface in the “Connections” list, then select a zone from the drop-down menu.
The tip of the iceberg
There is so much more you can do with firewalld, but that’s enough to get you up and running. With the information we have provided you will be able to create meaningful rules in your zones.