Don't Fear the firewalld


Update: Somehow I forgot to mention a GUI for firewalld named firewall-config. Be sure to check that out if you prefer a GUI.

I have run across a few people who are perplexed by firewalld and I must admit that I was for a while until I did some reading and experimentation. What is firewalld? It is basically a replacement for the ancient iptables service on RHEL and Fedora systems. So many of us were just used to manually editing /etc/sysconfig/iptables and then copying that file from system to system as desired, that the switch to firewalld was a bit scary. I mean, who wants to learn something new, right?

Another thing that is scary about firewalld is the complexity of the rules it shows when you do something like: iptables -L

While the configuration, tools and output have dramatically changed... really firewalld makes things easier and more manageable. Really. One of the problems with Linux across distros is that there really hasn't been a standardized way to handle the host-based firewall. Each distro seems to have its own way of doing it... and popular packages like Shorewall have been around for years. I think firewalld tries for a happy medium somewhere between simple and complex and a standard that distros can choose to adopt.

Anyway, here are some basics (as root or via sudo) but if you want more be sure to check out the documentation:

Main documentation: www.firewalld.org/documentation/
Fedora Documentation: fedoraproject.org/wiki/FirewallD
RHEL Documentation: access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

firewall-cmd --list-all (shows human readable firewall settings)

firewall-cmd --add-service=ssh --permanent (opens up port 22, which is sshd, and saves to config; the firewalld service is named ssh, not sshd)
firewall-cmd --add-service=http --permanent (opens up port 80 which is http and saves to config)
firewall-cmd --add-service=https --permanent (opens up port 443 which is https and saves to config)
firewall-cmd --remove-service=https --permanent (closes port 443 and saves to config)

If you don't want your changes saved just leave off --permanent.

Want to open arbitrary ports for some service (like voxelands-server for example)? That is easy too:

firewall-cmd --add-port=30000/tcp --permanent

Want UDP? Ok:

firewall-cmd --add-port=30000/udp --permanent

After your changes it doesn't hurt to verify again with:

firewall-cmd --list-all

Want to manage firewalld via a config management system? There is a formula for SaltStack here and supposedly Ansible also supports firewalld.

Want to edit a file instead of running firewall-cmd? That's possible too. firewalld stores everything somewhere under /etc/firewalld/. In particular the changes listed above would get written to /etc/firewalld/zones/public.xml. Yeah, it's an "xml" file but make a change or two via firewall-cmd and see what it adds or removes from it and you'll see that it is very easy to monkey-see-monkey-do for those that want to edit the file directly. After updating or replacing any of firewalld's configuration files you want to make firewalld aware of the change with:

systemctl reload firewalld

If you are brave enough to manually edit the config just be aware that you are responsible for your typos.
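As an added example (not from the original post or the firewalld project), here is a small Python script that reads a zone file in the format described above and flags any service or port it opens that is not on an expected allowlist. The sample XML is constructed to mirror the changes made earlier in the post, and the allowlists are assumptions for the sake of the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on /etc/firewalld/zones/public.xml after the
# firewall-cmd --permanent changes above (https was removed again).
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port protocol="tcp" port="30000"/>
  <port protocol="udp" port="30000"/>
</zone>
"""

def parse_zone(xml_text):
    """Return the services and (port, protocol) pairs a zone file lets in.

    A typo in a hand-edited file raises ET.ParseError here, which is the
    same failure firewalld would hit on reload, so this doubles as a lint.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file: root element is <%s>" % root.tag)
    services = {s.get("name") for s in root.findall("service")}
    ports = {(p.get("port"), p.get("protocol")) for p in root.findall("port")}
    return {"services": services, "ports": ports}

def audit_zone(xml_text, allowed_services, allowed_ports):
    """Report anything the zone opens that is not in the expected allowlists.

    Returns strings like 'service:dhcpv6-client' or 'port:30000/udp' so the
    result can feed a config-management check or a monitoring alert. Note this
    audits the saved config only; --permanent changes reach the running
    firewall at the next reload, so compare with firewall-cmd --list-all too.
    """
    zone = parse_zone(xml_text)
    unexpected = {"service:%s" % s for s in zone["services"] - set(allowed_services)}
    unexpected |= {"port:%s/%s" % (port, proto)
                   for port, proto in zone["ports"] - set(allowed_ports)}
    return unexpected

if __name__ == "__main__":
    import sys
    # Real usage: python3 audit_zone.py /etc/firewalld/zones/public.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    for finding in sorted(audit_zone(text, {"ssh", "http"}, {("30000", "tcp")})):
        print("unexpected:", finding)
```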

I've only touched the tip of the iceberg for the most common stuff. Need more info? Yeah, there is a ton of documentation including a couple of man pages.