Firewall Configuration (firewalld)
Objective
Manage host firewall with firewalld using zones and services for a more structured approach than raw iptables.
Tools & Technologies
firewalld, firewall-cmd, zones, services, rich rules
Key Commands
firewall-cmd --list-all
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
firewall-cmd --get-active-zones
Architecture Overview
graph TD
subgraph firewalld Zones
TRUSTED[trusted\nAll accepted]
HOME[home\nSelected accepted]
PUBLIC[public\nSSH + DHCP]
WORK[work\nMore services]
DROP[drop\nAll rejected]
end
NIC1[eth0\nLAN] -->|assigned to| HOME
NIC2[eth1\nWAN] -->|assigned to| PUBLIC
style PUBLIC fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
style DROP fill:#1a1a2e,stroke:#ff4444,color:#ff4444
Step-by-Step Process
01
Zone Management
Assign interfaces to zones and configure allowed services.
# View zones and active interfaces
firewall-cmd --get-active-zones
firewall-cmd --list-all --zone=public
# Assign interface to zone
firewall-cmd --permanent --zone=public --change-interface=eth1
# Allow services
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --reload
02
Rich Rules
Write complex rules with source/destination matching.
# Allow from specific subnet
firewall-cmd --permanent --zone=public --add-rich-rule=\
'rule family=ipv4 source address=192.168.1.0/24 service name=ssh accept'
# Rate limit SSH
firewall-cmd --permanent --add-rich-rule=\
'rule service name=ssh limit value=3/m accept'
firewall-cmd --reload
Challenges & Solutions
- firewall-cmd --add-service only accepts names that have a service definition; the built-in ones live in /usr/lib/firewalld/services/
- Forgetting --permanent means the rule exists only at runtime and is lost on the next reload or restart
Key Takeaways
- --permanent without --reload changes only the saved configuration; the running firewall is unaffected until you reload
- Custom services: copy an existing .xml from /usr/lib/firewalld/services/ to /etc/firewalld/services/ and edit it there (definitions under /etc override the ones under /usr/lib)
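The two --permanent/--reload pitfalls above can be caught by comparing a zone's runtime and permanent dumps; the script below is an added example, not part of this project, and reports every entry that exists on only one side. The dumps it processes are constructed samples, and the function names expand_zone_dump and zone_drift are my own.

```shell
#!/bin/sh
# Report drift between a firewalld zone's runtime and permanent configuration:
# runtime-only entries lack --permanent; permanent-only entries need --reload.
export LC_ALL=C

# Expand a "firewall-cmd --list-all" dump into one "key=item" line per item
# (e.g. "services=ssh"); rich rules are emitted whole as "rich rules=rule ...".
expand_zone_dump() {
    printf '%s\n' "$1" | awk '
        /^[ \t]+[a-z][a-z -]*:/ {
            key = substr($0, 1, index($0, ":") - 1); gsub(/^[ \t]+/, "", key)
            rest = substr($0, index($0, ":") + 1)
            n = split(rest, vals, /[ \t]+/)
            for (i = 1; i <= n; i++) if (vals[i] != "") print key "=" vals[i]
            next
        }
        /^[ \t]+/ && key != "" { line = $0; gsub(/^[ \t]+/, "", line); print key "=" line }
    '
}

# Usage: zone_drift "<runtime dump>" "<permanent dump>"; prints one line per
# differing item and nothing when both configurations match.
zone_drift() {
    rt=$(mktemp) && pm=$(mktemp) || return 1
    expand_zone_dump "$1" | sort -u > "$rt"
    expand_zone_dump "$2" | sort -u > "$pm"
    comm -23 "$rt" "$pm" | sed 's/^/runtime-only (lost on reload): /'
    comm -13 "$rt" "$pm" | sed 's/^/permanent-only (needs --reload): /'
    rm -f "$rt" "$pm"
}

# Constructed sample dumps (not captured from a real host): http was added at
# runtime without --permanent, 8080/tcp with --permanent but no --reload yet.
RUNTIME_DUMP='public (active)
  target: default
  interfaces: eth1
  services: dhcpv6-client ssh http
  ports:
  rich rules:
    rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
PERMANENT_DUMP='public
  target: default
  interfaces: eth1
  services: dhcpv6-client ssh
  ports: 8080/tcp
  rich rules:
    rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
# On a real host, feed the live dumps instead of the samples:
#   zone_drift "$(firewall-cmd --zone=public --list-all)" \
#              "$(firewall-cmd --permanent --zone=public --list-all)"
zone_drift "$RUNTIME_DUMP" "$PERMANENT_DUMP"
```

Run it from a cron job or a configuration check and treat any output as a finding: the runtime-only line is a rule that silently disappears on the next reload, the permanent-only line a change that is not actually enforced yet.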