Introduction to firewalld

MKM
Published in thesystemadmin
4 min read, Dec 27, 2020

Firewalld is a firewall management tool for Linux. It serves the same purpose as iptables (packet filtering) but is easier to use. Firewalld is built around a concept called "zones".

A network zone defines the level of trust for network connections. This is a one-to-many relation: a connection can belong to only one zone, but a zone can be used for many network connections. A zone definition covers the following:

Services: firewalld ships with predefined service definitions such as SSH, HTTP and so on. A service can be added to a zone, so a separate port or protocol definition is not necessary.

Ports and protocols: the protocol of a connection and the port or port range it uses.

ICMP messages: blocks selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests, replies to information requests, or error reports.

Masquerading: hides private IP addresses behind a public IP. This is a form of network address translation.

Forward ports: forwards a local port to the same or a different port, either on the same machine or on another machine.

Rich rules: complex rules that combine multiple elements.

Now let's explore the firewalld command line. Make sure firewalld is running before you begin.

List all zones, display the default zone, and get detailed information about the default zone.

As you can see, the public zone is the default zone, and all interfaces (sources) belong to it by default. This server has a single interface. Multiple interfaces can be assigned to multiple zones, but a single interface can be assigned to only one zone. This zone also allows all SSH and IPv6 DHCP client connections.

Assume we need a rule that allows only specific clients to connect over SSH, and we don't need any other service. I will achieve that by creating a new zone and assigning the single interface to it.

Without --permanent, firewalld rules are applied on the fly but disappear after a system reboot. With --permanent, you must restart or reload the service for the rules to take effect. To make a rule permanent and enable it immediately, either run the command twice (with and without --permanent) or use firewall-cmd --runtime-to-permanent. Here I will use only --permanent and restart the service. Make sure the server you are working on is a test server, to avoid any production issue.

After assigning the interface to the new zone, the public zone still owned the interface. When I restarted firewalld, my SSH connection to the server dropped. Checking the server's console showed that the new zone now owned the interface, and it does not allow any connection because it has no defined services, IPs or ports.

I can add the SSH service to the new zone so that it allows SSH connections to the server.

But be aware that this allows SSH connections from all sources. Our aim is a rule that allows SSH only from specific sources. This kind of rule contains multiple elements, such as a source IP and a service or port, so we should use a rich rule.

As you can see, the ssh service is removed after the rich rule is added, but SSH connections still work after reloading the service.
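The whole procedure above (new zone, interface moved into it, SSH limited to chosen sources by rich rules, then a reload) as an added shell example that is not part of the original post; it goes straight to the rich rules instead of adding the ssh service first, and the zone name "ssh-only", the interface eth0 and the client addresses are placeholders I made up.

```shell
#!/bin/sh
# Added example (not from the original post): generate the firewall-cmd calls for
# a dedicated zone whose only allowed traffic is SSH from named client addresses,
# expressed as rich rules. Zone name, interface and addresses are placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (needs root).
DRY_RUN="${DRY_RUN:-1}"

# Build a rich rule accepting one service from one source address.
# Usage: build_rich_rule <ipv4|ipv6> <address/prefix> <service>
build_rich_rule() {
    printf 'rule family="%s" source address="%s" service name="%s" accept' "$1" "$2" "$3"
}

# Print (single-quoting arguments with spaces or quotes) or run firewall-cmd.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        line="firewall-cmd"
        for arg in "$@"; do
            case "$arg" in
                *" "*|*'"'*) line="$line '$arg'" ;;
                *)           line="$line $arg" ;;
            esac
        done
        printf '%s\n' "$line"
    else
        firewall-cmd "$@"
    fi
}
# Whole procedure. Every change is --permanent so it survives a reboot; the final
# --reload activates it, and that is the moment an SSH session from an address
# not listed here is cut off (the lockout described in the post).
# Usage: setup_ssh_zone <zone> <interface> <client-address/prefix>...
setup_ssh_zone() {
    zone="$1"; iface="$2"; shift 2
    fw --permanent --new-zone="$zone"
    # The interface leaves its old zone (public) once the new config is loaded.
    fw --permanent --zone="$zone" --change-interface="$iface"
    # One rich rule per client; nothing else is opened, so all other traffic
    # is rejected by the zone's default target.
    for addr in "$@"; do
        case "$addr" in
            *:*) family=ipv6 ;;
            *)   family=ipv4 ;;
        esac
        fw --permanent --zone="$zone" --add-rich-rule "$(build_rich_rule "$family" "$addr" ssh)"
    done
    fw --reload
}
setup_ssh_zone ssh-only eth0 192.0.2.10/32 2001:db8::5/128  # constructed sample run
```

Review the printed commands first; running them with DRY_RUN=0 over SSH from an address that is not in the list will disconnect you at the reload, exactly as happened in the post.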
