
firewalld

Firewalld acts as a front-end to the Linux kernel's netfilter framework. It is the default firewall management software on the RHEL 7+ family of Linux distributions, but it can also be used on Debian-family distros.

Install Firewalld on Debian 11 / Debian 10

The firewalld package is available in the official Debian apt repositories. Installation is as quick as running the commands below in a terminal as the root user or as a user with sudo privileges.

sudo apt update
sudo apt -y install firewalld

This installs firewalld on Debian 11/10 and sets the service to start at boot. Pull the package details with:

$ apt policy firewalld
firewalld:
  Installed: 0.9.3-2
  Candidate: 0.9.3-2
  Version table:
 *** 0.9.3-2 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status

Confirm that the service is in running state.

$ sudo firewall-cmd --state
 running

debian@debian-bullseye-01:~$ systemctl status firewalld
 firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-08-19 19:18:49 UTC; 39s ago
       Docs: man:firewalld(1)
   Main PID: 3317 (firewalld)
      Tasks: 2 (limit: 2340)
     Memory: 29.3M
        CPU: 868ms
     CGroup: /system.slice/firewalld.service
             └─3317 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Aug 19 19:18:48 debian-bullseye-01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 19 19:18:49 debian-bullseye-01 systemd[1]: Started firewalld - dynamic firewall daemon.

If you have ufw enabled, disable it so that firewalld becomes your default firewall.

sudo ufw disable

Using Firewalld on Debian 10 / Debian 11

Now that the package has been installed and the firewalld service started, let's look at a few usage examples showing how it can be used to secure your server or workstation.

1. List all firewall rules configured

To list the current rules, use the command:

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The ssh and dhcpv6-client services are allowed by default when you start the firewalld service.
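A small audit script, added here as an example and not part of the original article, that reads the zone dump in the format shown above and flags the settings a reviewer should question: services outside an expected allow-list, raw ports, masquerading, port forwarding, and ssh allowed zone-wide. The allow-list in EXPECTED_SERVICES and the two sample dumps are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original article: audit the zone dump printed
# by `firewall-cmd --list-all` and flag settings a reviewer should question.
# audit_zone DUMP prints one finding per line and returns the finding count.
# The allow-list of expected services is an assumption; adjust it per host.
EXPECTED_SERVICES="${EXPECTED_SERVICES:-ssh dhcpv6-client}"
# field KEY: the value on the dump's "  KEY: value" line, empty if unset
field() { sed -n "s/^ *$1: *//p" | head -n 1; }
audit_zone() {
    dump=$1; n=0
    services=$(printf '%s\n' "$dump" | field services)
    for svc in $services; do
        case " $EXPECTED_SERVICES " in
            *" $svc "*) ;;
            *) echo "service '$svc' is allowed but not in EXPECTED_SERVICES"; n=$((n + 1)) ;;
        esac
    done
    ports=$(printf '%s\n' "$dump" | field ports)
    [ -z "$ports" ] || { echo "raw ports open outside a named service: $ports"; n=$((n + 1)); }
    [ "$(printf '%s\n' "$dump" | field masquerade)" != yes ] ||
        { echo "masquerading is on: this host NATs the traffic it forwards"; n=$((n + 1)); }
    # forward-ports appear inline (older firewalld) or on indented port= lines
    if printf '%s\n' "$dump" | grep -qE '^ *forward-ports: *[^[:space:]]|^[[:space:]]+port='; then
        echo "port forwarding is configured; confirm every target is intended"; n=$((n + 1))
    fi
    # ssh in the zone's service list is reachable from any source, so a rich rule cannot narrow it
    case " $services " in
        *" ssh "*) echo "ssh is allowed zone-wide; rich rules cannot restrict its sources"; n=$((n + 1)) ;;
    esac
    return $n
}
# Constructed samples: the article's default public zone, and a busier zone.
SAMPLE_DEFAULT='public (active)
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  rich rules:'
SAMPLE_BUSY='public (active)
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  masquerade: yes
  forward-ports:
        port=22:proto=tcp:toport=2022:toaddr=
  rich rules:'
case "${1:-}" in   # --live audits this host; no arguments audits the constructed busy zone
    --live) n=0; audit_zone "$(sudo firewall-cmd --list-all)" || n=$?; echo "findings: $n" ;;
    "")     n=0; audit_zone "$SAMPLE_BUSY" || n=$?; echo "findings: $n" ;;
esac
```

Run it with --live on a host where firewalld is installed to audit the active zone; the exit status of audit_zone is the number of findings, so it can gate a configuration check.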

2. List services that can be enabled/disabled

To get a full list of services which can be enabled or disabled, use the following command.

sudo firewall-cmd --get-services

3. Enable a service / a list of services

To allow a service on the firewall, the command syntax is:

sudo firewall-cmd --add-service="servicename" --permanent

The example below enables the http service.

$ sudo firewall-cmd --add-service="http" --permanent
success

$ sudo firewall-cmd --reload

To allow several services at once, separate them with commas.

sudo firewall-cmd --add-service={http,https,smtp,imap} --permanent --zone=public
sudo firewall-cmd --reload

4. Enable TCP port

The syntax for enabling a TCP port is:

sudo firewall-cmd --add-port=port/tcp --permanent
sudo firewall-cmd --reload

Here is how to enable ports 8080 and 8443.

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port={8080,8443}/tcp --permanent
sudo firewall-cmd --reload

For UDP ports, replace /tcp with /udp.

5. Create a new zone

To create a new firewall zone, use the command:

$ sudo firewall-cmd --new-zone=zonename --permanent

# E.g.
$ sudo firewall-cmd --new-zone=private --permanent
$ sudo firewall-cmd --reload

6. Enable service/port on a specific zone

To enable a service or port in a specific zone, the syntax is:

sudo firewall-cmd --zone=<zone> --add-port=<port>/tcp --permanent
sudo firewall-cmd --zone=<zone> --add-port=<port>/udp --permanent
sudo firewall-cmd --zone=<zone> --add-service=<service> --permanent
sudo firewall-cmd --zone=<zone> --add-service={service1,service2,service3} --permanent

7. Add an interface to a zone

For systems with more than one interface, you can add an interface to a zone, e.g. backend web servers in the private zone and front-end applications in the public zone.

sudo firewall-cmd --get-zone-of-interface=eth1 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth1 --permanent

8. Allow access to a port from specific subnet/IP

Access to a service or port can be limited to a specific IP address or subnet with the use of rich rules. Note that a rich rule with accept only adds an allow: while ssh remains in the zone's services list (as it does by default), it is still reachable from any source, so also remove the service from the zone (see section 11) and reload for the restriction to take effect.

$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="192.168.0.12/32" accept' --permanent

$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="10.1.1.0/24" accept' --permanent

9. List rich rules

List rich rules by using the following command:

sudo firewall-cmd --list-rich-rules

10. Configure Port forwarding

See examples below.

# Enable masquerading
sudo firewall-cmd --add-masquerade --permanent

# Port forward to a different port within the same server (22 > 2022)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent

# Port forward to same port on a different server (local:22 > 192.168.2.10:22)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.2.10 --permanent

# Port forward to different port on a different server (local:7071 > 10.50.142.37:9071)
sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=10.50.142.37 --permanent

11. Removing a port or service

To remove a port or service from the firewall, replace --add with --remove in each of the commands used to enable a service or port.
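The following script, added as an example and not taken from the article, combines section 8 (rich rules) with section 11 (the --remove form) to restrict ssh to a set of management sources. It validates each source before splicing it into a rich rule, prints the firewall-cmd invocations it would run unless APPLY=1 is set, and orders the steps so the narrow allows exist before the zone-wide ssh service is removed. The ZONE variable, the script name and the sources are assumptions supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original article: restrict ssh to a set of
# management sources with the rich rules of section 8 and the
# --remove-service form of section 11. Without APPLY=1 it only prints the
# firewall-cmd invocations it would run. ZONE and the sources are
# assumptions supplied by the caller.
ZONE="${ZONE:-public}"

# valid_cidr ADDR: dotted-quad IPv4 with an optional /0-32 prefix, else fail.
# Validation matters because the address is spliced into a rich rule string.
valid_cidr() {
    printf '%s' "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    oldifs=$IFS; IFS=./; set -- $1; IFS=$oldifs
    for octet in "$1" "$2" "$3" "$4"; do [ "$octet" -le 255 ] || return 1; done
}

# ssh_rule CIDR: rich rule allowing ssh only from CIDR (the form used in section 8)
ssh_rule() { printf 'rule family="ipv4" source address="%s" service name="ssh" accept' "$1"; }

# run CMD...: execute when APPLY=1, otherwise print a copy-pasteable line.
run() {
    [ "${APPLY:-0}" != 1 ] || { "$@"; return; }
    printf '+'
    for a in "$@"; do
        case $a in *[!A-Za-z0-9_./:=-]*) printf " '%s'" "$a" ;; *) printf ' %s' "$a" ;; esac
    done; echo
}

# plan CIDR...: add one narrow allow per source, then drop zone-wide ssh.
# Order matters: an interrupted run must never leave the host with no ssh
# allow at all, so the broad service is removed last, followed by a reload.
plan() {
    [ $# -gt 0 ] || { echo "usage: plan CIDR..." >&2; return 2; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "invalid source: $src" >&2; return 2; }
    done
    for src in "$@"; do
        run sudo firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(ssh_rule "$src")"
    done
    run sudo firewall-cmd --permanent --zone="$ZONE" --remove-service=ssh
    run sudo firewall-cmd --reload
    run sudo firewall-cmd --zone="$ZONE" --list-rich-rules   # verify, as in section 9
}

# Dry run:  sh restrict-ssh.sh 192.168.0.12/32 10.1.1.0/24
# Apply:    APPLY=1 sh restrict-ssh.sh 192.168.0.12/32 10.1.1.0/24
[ $# -eq 0 ] || plan "$@"
```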