If you’re looking for a modern, powerful firewall for Linux that is easy to configure on the command line or with its GUI interface, then
firewalld is probably what you’re looking for.
The Need for Firewalls
Network connections have an origin and a destination. Software at the origin requests the connection, and software at the destination accepts or rejects it. If it is accepted, packets of data — generically called network traffic — can pass in both directions over the connection. That’s true for whether you’re sharing across the room in your own home, remotely connecting to work from your home office, or using a remote, cloud-based resource.
Good security practice says you should limit and control the connections to your computer. This is what firewalls do. They filter network traffic by IP address, port, or protocol, and reject connections that do not meet a predefined set of criteria — the firewall rules—That you have configured. They’re like security personnel at an exclusive event. If your name’s not on the list, you’re not getting inside.
Of course, you don’t want your firewall rules to be so restrictive that your normal activities are curtailed. The simpler it is to configure your firewall the less chance you have of inadvertently setting up conflicting or draconian rules. We often hear from users who say they don’t use a firewall because it is too complicated to understand, or the command syntax is too opaque.
firewalld firewall is powerful yet simple to set up, both on the command line and through its dedicated GUI application. Under the hood, Linux firewalls rely on
netfilter , the kernel-side network filtering framework. Out here in user-land, we have a choice of tools to interact with
ufw the uncomplicated firewall, and
In our opinion,
firewalld offers the best balance of functionality, granularity, and simplicity.
There are two parts to
firewalld . There’s
firewalld the daemon process that provides the firewall functionality, and there’s
firewall-config. This is the optional GUI for
firewalld. Note that there’s no “d” in it
firewalld on Ubuntu, Fedora, and Manjaro is straightforward in all cases, although they each have their own take on what is pre-installed and what is bundled.
To install on Ubuntu, we need to install
sudo apt install firewalld
sudo apt install firewall-config
firewalld is already installed. We just need to add
sudo dnf install firewall-config
On Manjaro, neither component is pre-installed, but they’re bundled into a single package so we can install them both with a single command.
sudo pacman -Sy firewalld
We need to enable the
firewalld daemon to allow it to run each time the computer boots up.
sudo systemctl enable firewalld
And we need to start the daemon so that it is running now.
sudo systemctl start firewalld
We can use
systemctl to check that
firewalld has started and is running without issues:
sudo systemctl status firewalld
We can also use
firewalld to check whether it is running. This uses the
firewall-cmd command with the
--state option. Note there’s no “d” in
sudo firewall-cmd --state
Now we’ve got the firewall installed and running, we can move on to configuring it.
The Concept of Zones
firewalld firewall is based around zones. Zones are collections of firewall rules and an associated network connection. This lets you tailor different zones — and a different set of security limitations — that you can operate under. For example, you might have a zone defined for regular, everyday running, another zone for more secure running, and a “nothing in, nothing out” complete lockdown zone.
To move from one zone into another, and effectively from one level of security to another, you move your network connection from the zone it is in, to the zone that you wish to run under.
This makes it very fast to move one from one defined set of firewall rules to another. Another way to use zones would be to have your laptop use one zone when you are home and another when you are out and using public Wi-Fi.
firewalld comes with nine pre-configured zones. These can be edited and more zones added or removed.
- drop: All incoming packets are dropped. Outgoing traffic is allowed. This is the most paranoid setting.
- block: All incoming packets are dropped and an
icmp-host-prohibitedmessage is sent to the originator. Outgoing traffic is allowed.
- trusted: All network connections are accepted and other systems are trusted. This is the most trusting setting and should be restricted to very safe environments like captive test networks or your home.
- public: This zone is for use on public or other networks where none of the other computers can be trusted. A small selection of common and usually safe connection requests are accepted.
- external: This zone is for use on external networks with NAT masquerading (port forwarding) enabled. Your firewall acts as a router forwarding traffic to your private network which remains reachable, but still private.
- internal: This zone is intended to be used on internal networks when your system acts as a gateway or router. Other systems on this network are generally trusted.
- dmz: This zone is for computers located in the “demilitarized zone” outside of your perimeter defenses and with limited access back into your network.
- work: This zone is for work machines. Other computers on this network are generally trusted.
- home: This zone is for home machines. Other computers on this network are generally trusted.
The home, work, and internal zones are very similar in function, but separating them out into different zones allows you to fine-tune a zone to your liking, encapsulating one set of rules for a particular scenario.
A good starting point is to find out what the default zone is. This is the zone that your network interfaces are added to when
firewalld is installed.
sudo firewall-cmd --get-default-zone
Our default zone is the public zone. To see the configuration details of a zone, use the
--list-all option. This lists anything that has been added or enabled for a zone.
sudo firewall-cmd --zone=public --list-all
We can see that this zone is associated with network connection enp0s3, and is allowing traffic related to DHCP, mDNS, and SSH. Because at least one interface has been added to this zone, this zone is active.
firewalld allows you to add services that you’d like to accept traffic from to a zone. That zone then allows that type of traffic through. This is easier than remembering that mDNS, for example, uses port 5353 and the UDP protocol, and manually adding those details to the zone. Although you can do that too.
If we run the previous command on a laptop with an ethernet connection and a Wi-Fi card, we’ll see something similar, but with two interfaces.
sudo firewall-cmd --zone=public --list-all
Both of our network interfaces have been added to the default zone. The zone has rules for the same three services as the first example, but DHCP and SSH have been added as named services, while mDNS has been added as a port and protocol pairing.
To list all zones use the
sudo firewall-cmd --get-zones
To see the configuration for all zones at once, use the
--list-all-zones option. You’ll want to pipe this into
sudo firewall-cmd --list-all-zones | less
This is useful because you can scroll through the listing, or use the search facility to look for port numbers, protocols, and services.
On our laptop, we’re going to move our Ethernet connection from the public zone to the home zone. We can do that with the
sudo firewall-cmd --zone=home --change-interface=enp3s0
Let’s take a look at the home zone, and see if our change has been made.
sudo firewall-cmd --zone=home --list-all
And it has. Our Ethernet connection is added to the home zone.
However, this is not a permanent change. We’ve changed the running configuration of the firewall, not its stored configuration. If we reboot or use the
--reload option, we’ll revert to our previous settings.
To make a permanent change, we need to use the aptly named
This means we can change the firewall for one-off requirements without altering the firewall’s stored configuration. We can also test changes before we send them to the configuration. To make our change permanent, the format we should use is:
sudo firewall-cmd --zone=home --change-interface=enp3s0 --permanent
If you make some changes but forget to use
--permanent on some of them, you can write the settings of the current running session of the firewall to the configuration using the
sudo firewall-cmd --runtime-to-permanent
RELATED: What Is DHCP (Dynamic Host Configuration Protocol)?
Adding and Removing Services
firewalld knows about a lot of services. You can list them using the
sudo firewall-cmd --get-services
Our version of
firewalld listed 192 services. To enable a service in a zone, use the
We can add a service to a zone using the
sudo firewall-cmd --zone=public --add-service=http
The name of the service must match its entry in the list of services from
To remove a service replace
Adding and Removing Ports and Protocols
If you prefer to choose which ports and protocols are added, you can do that too. You’ll need to know the port number and the protocol for the type of traffic you’re adding.
Let’s add HTTPS traffic to the public zone. That uses port 443 and is a form of TCP traffic.
sudo firewall-cmd --zone=public --add-port=443/tcp
You could supply a range of ports by providing the first and last ports with a hyphen “
-”Between them, like“ 400-450. ”
To remove a port replace
RELATED: What’s the Difference Between TCP and UDP?
Using the GUI
Press your “Super” key and start to type “firewall.” You’ll see the brick wall icon for the
Click that icon to launch the application.
To add a service to
firewalld using the GUI is as easy as selecting a zone from the list of zones and selecting the service from the list of services.
You can choose to modify the running session or the permanent configuration by selecting “Runtime” or “Permanent” from the “Configuration” dropdown menu.
To make changes to the running session and only commit the changes once you’ve tested they work, set the “Configuration” menu to “Runtime.” Make your changes. Once you’re happy they’re doing what you want, use the Options> Runtime to Permanent menu option.
To add a port and protocol entry to a zone, select the zone from the zone list, and click on “Ports.” Clicking the add button lets you provide the port number and pick the protocol from a menu.
To add a protocol, click on “Protocols”, click the “Add” button, and select the protocol from the pop-up menu.
To move an interface from one zone to another, double-click the interface in the “Connections” list, then select the zone from the pop-up menu.
The Tip of the Iceberg
There’s a lot more you can do with
firewalld, but this is enough to get you up and running. With the information we’ve given you, you’ll be able to create meaningful rules in your zones.