Firewalld, a firewall daemon, is a tool for Linux-based operating systems. It is an alternative to iptables and implements persistent network traffic rules. Using Firewalld, you can control network traffic flow in and out of the Linux server. It provides a command line interface where users can add, remove and manage firewall rules.
This post will show you how to install and use the Firewalld firewall tool on Fedora.
Step 1 – Install Firewalld
By default, the Firewalld package is included in the Fedora default repo. You can install it easily using the following command.
dnf install firewalld -y
After installing the Firewalld package, start the Firewalld service and enable it to start at system reboot with the following command:
systemctl start firewalld
systemctl enable firewalld
To verify Firewalld’s running status, run the following command:
firewall-cmd --state
Output:
running
Step 2 – List Firewall Zones
By default, Firewalld ships with several predefined zones. Each zone defines which services and ports are allowed, and every network interface is assigned to exactly one zone.
To get a list of all available zones, run the following command.
firewall-cmd --get-zones
You will see the following output.
FedoraServer FedoraWorkstation block dmz drop external home internal nm-shared public trusted work
To show the default zone, run the following command.
firewall-cmd --get-default-zone
Output:
public
To see active zones, run the following command.
firewall-cmd --get-active-zones
Step 3 – Display Zone Information
If you want to see the detailed information for any zone, run the following command.
firewall-cmd --info-zone public
Output:
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Step 4 – Set a Default Zone
You can set any zone as a default zone using the following command.
firewall-cmd --set-default-zone=home
After setting up the default zone, you can verify it using the following command.
firewall-cmd --get-default-zone
Step 5 – List All Services
There are many services available in Firewalld. You can get a list of all services using the following command.
firewall-cmd --get-services
Output:
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
Step 6 – Add Ports to Firewalld Zones
You can add or remove ports in any Firewalld zone from the command line. Note that --permanent writes the change to the saved configuration, so it only takes effect after a reload.
For example, run the following command to add ports 8001 and 22 to the public zone.
firewall-cmd --zone=public --permanent --add-port=8001/tcp --add-port=22/tcp
Next, reload the Firewalld to implement the changes.
firewall-cmd --reload
You can verify the added ports using the following command:
firewall-cmd --info-zone public
Output:
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns ssh
  ports: 8001/tcp 22/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Run the following command if you want to remove port 22 from the public zone. Because the ssh service is still listed in the zone, SSH remains reachable after this change; remove the service as well if that is not intended.
firewall-cmd --zone=public --permanent --remove-port=22/tcp
Step 7 – Add Services to Firewalld Zones
Run the following command to add the FTP service to the public zone. (FTP transmits credentials in cleartext, so prefer sftp over the ssh service where you can.)
firewall-cmd --zone=public --permanent --add-service=ftp
Next, reload the Firewalld daemon to apply the changes.
firewall-cmd --reload
To remove the added service, run the following command.
firewall-cmd --zone=public --permanent --remove-service=ftp
Step 8 – Enable IP Masquerading
IP Masquerading is a method that allows hosts with a private IP address to communicate with the Internet via an Internet gateway.
First, verify whether the IP Masquerading is enabled using the following command.
firewall-cmd --zone=public --query-masquerade
You should see the following output.
no
Next, enable IP Masquerading for the public zone using the following command. The --permanent flag is required here: without it the change applies to the runtime configuration only and is discarded by the reload in the next step.
firewall-cmd --zone=public --permanent --add-masquerade
Next, reload the Firewalld daemon to apply the changes.
firewall-cmd --reload
To disable IP masquerading again, run the following command and reload.
firewall-cmd --zone=public --permanent --remove-masquerade
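As an added example that is not part of the original post, the script below parses the text that `firewall-cmd --info-zone` prints (Steps 3, 6 and 7) and flags the two things worth checking before you rely on the zone: cleartext services such as ftp, and the 22/tcp port that duplicates the ssh service. The zone output is constructed to match the state after Steps 6 and 7; the function names are mine.

```shell
# Constructed zone output matching this post after Steps 6 and 7
# (ports 8001/tcp and 22/tcp plus the ftp service); not a real capture.
SAMPLE_ZONE_INFO='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ftp mdns ssh
  ports: 8001/tcp 22/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# has_item <zone-info> <field> <item>: succeed if <item> is listed in the
# space-separated value of <field> (e.g. "services", "ports", "masquerade").
has_item() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | tr ' ' '\n' | grep -qx "$3"
}

# Services that carry credentials in cleartext; opening them deserves review.
PLAINTEXT_SERVICES="ftp telnet rsh klogin kshell pop3 imap"

# audit_zone <zone-info>: print findings; return 1 if a cleartext service is
# allowed, 0 if the zone looks clean. NOTE lines do not change the result.
audit_zone() {
    rc=0
    for svc in $PLAINTEXT_SERVICES; do
        if has_item "$1" services "$svc"; then
            echo "FINDING: cleartext service '$svc' is allowed"
            rc=1
        fi
    done
    # Step 6 opens 22/tcp although the ssh service already does; removing
    # only the port (as in Step 6) still leaves SSH reachable via the service.
    if has_item "$1" services ssh && has_item "$1" ports 22/tcp; then
        echo "NOTE: 22/tcp duplicates the ssh service; remove both to close SSH"
    fi
    if has_item "$1" masquerade yes; then
        echo "NOTE: masquerade is enabled; this host NATs traffic for others"
    fi
    return $rc
}

audit_zone "$SAMPLE_ZONE_INFO" || echo "zone needs review"
```

On a live host, feed the real output with `audit_zone "$(firewall-cmd --info-zone public)"`.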
Conclusion
In this post, we showed you how to install Firewalld on Fedora and how to add and remove ports, services and masquerading in Firewalld zones. You can now use Firewalld on your server to control which ports and services are reachable from the network. You can also try Firewalld on VPS hosting from Atlantic.Net!