Saturday, December 28, 2024

Install and use Firewalld on Ubuntu 22.04|20.04|18.04


Firewalld is a Linux firewall management tool with support for IPv4, IPv6, Ethernet bridges and IPSet firewall settings. It acts as a front-end to the Linux kernel's netfilter framework. Firewalld is the default firewall management software on the RHEL 7 family.

In this guide, I'll show you the basic usage of Firewalld on Ubuntu 22.04|20.04|18.04 Linux distributions. The default firewall system for Ubuntu is ufw, but you can install and use Firewalld if you prefer. Firewalld works fine for me since I'm a heavy CentOS 7 user.

Step 1 – Install Firewalld on Ubuntu 22.04|20.04|18.04

Install Firewalld on Ubuntu 22.04|20.04|18.04 by running the commands:


sudo apt update
sudo apt install firewalld

The service should be started automatically after installation. If it is not running, start it and enable it to start on boot:

sudo systemctl enable firewalld
sudo systemctl start firewalld

Confirm that the service is running:

$ sudo firewall-cmd --state
running

If you have ufw enabled, disable it to make firewalld your default firewall:

sudo ufw disable

Step 2: Using Firewalld on Ubuntu 22.04|20.04|18.04

Now that the package has been installed and the firewalld service is running, let's look at a few basic usage examples.

1. List all firewall rules configured

$ sudo firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

The ssh and dhcpv6-client services are enabled by default in the public zone when you start the firewalld service.

2. Get a list of all services that can be enabled using a name

To see all predefined services that can be enabled by name, run the following command:

sudo firewall-cmd --get-services

3. Enable http service

In this example we enable the http service.

sudo firewall-cmd --add-service=http --permanent

The --permanent option writes the rule to the saved configuration so that it persists across server reboots.

4. Enable both http and https on a single line

Here is an example of enabling both the http and https services on a single line:

sudo firewall-cmd --add-service={http,https} --permanent

5. Enable TCP port 7070

Enable TCP port 7070:

sudo firewall-cmd --add-port=7070/tcp --permanent

6. Enable UDP port 514

Enable UDP port 514:

sudo firewall-cmd --add-port=514/udp --permanent

7. Create a new zone

Create a new zone named myzone:

sudo firewall-cmd --new-zone=myzone --permanent

8. Enable a port or service on a specific zone

Let's open a port in the zone we just created (use --add-service instead of --add-port for a named service):

sudo firewall-cmd --zone=myzone --add-port=4567/tcp --permanent

9. Set default zone

Set the default zone. The command below makes public the default; substitute myzone to make the zone created above the default:

sudo firewall-cmd --set-default-zone=public --permanent

10. Add an interface to a zone

Check which zone an interface currently belongs to, then add it to the zone you want:

sudo firewall-cmd --get-zone-of-interface=eth0 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth0 --permanent

11. Allow access to a port from specific subnet/IP

How to allow a specified subnet or IP address access to a service or port (the rule must be passed as a single quoted argument, so it is written on one line):

# Allow access to ssh from the single IP address 192.168.0.12
sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" source address="192.168.0.12/32" accept' --permanent

# Allow access to ssh from the 10.1.1.0/24 network
sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" source address="10.1.1.0/24" accept' --permanent

12. List rich rules

List the rich rules configured on the system:

sudo firewall-cmd --list-rich-rules

13. Configure Port forwarding

Enable port forwarding:

# Enable masquerading
sudo firewall-cmd --add-masquerade --permanent

# Port forward to a different port within the same server (22 > 2022)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent

# Port forward to same port on a different server (local:22 > 192.168.2.10:22)
sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.2.10 --permanent

# Port forward to different port on a different server (local:7071 > 10.50.142.37:9071)
sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=10.50.142.37 --permanent

14. Removing port/service

To remove a port or service, replace --add with --remove in the corresponding command.
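As an added example (this is not code from the original post), the following script ties items 3, 11 and 14 together: it restricts SSH to a management subnet with a rich rule, removes the zone-wide ssh service, and reloads so the saved configuration actually reaches the running firewall. The subnet 10.1.1.0/24, the zone name public and the FIREWALL_CMD override are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: restrict SSH to a management
# subnet with the firewall-cmd options covered above, keeping the permanent
# config and the running firewall in sync. The subnet 10.1.1.0/24 and the
# zone "public" are assumed placeholders. Dry run without firewalld:
#   FIREWALL_CMD=echo bash restrict-ssh.sh 10.1.1.0/24
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"   # word-split on purpose
ZONE="${ZONE:-public}"

# Accept only a dotted-quad IPv4 address with an explicit /prefix (0-32).
valid_ipv4_cidr() {
    case "$1" in
        *[!0-9./]* | */*/* | */ | /*) return 1 ;;
    esac
    local ip="${1%/*}" prefix="${1#*/}"
    [ "$ip" != "$1" ] || return 1                  # no "/" present
    [ "$prefix" -le 32 ] || return 1
    local IFS=. n=0 octet
    for octet in $ip; do
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Build the rich rule that allows SERVICE only from CIDR (same rule syntax
# as item 11 above).
rich_rule_allow_from() {
    local service="$1" cidr="$2"
    valid_ipv4_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' \
        "$cidr" "$service"
}

# Swap the zone-wide ssh service for the source-restricted rule. Both edits
# are --permanent, so they reach the running firewall only on --reload; the
# rule is added before the service is removed so one reload applies both
# and SSH is never fully closed in between.
restrict_ssh_to() {
    local cidr="$1" rule
    rule="$(rich_rule_allow_from ssh "$cidr")" || return 1
    $FIREWALL_CMD --zone="$ZONE" --permanent --add-rich-rule "$rule"
    $FIREWALL_CMD --zone="$ZONE" --permanent --remove-service=ssh
    $FIREWALL_CMD --reload
    $FIREWALL_CMD --zone="$ZONE" --list-rich-rules   # verify what is live
}

[ "$#" -eq 0 ] || restrict_ssh_to "$1"   # act only when a CIDR is given
```

Run it with FIREWALL_CMD=echo first to review the exact commands it would issue before applying them on a host you reach over SSH.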

For further reading, refer to the Official Firewalld Documentation

