Firewalld is a dynamic firewall management tool that provides a flexible way to manage and secure your Linux server.
It uses zones to define the level of trust for incoming and outgoing traffic, allowing administrators to apply rules easily. Below is a comprehensive guide to configuring Firewalld for enhanced server security.
Basic Firewalld Commands
Start by ensuring Firewalld is installed and running on your server. These commands help you control its state:
- Start Firewalld for the current session:
sudo systemctl start firewalld
- Enable Firewalld to start on boot:
sudo systemctl enable firewalld
- Stop Firewalld for the current session:
sudo systemctl stop firewalld
- Disable Firewalld from starting on boot:
sudo systemctl disable firewalld
- Check if Firewalld is running:
sudo systemctl status firewalld
For a quick check of its state:
sudo firewall-cmd --state
Runtime vs. Permanent Configuration
Firewalld distinguishes between runtime changes, which take effect immediately but are lost on reload or restart, and permanent changes (made with --permanent), which are saved to configuration files but only take effect after a reload.
- To save runtime changes to the permanent configuration:
sudo firewall-cmd --runtime-to-permanent
- Reload Firewalld to apply permanent rules (this also discards any runtime-only changes you have not saved):
sudo firewall-cmd --reload
Firewalld Zones
Firewalld uses zones to define the trust level for network connections. Each zone comes with predefined rules:
- View all available zones:
sudo firewall-cmd --get-zones
- Check currently active zones:
sudo firewall-cmd --get-active-zones
- Change the default zone (applied to any interface not explicitly assigned to a zone):
sudo firewall-cmd --set-default-zone=public
- Move a specific interface into a zone (replace <interface> with the interface name, e.g. eth0):
sudo firewall-cmd --zone=public --change-interface=<interface>
Zones like public, trusted, and internal allow you to apply security settings based on your network requirements.
Managing Services
Firewalld simplifies port management by associating services with predefined rules.
- List all predefined services:
sudo firewall-cmd --get-services
- Whitelist a service for runtime:
sudo firewall-cmd --add-service=http
- Whitelist a service permanently (takes effect after --reload):
sudo firewall-cmd --add-service=http --permanent
- Remove a service permanently:
sudo firewall-cmd --remove-service=dhcpv6-client --permanent
Managing Ports
For services that don’t have predefined rules, you can manage individual ports:
- Open a port for runtime only:
sudo firewall-cmd --add-port=8065/tcp
- Open a port permanently:
sudo firewall-cmd --add-port=8065/tcp --permanent
- Remove a port:
sudo firewall-cmd --remove-port=8065/tcp --permanent
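The services and ports a zone exposes are easy to lose track of after a few runtime and permanent edits. As an added example (not part of the original guide), the POSIX shell audit below parses the output of `firewall-cmd --zone=public --list-all` and reports any service or port that is open but not on an assumed allow-list; the allow-list and the sample dump are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a firewalld zone dump (output of `firewall-cmd --zone=<zone> --list-all`)
# against an allow-list. Prints each exposure outside the list; returns 1 if any.

ALLOWED_SERVICES="ssh http"   # assumed policy for this host (constructed)
ALLOWED_PORTS="8065/tcp"

# Print the space-separated values of the "  <key>: ..." line read from stdin.
zone_field() {
    sed -n "s/^  $1: *//p"
}

# Succeed if word $1 appears in the space-separated list $2.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# stdin: --list-all output. Prints "unexpected service: X" / "unexpected port: X".
audit_zone() {
    _dump=$(cat)
    _bad=0
    for s in $(printf '%s\n' "$_dump" | zone_field services); do
        in_list "$s" "$ALLOWED_SERVICES" || { echo "unexpected service: $s"; _bad=1; }
    done
    for p in $(printf '%s\n' "$_dump" | zone_field ports); do
        in_list "$p" "$ALLOWED_PORTS" || { echo "unexpected port: $p"; _bad=1; }
    done
    return $_bad
}

# Constructed sample in the format firewall-cmd prints. On a live host run:
#   firewall-cmd --zone=public --list-all | audit_zone
SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client http ssh
  ports: 8065/tcp 9090/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

printf '%s\n' "$SAMPLE" | audit_zone || echo "zone drifts from policy"
```

The sample flags cockpit, dhcpv6-client and 9090/tcp; the `--remove-service` and `--remove-port` commands above, followed by `--reload`, are the fix for each finding.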
Panic Mode
Panic mode is a safeguard feature that drops all incoming and outgoing traffic on the server:
- Activate panic mode:
sudo firewall-cmd --panic-on
- Deactivate panic mode:
sudo firewall-cmd --panic-off
- Check the status of panic mode:
sudo firewall-cmd --query-panic
Note: Enabling panic mode during a remote session (e.g., SSH) will disconnect you immediately.
Firewalld Files
Firewalld stores its configuration in system files:
- View the system (administrator) configuration files:
ls /etc/firewalld
- View the default ICMP type, service, and zone definitions shipped with the package:
ls /usr/lib/firewalld
Avoid editing the default files under /usr/lib/firewalld directly, as package updates may overwrite your changes; put customized definitions under /etc/firewalld instead, where they take precedence.
Firewall-Config GUI Application
For desktop environments, Firewalld offers a GUI tool called firewall-config for easier zone and rule management. Install it with your package manager:
sudo yum install firewall-config # On CentOS/RHEL
sudo apt install firewall-config # On Debian/Ubuntu
Conclusion
Configuring Firewalld ensures your server is protected with tailored security rules. By leveraging zones, services, and port management, you can create a robust security framework for any network scenario. Regularly review and adjust your firewall rules to maintain optimal security.