How to Install Firewalld on Linux | Network Security Guide
When working with Linux software for IOFLOOD, understanding the proper setup process for Firewalld is crucial for enhancing server network security. Deploying Firewalld strengthens the network defenses, which ensures the confidientiality of the data on our client’s cloud hosting services. By referencing our notes, developed processes, and expertise in Linux cybersecurity, we’ve crafted this guide to simplify the Firewalld installation process for our Linux server customers and fellow developers.
In this tutorial, we will guide you on how to install the firewalld command on your Linux system. We will show you methods for both APT and YUM-based distributions, delve into compiling firewalld from source, installing a specific version, and finally, how to use the firewalld command and ensure it’s installed correctly.
So, let’s dive in and begin installing firewalld on your Linux system!
TL;DR: How Do I Install Firewalld on Linux?
Firewalld can be installed on most Linux distributions using the package manager. For Debian-based distributions like Ubuntu, use the command
sudo apt-get install firewalld. For RPM-based distributions like CentOS, usesudo yum install firewalld.
# For Debian-based distributions like Ubuntu
sudo apt-get install firewalld
# For RPM-based distributions like CentOS
sudo yum install firewalld
# Output:
# 'Reading package lists... Done'
# 'Building dependency tree'
# 'Reading state information... Done'
# 'The following additional packages will be installed:'
# ' firewalld-filesystem iptables-nft libiptc0 libxtables12'
# 'Suggested packages:'
# ' firewalld-doc'
# 'The following NEW packages will be installed:'
# ' firewalld firewalld-filesystem iptables-nft libiptc0 libxtables12'
# '0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.'
# 'Need to get 872 kB of archives.'
# 'After this operation, 4,255 kB of additional disk space will be used.'
# 'Do you want to continue? [Y/n]'
This is the most straightforward way to install Firewalld on Linux. However, there’s much more to learn about Firewalld, its installation, configuration, and usage. Continue reading for a more detailed guide and advanced usage scenarios.
Table of Contents
Basic Install: Firewalld on Linux
Firewalld is a dynamic firewall management tool for Linux systems. It uses the concept of ‘zones’ and ‘services’ for managing a Linux firewall. It provides a command-line interface for managing and observing firewall rules. The primary benefits of using Firewalld include easy configuration and dynamic updates without needing to restart the firewall.
Installing Firewalld with APT
For Debian-based distributions like Ubuntu, we use the APT package manager to install Firewalld.
sudo apt update
sudo apt install firewalld
# Output:
# 'Reading package lists... Done'
# 'Building dependency tree'
# 'Reading state information... Done'
# 'The following additional packages will be installed:'
# ' firewalld-filesystem iptables-nft libiptc0 libxtables12'
# 'Suggested packages:'
# ' firewalld-doc'
# 'The following NEW packages will be installed:'
# ' firewalld firewalld-filesystem iptables-nft libiptc0 libxtables12'
# '0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.'
# 'Need to get 872 kB of archives.'
# 'After this operation, 4,255 kB of additional disk space will be used.'
# 'Do you want to continue? [Y/n]'
In this code block, we first update the package lists for upgrades and new packages using sudo apt update. Next, we install Firewalld with sudo apt install firewalld. The command line will then display the progress of the installation.
Installing Firewalld with YUM
For RPM-based distributions like CentOS, we use the YUM package manager to install Firewalld.
sudo yum check-update
sudo yum install firewalld
# Output:
# 'Loaded plugins: fastestmirror, langpacks'
# 'Loading mirror speeds from cached hostfile'
# ' * base: mirror.checkdomain.de'
# ' * extras: centos.mirror.iphh.net'
# ' * updates: centos.bio.lmu.de'
# 'Resolving Dependencies'
# 'There are unfinished transactions remaining. You might consider running yum-complete-transaction, or "yum-complete-transaction --cleanup-only" and "yum history redo last", first to finish them.'
# 'The program yum-complete-transaction is found in the yum-utils package.'
# '--> Running transaction check'
# '--> Processing Dependency: firewalld-filesystem = 0.6.3-10.el7_9.3 for package: firewalld-0.6.3-10.el7_9.3.noarch'
# '--> Running transaction check'
# 'Dependencies Resolved'
# '================================================================================'
# ' Package Arch Version Repository Size'
# '================================================================================'
# 'Installing:'
# ' firewalld noarch 0.6.3-10.el7_9.3 updates 548 k'
# 'Transaction Summary'
# '================================================================================'
# 'Install 1 Package'
# 'Total download size: 548 k'
# 'Installed size: 2.2 M'
# 'Is this ok [y/d/N]: '
In this code block, we first check for system updates using sudo yum check-update. Then we install Firewalld with sudo yum install firewalld. The command line will display the progress of the installation.
Installing Firewalld from Source Code
To install Firewalld from source, you first need to download the source code. The source code for Firewalld is available on the official Firewalld GitHub page.
# Clone the Firewalld repository
git clone https://github.com/firewalld/firewalld.git
# Navigate into the cloned repository
cd firewalld
# Build and install
./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
# Output:
# 'Cloning into 'firewalld'...'
# 'remote: Enumerating objects: 335, done.'
# 'remote: Counting objects: 100% (335/335), done.'
# 'remote: Compressing objects: 100% (200/200), done.'
# 'remote: Total 335 (delta 183), reused 230 (delta 105), pack-reused 0'
# 'Receiving objects: 100% (335/335), 74.18 KiB | 7.42 MiB/s, done.'
# 'Resolving deltas: 100% (183/183), done.'
In this code block, we first clone the Firewalld repository from GitHub. Then, we navigate into the cloned repository. After that, we build and install Firewalld from the source code.
Install Different Versions: Firewalld
Sometimes, you might need to install a specific version of Firewalld. This could be due to compatibility issues, or because a certain feature you need is only available in a specific version.
Installing Specific Versions from Source
To install a specific version of Firewalld from source, you can checkout to the specific version tag after cloning the repository.
# Clone the Firewalld repository
git clone https://github.com/firewalld/firewalld.git
# Navigate into the cloned repository
cd firewalld
# Checkout to the specific version
git checkout v0.8.2
# Build and install
./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
# Output:
# 'Cloning into 'firewalld'...'
# 'remote: Enumerating objects: 335, done.'
# 'remote: Counting objects: 100% (335/335), done.'
# 'remote: Compressing objects: 100% (200/200), done.'
# 'remote: Total 335 (delta 183), reused 230 (delta 105), pack-reused 0'
# 'Receiving objects: 100% (335/335), 74.18 KiB | 7.42 MiB/s, done.'
# 'Resolving deltas: 100% (183/183), done.'
# 'Note: checking out 'v0.8.2'.
In this code block, we first clone the Firewalld repository from GitHub. Then, we navigate into the cloned repository. After that, we checkout to the specific version using git checkout v0.8.2. Finally, we build and install Firewalld from the source code.
Installing Specific Versions with Package Managers
To install a specific version of Firewalld using a package manager, you can specify the version number in the install command.
# For Debian-based distributions like Ubuntu
sudo apt-get install firewalld=0.6.3-2
# For RPM-based distributions like CentOS
sudo yum install firewalld-0.6.3-2.el7
# Output:
# 'Reading package lists... Done'
# 'Building dependency tree'
# 'Reading state information... Done'
# 'The following additional packages will be installed:'
# ' firewalld-filesystem iptables-nft libiptc0 libxtables12'
# 'Suggested packages:'
# ' firewalld-doc'
# 'The following NEW packages will be installed:'
# ' firewalld firewalld-filesystem iptables-nft libiptc0 libxtables12'
# '0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.'
# 'Need to get 872 kB of archives.'
# 'After this operation, 4,255 kB of additional disk space will be used.'
# 'Do you want to continue? [Y/n]'
In this code block, we specify the version number in the install command. For Debian-based distributions like Ubuntu, we use sudo apt-get install firewalld=0.6.3-2. For RPM-based distributions like CentOS, we use sudo yum install firewalld-0.6.3-2.el7.
Key Changes in Firewalld Versions
Different versions of Firewalld come with different features and improvements. Here’s a summary of key changes in recent versions:
| Version | Key Changes |
|---|---|
| 0.9.0 | Added support for nftables backend, improved logging, added new actions for services and zones |
| 0.8.2 | Added support for Python 3, improved IPv6 support, added new options for services and zones |
| 0.7.0 | Added support for ebtables, improved performance, added new options for services and zones |
Verifying and Using Firewalld
After installing Firewalld, you can verify the installation by checking the version of Firewalld.
# Check the version of Firewalld
firewall-cmd --version
# Output:
# '0.8.2'
In this code block, we check the version of Firewalld using firewall-cmd --version. The command line will display the version of Firewalld installed.
Basic Usage of Firewalld
Firewalld uses the concept of ‘zones’ and ‘services’ for its operation. A zone defines the level of trust for network connections. A service is a program that you can add to a zone to allow its network traffic.
Here’s a basic example of how to use Firewalld.
# List all zones
firewall-cmd --list-all-zones
# Output:
# 'block
# target: %%REJECT%%
# icmp-block-inversion: no
# interfaces:
# sources:
# services:
# ports:
# protocols:
# masquerade: no
# forward-ports:
# source-ports:
# icmp-blocks:
# rich rules:
# ...
# work
# target: default
# icmp-block-inversion: no
# interfaces:
# sources:
# services: dhcpv6-client ipp-client samba-client ssh
# ports: 1025-65535/udp 1025-65535/tcp
# protocols:
# masquerade: no
# forward-ports:
# source-ports:
# icmp-blocks:
# rich rules: '
In this code block, we list all zones using firewall-cmd --list-all-zones. The command line will display all zones and their configurations.
Firewalld is a powerful tool for managing firewall on Linux. It provides a dynamic firewall management which supports network/firewall zones to define the trust level of network connections or interfaces.
Alternative Linux Firewall Solutions
While Firewalld is an excellent firewall management tool for Linux, it’s not the only option available. There are several other firewall solutions that you can use, such as iptables and UFW (Uncomplicated Firewall). Each of these alternatives has its own advantages and disadvantages.
Delving into iptables
iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. It’s highly flexible and powerful, but it can also be complex to use, especially for beginners.
Here’s an example of how to use iptables to allow traffic on port 80 (HTTP):
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Output:
# 'iptables: Setting chains to policy ACCEPT: filter [ OK ]'
# 'iptables: Flushing firewall rules: [ OK ]'
# 'iptables: Unloading modules: [ OK ]'
In this code block, we use the iptables -A INPUT -p tcp --dport 80 -j ACCEPT command to allow incoming TCP traffic on port 80. The -A INPUT option appends a rule to the INPUT chain, -p tcp specifies the TCP protocol, --dport 80 specifies the destination port 80, and -j ACCEPT specifies the action to take (accept the packet).
Understanding Uncomplicated Firewall (UFW)
UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall. It provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. It’s less flexible than iptables, but it’s easier to use, especially for beginners.
Here’s an example of how to use UFW to allow traffic on port 80 (HTTP):
sudo ufw allow 80/tcp
# Output:
# 'Rules updated'
# 'Rules updated (v6)'
In this code block, we use the ufw allow 80/tcp command to allow incoming TCP traffic on port 80. The allow option adds a rule to the firewall to allow connections on port 80 over TCP.
Weighing the Pros and Cons
| Firewall | Advantages | Disadvantages |
|---|---|---|
| iptables | Highly flexible and powerful | Can be complex to use, especially for beginners |
| UFW | User-friendly, easier to use | Less flexible than iptables |
While Firewalld, iptables, and UFW all serve the same basic purpose, they each offer different benefits and drawbacks. iptables is very powerful and flexible, but it can be complex to use, especially for beginners. UFW, on the other hand, is user-friendly and easier to use, but it’s less flexible than iptables.
In the end, the best firewall solution for you depends on your specific needs and level of expertise. If you’re a beginner or prefer a simpler interface, you might choose UFW. If you need more flexibility and power, you might choose iptables. And if you want a balance of ease of use and power, Firewalld could be the right choice.
Troubleshooting Tips: Firewalld
While Firewalld is a powerful tool, you might encounter some issues when using it. Here are some common problems and their solutions.
Firewalld Service Not Starting
One of the common issues with Firewalld is the service not starting. This could be due to various reasons such as incorrect configuration or system errors. You can check the status of Firewalld service using the following command:
sudo systemctl status firewalld
# Output:
# 'firewalld.service - firewalld - dynamic firewall daemon'
# ' Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)'
# ' Active: active (running) since Tue 2021-05-18 14:36:39 EDT; 1 day 23h ago'
# ' Main PID: 943 (firewalld)'
# ' Tasks: 2 (limit: 4915)'
# ' CGroup: /system.slice/firewalld.service'
# ' └─943 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid'
In this code block, we check the status of Firewalld service using sudo systemctl status firewalld. The command line will display the status of Firewalld service.
If Firewalld service is not running, you can start it using the following command:
sudo systemctl start firewalld
# Output:
# 'Starting firewalld - dynamic firewall daemon'
In this code block, we start the Firewalld service using sudo systemctl start firewalld. The command line will display a message indicating that Firewalld service is starting.
Firewalld Command Not Found
Another common issue is the firewall-cmd command not found. This could be due to Firewalld not being installed or the system not recognizing the command. You can verify if Firewalld is installed using the following command:
firewall-cmd --version
# Output:
# '0.8.2'
In this code block, we check if Firewalld is installed using firewall-cmd --version. The command line will display the version of Firewalld installed.
If Firewalld is not installed, you can install it using the appropriate command for your Linux distribution, as discussed in the previous sections.
Firewalld Blocking Connections
Sometimes, Firewalld might block connections that you want to allow. This could be due to incorrect configuration of zones or services. You can list the rules for a zone using the following command:
firewall-cmd --zone=public --list-all
# Output:
# 'public (active)'
# ' target: default'
# ' icmp-block-inversion: no'
# ' interfaces: eth0'
# ' sources: '
# ' services: dhcpv6-client ssh'
# ' ports: '
# ' protocols: '
# ' masquerade: no'
# ' forward-ports: '
# ' source-ports: '
# ' icmp-blocks: '
# ' rich rules: '
In this code block, we list the rules for the public zone using firewall-cmd --zone=public --list-all. The command line will display the rules for the public zone.
If a service is not listed in the services list, you can add it using the following command:
firewall-cmd --zone=public --add-service=http
# Output:
# 'success'
In this code block, we add the HTTP service to the public zone using firewall-cmd --zone=public --add-service=http. The command line will display a message indicating that the operation was successful.
Firewalld is a powerful tool, but it can be complex to use. Understanding how to troubleshoot common issues and how to use Firewalld effectively can help you secure your Linux system.
Explained: Importance of Firewalls
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a trusted internal network and untrusted external networks, such as the Internet.
# Example of a firewall rule that blocks all incoming traffic
sudo iptables -P INPUT DROP
# Output:
# 'iptables: Setting chains to policy DROP: filter [ OK ]'
In this code block, we use the iptables -P INPUT DROP command to block all incoming traffic. The -P INPUT DROP option sets the default policy for the INPUT chain to DROP, which means all incoming packets will be dropped by default.
Stateful vs Stateless Firewalls
Firewalls can be either stateful or stateless. Stateless firewalls monitor network traffic and restrict or block packets based on source and destination addresses or other static values. They’re not aware of traffic patterns or data flows. A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might be part of an existing connection.
On the other hand, stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means they have a state table that keeps track of all the communication channels.
The Role of Firewalld in Linux Security
Firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. Firewalld also supports two types of configurations, runtime and permanent. This makes it a very versatile firewall solution for various types of users and use cases.
# Example of adding a service to a zone in Firewalld
sudo firewall-cmd --zone=public --add-service=http
# Output:
# 'success'
In this code block, we add the HTTP service to the public zone in Firewalld using sudo firewall-cmd --zone=public --add-service=http. The --zone=public option specifies the public zone, and the --add-service=http option adds the HTTP service to the zone.
Firewalld plays a crucial role in Linux security by providing a simple and easy-to-use interface for managing firewall rules. This makes it an excellent choice for both beginners and experienced users.
Practical Security Usages
While this guide has focused on the installation and configuration of Firewalld, it’s important to remember that Firewalld is just one piece of the puzzle when it comes to system security. Firewalls, in general, play a critical role in protecting systems from unwanted access or attacks, but they’re not the only tools at our disposal.
Intrusion Detection Systems: A Proactive Approach
Intrusion Detection Systems (IDS) are designed to detect suspicious activity and take proactive measures to prevent potential threats. They monitor network traffic for malicious activity or policy violations and report these activities to a management station.
# Example of a command to start Snort IDS
sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
# Output:
# 'Running in IDS mode'
# 'Initializing Network Interface eth0'
# 'Decoding Ethernet on interface eth0'
In this code block, we start the Snort Intrusion Detection System using sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0. The command line will display a message indicating that Snort is running in IDS mode and initializing the network interface.
VPNs: Enhancing Privacy and Security
Virtual Private Networks (VPNs) encrypt your internet connection to secure it and protect your privacy. When you use a VPN, your data travels through a tunnel where it’s protected from outside access. This makes it difficult for anyone to monitor your online activities or steal your information.
# Example of a command to start OpenVPN
sudo openvpn --config /etc/openvpn/client.conf
# Output:
# 'OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019'
# 'library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10'
# 'TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:1194'
# 'Attempting to establish TCP connection with [AF_INET]192.168.1.1:1194 [nonblock]'
In this code block, we start the OpenVPN service using sudo openvpn --config /etc/openvpn/client.conf. The command line will display a message indicating that OpenVPN is attempting to establish a TCP connection.
Further Resources for Linux Firewall Mastery
To expand your knowledge on Linux firewalls and system security, consider exploring the following resources:
- The Linux Documentation Project: Security HOWTO provides an overview of many security issues that face the administrator of Linux systems.
DigitalOcean Community Tutorials: Firewalls: This series of tutorials covers the basics of firewall configuration as well as more advanced topics.
Linux Journal: Linux Security: This collection of articles offers in-depth discussions on various Linux security topics.
Recap: Firewalld Installation Guide
In this comprehensive guide, we’ve delved into the installation and configuration of Firewalld on Linux. We’ve seen how Firewalld can be a powerful tool for managing firewall rules and enhancing the security of your Linux system.
We began with the basics, learning how to install Firewalld on different Linux distributions. We then moved onto more advanced topics, such as installing Firewalld from source code, and understanding the concept of ‘zones’ and ‘services’. We also looked at how to troubleshoot common Firewalld issues, and explored alternative firewall solutions like iptables and UFW.
Here’s a quick comparison of the methods we’ve discussed:
| Firewall | Pros | Cons |
|---|---|---|
| Firewalld | Easy to use, dynamic updates | Can be complex for advanced configurations |
| iptables | Highly flexible and powerful | Can be complex to use, especially for beginners |
| UFW | User-friendly, easier to use | Less flexible than iptables |
Whether you’re a beginner just starting out with Firewalld, or an experienced user looking to deepen your understanding, we hope this guide has been a valuable resource for you.
Securing your Linux system is a critical task, and Firewalld provides a robust and flexible solution for managing firewall rules. With the knowledge you’ve gained from this guide, you’re now well-equipped to use Firewalld effectively to enhance your Linux system’s security.
About Author
Gabriel Ramuglia
Gabriel is the owner and founder of IOFLOOD.com, an unmanaged dedicated server hosting company operating since 2010.Gabriel loves all things servers, bandwidth, and computer programming and enjoys sharing his experience on these topics with readers of the IOFLOOD blog.
