FirewallD is a dynamic firewall management tool for Linux systems that provides a flexible interface for managing iptables and nftables rules. It is widely used on RHEL-based distributions such as CentOS, AlmaLinux, Rocky Linux, and Fedora. FirewallD uses zones, services, ports, and rich rules to simplify firewall configuration, allowing administrators to control traffic by service, port, protocol, network, or individual IP address without manually editing complex rule tables.
What Is FirewallD and How It Works
FirewallD runs as a background daemon and applies firewall rules dynamically. Unlike traditional static firewalls, changes can be applied without restarting the firewall service, preventing SSH session drops. FirewallD organizes rules into zones, which represent trust levels for network connections. Each network interface is assigned to a zone, and rules are applied accordingly.
Installing FirewallD
sudo dnf install firewalld -ydnf→ Package manager used on modern RHEL-based systems.install→ Installs the specified package.firewalld→ The FirewallD service package.-y→ Automatically confirms installation prompts.
Starting and Enabling FirewallD
sudo systemctl start firewalldsystemctl→ Controls systemd services.start→ Starts the service immediately.firewalld→ The firewall daemon service name.
sudo systemctl enable firewalldenable→ Configures the service to start automatically on boot.firewalld→ The firewall service.
Checking Firewall Status
sudo firewall-cmd --statefirewall-cmd→ FirewallD command-line management tool.--state→ Displays whether the firewall is running.
Understanding Zones
sudo firewall-cmd --get-default-zone--get-default-zone→ Shows the current default zone.
sudo firewall-cmd --get-active-zones--get-active-zones→ Lists active zones and assigned interfaces.
Allowing Common Services
sudo firewall-cmd --permanent --add-service=ssh--permanent→ Saves the rule across reboots.--add-service=ssh→ Allows SSH service (port 22).
sudo firewall-cmd --permanent --add-service=http--add-service=http→ Allows HTTP traffic (port 80).
sudo firewall-cmd --permanent --add-service=https--add-service=https→ Allows HTTPS traffic (port 443).
sudo firewall-cmd --reload--reload→ Reloads firewall rules without restarting the service.
Opening and Closing Specific Ports
sudo firewall-cmd --permanent --add-port=8080/tcp--add-port=8080/tcp→ Opens TCP port 8080.
sudo firewall-cmd --permanent --remove-port=8080/tcp--remove-port=8080/tcp→ Closes TCP port 8080.
Allowing a Specific IP Address (All Ports)
You can allow all traffic from a trusted IP address by adding it as a source to a trusted zone.
sudo firewall-cmd --permanent --zone=trusted --add-source=203.0.113.10--zone=trusted→ Specifies the trusted zone.--add-source=203.0.113.10→ Allows all traffic from this IP address.--permanent→ Makes the rule persistent.
Blocking a Specific IP Address (All Ports)
To completely block an IP address from accessing your server:
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='198.51.100.25' reject"--add-rich-rule→ Adds an advanced rule using rich rule syntax.family='ipv4'→ Applies rule to IPv4 traffic.source address='198.51.100.25'→ Specifies the IP to block.reject→ Rejects traffic from the specified IP.
Allowing a Specific IP to Access a Specific Port
This example allows only one IP address to access SSH (port 22).
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='203.0.113.50' port port='22' protocol='tcp' accept"source address='203.0.113.50'→ IP allowed to connect.port port='22'→ Target port number.protocol='tcp'→ Specifies TCP protocol.accept→ Allows the connection.
Blocking a Specific IP From a Specific Port
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='198.51.100.60' port port='80' protocol='tcp' reject"source address='198.51.100.60'→ IP address to block.port port='80'→ Blocks access to HTTP port 80.protocol='tcp'→ Applies to TCP traffic.reject→ Rejects matching traffic.
Allowing a Subnet
You can allow an entire subnet to access a service.
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' service name='http' accept"192.168.1.0/24→ Specifies subnet range.service name='http'→ Applies rule to HTTP service.accept→ Allows matching traffic.
Listing Active Rules
sudo firewall-cmd --list-all--list-all→ Displays services, ports, sources, and rich rules in the current zone.
Best Practices for FirewallD Security
- Always keep SSH access restricted to trusted IP addresses whenever possible.
- Use rich rules for granular IP-based access control.
- Open only required ports to minimize attack surface.
- Reload the firewall after permanent changes.
- Test firewall rules carefully on remote servers to avoid accidental lockouts.
Final thoughts
FirewallD is a powerful and flexible Linux firewall management solution that simplifies complex network filtering tasks. By leveraging zones, services, ports, and rich rules, administrators can implement granular access control, including IP-based filtering and port-specific restrictions. Proper FirewallD configuration significantly enhances server security and reduces exposure to unauthorized access. Whether managing a VPS, dedicated server, or enterprise environment, mastering FirewallD is essential for maintaining a secure Linux infrastructure.
