FirewallD Configuration on AlmaLinux 9

This tutorial intends to teach you to FirewallD Configuration on AlmaLinux 9. You will learn to configure FirewallD on AlmaLinux 9, work with zones and create your own services, and much more exciting usage of FirewallD.

FirewallD Introduction

firewalld is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed.

firewalld uses the concepts of zones and services, that simplify traffic management.

Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.

Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.

Steps To FirewallD Configuration on AlmaLinux 9

To configure firewalld on AlmaLinux 9, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide the Initial Server Setup with AlmaLinux 9.

Check FirewallD Status on AlmaLinux 9

The first step is to check whether you have FirewallD service active on your server or not.

To do this, run the command below:

sudo systemctl status firewalld

In my case, I get the following output:

Output
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor>
     Active: active (running) since Sat 2023-04-29 07:03:15 EDT; 6s ago
       Docs: man:firewalld(1)
   Main PID: 5045 (firewalld)
      Tasks: 2 (limit: 23609)
     Memory: 24.0M
        CPU: 627ms
     CGroup: /system.slice/firewalld.service
...

If it is not running, use the following commands to start and enable your FirewallD:

# sudo systemctl start firewalld
# sudo systemctl enable firewalld

If your service is not available, you can install FirewallD with the following command:

# sudo dnf update -y
# sudo dnf install firewalld -y

FirewallD Zones on AlmaLinux 9

At this point, we want to find out available zones, and default zones, and list all zones using the following commands.

List FirewallD Zones

To list the firewalld zone, you can use the command below on AlmaLinux 9:

sudo firewall-cmd --get-zones

Output
block dmz drop external home internal nm-shared public trusted work

List FirewallD Default Zone

Also, you can find the default zones on firewalld by using the following command:

sudo firewall-cmd --get-default-zone

Output
public

List All FirewallD Zones

To get all the firewalld zones, you can run the command below on AlmaLinux 9:

sudo firewall-cmd --list-all-zones

Output
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes

  interfaces:
 ...

Set Default FirewallD Zone on AlmaLinux 9

At this point, you can set the default zone as internal, external, drop, work, or any other zone. For example, if you want to set your firewalld zone as an internal zone, you can use the command below:

sudo firewall-cmd --set-default-zone=internal

Then, verify by getting the default zones:

sudo firewall-cmd --get-default-zone

Output
internal

Another interesting feature of firewalld is ‘The ICMP type ‘ is one of the ICMP types supported by firewalld.

The Internet Control Message Protocol (ICMP) is used to exchange information and also error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages.

To get the listing of supported icmp types, you can use the command below:

sudo firewall-cmd --get-icmptypes

Output
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

FirewallD Services on AlmaLinux 9

At this point, we want to find out available services on FirewallD. To list all available services, you can use the following command:

sudo firewall-cmd --get-services

Output
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication
...

Create your Own Service on FirewallD

To create your own service, you need to define it at the /etc/firewalld/services/ directory.

Here we will show you how to do it with an example. We want to add a service for RTMP port 1935. First, make a copy of any one of the services at the /usr/lib/firewalld/services directory.

# cd /usr/lib/firewalld/services/
# ls

Output
afp.xml                      mqtt.xml
amanda-client.xml            mssql.xml
amanda-k5-client.xml         ms-wbt.xml
amqps.xml                    murmur.xml
amqp.xml                     mysql.xml
apcupsd.xml                  nbd.xml
audit.xml                    netbios-ns.xml
bacula-client.xml            nfs3.xml
bacula.xml                   nfs.xml
bb.xml                       nmea-0183.xml
bgp.xml                      nrpe.xml
bitcoin-rpc.xml              ntp.xml
bitcoin-testnet-rpc.xml      nut.xml
bitcoin-testnet.xml          openvpn.xml
bitcoin.xml                  ovirt-imageio.xml
bittorrent-lsd.xml           ovirt-storageconsole.xml
ceph-mon.xml                 ovirt-vmconsole.xml
ceph.xml                     plex.xml
cfengine.xml                 pmcd.xml
cockpit.xml                  pmproxy.xml
....

Here we will copy the ssh.xml file to the /etc/firewalld/services/.

# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

Next, rename the  file ‘ssh.xml‘ to ‘rtmp.xml‘ with the command below:

# mv ssh.xml rtmp.xml
# ls -l rtmp.xml

Output
-rw-r--r-- 1 root root 463 Apr 29 07:33 rtmp.xml

Now open the file with your favorite text editor, here we use vi:

sudo vi rtmp.xml

Edit the file as shown below:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>rtmp</short>
  <description>To allow RTMP Streaming</description>
  <port protocol="tcp" port="1935"/>
</service>

When you are done, save and close the file.

To apply the changes, reload the firewalld:

sudo firewall-cmd --reload

Now you can verify it by getting the list of services:

sudo firewall-cmd --get-services

Output
... pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtmp rtsp salt-master ...

Add Services To FirewallD Zones on AlmaLinux 9

In the previous step, you have learned to create your own service(for example rtmp). To add the rtmp service to the firewalld zone, you can run the command below:

sudo firewall-cmd --add-service=rtmp

To make it permanent, run the command below:

sudo firewall-cmd --add-service=rtmp --permanent

Apply the changes by reloading the firewalld:

sudo firewall-cmd --reload

Also, you can easily define rules for the network source range and open any one of the ports. For example, if you would like to open a network range say ‘192.168.0.0/24‘ and port ‘1935‘ use the following commands:

# sudo firewall-cmd --permanent --add-source=192.168.0.0/24
# sudo firewall-cmd --permanent --add-port=1935/tcp

Apply the changes by reloading the firewalld on AlmaLinux:

sudo firewall-cmd --reload

To remove the added zone, you can run the command below:

sudo firewall-cmd --zone=public --remove-service=rtmp

Note: Remember to reload the firewall after any Firewalld configuration.

Firewalld Rich Rules for Network Range

Rich rules provide a much greater level of control through more custom granular options. Rich rules can also be used to configure logging, masquerading, port forwarding, and rate limiting.

For example, if you want to allow the http service, use the following rules. First, add the rule and make it permanent and reload the rules and check the status.

# sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' 
# sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent

After adding the above rules, don’t forget to reload the firewall rules and list the rules using:

# sudo  firewall-cmd --reload
# sudo firewall-cmd --list-all

For more information, you can visit the man page:

man firewalld

Conclusion

At this point, you have learned to Configure FirewallD on AlmaLinux 9 (FirewallD Configuration on AlmaLinux 9).

Hope you enjoy it. Also, you may be interested in these articles on the Orcacore website:

Install FirewallD GUI on AlmaLinux 8

Open and Close Ports with FirewallD on Rocky Linux 8

Install and Configure CSF Firewall on AlmaLinux 9