Best FirewallD Configuration on AlmaLinux 9 with Examples
This tutorial intends to teach you FirewallD configuration on AlmaLinux 9. You will learn to check and configure FirewallD on AlmaLinux 9, work with zones, create your own services, restrict access with rich rules, and more. Follow the steps below on the Orcacore website to explore the firewalld commands.
What is the concept of firewalld?
firewalld is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed.
firewalld uses the concepts of zones and services, that simplify traffic management.
Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.
Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.
Steps To FirewallD Configuration on AlmaLinux 9
To work through the firewalld commands below, log in to your server as a non-root user with sudo privileges. To set that up, you can follow our guide on the Initial Server Setup with AlmaLinux 9.
1. Check FirewallD Status on AlmaLinux 9
The first step is to check whether the FirewallD service is active on your server.
To do this, run the command below:
sudo systemctl status firewalld
On a server where the firewall is running, the output contains the line Active: active (running); if you see inactive (dead) instead, the daemon is installed but not running.
If it is not running, use the following commands to start it now and enable it at boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
If the service does not exist at all, the package is not installed. Install it with the following commands (the first one refreshes the package index and upgrades every installed package, so skip it if you do not want a full update):
sudo dnf update -y
sudo dnf install firewalld -y
2. FirewallD Zones on AlmaLinux 9
At this point, we want to find out which zones are available, which one is the default, and what each zone currently allows, using the following firewalld commands.
List FirewallD Zones
To list the available firewalld zones, run the command below on AlmaLinux 9:
sudo firewall-cmd --get-zones
Output
block dmz drop external home internal nm-shared public trusted work
List FirewallD Default Zone
You can also find the default zone, the one that handles every interface and source not explicitly assigned elsewhere, with the following command:
sudo firewall-cmd --get-default-zone
Output
public
List All FirewallD Zones
To print the full configuration of every zone (interfaces, sources, services, ports and rich rules), run the command below on AlmaLinux 9:
sudo firewall-cmd --list-all-zones
Set Default FirewallD Zone on AlmaLinux 9
At this point, you can set the default zone to internal, external, drop, work, or any other zone. The change takes effect immediately and is also written to the permanent configuration, so check what the target zone allows before switching: on a remote server, moving to a zone that does not allow ssh (such as drop or block) locks you out. For example, to make internal the default zone, use the command below:
sudo firewall-cmd --set-default-zone=internal
Then, verify by getting the default zones:
sudo firewall-cmd --get-default-zone
Output
internal
Another interesting feature of firewalld is its support for ICMP types.
The Internet Control Message Protocol (ICMP) is used to exchange information and error messages within the Internet Protocol (IP). firewalld lets you block individual ICMP types in a zone (or, with icmp-block-inversion, allow only the listed types), which limits the exchange of these messages.
To get the listing of supported icmp types, you can use the command below:
sudo firewall-cmd --get-icmptypes
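Listing zones is only useful if you act on what you see. The script below is an added example (not part of the original tutorial or of the firewalld project) that reads the output of sudo firewall-cmd --zone=NAME --list-all on stdin and reports every service or port that is not on an allow-list you pass in, plus the zone target. The listing embedded in SAMPLE_LISTING is constructed to match the --list-all format so the script runs offline; the function names audit_zone and zone_target, the allow-list format and the eth0/cockpit/1935 values are assumptions for the demonstration.

```shell
#!/bin/sh
# Audit one zone listing against an allow-list of services and ports.
# Live usage:  sudo firewall-cmd --zone=public --list-all | audit_zone "ssh https"
# The listing below is a constructed sample in the --list-all format so the
# script also runs offline; the services present on your host will differ.

SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 1935/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Read a --list-all listing on stdin and print every service or port that is
# not in the space-separated allow-list given as $1. Returns 1 if any were
# found, so the function can gate a deployment or a cron-driven check.
audit_zone() {
    allow=" $1 "
    found=0
    for item in $(awk -F': *' '/^ *(services|ports):/ {print $2}'); do
        case "$allow" in
            *" $item "*) ;;                        # explicitly allowed
            *) echo "unexpected: $item"; found=1 ;;
        esac
    done
    return $found
}

# Print the zone target. A zone whose target is ACCEPT (the trusted zone, or a
# zone someone changed) lets everything through, so its service list is moot.
zone_target() {
    awk -F': *' '/^ *target:/ {print $2; exit}'
}

# Live usage: fail loudly if the public zone exposes more than ssh.
# sudo firewall-cmd --zone=public --list-all | audit_zone "ssh dhcpv6-client"
```

Run it against every active zone (sudo firewall-cmd --get-active-zones lists them) rather than only the default zone, because an interface or source assigned to another zone is governed by that zone's rules, not the default's.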
3. FirewallD Services on AlmaLinux 9
At this point, we want to find out available services on FirewallD. To list all available services, you can use the following command:
sudo firewall-cmd --get-services
Create your Own Service on FirewallD
To create your own service, define it in the /etc/firewalld/services/ directory. Definitions there take precedence over the packaged ones in /usr/lib/firewalld/services/, which a package update can overwrite, so never edit the packaged files directly.
Here we will show you how to do it with an example. We want to add a service for RTMP on port 1935/tcp. First, list the packaged services and pick one to use as a template:
cd /usr/lib/firewalld/services/
ls
Here we will copy the ssh.xml file to /etc/firewalld/services/ (this directory is owned by root, so the commands need sudo):
cd /etc/firewalld/services/
sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
Next, rename ssh.xml to rtmp.xml with the command below and check the result:
sudo mv ssh.xml rtmp.xml
ls -l rtmp.xml
Output
-rw-r--r-- 1 root root 463 Apr 29 07:33 rtmp.xml
Now open the file with your favorite text editor, here we use vi:
sudo vi rtmp.xml
Replace the copied ssh definition with the content shown below (the file must stay well-formed XML, otherwise firewalld refuses to load it and logs an error on reload):
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>rtmp</short>
<description>To allow RTMP Streaming</description>
<port protocol="tcp" port="1935"/>
</service>
When you are done, save and close the file.
firewalld only reads the services directory at startup or reload, so apply the change by reloading it:
sudo firewall-cmd --reload
Now you can verify that rtmp appears in the list of known services:
sudo firewall-cmd --get-services
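Hand-editing a copied ssh.xml works once, but it is easy to leave a stray port or a broken tag behind. The following is an added example (not part of the original tutorial or of firewalld itself) that generates a service file from a name, a description and one or more PORT/PROTO pairs, refusing invalid ports and protocols before anything is written and escaping the description so the XML stays well-formed. The function names write_fw_service and valid_port_spec and the FW_SERVICE_DIR variable are assumptions for the demonstration; FW_SERVICE_DIR defaults to the /etc/firewalld/services/ directory used above and can point at a scratch directory for testing.

```shell
#!/bin/sh
# Write a firewalld service definition file for a named service.
# Usage: write_fw_service NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
# Files are written to FW_SERVICE_DIR (default: firewalld's local override
# directory); point it at a scratch directory to try the script offline.

: "${FW_SERVICE_DIR:=/etc/firewalld/services}"

# Reject anything that is not a valid port/protocol pair, so a typo cannot
# silently produce a definition that firewalld refuses to load.
valid_port_spec() {
    port=${1%/*}
    proto=${1#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

write_fw_service() {
    name=$1
    # Escape XML metacharacters so a description such as "A & B" stays valid.
    desc=$(printf '%s' "$2" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    shift 2
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO required" >&2; return 1; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    file="$FW_SERVICE_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file" || return 1
    chmod 0644 "$file"          # same mode firewalld's own service files use
    echo "$file"
}

# Example from the tutorial: the RTMP service on 1935/tcp (run as root or via
# sudo when FW_SERVICE_DIR is the real directory, then firewall-cmd --reload).
# write_fw_service rtmp "To allow RTMP Streaming" 1935/tcp
```

The same result can be reached without writing XML at all: sudo firewall-cmd --permanent --new-service=rtmp creates an empty definition and sudo firewall-cmd --permanent --service=rtmp --add-port=1935/tcp adds the port to it; either way, sudo firewall-cmd --info-service=rtmp shows the definition firewalld actually loaded after the reload.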
4. Add Services To FirewallD Zones on AlmaLinux 9
In the previous step, you learned to create your own service (for example rtmp). To allow the rtmp service in the default zone at runtime (add --zone=NAME to target another zone), run the command below:
sudo firewall-cmd --add-service=rtmp
A runtime rule is lost at the next reload or reboot. To make it permanent, run the command below, which writes the rule to the zone's saved configuration without activating it:
sudo firewall-cmd --add-service=rtmp --permanent
Apply the saved configuration by reloading firewalld (a reload also discards any runtime-only rule that was not made permanent):
sudo firewall-cmd --reload
You can also add a network source range to a zone and open a raw port number instead of a named service. For example, to put the range 192.168.0.0/24 into the default zone and open port 1935/tcp, use the following commands:
sudo firewall-cmd --permanent --add-source=192.168.0.0/24
sudo firewall-cmd --permanent --add-port=1935/tcp
Note that these two commands do not restrict the port to that range: --add-port opens 1935/tcp in the default zone for every source, and --add-source only makes traffic from 192.168.0.0/24 land in that same zone. To allow the port for one range only, put the source and the port (or service) together in a dedicated zone of their own, or use a rich rule as shown in the next step.
Apply the changes by reloading firewalld on AlmaLinux:
sudo firewall-cmd --reload
To remove the rtmp service from the public zone again (this removes the runtime rule; add --permanent and reload to drop it from the saved configuration as well), run the command below:
sudo firewall-cmd --zone=public --remove-service=rtmp
Note: Remember to reload the firewall after any Firewalld configuration.
5. Firewalld Rich Rules for Network Range
Rich rules provide a much greater level of control through more custom granular options. Rich rules can also be used to configure logging, masquerading, port forwarding, and rate limiting.
For example, to allow the http service only from the 192.168.0.0/24 range, use the following rules. The first command adds the rule at runtime, the second writes it to the permanent configuration:
sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent
Because a rich rule carries its own source match, it allows http from that range without opening the service to everyone else, which is what the --add-source and --add-port pair in the previous step could not do on its own.
After adding the rules, reload the firewall and list the active zone's configuration to confirm the rich rule is present:
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
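The two ways of limiting a port or service to one source range, the dedicated zone mentioned in step 4 and the rich rule from this step, are shown together in the following added example (not part of the original tutorial or of the firewalld project). Every firewall-cmd call goes through a small fw wrapper that only prints the command when DRY_RUN=1, so the generated rules can be reviewed or tested before they touch a live host, and the CIDR argument is validated before it reaches firewall-cmd. The function names fw, valid_ipv4_cidr, restrict_with_zone, rich_rule and restrict_with_rich_rule, the zone name rtmp-clients, the log prefix and the 10/m log limit are assumptions for the demonstration.

```shell
#!/bin/sh
# Restrict a service to one IPv4 source range without opening it to everyone
# in the default zone. Set DRY_RUN=1 to print the firewall-cmd invocations
# instead of executing them.

fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# Accept only dotted-quad/prefix notation (e.g. 192.168.0.0/24); anything
# else is refused before it can be handed to firewall-cmd.
valid_ipv4_cidr() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1              # no /prefix given
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Way 1: a dedicated zone whose only source is the allowed range. Sources are
# matched before interfaces, so packets from that range are handled by this
# zone; everything else stays in the default zone, where the service is closed.
# --new-zone exists only in permanent mode, hence the reload at the end.
restrict_with_zone() {
    zone=$1; cidr=$2; service=$3
    valid_ipv4_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    fw --permanent --new-zone="$zone" &&
    fw --permanent --zone="$zone" --add-source="$cidr" &&
    fw --permanent --zone="$zone" --add-service="$service" &&
    fw --reload
}

# Way 2: a rich rule in an existing zone. Builds the rule text; when a log
# prefix is given, matching packets are logged at info level, rate-limited
# so a scan cannot flood the journal, and then accepted.
rich_rule() {
    cidr=$1; service=$2; log_prefix=$3
    valid_ipv4_cidr "$cidr" || return 1
    rule="rule family=\"ipv4\" source address=\"$cidr\" service name=\"$service\""
    if [ -n "$log_prefix" ]; then
        rule="$rule log prefix=\"$log_prefix\" level=\"info\" limit value=\"10/m\""
    fi
    echo "$rule accept"
}

restrict_with_rich_rule() {
    zone=$1; cidr=$2; service=$3; log_prefix=$4
    rule=$(rich_rule "$cidr" "$service" "$log_prefix") || { echo "bad CIDR: $cidr" >&2; return 1; }
    fw --permanent --zone="$zone" --add-rich-rule="$rule" &&
    fw --reload
}

# Review first, then run for real (as root or via sudo) without DRY_RUN:
# DRY_RUN=1 restrict_with_zone rtmp-clients 192.168.0.0/24 rtmp
# DRY_RUN=1 restrict_with_rich_rule public 192.168.0.0/24 http http-allow
```

Prefer the dedicated zone when a whole set of services should be reachable from an admin or streaming network, and the rich rule when you need per-rule logging or rate limiting in a zone that already exists; after either, sudo firewall-cmd --list-all-zones shows which zone the source now belongs to.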
For more information, you can visit the man page:
man firewalld
Conclusion
The firewalld configuration is used to define and manage rules that control network traffic, providing security by allowing trusted connections while blocking harmful or unwanted ones. At this point, you have learned to Configure FirewallD on AlmaLinux 9 (FirewallD Configuration on AlmaLinux 9).
Hope you enjoy using FirewallD commands. You may also be interested in these articles:
Install FirewallD GUI on AlmaLinux 8