Firewalls are one of the most essential parts of security when we go online. Here we cover the steps and commands to install, configure, and use FirewallD on Rocky Linux 8, using either the CLI or the GUI.
Many of us who are not already on Linux will be familiar with the firewall feature on Windows, where it is very easy to turn ports or services on or off using the GUI. What about Linux distributions such as CentOS, Rocky Linux, RedHat, AlmaLinux, and others? If you are using a full Linux desktop, a firewall will already be there, but in most cases without a graphical interface. Nevertheless, Debian, RedHat, Ubuntu, and other Linux systems provide firewall GUI software directly from their respective repositories, so the firewall can be managed with mouse clicks.
But what if you just want a basic OS installation with no graphical interface? Minimal Linux installations may not even ship the CLI firewall tool by default. This is a very small problem: with an active internet connection and the distribution's built-in package manager, we can install a firewall with a single command.
Features of FirewallD:
• Complete D-Bus API
• IPv4, IPv6, bridge, and ipset support
• IPv4 and IPv6 NAT support
• firewall zones
• A predefined list of zones, services, and ICMP types
• Simple service, port, protocol, source port, masquerading, port forwarding, ICMP filter, rich rule, interface, and source address handling in zones
• Simple service definitions for ports, protocols, source ports, modules (Netfilter helpers), and destination address handling
• Rich Language for more flexible and complex rules in zones
• Timed rules in zones
• Simple logging of rejected packets
• Direct interface
• Lockdown: Whitelist of users who are allowed to modify the firewall.
• Automatic loading of the Linux kernel modules
• Works with Puppet
• CLI for online and offline configurations
• Graphical Tool (using gtk3)
• Applet (using Qt4)
Firewalls in CentOS used to be controlled by iptables. This has largely been superseded by FirewallD. By default, only port 22 is open on Rocky Linux 8; everything else is closed.
Steps to install and configure Firewalld on Rocky Linux 8
The commands given here also apply to other RedHat-based systems such as CentOS, Oracle Linux, Rocky Linux, and RedHat.
There are no special requirements; however, make sure you have the following:
• Rocky Linux 8
• A non-root user with sudo access
• An Internet connection
• Access to Terminal
2. DNF Update
The very first thing to do after installing a Linux OS, or before setting up a tool using the package manager, is to run a system update. This ensures all packages are at their latest versions and also refreshes the repository cache.
sudo dnf update
3. Install Firewalld on Rocky Linux 8
We don't have to look for any third-party repository to get the FirewallD packages on Rocky Linux 8 or any other RedHat-based system; they are already supplied by the system's BaseOS repository. Hence, simply run the given command and you are done.
sudo dnf install firewalld
4. Start FirewallD service
The Firewalld service will not start automatically; we have to start it manually and also enable it to run at system boot.
sudo systemctl unmask firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
Check the status:
sudo systemctl status firewalld
4. Check Version
After the installation completes successfully, we can check the firewall's version to confirm it is present on the system.
sudo firewall-cmd --version
5. FirewallD Usage on Rocky Linux 8
There are a few predefined zones that we can use with the firewall-cmd command to configure various services and ports on the system. Here they are:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.
Command Syntax to allow or block ports
By now you are familiar with the zones of the Firewalld program, so we can use the terminal to open, close, and manage ports or services in the various zones.
For example, to open port 80 or the HTTP service:
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-service=http
In the same way, we can open ports 22 and 443, or any service not already allowed in the firewall.
After opening the port, it is important to reload the firewall to apply the changes we have made: the --permanent option only writes the saved configuration, and the running firewall picks it up on reload.
sudo firewall-cmd --reload
To block an open port or service, we just use the corresponding remove option. For example, to block port 80, the command is:
sudo firewall-cmd --permanent --zone=public --remove-port=80/tcp
or, if you know the service corresponding to the port:
sudo firewall-cmd --permanent --zone=public --remove-service=http
After that, don't forget to reload the firewall:
sudo firewall-cmd --reload
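As an added example (not part of the original tutorial, and not a FirewallD tool), the following shell script turns the add/remove/reload commands above into a small reconciliation routine: you declare the services and ports that should be open in a zone, the script compares that with what firewall-cmd --list-services and --list-ports currently report, and it emits only the --add-*/--remove-* operations needed, written with --permanent and followed by --reload. The zone name, the allowlist, and the FW variable (which lets you point the script at a stub command for an offline dry run) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: reconcile a firewalld zone with a declared allowlist.
# Assumes firewall-cmd from firewalld; zone name and allowlist are constructed.
set -eu

ZONE="${ZONE:-public}"
# Desired state (constructed): only these services and ports stay open.
# Keep ssh in the list, or the next --reload will cut off your own session.
WANT_SERVICES="ssh http https"
WANT_PORTS="8443/tcp"

# Command used to talk to firewalld. Override it (FW=some_stub) for a dry run.
FW="${FW:-sudo firewall-cmd}"

# contains NEEDLE WORD...: succeed if NEEDLE is one of the WORDs.
contains() {
  local needle="$1" w
  shift
  for w in "$@"; do
    [ "$w" = "$needle" ] && return 0
  done
  return 1
}

# plan_zone_changes ZONE: print one firewall-cmd option per line that moves
# the zone from its current runtime state to the declared allowlist.
plan_zone_changes() {
  local zone="$1" cur_services cur_ports svc port
  cur_services=$($FW --zone="$zone" --list-services)
  cur_ports=$($FW --zone="$zone" --list-ports)
  for svc in $WANT_SERVICES; do
    contains "$svc" $cur_services || echo "--add-service=$svc"
  done
  for svc in $cur_services; do
    contains "$svc" $WANT_SERVICES || echo "--remove-service=$svc"
  done
  for port in $WANT_PORTS; do
    contains "$port" $cur_ports || echo "--add-port=$port"
  done
  for port in $cur_ports; do
    contains "$port" $WANT_PORTS || echo "--remove-port=$port"
  done
}

# apply_zone_changes ZONE: write each planned change to the permanent
# configuration, then reload so the running firewall picks it up.
apply_zone_changes() {
  local zone="$1" op
  plan_zone_changes "$zone" | while read -r op; do
    if [ -n "$op" ]; then
      $FW --permanent --zone="$zone" "$op"
    fi
  done
  $FW --reload
}

# Usage: ./fw-reconcile.sh plan   (show the changes only)
#        ./fw-reconcile.sh apply  (make them permanent and reload)
case "${1:-}" in
  plan)  plan_zone_changes "$ZONE" ;;
  apply) apply_zone_changes "$ZONE" ;;
esac
```

Run it with "plan" first and read the output: anything listed as --remove-service or --remove-port is something currently reachable that your allowlist does not cover, which is exactly the review a defender wants before touching a remote host. The plan is computed from the runtime state, so it is only meaningful when the runtime and permanent configurations agree, which is the case right after a --reload.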
List all the open ports:
To see which ports are open in the firewall, list them with:
sudo firewall-cmd --list-ports
List default zone information
When you don't know which zone has what kind of service, or simply want all the information related to the firewall in a zone, run the following.
To list all settings of the default zone:
sudo firewall-cmd --list-all
For a specific zone only, name it in the command:
sudo firewall-cmd --list-all --zone=home
Command to see which services are allowed
To get only the list of services allowed in the firewall:
sudo firewall-cmd --list-services
6. Install FirewallD GUI on Rocky Linux 8
Those using the graphical user interface of Rocky Linux 8, or any other RPM-based distribution, can use the GUI to manage the firewall easily, such as adding or removing ports and services.
sudo dnf install firewall-config
Once the installation completes, go to the Application Launcher and search for "Firewall". When its icon appears, click it to run the program.
Using the GUI we can easily configure various services and ports with the help of just a few clicks.
7. Stop and disable Firewalld
Whenever you don't want the firewall to block or allow any port/service, you can stop it temporarily until the next system start.
sudo systemctl stop firewalld
Whereas, if you want to stop and disable the Firewall permanently, run:
sudo systemctl disable firewalld
sudo systemctl mask firewalld
8. Uninstall or Remove
In case you don't want FirewallD on your system anymore, you can remove it with the DNF package manager using the "remove" option.
sudo dnf remove firewalld
For the GUI, if you installed it:
sudo dnf remove firewall-config
In this way, we can install and use FirewallD on AlmaLinux and other RPM-based Linux systems to secure our system from the outside world to some extent. Learn more in the official FirewallD documentation.