Best FirewallD Configuration on AlmaLinux 9 with Examples


This tutorial is designed to guide you through the process of FirewallD Configuration on AlmaLinux 9. You will learn how to effectively configure FirewallD on AlmaLinux 9, work with zones, create custom services, and explore other useful functionalities. Refer to the step-by-step instructions provided on the Orcacore website for additional information about firewalld commands.

What is the concept of firewalld?

firewalld is a firewall service daemon that offers a dynamically customizable, host-based firewall accessible through a D-Bus interface. Its dynamic nature allows for the creation, modification, and deletion of rules without requiring a restart of the firewall daemon each time changes are made.

firewalld utilizes the concepts of zones and services to streamline traffic management.

Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.

Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.

To explore firewalld commands, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide, Initial Server Setup with AlmaLinux 9.

1. Check FirewallD Status on AlmaLinux 9

The first step is to verify whether the FirewallD service is active on your server.

Execute the following command:

sudo systemctl status firewalld

The output should show the service as active (running).

If it’s not running, start and enable FirewallD using:

sudo systemctl start firewalld
sudo systemctl enable firewalld

If FirewallD is not installed, install it with:

sudo dnf update -y
sudo dnf install firewalld -y

2. FirewallD Zones on AlmaLinux 9

Let’s explore available zones, the default zone, and list all zones using Firewalld commands.

List FirewallD Zones

To list available firewalld zones, use:

sudo firewall-cmd --get-zones
**Output**
block dmz drop external home internal nm-shared public trusted work

List FirewallD Default Zone

To find the default zone, use:

sudo firewall-cmd --get-default-zone
**Output**
public

List All FirewallD Zones

To get all firewalld zones with their configurations, run:

sudo firewall-cmd --list-all-zones

Set Default FirewallD Zone on AlmaLinux 9

You can set the default zone to internal, external, drop, work, or any other available zone. For example, to set the default zone to internal:

sudo firewall-cmd --set-default-zone=internal

Then, verify the change:

sudo firewall-cmd --get-default-zone
**Output**
internal

Another useful feature is managing ICMP types.

The Internet Control Message Protocol (ICMP) is used to exchange information and error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages.

To get a list of supported ICMP types, use:

sudo firewall-cmd --get-icmptypes

3. FirewallD Services on AlmaLinux 9

Now, let’s explore available services. To list all available services, use the following command:

sudo firewall-cmd --get-services

Create your Own Service on FirewallD

To create a custom service, you need to define it in the /etc/firewalld/services/ directory.

Here’s how to add a service for the RTMP port 1935. First, copy an existing service definition from the /usr/lib/firewalld/services directory.

cd /usr/lib/firewalld/services/
ls

Copy the ssh.xml file to /etc/firewalld/services/.

cd /etc/firewalld/services/
sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

Rename the file from ssh.xml to rtmp.xml:

sudo mv ssh.xml rtmp.xml
ls -l rtmp.xml
**Output**
-rw-r--r-- 1 root root 463 Apr 29 07:33 rtmp.xml

Now, edit the file with your favorite text editor (e.g., vi):

sudo vi rtmp.xml

Modify the file as follows:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>rtmp</short>
  <description>To allow RTMP Streaming</description>
  <port protocol="tcp" port="1935"/>
</service>

Save and close the file.

Reload firewalld to apply the changes:

sudo firewall-cmd --reload

Verify the new service:

sudo firewall-cmd --get-services
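The rtmp.xml above is one instance of a general pattern. The following script is an added example (not part of this tutorial or of firewalld) that writes the same kind of service definition for any service name and list of port/protocol pairs, validating the name, ports and protocols and escaping the description before anything is created; the function name and the outdir argument are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): write a firewalld service
# definition like the rtmp.xml above for any service name and list of port/proto
# pairs, validating all input before a file is created. outdir is normally
# /etc/firewalld/services (run as root); any writable directory works for a dry run.
# Usage: write_firewalld_service <outdir> <name> <description> <port/proto>...

write_firewalld_service() {
    [ $# -ge 4 ] || { echo "usage: write_firewalld_service outdir name description port/proto..." >&2; return 1; }
    outdir=$1; name=$2; desc=$3; shift 3
    # The name becomes a file name and a firewall-cmd argument: allow only safe characters.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: '$name'" >&2; return 1 ;;
    esac
    nl=$(printf '\nx'); nl=${nl%x}      # a literal newline for building the port list
    ports=""
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in
            tcp|udp|sctp|dccp) ;;
            *) echo "bad protocol in '$spec' (expected e.g. 1935/tcp)" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
        ports="$ports  <port protocol=\"$proto\" port=\"$port\"/>$nl"
    done
    # Escape XML metacharacters so a description cannot inject extra elements.
    desc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    file="$outdir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
        printf '%s</service>\n' "$ports"
    } > "$file" || return 1
    chmod 0644 "$file"              # same mode as the shipped definitions in /usr/lib/firewalld/services
    printf '%s\n' "$file"           # report the path that was written
}
```

Source the file in a root shell and run `write_firewalld_service /etc/firewalld/services rtmp 'To allow RTMP Streaming' 1935/tcp`, then `sudo firewall-cmd --reload` as in the tutorial.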

4. Add Services To FirewallD Zones on AlmaLinux 9

Now that you’ve created a custom service (rtmp), add it to a firewalld zone. Without a --zone option, firewall-cmd applies the change to the default zone:

sudo firewall-cmd --add-service=rtmp

To make the change permanent:

sudo firewall-cmd --add-service=rtmp --permanent

Apply the changes:

sudo firewall-cmd --reload

You can also define rules for network source ranges and specific ports. To open a network range (e.g., 192.168.0.0/24) and a port (e.g., 1935):

sudo firewall-cmd --permanent --add-source=192.168.0.0/24
sudo firewall-cmd --permanent --add-port=1935/tcp

Apply the changes:

sudo firewall-cmd --reload

To remove the added service from a zone:

sudo firewall-cmd --zone=public --remove-service=rtmp

Note: Always reload the firewall after making changes.

5. Firewalld Rich Rules for Network Range

Rich rules offer more granular control through custom options. They can be used to configure logging, masquerading, port forwarding, and rate limiting.

To allow the http service from a specific network range, use the following:

sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent

Reload the firewall rules and list the active rules:

sudo firewall-cmd --reload
sudo firewall-cmd --list-all
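Once the rules are listed, it is worth checking that nothing in the zone lets in more than the source-restricted rich rule above intends. The script below is an added example (not from this tutorial or from firewalld) that reads the text of firewall-cmd --list-all or --list-all-zones and warns about an ACCEPT zone target, masquerading, a catch-all source, and rich rules that accept with no source address; the function names and the sample listing are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): review `firewall-cmd --list-all`
# (or --list-all-zones) output for settings that admit more than a source-restricted
# rich rule intends: an ACCEPT zone target, masquerading, a catch-all source, and
# rich rules that accept traffic without any source address restriction.
# Usage: sudo firewall-cmd --list-all-zones | audit_zone_listing

flag() { printf 'WARN [%s]: %s\n' "$zone" "$1"; count=$((count + 1)); }

audit_zone_listing() {
    count=0; zone='?'
    while IFS= read -r line; do
        case $line in
            ''|[[:space:]]*) ;;
            *) zone=${line%% *} ;;               # unindented line: a new zone header
        esac
        t=${line#"${line%%[![:space:]]*}"}        # strip leading indentation
        case $t in
            "target: ACCEPT")
                flag "zone target is ACCEPT: traffic matching no rule is still allowed" ;;
            "masquerade: yes")
                flag "masquerade is on: this host will NAT traffic for other machines" ;;
            sources:*)
                for s in ${t#sources:}; do
                    case $s in
                        0.0.0.0/0|::/0) flag "source $s matches every address; narrow it to the intended range" ;;
                    esac
                done ;;
            "rule "*" accept"*)
                case $t in
                    *"source address="*) ;;           # restricted, like the http rule above
                    *) flag "rich rule accepts without a source address: $t" ;;
                esac ;;
        esac
    done
    return $count                                 # exit status = number of findings
}

# Constructed sample listing (not captured from a real host) to run the check against.
SAMPLE='public (active)
  target: default
  interfaces: eth0
  sources: 0.0.0.0/0
  services: cockpit dhcpv6-client http ssh
  ports: 1935/tcp
  masquerade: yes
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="http" accept
        rule family="ipv4" service name="ssh" accept'
```

Running `printf '%s\n' "$SAMPLE" | audit_zone_listing` prints three warnings (the catch-all source, masquerading, and the unrestricted ssh rule) and exits with status 3.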

For more information, consult the man page:

man firewalld

Conclusion

FirewallD Configuration on AlmaLinux 9 is crucial for defining and managing rules that control network traffic, ensuring security by permitting trusted connections while blocking harmful or unwanted ones. You have now learned to effectively configure FirewallD on AlmaLinux 9.

Hope you find these FirewallD Commands useful. You might also be interested in these articles:

Install FirewallD GUI on AlmaLinux 8

Open and Close Ports with FirewallD on Rocky Linux 8

Install and Configure CSF Firewall on AlmaLinux 9

Alternative Solutions for Firewall Management on AlmaLinux 9

While FirewallD is a powerful and integrated solution for managing firewalls on AlmaLinux 9, other options exist that may be more suitable depending on specific requirements and preferences. Here are two alternative approaches:

1. Using iptables Directly

iptables is the traditional command-line firewall utility in Linux, providing a more direct way to manipulate the kernel’s netfilter rules. While FirewallD is a frontend for iptables (or nftables in newer versions), some administrators prefer working directly with iptables for its fine-grained control and familiarity.

Explanation:

iptables works by defining chains of rules that packets are evaluated against. You can create rules to allow or deny traffic based on various criteria, such as source/destination IP address, port number, protocol, and more. Because it is a low-level interface, iptables provides immense flexibility but also requires a deeper understanding of networking concepts.

Implementation Example:

Suppose you want to allow incoming HTTP traffic (port 80) from any source. Here’s how you would do it using iptables:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

These commands add rules to the INPUT and OUTPUT chains to accept TCP traffic on port 80.

To make these rules persistent across reboots, you’ll need to save the current iptables configuration. The method for doing this varies depending on your AlmaLinux setup, but one common way is to use the iptables-save and iptables-restore utilities. The output redirection runs as your own user rather than as root, so the save must be done in a root shell, and the /etc/iptables directory must exist first:

sudo mkdir -p /etc/iptables
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Then, you’ll need to configure a service to restore these rules on boot. Create a service file /etc/systemd/system/iptables.service with the following content:

[Unit]
Description=iptables firewall
After=network.target

[Service]
Type=oneshot
# systemd does not run Exec lines through a shell, so < and > redirection does not work here
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
ExecStop=/bin/sh -c '/sbin/iptables-save -c > /etc/iptables/rules.v4'
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Finally, enable and start the service:

sudo systemctl enable iptables.service
sudo systemctl start iptables.service

Advantages:

  • Fine-grained control: Direct access to netfilter rules.
  • Familiarity: Many administrators are already familiar with iptables.

Disadvantages:

  • Complexity: Requires a deeper understanding of networking and iptables syntax.
  • Manual management: Rules must be managed manually, which can be time-consuming and error-prone.

2. Using nftables Directly

nftables is the successor to iptables, designed to improve upon its limitations. It provides a more efficient and flexible framework for packet filtering.

Explanation:

nftables introduces a new configuration syntax and a more powerful rule engine. Rules are organized into tables, chains, and sets, allowing for more complex and efficient firewall configurations. Like iptables, it interacts directly with the kernel’s netfilter framework.

Implementation Example:

To achieve the same goal as the iptables example (allowing HTTP traffic), here’s how you would do it with nftables:

First, create the file /etc/nftables/nftables.conf with the following content:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        iif lo accept
        tcp dport 80 accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

This configuration defines a table named filter in the inet family, which handles IPv4 and IPv6 traffic. It creates three chains: input, forward, and output. The input chain allows established and related connections, loopback traffic, TCP traffic on port 80, and ICMP echo requests (ping).

Next, enable and start the nftables service. On AlmaLinux 9, nftables.service loads /etc/sysconfig/nftables.conf, so add the line include "/etc/nftables/nftables.conf" to that file, and check the syntax of the ruleset first with sudo nft -c -f /etc/nftables/nftables.conf, before starting the service:

sudo systemctl enable nftables.service
sudo systemctl start nftables.service

Advantages:

  • Improved efficiency: nftables offers better performance than iptables.
  • Simplified syntax: The configuration syntax is more intuitive and easier to read.
  • Flexibility: Supports more complex rule sets and advanced features.

Disadvantages:

  • Learning curve: Requires learning a new configuration syntax.
  • Less widespread familiarity: Not as widely used as iptables, so finding support and documentation may be more challenging.

In summary, while FirewallD provides a user-friendly and integrated firewall management solution on AlmaLinux 9, iptables and nftables offer alternative approaches for those seeking more direct control and flexibility. The choice depends on your specific needs, expertise, and preference.