If you are looking for a modern, powerful firewall for Linux that is easy to configure on the command line or through a GUI, then firewalld is probably what you want.
The need for firewalls
Network connections have a source and a destination. The software at the source requests the connection, and the software at the destination accepts or rejects it. If accepted, data packets, generically called network traffic, can pass in both directions across the connection. That’s true whether you’re browsing the web at home, remotely connecting to work from your home office, or using a distant cloud-based resource.
Good security practice says that you should limit and control connections to your computer. This is what firewalls do. They filter network traffic by IP address, port, or protocol and reject connections that do not meet a predefined set of criteria: the firewall rules that you set up. They are like the door staff at an exclusive event: if your name is not on the list, you do not get in.
Of course, you don’t want your firewall rules to be so restrictive that they block your normal activities. The simpler your firewall is to configure, the less chance you have of inadvertently setting up conflicting or draconian rules. We often hear from users that they don’t use a firewall because it’s too complicated to understand or the command syntax is too opaque.
The firewalld firewall
firewalld is powerful yet easy to configure, both on the command line and through its dedicated GUI application. Under the hood, Linux firewalls are built on netfilter, the kernel-side network filtering framework. In user space we have a selection of tools for interacting with netfilter, such as iptables, ufw (the Uncomplicated Firewall), and firewalld.
In our opinion, firewalld offers the best balance between functionality, granularity, and simplicity.
Installing firewalld
There are two parts to firewalld. There is firewalld, the daemon process that provides the firewall functionality, and there is firewall-config, the optional GUI for firewalld. Note that there is no “d” in firewall-config.
Installing firewalld on Ubuntu, Fedora, and Manjaro is straightforward in all cases, although each distribution has its own opinion about what is pre-installed and how the packages are split.
To install on Ubuntu, we need to install both firewalld and firewall-config.
sudo apt install firewalld
sudo apt install firewall-config
On Fedora, firewalld is already installed. We just have to add firewall-config.
sudo dnf install firewall-config
In Manjaro, none of the components are pre-installed, but they are included in a single package so that we can install them with a single command.
sudo pacman -Sy firewalld
We need to enable the firewalld daemon so that it runs every time the computer boots.
sudo systemctl enable firewalld
And we need to start the daemon so that it is running now.
sudo systemctl start firewalld
We can use systemctl to check that firewalld has started and is running without problems:
sudo systemctl status firewalld
We can also ask firewalld itself whether it is running. This uses the firewall-cmd command with the --state option. Note that there is no “d” in firewall-cmd:
sudo firewall-cmd --state
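The installation, enable, start and check steps above, gathered into one shell script. This is an added example and not code from the article: it picks the package command for the distribution from /etc/os-release, enables and starts the daemon with a single systemctl call, and then confirms the result with firewall-cmd --state. The os-release ID values (ubuntu, fedora, manjaro), the non-interactive package flags (-y, --noconfirm) and the FW_DRY_RUN / FW_APPLY switches are this example's assumptions; unless FW_APPLY=1 is set it only prints the privileged commands it would run.

```shell
#!/bin/sh
# Added example, not code from the article: bring firewalld up on Ubuntu,
# Fedora or Manjaro and confirm that the daemon is running.
# Assumptions: the os-release ID values ubuntu/fedora/manjaro, and the
# non-interactive package flags (-y, --noconfirm). With FW_DRY_RUN=1 the
# privileged commands are printed rather than executed.

# Print the package command for the distribution ID given in $1.
install_cmd() {
    case $1 in
        ubuntu)  echo "apt install -y firewalld firewall-config" ;;
        fedora)  echo "dnf install -y firewall-config" ;;     # firewalld already present
        manjaro) echo "pacman -Sy --noconfirm firewalld" ;;   # one package holds both parts
        *)       echo "unsupported distribution: $1" >&2; return 1 ;;
    esac
}

# Run a privileged command line, or print it when FW_DRY_RUN=1.
run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        sudo "$@"
    fi
}

# Install, enable at boot, start now, then verify with firewall-cmd --state,
# which prints "running" and exits 0 only when the daemon is up.
bootstrap_firewalld() {
    distro=$(. /etc/os-release 2>/dev/null && echo "$ID")
    cmd=$(install_cmd "${distro:-unknown}") || return 1
    run $cmd
    run systemctl enable --now firewalld
    [ "${FW_DRY_RUN:-0}" = 1 ] && return 0
    state=$(sudo firewall-cmd --state 2>&1) || {
        echo "firewalld is not running: $state" >&2
        return 1
    }
    echo "firewalld state: $state"
}

# Default to a dry run; set FW_APPLY=1 to actually make the changes.
[ "${FW_APPLY:-0}" = 1 ] || FW_DRY_RUN=1
if ! bootstrap_firewalld; then
    echo "bootstrap did not complete" >&2
fi
```

Run it once without FW_APPLY to review the commands, then with FW_APPLY=1 to execute them; the final --state check is what tells you the daemon is actually filtering, which systemctl status alone does not.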
Now that we have the firewall installed and working, we can move on to configuring it.
The concept of zones
The firewalld firewall is based on zones. A zone is a collection of firewall rules together with the network connections assigned to it. This lets you define several zones, each with a different set of security constraints, and choose which one you operate under. For example, you can have one zone for everyday use, another for more cautious use, and a completely locked-down “nothing in, nothing out” zone.
To move from one zone to another, and effectively from one security level to another, you move your network connection from the zone it is in to the zone you want to run in.
This makes switching from one defined set of firewall rules to another very fast. Another way to use zones would be to have your laptop use one zone when you’re at home and another when you’re away and using public Wi-Fi.
firewalld comes with nine preconfigured zones. These can be edited, and more zones can be added or removed.
- drop: All incoming packets are dropped. Outgoing traffic is allowed. This is the most paranoid setting.
- block: All incoming packets are rejected and an icmp-host-prohibited message is sent back to the sender. Outgoing traffic is allowed.
- trusted: All network connections are accepted and other systems are trusted. This is the most trusting setting and should be restricted to very secure environments such as captive test networks or your home.
- public: This zone is for use on public or other networks where none of the other computers can be trusted. A small selection of common and generally safe connection requests is accepted.
- external: This zone is for use on external networks with NAT masquerading (port forwarding) enabled. Your firewall acts as a router that forwards traffic to your private network, which remains reachable but still private.
- internal: This zone is designed for internal networks when your system acts as a gateway or router. In general, other systems on this network are trusted.
- dmz: This zone is for computers located in the “demilitarized zone”, outside your perimeter defenses and with limited access to your network.
- work: This zone is for work machines. Other computers on this network are usually trusted.
- home: This zone is for home machines. Other computers on this network are usually trusted.
The home, work, and internal zones have a very similar function, but separating them into different zones allows you to tailor a zone to your liking, encapsulating a set of rules for a particular scenario.
A good starting point is to find out what the default zone is. This is the zone to which your network interfaces are added when firewalld is installed.
sudo firewall-cmd --get-default-zone
Our default zone is the public zone. To view the configuration details of a zone, use the --list-all option. This lists everything that has been added or enabled for that zone.
sudo firewall-cmd --zone=public --list-all
We can see that this zone is associated with the enp0s3 network connection and is allowing DHCP, mDNS, and SSH related traffic. Since at least one interface has been added to this zone, this zone is active.
firewalld lets you add services whose traffic you want to accept to a zone, and that zone then allows that kind of traffic. This is easier than remembering that mDNS, for example, uses port 5353 and the UDP protocol and adding those details to the zone manually, although you can do that too.
If we run the above command on a laptop with an Ethernet connection and a Wi-Fi card, we’ll see something similar, but with two interfaces.
sudo firewall-cmd --zone=public --list-all
Both of our network interfaces have been added to the default zone. The zone has rules for the same three services as the first example, but DHCP and SSH have been added as named services, while mDNS has been added as a port and protocol pairing.
To list all zones, use the --get-zones option.
sudo firewall-cmd --get-zones
To view the settings for all zones at once, use the --list-all-zones option. You’ll want to pipe the output into less.
sudo firewall-cmd --list-all-zones | less
This is useful because you can scroll through the list or use the search function to find port numbers, protocols, and services.
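Scrolling through --list-all output is fine for a quick look, but the check a practitioner usually wants is whether a zone exposes anything beyond an agreed list. The script below is an added example, not the article's code: it reads a zone's --list-all output, extracts the services and ports fields, and reports every entry missing from an allowlist. The sample output embedded in it is constructed to match the article's public zone (dhcpv6-client, ssh, mDNS as 5353/udp) plus two extra entries that should be flagged; the allowlists are this example's assumptions. When run as root on a host with firewall-cmd it audits the live zone, otherwise the constructed sample.

```shell
#!/bin/sh
# Added example, not code from the article: audit what a firewalld zone
# exposes. It reads "firewall-cmd --zone=ZONE --list-all" output, pulls out
# the services and ports fields, and reports anything not on an allowlist.

# Constructed sample in the format firewall-cmd prints. It mirrors the
# article's public zone (dhcpv6-client, ssh, mDNS on 5353/udp) plus two
# entries that should stand out: the http service and port 8080/tcp.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh http
  ports: 5353/udp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the value of one field (services, ports, interfaces, ...) from
# list-all text on stdin; empty output if the field has no entries.
zone_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Print each word of $1 that is absent from the space-separated allowlist $2.
not_allowed() {
    for item in $1; do
        found=0
        for ok in $2; do
            [ "$item" = "$ok" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$item"
    done
    return 0
}

# Audit list-all text (stdin) against allowed services ($1) and ports ($2).
# Prints one line per unexpected entry and returns 1 if there were any.
audit_zone() {
    text=$(cat)
    services=$(printf '%s\n' "$text" | zone_field services)
    ports=$(printf '%s\n' "$text" | zone_field ports)
    bad=$(
        not_allowed "$services" "$1" | sed 's/^/unexpected service: /'
        not_allowed "$ports" "$2" | sed 's/^/unexpected port: /'
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Audit the live zone when running as root with firewall-cmd available,
# otherwise the constructed sample. Allowlists are this example's assumptions.
main() {
    zone=${1:-public}
    allowed_services="dhcpv6-client ssh"
    allowed_ports="5353/udp"
    if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
        text=$(firewall-cmd --zone="$zone" --list-all) || return 1
    else
        echo "not root or firewall-cmd missing: auditing the constructed sample"
        text=$SAMPLE_LIST_ALL
    fi
    if printf '%s\n' "$text" | audit_zone "$allowed_services" "$allowed_ports"; then
        echo "zone $zone: only allowlisted services and ports are enabled"
    fi
}

main "$@"
```

Against the sample it reports the http service and port 8080/tcp and exits non-zero, which makes it usable from a cron job or a configuration check that should fail loudly when a zone has drifted from what you intended.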
On our laptop, we are going to move our Ethernet connection from the public zone to the home zone. We can do that with the --zone and --change-interface options:
sudo firewall-cmd --zone=home --change-interface=enp3s0
Let’s take a look at the home zone and see whether our change has been made.
sudo firewall-cmd --zone=home --list-all
And it has. Our Ethernet connection has been added to the home zone.
However, this is not a permanent change. We have changed the running firewall configuration, not the stored configuration. If we restart or use the --reload option, we will return to our previous configuration.
To make a change permanent, we need to use the aptly named --permanent option.
This means that we can change the firewall for one-off requirements without altering its stored configuration. We can also test changes before committing them to the configuration. To make our change permanent, the form we must use is:
sudo firewall-cmd --zone=home --change-interface=enp3s0 --permanent
If you make some changes but forget to use --permanent on some of them, you can write the configuration of the currently running firewall session to the stored configuration using the --runtime-to-permanent option.
sudo firewall-cmd --runtime-to-permanent
Adding and removing services
firewalld knows many services. You can list them using the --get-services option.
sudo firewall-cmd --get-services
Our version of firewalld listed 192 services. To enable a service in a zone, use the --add-service option.
sudo firewall-cmd --zone=public --add-service=http
The service name must match its entry in the firewalld service list.
To remove a service, replace --add-service with --remove-service.
Adding and removing ports and protocols
If you prefer to choose which ports and protocols are added, you can do that too. You will need to know the port number and protocol for the type of traffic you are adding.
Let’s add HTTPS traffic to the public zone. That uses port 443 and is a form of TCP traffic.
sudo firewall-cmd --zone=public --add-port=443/tcp
You can provide a range of ports by giving the first and last ports with a dash between them, like 400-450.
To remove a port, replace --add-port with --remove-port.
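The runtime-then-permanent workflow described above for interfaces, and here for services and ports, as one added shell example (not the article's code). It builds the list of firewall-cmd commands for a zone, validates each port specification against the port[-port]/protocol form, applies the changes to the running firewall, verifies every one with --query-service or --query-port, and only then runs --runtime-to-permanent. If any step fails it runs --reload, which, as the article notes, discards the runtime changes and returns to the stored configuration. The default zone, service and port values, and the FW_APPLY switch, are this example's assumptions; without FW_APPLY=1 it only prints the plan.

```shell
#!/bin/sh
# Added example, not code from the article: open services and ports in a
# zone at runtime, verify each change, and only then make it permanent.
# If any step fails, --reload throws the runtime changes away and returns
# to the stored configuration, so a half-applied change is never committed.
# The FW_APPLY switch and the default values are this example's assumptions.

# Return 0 if $1 looks like a firewall-cmd port spec: a port or a
# first-last range, a slash, and a protocol (tcp, udp, sctp or dccp).
valid_port() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(-[0-9]+)?/(tcp|udp|sctp|dccp)$'
}

# Print the firewall-cmd command lines for zone $1, the space-separated
# services in $2 and the ports in $3, one per line, ending with the commit.
# Each --add-* is followed by the matching --query-*, which exits non-zero
# when the entry is not present in the runtime zone.
plan_changes() {
    zone=$1
    for svc in $2; do
        printf 'firewall-cmd --zone=%s --add-service=%s\n' "$zone" "$svc"
        printf 'firewall-cmd --zone=%s --query-service=%s\n' "$zone" "$svc"
    done
    for port in $3; do
        valid_port "$port" || { echo "bad port spec: $port" >&2; return 1; }
        printf 'firewall-cmd --zone=%s --add-port=%s\n' "$zone" "$port"
        printf 'firewall-cmd --zone=%s --query-port=%s\n' "$zone" "$port"
    done
    printf 'firewall-cmd --runtime-to-permanent\n'
}

# Validate the whole plan first, then run it line by line; abort and roll
# back the runtime configuration on the first failure.
apply_changes() {
    plan=$(plan_changes "$@") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        if ! $cmd; then
            echo "failed: $cmd; reloading the stored configuration" >&2
            firewall-cmd --reload
            exit 1
        fi
    done
}

main() {
    zone=${1:-public}
    services=${2:-http}
    ports=${3:-443/tcp}
    if [ "${FW_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
        apply_changes "$zone" "$services" "$ports"
    else
        echo "plan only (set FW_APPLY=1 and run as root to apply):"
        plan_changes "$zone" "$services" "$ports"
    fi
}

main "$@"
```

The reason for applying at runtime first is that a command run with --permanent alone changes only the stored configuration; the running firewall does not pick it up until the next --reload. Applying at runtime, querying, and then calling --runtime-to-permanent gives you a tested configuration in both places, and the --reload rollback keeps a typo in a port list from leaving the running firewall in a state the stored configuration does not describe.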
Using the graphical user interface
Press the “Super” key and start typing “firewall”. You will see the brick wall icon of the firewall-config application.
Click on that icon to launch the app.
Adding a service to firewalld using the GUI is as easy as selecting a zone from the list of zones and selecting the service from the list of services.
You can choose to modify the running session or permanent settings by selecting “Runtime” or “Permanent” from the “Settings” dropdown menu.
To make changes to the running session and only commit them once you have tested that they work, set the “Settings” menu to “Runtime”. Make your changes. Once you’re satisfied that they do what you want, use the Options > Runtime To Permanent menu option to make them permanent.
To add a port and protocol entry to a zone, select the zone from the list of zones and click “Ports”. By clicking the Add button, you can provide the port number and choose the protocol from a menu.
To add a protocol, click “Protocols”, click the “Add” button and select the protocol from the pop-up menu.
To move an interface from one zone to another, double-click the interface in the “Connections” list, then select the zone from the pop-up menu.
The tip of the iceberg
There is so much more you can do with firewalld, but this is enough to get you going. With the information we’ve given you, you’ll be able to create meaningful rules in your zones.