Welcome to Day 11 of the 30 Days of Linux Challenge! Today's topic is vital for securing your Linux systems: firewall configuration using firewalld, the default firewall management system in Red Hat-based distros like RHEL, CentOS, Rocky Linux, and AlmaLinux.
If your system is exposed to any network, public or private, you need to control who can connect, on which ports, and under what conditions.
📚 Table of Contents
- Why Firewalls Matter
- What is firewalld?
- Working with Zones
- Managing Services and Ports
- Advanced Rules: Rich Rules
- Try It Yourself
- Why This Matters
Why Firewalls Matter
A firewall controls which network traffic can reach your system: it's your first line of defense against unauthorized users, bots, scans, and malicious traffic.
Without proper firewall rules, your services (e.g. web servers, SSH, databases) may be:
- Exposed to the public internet
- Open to brute-force attacks
- Accessible from untrusted sources
firewalld lets you change rules at runtime, assign trust levels (zones) to interfaces and source addresses, and manage firewall policy without restarting the firewall or dropping established connections.
What is firewalld?
firewalld is a zone-based firewall manager that uses nftables (or iptables on older releases such as RHEL 7) as its backend. It's dynamic, meaning you can change rules on the fly with no downtime.
Check if it’s active:
sudo systemctl status firewalld
Start and enable it:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Working with Zones
A zone is a set of rules (services, ports, rich rules) that firewalld applies to the interfaces and source addresses assigned to it, grouped by trust level. Some common zones include:

| Zone | Description |
| --- | --- |
| public | Default zone, for untrusted networks; only explicitly enabled services are accepted |
| home | Home network, mostly trusted; only selected services accepted |
| internal | Internal or enterprise LAN, mostly trusted |
| drop | Silently drop all incoming connections; only outgoing traffic is allowed |
| trusted | Accept all incoming traffic (use sparingly) |
Check your default zone:
sudo firewall-cmd --get-default-zone
List everything enabled in the default zone (add --zone=<name> to inspect another zone):
sudo firewall-cmd --list-all
Managing Services and Ports
Add a service (e.g. HTTP):
sudo firewall-cmd --add-service=http --permanent
Add a specific port:
sudo firewall-cmd --add-port=8080/tcp --permanent
Reload to apply changes:
sudo firewall-cmd --reload
Remove a service:
sudo firewall-cmd --remove-service=http --permanent
Check all open services/ports:
sudo firewall-cmd --list-all
The --permanent flag writes the change to the saved configuration so it survives reboots and reloads, but it does not touch the running firewall until you --reload. Without --permanent, the change takes effect immediately but is lost at the next reload or reboot. The usual habit is to run each command both with and without --permanent, or to make the runtime change first and save it with --runtime-to-permanent once it is confirmed to work.
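Putting the service and port commands together, here is a small script (an added example, not code from the original post) that opens a set of services and ports in a zone idempotently, applies each change to both the permanent and the runtime configuration, and then checks that the two agree. The helper names and the FW_CMD and ZONE variables are my own; every firewall-cmd flag used is a real one.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: open services and ports
# in a firewalld zone idempotently, apply each change to BOTH the permanent
# and the runtime configuration, then check that the two agree.
# The helper names (valid_port_spec, fw_args, fw_open) and the FW_CMD/ZONE
# variables are my own; every firewall-cmd flag used is a real one.
set -eu

FW_CMD=${FW_CMD:-"sudo firewall-cmd"}   # use FW_CMD=firewall-cmd when already root
ZONE=${ZONE:-public}

# Return 0 if $1 is a port spec firewalld accepts: N/proto or N-M/proto,
# with 1 <= N <= M <= 65535 and proto one of tcp, udp, sctp, dccp.
valid_port_spec() {
  local spec=$1 ports proto lo hi p
  case $spec in
    */*) ports=${spec%/*}; proto=${spec#*/} ;;
    *)   return 1 ;;
  esac
  case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  case $ports in
    *-*) lo=${ports%-*}; hi=${ports#*-} ;;
    *)   lo=$ports; hi=$ports ;;
  esac
  for p in "$lo" "$hi"; do
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$lo" -le "$hi" ]
}

# Print the firewall-cmd arguments for one change; kind is service or port.
# Printed rather than executed so fw_open can run them twice (see below).
fw_args() {
  local kind=$1 value=$2
  case $kind in
    service) printf '%s' "--zone=$ZONE --add-service=$value" ;;
    port)
      valid_port_spec "$value" || { echo "invalid port spec: $value" >&2; return 1; }
      printf '%s' "--zone=$ZONE --add-port=$value" ;;
    *) echo "unknown kind: $kind (use service or port)" >&2; return 1 ;;
  esac
}

# Open one item, skipping it if the runtime config already has it, so the
# script can be re-run safely. --permanent alone is not live until a reload,
# and a runtime-only change is lost at the next reload, hence both calls.
fw_open() {
  local kind=$1 value=$2 args
  args=$(fw_args "$kind" "$value") || return 1
  if $FW_CMD --zone="$ZONE" --query-"$kind"="$value" >/dev/null 2>&1; then
    echo "already open in $ZONE: $kind $value"
    return 0
  fi
  # shellcheck disable=SC2086  # intentional word splitting of $args
  $FW_CMD --permanent $args
  $FW_CMD $args
}

main() {
  fw_open service http
  fw_open service https
  fw_open port 8080/tcp
  # A permanent change without a matching runtime change (or vice versa)
  # shows up here as a difference between the two lists.
  if [ "$($FW_CMD --zone="$ZONE" --list-ports)" != \
       "$($FW_CMD --permanent --zone="$ZONE" --list-ports)" ]; then
    echo "WARNING: runtime and permanent port lists differ in $ZONE" >&2
  fi
  $FW_CMD --zone="$ZONE" --list-all
}

# Only act when explicitly asked, e.g.:  sudo ./fw-open.sh apply
if [ "${1:-}" = apply ]; then main; fi
```

Run it as sudo ./fw-open.sh apply. Because fw_open queries the runtime state first, re-running it is harmless, and valid_port_spec rejects a bare 8080 (firewalld needs 8080/tcp) or an out-of-range port before anything is sent to the firewall.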
Advanced Rules: Rich Rules
Rich rules allow fine-grained control, such as accepting a port only from a specific source address.
Accept SSH from one IP:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="22" protocol="tcp" accept'
By itself this only adds an accept for 192.168.1.100. The public zone enables the ssh service by default, so port 22 stays open to everyone until you also remove that service from the zone (--remove-service=ssh, then --reload). Do that only from a session on the allowed address, or you will lock yourself out.
Block ICMP echo requests (pings) in the default zone; as with any --permanent change, it becomes live after --reload:
sudo firewall-cmd --permanent --add-icmp-block=echo-request
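The safe way to apply the SSH restriction above, as an added example rather than code from the original post: make the change at runtime only, arm a delayed firewall-cmd --reload that restores the saved configuration, test a new SSH session from the allowed address, and only then commit with --runtime-to-permanent. The function names, GRACE and REVERT_PID_FILE are mine; all firewall-cmd flags used are real. Run it as root (FW_CMD=firewall-cmd) so the delayed revert cannot stall on a sudo password prompt.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: restrict SSH to one IPv4
# source with a firewalld rich rule, in two phases so a typo in the address
# cannot lock you out. Function names, GRACE and REVERT_PID_FILE are my own;
# the firewall-cmd flags (--add-rich-rule, --remove-service, --reload,
# --runtime-to-permanent) are real. Run it as root (FW_CMD=firewall-cmd) so
# the delayed revert cannot stall on a sudo password prompt.
set -eu

FW_CMD=${FW_CMD:-"sudo firewall-cmd"}
ZONE=${ZONE:-public}
GRACE=${GRACE:-300}                                  # seconds until auto-revert
REVERT_PID_FILE=${REVERT_PID_FILE:-/tmp/firewalld-ssh-revert.pid}

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with /prefix (0-32).
valid_ipv4() {
  local addr=$1 prefix dots octets o n=0
  case $addr in
    */*)
      prefix=${addr#*/}; addr=${addr%/*}
      case $prefix in ''|*[!0-9]*) return 1 ;; esac
      [ "$prefix" -le 32 ] || return 1 ;;
  esac
  dots=$(printf '%s' "$addr" | tr -cd '.')
  [ "${#dots}" -eq 3 ] || return 1
  octets=$(printf '%s' "$addr" | tr '.' ' ')
  for o in $octets; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Print a rich rule accepting TCP port $2 (default 22) only from source $1.
ssh_rich_rule() {
  local src=$1 port=${2:-22}
  valid_ipv4 "$src" || { echo "invalid IPv4 source: $src" >&2; return 1; }
  printf '%s' "rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"tcp\" accept"
}

# Phase 1: runtime-only changes plus a timed revert. firewall-cmd --reload
# discards runtime-only changes and restores the permanent config, which
# still contains the ssh service, so a failed test undoes itself.
restrict_ssh_runtime() {
  local rule
  rule=$(ssh_rich_rule "$1") || return 1
  $FW_CMD --zone="$ZONE" --add-rich-rule="$rule"
  # The zone's ssh service keeps port 22 open to everyone; the rich rule
  # restricts nothing until that service is removed.
  $FW_CMD --zone="$ZONE" --remove-service=ssh
  ( sleep "$GRACE" && $FW_CMD --reload ) >/dev/null 2>&1 &
  echo "$!" > "$REVERT_PID_FILE"
  echo "runtime rule live; auto-revert in ${GRACE}s unless you run: $0 commit"
}

# Phase 2: run only after a NEW ssh session from the allowed host works.
# Cancels the revert and copies the runtime state into the permanent config.
commit_ssh_restriction() {
  if [ -f "$REVERT_PID_FILE" ]; then
    kill "$(cat "$REVERT_PID_FILE")" 2>/dev/null || true
    rm -f "$REVERT_PID_FILE"
  fi
  $FW_CMD --runtime-to-permanent
  $FW_CMD --permanent --zone="$ZONE" --list-rich-rules
}

case ${1:-} in
  apply)  restrict_ssh_runtime "${2:?usage: $0 apply <ipv4[/prefix]> | commit}" ;;
  commit) commit_ssh_restriction ;;
esac
```

Usage: sudo ./restrict-ssh.sh apply 192.168.1.100, then from that address open a new SSH session (your current one stays up, because established connections are still accepted) and run sudo ./restrict-ssh.sh commit. If the new session fails, do nothing: after GRACE seconds the reload restores the ssh service. The rule is IPv4-only, so with the ssh service removed, SSH over IPv6 is closed in that zone.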
Try It Yourself
Open your Red Hat system and test:
Step 1: Check firewall status
sudo systemctl status firewalld
Step 2: Allow HTTPS
sudo firewall-cmd --add-service=https --permanent
Step 3: Open port 3000 (Node.js, dashboards, etc.)
sudo firewall-cmd --add-port=3000/tcp --permanent
Step 4: Reload to apply
sudo firewall-cmd --reload
Step 5: Limit SSH to your IP (replace the placeholder with the address you are actually connecting from)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="YOUR.IP.ADD.RESS" port port="22" protocol="tcp" accept'
This step runs after the reload in Step 4, so reload once more to make it live. Remember that the rich rule only adds an exception: until the ssh service is removed from the zone, port 22 is still open to everyone.
Use sudo firewall-cmd --list-all to verify the running configuration and sudo firewall-cmd --permanent --list-all to verify what is saved.
Why This Matters
firewalld gives you:
- Granular security on a per-service/port basis
- Flexibility to update rules live
- A cleaner, more human-readable interface than raw iptables
For Red Hat admins managing servers in production, on the cloud, or across datacenters — this is one of the most critical security layers.