Firewalld Installation and Configuration in Ubuntu Server
Firewalld is an excellent host-based firewall management tool for Linux. Firewalld was developed on Fedora, but it is now available for almost all Linux distributions, so it can be installed on Ubuntu Server even though Ubuntu Server ships UFW as its default firewall. Firewalld is more robust and easier to maintain than UFW, I think. So, I am going to discuss how to install and configure Firewalld on Ubuntu Server.
Installing Firewalld in Ubuntu Server
By default, Ubuntu Server comes with the UFW firewall application, so first we have to disable UFW before installing Firewalld. Issue the following command to disable the UFW firewall application.
We will now install Firewalld in Ubuntu Server with the following command.
Firewalld will now be installed within a short time. After installation, the daemon should be started and enabled so that it starts automatically at boot. So, issue the following command to start Firewalld and enable it.
$ sudo systemctl enable firewalld
Sometimes we may need to see the status of the Firewalld daemon. Issue the following command to see the Firewalld status.
You will now find that Firewalld is active and running. It is also possible to stop and restart the Firewalld daemon with the following commands.
Basic Concepts in Firewalld
The Firewalld daemon is a zone-based firewall. A ‘zone’ defines the rules for allowing or rejecting network traffic. Network interfaces are assigned to a zone, and the zone dictates what traffic the firewall should allow on them.
Firewalld has the following nine predefined zones, ordered by trust level.
- drop: The lowest level of trust, where no incoming connection is allowed. All incoming connections are dropped without reply, and only outgoing connections from inside are possible.
- block: It is similar to the drop zone, but instead of dropping connections, incoming requests are rejected with a prohibited message.
- public: It represents untrusted networks where most of the services are disabled. You have to manually enable any service or port which is required.
- external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
- internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
- dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed in DMZ zone.
- work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
- home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
- trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.
To use Firewalld, we create allow or reject rules and alter the properties of a zone, then assign each network interface to whichever zone is most appropriate.
Getting Default Zone Information of Firewalld
The Firewalld daemon provides the firewall-cmd command line utility for administering firewall rules, so every operation on Firewalld can be done with the firewall-cmd utility.
First, let's look at the default configuration of the zones available in Firewalld. Issue the following command to list all the zones along with their settings.
The above command shows all the default zones available in Firewalld together with their services. For example, the public zone looks like the following.
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
From the above information we can see that only the ssh and dhcpv6-client services are allowed in the public zone.
The above command shows all the zones with their services. If we want only the names of the available zones, issue the following command.
Output
block dmz drop external home internal public trusted work
The above command shows all the zones available in Firewalld, but among them one is the default zone, whose rules are applied by default. To learn the default zone in Firewalld, issue the following command.
Output
public
By default, public is the default zone, so you will find public as the output.
It is possible to change the default zone with the firewall-cmd command. To change the default zone, issue the following command.
Now the home zone will be the default zone and its rules will be applied by default.
Exploring Active Zone
The above section showed the available zones and the default zone, but no zone is active until a network interface is associated with it. So, if we issue the following command to list active zones, no output will appear.
So, to make a zone active, we have to add an interface to it. Before adding an interface, we need its name, which we can get with the ip link command.
Output
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:50:56:9d:d9:fe brd ff:ff:ff:ff:ff:ff
3: ens192: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:50:56:9d:05:a3 brd ff:ff:ff:ff:ff:ff
From the output we can see that there are two interfaces on our Ubuntu Server, named ens160 and ens192. The names may differ on your system, so note the names shown by the ip link command.
Now we want to add ens160 to the home zone and ens192 to the public zone, because these two zones are used in most cases.
To add the ens160 interface to the home zone, issue the following command.
Now the home zone is active and its rules will be applied to all incoming traffic arriving through the ens160 interface. If we now run firewall-cmd with the --get-active-zones option, we will find the home zone in the active zone list.
The above command makes the home zone active only temporarily: if we reload Firewalld with the following command or restart it, the change will be flushed.
So, to make the above rule permanent, we have to run the same command with the --permanent option.
Now the above rule is permanent and it will not be removed by a Firewalld reload or restart.
Similarly, we can add the ens192 interface to the public zone with the following command, which activates the public zone.
If we now list active zones, the following output will be found.
Output
home
interfaces: ens160
public
interfaces: ens192
Managing Services in Firewalld Zones
The Firewalld daemon provides many predefined services that can be allowed or blocked with firewall rules. To list the services available in Firewalld, issue the following command.
The listed services can be allowed or blocked with Firewalld. To see the services assigned to a zone (for example, the home zone), issue the following command.
The above command shows everything applied to the home zone. To list only the services allowed in the home zone, issue the following command.
Output
dhcpv6-client mdns samba-client ssh
From the output, we can see that four services are allowed in the home zone. Now we want to add a service, for example http, to the home zone. For this, issue the following commands.
Similarly, you can add any service to any zone you want by following the above command.
Besides adding services, we can also remove a service from a zone with the firewall-cmd utility. To remove a service, for example samba-client, from the home zone, issue the following command.
If we list the services in the home zone again after running the above command, we will find the following output.
Output
dhcpv6-client http mdns ssh
Managing Ports in Firewalld Zones
Popular services that map to specific ports are predefined in Firewalld; for example, the http service represents port 80 and https represents port 443. So, we can allow or block these by service name. But sometimes we need to allow or block specific ports that are not covered by any Firewalld service. For this, Firewalld provides the --add-port and --remove-port options to add or remove a port from a zone.
So, to add a port to the home zone, for example UDP port 1812, issue the following commands.
If we now list the allowed ports in the home zone, the following output will be found.
Output
1812/udp
Similarly, we can remove a port from a zone with the following commands.
If we want to know the port of a service, for example http, issue the following command from the command prompt.
Output
http 80/tcp www # WorldWideWeb HTTP
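Because a change made without --permanent is lost on the next reload or restart (and, conversely, a --permanent change is not applied to the running firewall until the next reload), it is useful to check that the runtime and permanent zone configuration agree. The following script is an added example, not part of the original article: it compares two constructed sample listings in the format of firewall-cmd --list-all-zones and firewall-cmd --permanent --list-all-zones and reports every zone field that differs.

```shell
#!/bin/sh
# Added example, not from the original article: report drift between firewalld's
# runtime and permanent configuration, i.e. changes made without --permanent that
# the next reload or restart will silently discard. Both listings are constructed
# samples in the format of `firewall-cmd --list-all-zones` (runtime) and
# `firewall-cmd --permanent --list-all-zones` (permanent).

RUNTIME_LISTING='home (active)
  interfaces: ens160
  services: dhcpv6-client http mdns ssh
  ports: 1812/udp

public
  interfaces:
  services: dhcpv6-client ssh
  ports:
'

PERMANENT_LISTING='home
  interfaces:
  services: dhcpv6-client mdns samba-client ssh
  ports:

public
  interfaces:
  services: dhcpv6-client ssh
  ports:
'

# flatten TAG LISTING: one "TAG<tab>zone<tab>field<tab>value" line per field.
# An unindented line names a zone (its "(active)" suffix is dropped); indented
# "field: value" lines belong to the most recent zone.
flatten() {
    printf '%s\n' "$2" | awk -v tag="$1" '
        /^[^ ]/ { zone = $1; next }
        /^  [^:]+:/ { field = $0; sub(/^ +/, "", field); sub(/:.*$/, "", field)
                      val = $0; sub(/^[^:]*: */, "", val)
                      printf "%s\t%s\t%s\t%s\n", tag, zone, field, val }'
}

# zone_drift RUNTIME PERMANENT: print one line per zone field whose runtime value
# differs from its permanent value; prints nothing when the two agree.
zone_drift() {
    { flatten P "$2"; flatten R "$1"; } | awk -F'\t' '
        $1 == "P" { perm[$2 FS $3] = $4; next }
        ($2 FS $3) in perm && perm[$2 FS $3] != $4 {
            printf "%s %s: runtime=[%s] permanent=[%s]\n", $2, $3, $4, perm[$2 FS $3] }'
}

zone_drift "$RUNTIME_LISTING" "$PERMANENT_LISTING"
```

On a live host, replace the two sample strings with the output of the two firewall-cmd commands named above; an empty result means the running firewall matches what will survive a reload.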
This article has discussed how to install and configure the Firewalld daemon on Ubuntu Server, and how to manage Firewalld services and ports. So, I hope you will now be able to manage Firewalld on Ubuntu Server without any hesitation. However, if you face any confusion, feel free to discuss it in the comments or contact me via the Contact page. I will try my best to help you.