Linux Tactic

Securing Your System with FirewallD: A Comprehensive Guide

Firewalls are essential to every system as they protect it from cyber threats such as hackers and viruses. A robust firewall system ensures that your computer and network remain secure and keeps your sensitive information confidential.

Among the various firewall solutions available in the market, one of the best is FirewallD, a complete firewall solution. This article will provide insight into the basic concepts of FirewallD, the different zones, firewall services, and how to install and enable FirewallD.

Basic FirewallD Concepts

Before delving into FirewallD’s different features, it is vital to understand certain basic concepts. Zones, services, and firewall-cmd play a significant role in FirewallD.

Zones refer to the different levels of security defined by FirewallD. Each zone has different predefined rules that govern how it functions.

The predefined zones are drop, block, public, external, internal, dmz, work, home, and trusted. The drop and block zones are the most secure, while public and external zones are less secure.

Services describe the specific type of connections that FirewallD allows. FirewallD already has predefined services that include HTTP, HTTPS, SMTP, SFTP, and many more.

Firewall services allow you to create incoming traffic rules that apply to specific services. Firewall-cmd is a command-line interface that FirewallD uses to manage zones, services, and other features.

Firewalld Zones

Zones are the core components of FirewallD that ensure your system security. As discussed above, each zone has its own predefined rules that apply to different levels of security.

The drop zone has the strictest set of rules and can only receive traffic from explicitly defined sources. The block zone is slightly less strict and can receive traffic from any source except for the explicitly defined ones.

The trusted zone is the most relaxed and allows traffic to and from all sources. The internal zone is the default zone and the easiest to work with.

It is intended for internal networks, and by default, it accepts all incoming traffic. The external and public zones are meant for external networks such as the internet, and they have strict security policies.

The dmz, work, and home zones allow incoming traffic according to predefined rules but are less strict than the public and external zones. The zones are named according to the environment they’re designed for.

You can choose the zone according to your needs.

Firewall Services

Firewall services govern the specific type of connections that FirewallD allows. As mentioned earlier, FirewallD has predefined services already available, but you can create custom services according to your specific needs.

The predefined services include ssh, http, ftp, smtp, and many more. You can find the list of predefined services using the firewall-cmd command.

Custom services are tailored to specific needs and are useful for allowing traffic for specific applications. For example, you can create a custom service for VPN connections or FTP clients.

By creating custom services, you can streamline your traffic settings and minimize the risk of exposure to cyber threats.

Firewalld Runtime and Permanent Settings

Runtime configuration settings are effective only until the machine’s next reboot, whereas permanent configurations stay effective even after a machine’s reboot.

You can make runtime changes using the firewall-cmd command and permanent changes using the firewall-cmd --permanent command. The use of runtime vs. permanent settings requires a certain amount of care so that any changes made are done correctly. When using the --permanent option, ensure that you are adding only the required rules, and make changes only if you know what you are doing.
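The check below is an added example, not part of the original article: it compares the runtime and permanent views of a zone and reports entries present in only one of them. The sample port lists are constructed; audit_live is a hypothetical helper that needs firewall-cmd and root on a real host.

```shell
#!/bin/sh
# Added example: find drift between runtime and permanent firewalld settings.

# drift RUNTIME_LIST PERMANENT_LIST
# Each argument is a space-separated list as printed by
# `firewall-cmd --list-ports` or `firewall-cmd --list-services`.
#   runtime-only:   enforced now, gone after a reload or reboot
#   permanent-only: stored on disk, not enforced until `firewall-cmd --reload`
drift() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) rt[$i] = 1 }
        NR == 2 { for (i = 1; i <= NF; i++) pm[$i] = 1 }
        END {
            for (k in rt) if (!(k in pm)) print "runtime-only: " k
            for (k in pm) if (!(k in rt)) print "permanent-only: " k
        }' | sort
}

# audit_live ZONE: run the comparison against a live firewalld (hypothetical
# helper name; not called here so the script also runs without firewalld).
audit_live() {
    for what in ports services; do
        drift "$(firewall-cmd --zone="$1" --list-$what)" \
              "$(firewall-cmd --permanent --zone="$1" --list-$what)"
    done
}

# Constructed sample: 8080/tcp was opened without --permanent, and 8443/tcp
# was added with --permanent but no reload followed.
SAMPLE_RUNTIME="80/tcp 8080/tcp"
SAMPLE_PERMANENT="80/tcp 8443/tcp"
drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

An empty result means both views agree. To keep a runtime-only entry, firewall-cmd --runtime-to-permanent saves the running configuration.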

Installing and Enabling FirewallD

Now that you have learned about FirewallD’s different features, it is time to explore how to install and enable it. FirewallD comes installed by default in some operating systems like CentOS 7, Fedora, and RHEL 7.

But in case it’s not installed, use the command “yum install firewalld” to install FirewallD. To enable FirewallD, you need to run two commands: the first to start it, and the second to tell the system to enable FirewallD at boot.

The commands are:

“systemctl start firewalld”

“systemctl enable firewalld”


In conclusion, FirewallD is an excellent firewall solution that is both robust and customizable. With its predefined rules, you can set up FirewallD quickly and easily.

The ability to create custom services and zones is also a plus for those who have specific requirements. Overall, using FirewallD ensures that your system remains secure and your sensitive data stays protected.

As you’ve learned, managing FirewallD requires a certain level of care, so follow the instructions carefully and always review the documentation before making any changes. FirewallD is a feature-packed firewall solution that offers a vast array of customization options to secure your system.

Among its features, Zones are one of the most significant components that let you customize the level of security of your system. By default, FirewallD comes with certain preconfigured zones set for specific firewall needs.

In this article, we will discuss different zone configuration settings, changing the zone of an interface, and how to open a port or service in FirewallD.

Working with Firewalld Zones

In FirewallD, zones are critical components for defining different levels of security.

Zone settings apply to incoming and outgoing traffic and are useful while configuring different firewall solutions. In the following sections, we will discuss different zone settings, how changes to zone configurations work, and how to change the default zone settings.

Default Zone


Default Zone is the zone that FirewallD uses to lock incoming and outgoing traffic by default. See the default zone by typing the command:

“firewall-cmd --get-default-zone”

To check if the current active zones match the default zone, use:

“firewall-cmd --get-active-zones”

Active Zone

The active zone is the currently selected zone being employed across the host. Review the active zone by typing:

“firewall-cmd --get-active-zones”

Zone Configuration Settings

Firewalld has multiple zone configuration settings for more customization. Type the command:

“firewall-cmd --list-all”

to get a complete list of zone configuration settings.

You can change the settings for individual zones for inbound and outbound traffic and whitelist or blacklist IP addresses.

Changing the Zone of an Interface

It is possible to change the zone of an interface in FirewallD. Use the “firewall-cmd --get-active-zones” command to check the current active zone.

Then, specify a different zone to assign to the interface concerned by typing:

“firewall-cmd --zone=zone_name --change-interface=interface_name”

Verify Changes

You can verify the changes made by viewing the new active zones using “firewall-cmd --get-active-zones” and testing the interface to confirm if the changes were successful.

Changing Default Zone

FirewallD lets you choose the default zone setting you want.

To do this, type the command:

“firewall-cmd --set-default-zone=zone_name”

Now that we know how to change zones and default zones let us take a look at how we can open a port or service in FirewallD.

Opening a Port or Service

By default, FirewallD comes installed with predefined services and open ports. These services are defined in .xml files and can be displayed with the “firewall-cmd --get-services” command.

Allowing Incoming Traffic

There are a couple of firewall-cmd options you can use to allow incoming traffic, namely “--add-service,” “--list-services,” and “--permanent.” The “--add-service” option is used to allow incoming traffic for the service specified. You can specify open ports using the “--add-port” option.

Adding and Removing Ports

If you want to add a specific port, type:

“firewall-cmd --add-port=80/tcp --permanent”

If you want to remove a specific port, type:

“firewall-cmd --remove-port=80/tcp --permanent”

Creating a New FirewallD Service

If you don’t find the specific service you require, or you wish to create a new one altogether, you can use existing services as templates. First, copy a pre-existing service file to your local directory, then modify by running the “firewall-cmd --new-service-from-file” command and reload with:

“firewall-cmd --reload”
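As an added example (not from the original article), the function below writes a minimal service definition from scratch instead of copying a template, rejecting bad input before any XML is produced. The service name myapp, port 8443/tcp, the description text and the /tmp path are hypothetical.

```shell
#!/bin/sh
# Added example: emit a minimal firewalld service definition.
# "myapp" and 8443/tcp are hypothetical values chosen for illustration.

# make_service NAME PORT PROTO "DESCRIPTION"
# Prints the service XML on stdout. Returns 1 on invalid input so that a typo
# never turns into a wider opening than intended.
# DESCRIPTION is inserted as-is: keep it free of <, > and &.
make_service() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) echo "bad service name: $1" >&2; return 1 ;;
    esac
    case "$2" in
        ""|0*|*[!0-9]*|??????*) echo "bad port: $2" >&2; return 1 ;;
    esac
    if [ "$2" -gt 65535 ]; then
        echo "port out of range: $2" >&2; return 1
    fi
    case "$3" in
        tcp|udp) ;;
        *) echo "bad protocol: $3" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$1</short>
  <description>$4</description>
  <port protocol="$3" port="$2"/>
</service>
EOF
}

make_service myapp 8443 tcp "Hypothetical internal web application"

# Loading it on a host running firewalld (as root):
#   make_service myapp 8443 tcp "..." > /tmp/myapp.xml
#   firewall-cmd --permanent --new-service-from-file=/tmp/myapp.xml --name=myapp
#   firewall-cmd --permanent --zone=dmz --add-service=myapp
#   firewall-cmd --reload
```

The --new-service-from-file option only works together with --permanent, which is why the reload comes last.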

Forwarding Port with Firewalld

You can forward a port to a specific destination IP address with the “--add-forward-port” option. Use:

“firewall-cmd --add-masquerade --permanent”

“firewall-cmd --add-forward-port=port=8080:proto=tcp: toaddr= toport=8080 --permanent”

To masquerade traffic from a source network to external networks and forward all traffic from TCP Port 8080 to with the same TCP port.


FirewallD is a complex and feature-packed firewall solution that is highly customizable and configurable. In this article, we have explored how to work with FirewallD zones, change settings configurations, and open a port or service.

Armed with these skills, you can secure your system thoroughly. However, it’s essential to keep in mind that misconfigurations in FirewallD can create openings for cybersecurity threats, so it’s essential to follow instructions carefully and always verify any actions taken.

FirewallD is a powerful firewall solution that offers many customization options to secure your system. One of the fundamental features of FirewallD is its ability to create a ruleset that defines different levels of security for different network interfaces.

In this article, we will go over how to configure FirewallD to create a DMZ ruleset, its verification of changes, and how to list active zones, open ports, and interfaces.

Changing Default Zone to DMZ

The DMZ zone is used for systems that need external network exposure.

The DMZ should be set up with services that are required to be publicly accessible. In FirewallD, configuring DMZ is easy and can be achieved in a few simple steps.

First, change the default zone to DMZ using the following command:

“firewall-cmd --set-default-zone=dmz”

Next, configure the DMZ zone to use the eth0 interface by entering:

“firewall-cmd --zone=dmz --change-interface=eth0”

Once you have configured the DMZ, you can create specific rules that apply to the services you need to expose.

Verification of Changes

It’s important to verify the changes you have made to ensure that they have been successful. You can validate changes by listing the ruleset used by FirewallD by running:

“firewall-cmd --list-all”

This command will list all the configuration settings for the active zone.

You can use this command to verify that the default zone has been changed to DMZ and that the eth0 interface is being used. Another way to confirm changes is to check the active and default zones by typing:

“firewall-cmd --get-active-zones” and “firewall-cmd --get-default-zone”

Open Ports

To view all open ports, type:

“firewall-cmd --list-ports”

This command will list all ports that have an active rule associated with them, indicating that they are open and permitted. Additionally, you can check the open ports in a specific zone by typing:

“firewall-cmd --zone=zone_name --list-ports”

Active Interfaces

You can check active interfaces by typing the command:

“firewall-cmd --get-active-zones”

This command provides a list of active zones, and each active zone is associated with an interface.
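The DMZ verification steps above can be turned into a repeatable check. This added example (not from the original article) reads “firewall-cmd --zone=dmz --list-all” output and reports anything outside an expected policy; the sample output and the policy (eth0, ssh and http, 8080/tcp) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit one zone's --list-all output.

# Constructed sample of `firewall-cmd --zone=dmz --list-all` output.
SAMPLE_LIST_ALL='dmz (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh http
  ports: 8080/tcp 5432/tcp
  masquerade: no
  forward-ports:
  rich rules:'

# field NAME: read list-all text on stdin, print the value of "  NAME: ...".
# Matching on the start of the line keeps "ports" apart from "forward-ports".
field() {
    awk -v name="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, name ":") == 1 { print substr(line, length(name) + 2) }
    ' | sed 's/^ *//; s/ *$//'
}

# audit_zone IFACE "ALLOWED SERVICES" "ALLOWED PORTS"   (list-all on stdin)
# Prints one finding per line; prints nothing when the zone matches policy.
audit_zone() {
    text=$(cat)
    ifaces=$(printf '%s\n' "$text" | field interfaces)
    case " $ifaces " in
        *" $1 "*) ;;
        *) echo "interface $1 is not bound to this zone" ;;
    esac
    for s in $(printf '%s\n' "$text" | field services); do
        case " $2 " in *" $s "*) ;; *) echo "unexpected service: $s" ;; esac
    done
    for p in $(printf '%s\n' "$text" | field ports); do
        case " $3 " in *" $p "*) ;; *) echo "unexpected port: $p" ;; esac
    done
    [ "$(printf '%s\n' "$text" | field masquerade)" != "yes" ] ||
        echo "masquerade is enabled"
    return 0
}

# Hypothetical policy: eth0 bound, only ssh/http services and 8080/tcp open.
printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone eth0 "ssh http" "8080/tcp"
```

On a live host, pipe the real command output into audit_zone in place of the sample.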


FirewallD offers many customization options that make configuring firewall rulesets easy and efficient. By changing the default zone to DMZ and configuring the eth0 interface, you can create a ruleset that allows access to specific services while maintaining a high level of security.

To validate changes, use the command “firewall-cmd --list-all” to view all current configuration settings, including open ports and active interfaces. By carefully configuring rulesets using FirewallD, you can stay safe from potential cybersecurity threats.

In conclusion, FirewallD is a powerful firewall solution that allows users to create a ruleset tailored to their specific security needs. By changing the default zone to DMZ and configuring interfaces, such as eth0, FirewallD offers the flexibility to define different levels of security and control access to specific services.

Verifying changes through commands like “firewall-cmd --list-all” ensures that configurations are accurate and effective. The ability to manage open ports and active interfaces enhances system security.

As cybersecurity threats continue to evolve, configuring a robust firewall ruleset with FirewallD is crucial for safeguarding sensitive information and maintaining a secure network environment. Take advantage of FirewallD’s features to create a strong defense against potential cyber threats.
