Exploring firewalld: A Simple and Powerful Firewall for Linux to Replace iptables

Iptables and Beyond

The iptables project, developed by Rusty Russell in 1999 for managing netfilter, replaced tools like ipchains and ipnatctl in the 2.4 Linux kernel, offering a more expandable way to filter packets, giving system administrators greater control and simplifying rule creation. With ipchains, an administrator had to create a rule in each chain to trace a packet’s entire route, whereas now, a single rule is sufficient. The introduction of modules allowed for easy expansion of capabilities. Over time, iptables was ported to IPv6 (in 2011, as ip6tables), and additional modules like ULOG and nf_conntrack were added, enabling various packet manipulations, traffic classification up to the OSI model’s seventh layer, load balancing, and more. As the number of features grew, the configurations became more complex. Despite some unification, each extension has its own syntax; some support ranges, negation, and prefixes, while others do not. Initially, any rule changes required a complete firewall restart, including unloading modules, which led to disconnections of established connections. This issue no longer exists.

In simple cases, configuring with iptables is straightforward, but in complex networks, managing a large number of rules becomes challenging. Understanding all the settings and how it operates requires time. It’s difficult to immediately grasp what each chain does, and rules start to repeat, making them hard to maintain, update, and transfer to other systems.

It’s not surprising that various tools have been developed to address these issues. In Ubuntu, for instance, ufw (Uncomplicated Firewall) is used for straightforward configuration of firewall rules. For example, to allow access to the SSH port, you simply need to enter

Application developers can create pre-configured profiles that activate when the package is installed, saving users from having to create and input rules themselves.

Another well-known project that simplifies the maintenance of complex rules is FERM (for Easy Rule Making). FERM stores all rules in a single file that is easy to read, edit, and load with a single command. This file can be effortlessly transferred between computers. The rules themselves are organized into blocks and can include variables and lists, allowing for the same configurations to be more concise and understandable. The final size of FERM rules is about three times smaller than equivalent configurations for iptables. For example, you can block all connections except for HTTP, SSH, and FTP.

Under the hood, FERM is essentially a Perl script that converts configuration files into iptables rules.

In Fedora 18, the firewalld daemon was announced, which became the official tool for managing netfilter settings in RHEL 7 / CentOS 7. These systems are becoming increasingly popular on VDS, so it’s important to be aware of their specific features.

Features of Firewalld

Firewalld operates as a daemon, allowing new rules to be added without restarting or resetting the existing firewall. Configuration changes can be made at any time and are applied instantly, with no need to save or manually apply them. It supports IPv4, IPv6, automatic kernel module loading, and network zones to define the trust level of connections. Firewalld offers an easy interface for adding rules for services and applications, as well as a whitelist for applications authorized to change rules. Currently, it is supported by libvirt, Docker, fail2ban, Puppet, the Virtuozzo installation script, and many other projects. YUM repositories already include packages like fail2ban-firewalld and puppet-firewalld, making it possible to enable them with a single command.

Firewalld provides information about the current firewall settings via a D-Bus API and accepts changes through D-Bus using PolicyKit authentication methods. It uses iptables, ip6tables, ebtables, and ipset as backends, with plans to integrate nftables. However, firewalld cannot interpret rules created directly by these utilities, so both methods cannot be used simultaneously.

Management is done using command-line utilities like firewall-cmd or the graphical firewall-config, which allows you to configure all the rules in a user-friendly environment. The firewall-offline-cmd utility is used to assist in migrating current iptables rules to firewalld, and by default, it reads from /etc/sysconfig/system-config-firewall. Recent releases include the firewallctl utility, which features a simple syntax and enables you to get information about the service’s status, firewall configuration, and to modify rules.

Checking the status:

Allowing a connection on a specific port is quite straightforward:

For any changes to take effect, you must always run a command after making edits.

The parameter --remove-port is used to delete a port from the rules:

In general, many --add-* commands have corresponding --query-* for status checks, --list-* for lists, --change-* for modifications, or --remove for deleting the respective values. For brevity, we’ll not dwell further on these details. After reloading the rules, let’s proceed to check:

Firewalld includes a mode that allows you to block all connections with a single command:

To check which mode the firewall is in, there is a special command:

Disabling panic mode:

With firewalld, you don’t need to know which port is associated with a service; you just need to specify the service name. The utility will handle the rest.

Once firewalld is installed, it recognizes the configurations of over 50 services. Let’s get the list of these services.

Let’s enable the connection to HTTP:

By using curly braces, you can configure multiple services simultaneously. Information about service settings is available through

Firewalld stores all its configurations in XML files located in directories under /usr/lib/firewalld. Specifically, the services are found in the services directory. Inside each file, you’ll find details such as the name, protocol, and port.

This is a system directory, and nothing should be changed there. If you need to override settings or create your own service, copy any file as a template into /etc/firewalld/services, modify it according to your needs, and apply the settings.

A separate set of rules is used for configuring ICMP. Here’s how to get a list of supported ICMP types:

Checking the status:

Zone Management

In firewalld, zones are used to determine the level of trust for a network connection. A zone can contain multiple network connections, but each network connection can only belong to one zone. You can get a list of all zones using the command firewall-cmd --get-zones.

Upon installation, nine zones are created. Depending on the purpose, one or more of these zones can be utilized:

• Trusted: All network connections are allowed.
• Work/Home/Internal: These zones have similar settings with different purposes. Maximum trust is given to computers on the network, allowing only specific incoming connections (by default SSH and DHCPv6 client; with home and internal also allowing MDNS and Samba client).
• DMZ: For computers in a demilitarized zone, accessible from the Internet with limited access to the internal network. Only specified incoming connections are allowed (by default SSH).
• External: A rule suitable for routers to be used in external networks with masquerading enabled, characterized by maximum distrust and clearly defined allowed incoming connections (by default SSH).
• Public: For use in public places, with maximum distrust towards other computers, allowing only specific incoming connections (by default SSH and DHCPv6 client).
• Block: Incoming network connections are rejected with an icmp-host-prohibited message, only connections initiated from this system are allowed.
• Drop: Only outgoing connections are allowed, all incoming connections are blocked.

Zone descriptions are also provided in XML files located in /usr/lib/firewalld/zones.

After installing the system, the ‘public’ zone is typically used. If the existing zones are not sufficient, you can create new zones using the appropriate tools.

All packets that do not fall within specified zones are processed in the default zone.

Now, let’s look at which zones are currently active and which interfaces are associated with them.

We can also obtain feedback on which zone the interface is associated with.

Let’s review the zone settings (services, ports, protocols, etc.).

If the parameter is empty, it means that the settings have not been configured. If needed, reassign the interface to the zone:

If you check the output of firewall-cmd --zone=public --list-all now, you’ll notice that the network interface is missing from the setup list. Let’s allow the service connection:

Here’s how you can remove it:

Zones can also be associated with other sources, identified by MAC address, individual IP, or network address. Any packet arriving from such a source will be processed according to the zone’s rules.

You can view the list of all sources using --zone=trusted --list-sources. NAT, which allows multiple computers to connect to the network, can be enabled in firewalld with a single command. To check the current masquerade settings:

If the response we receive is no, then activate:

That’s all. To enable external access, we’ll set up port forwarding to one of the computers. For example, if we need SSH access to an internal server:

Let’s check:

The forwarding rule can be deleted using --remove-forward-port.

Advanced Rules

For individual PCs or small networks, the basic features are usually sufficient. To configure complex rules in firewalld, a so-called direct syntax was initially proposed, and a Rich Language was introduced later. The first option requires knowledge of iptables syntax and is recommended only as a last resort since rules do not persist after a reboot.

The syntax for a direct rule is as follows:

The syntax for <args> is exactly the same as that of iptables. Here’s how to retrieve the current settings:

Add a rule that allows connections through port 25:

Let’s forward the connection on port 22 to another server:

Let’s check:

Rich Language allows you to write complex rules in a more comprehensible format. In a rule, you can specify any parameters that define a packet, such as source, destination, service, port, protocol, masquerading, logging, auditing, and action. For instance, you can permit a subnet to connect via HTTP and add auditing:

A significant advantage of Rich Language is that all parameters can be described in XML within the zone file. The file format is very straightforward and mirrors the parameter names:

PANEL

Configuring a firewall is often a matter of habit. Many people find it more convenient to use a command they’ve relied on for years rather than learning a new utility. That’s why sometimes there’s a desire to bring back the classic tool. This isn’t an issue. Iptables isn’t included in CentOS 7 by default, so you’ll need to reinstall it:

To avoid having to configure everything from scratch, it’s better to save the current rules generated by firewalld.

Stopping firewalld and starting iptables:

Reviewing the current rules:

Prevent firewalld from automatically starting when the OS boots:

Conclusions

As you can see, it’s nothing complicated! Firewalld simplifies the setup process, especially considering that configurations can easily be transferred.