How to Install and Use Firewalld on Ubuntu: A Comprehensive Guide

Posted on April 20, 2025

Firewalld is a dynamic firewall management tool that provides a more flexible and feature-rich alternative to Ubuntu's default UFW (Uncomplicated Firewall). Originally developed for Red Hat-based systems, firewalld has gained popularity for its zone-based approach to firewall management and runtime configuration capabilities. This tutorial will guide you through installing and configuring firewalld on Ubuntu systems.

Introduction to Firewalld

Firewalld is a dynamically managed firewall that groups network interfaces and source networks into zones, each with its own trust level and rule set. Unlike UFW, which is the default firewall management tool in Ubuntu, firewalld offers several advantages:

  • Dynamic rule updates without dropping connections
  • Zone-based configuration for different trust levels
  • Runtime and permanent configuration options
  • Support for rich rules for complex firewall configurations
  • Direct interface to iptables for advanced users (deprecated since firewalld 1.0 in favour of zones and policies, but still available)

Installing Firewalld on Ubuntu

Before installing firewalld, note that running two firewall management tools at the same time is not recommended: both UFW and firewalld write rules into the same kernel netfilter framework, so each can overwrite or bypass the other's rules. Since Ubuntu uses UFW by default, disable it before setting up firewalld.

Step 1: Disable UFW (if enabled)


# Check UFW status
sudo ufw status

# Disable UFW if it's active
sudo ufw disable

Step 2: Install Firewalld


# Update package lists
sudo apt update

# Install firewalld
sudo apt install -y firewalld

Step 3: Enable and Start Firewalld


# Enable firewalld to start at boot
sudo systemctl enable firewalld

# Start firewalld service
sudo systemctl start firewalld

# Verify firewalld is running
sudo systemctl status firewalld

Basic Firewalld Usage

Checking Status


# Check if firewalld is running
sudo firewall-cmd --state

# Get firewalld version
sudo firewall-cmd --version

Understanding Zones


# List all available zones
sudo firewall-cmd --get-zones

# Show details of all zones
sudo firewall-cmd --list-all-zones

# Check which zone is active
sudo firewall-cmd --get-active-zones

# Get details about a specific zone (e.g., public)
sudo firewall-cmd --zone=public --list-all

Managing Services


# List all available services
sudo firewall-cmd --get-services

# List services allowed in the default zone
sudo firewall-cmd --list-services

# Add a service to the default zone (temporary)
sudo firewall-cmd --add-service=http

# Add a service permanently
sudo firewall-cmd --permanent --add-service=http

# Add a service to a specific zone
sudo firewall-cmd --zone=home --add-service=samba

# Remove a service from the default zone
sudo firewall-cmd --remove-service=http

Managing Ports


# List open ports in the default zone
sudo firewall-cmd --list-ports

# Open a TCP port in the default zone (temporary)
sudo firewall-cmd --add-port=8080/tcp

# Open a port permanently
sudo firewall-cmd --permanent --add-port=8080/tcp

# Open a UDP port in a specific zone
sudo firewall-cmd --zone=home --add-port=123/udp

# Close a port
sudo firewall-cmd --remove-port=8080/tcp

Advanced Firewalld Configuration

Using Rich Rules


# List existing rich rules
sudo firewall-cmd --list-rich-rules

# Allow SSH access from a specific IP address
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'

# Limit new HTTP connections from the 192.168.1.0/24 subnet to 10 per minute
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" limit value="10/m" accept'

# Block an IP address
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.1" reject'

# Forward traffic from port 80 to port 8080
sudo firewall-cmd --add-rich-rule='rule family="ipv4" forward-port port="80" protocol="tcp" to-port="8080"'

# Add a rich rule permanently
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'

# Remove a rich rule
sudo firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'

Direct Rules


# Add a direct rule that passes raw iptables arguments through (advanced users;
# the direct interface is deprecated since firewalld 1.0 in favour of zones and policies)
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT

# List direct rules
sudo firewall-cmd --direct --get-all-rules

Runtime vs. Permanent Configuration


# Make runtime changes permanent
sudo firewall-cmd --runtime-to-permanent

# Make permanent changes active in runtime
sudo firewall-cmd --reload

# Check if a rule is in both runtime and permanent configuration
sudo firewall-cmd --query-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'
sudo firewall-cmd --permanent --query-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'

Practical Examples

Example 1: Basic Web Server Configuration


# Allow HTTP and HTTPS traffic
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

# Allow SSH access for remote management
sudo firewall-cmd --permanent --add-service=ssh

# Apply changes
sudo firewall-cmd --reload

# Verify configuration
sudo firewall-cmd --list-all

Example 2: Secure Database Server


# Create a new zone for database access
sudo firewall-cmd --permanent --new-zone=database
sudo firewall-cmd --reload

# Allow MySQL access only from application servers
sudo firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="3306" protocol="tcp" accept'

# Assign the zone to a specific interface
sudo firewall-cmd --permanent --zone=database --add-interface=eth1

# Allow SSH access from admin network
sudo firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" service name="ssh" accept'

# Apply changes
sudo firewall-cmd --reload

Example 3: Rate Limiting to Prevent DoS Attacks


# Limit new SSH connections to 3 per minute. This only takes effect if the zone
# does not also allow the ssh service unconditionally (see Managing Services):
# traffic above the limit simply does not match this rule and falls through
# to the next rule that accepts it.
sudo firewall-cmd --permanent --add-rich-rule='rule service name="ssh" limit value="3/m" accept'

# Limit new HTTP connections to 100 per minute (same caveat for the http service)
sudo firewall-cmd --permanent --add-rich-rule='rule service name="http" limit value="100/m" accept'

# Apply changes
sudo firewall-cmd --reload
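As an added example (not part of the original post), here is a small Python audit of a permanent zone file under /etc/firewalld/zones/, the files the reset step later in this guide deletes. It flags services and ports open to any source and the pitfall from Example 3: a rate-limited rich rule has no effect while the zone also accepts the same service unconditionally. The zone XML below is a constructed sample; `audit_zone` is a name chosen here, not a firewalld API.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not taken from a real host): the public zone as it would
# look after Example 3 if the unconditional ssh service was left in place.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
  <service name="http"/>
  <port port="8080" protocol="tcp"/>
  <rule>
    <service name="ssh"/>
    <limit value="3/m"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.10"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
"""


def audit_zone(xml_text):
    """Return findings for one permanent zone file as a dict."""
    zone = ET.fromstring(xml_text)
    # Plain <service>/<port> entries carry no source restriction: any address
    # reaching this zone's interfaces may connect.
    open_services = sorted(s.get("name") for s in zone.findall("service"))
    open_ports = sorted(f"{p.get('port')}/{p.get('protocol')}"
                        for p in zone.findall("port"))
    findings = {
        "zone_accepts_everything": zone.get("target") == "ACCEPT",
        "unrestricted_services": open_services,
        "unrestricted_ports": open_ports,
        "ineffective_limits": [],
    }
    for rule in zone.findall("rule"):
        svc, limit, accept = (rule.find(t) for t in ("service", "limit", "accept"))
        if svc is None or limit is None or accept is None:
            continue
        # Traffic above the limit does not match this rule and falls through;
        # an unconditional accept for the same service then lets it in anyway.
        if svc.get("name") in open_services:
            findings["ineffective_limits"].append(
                f"{svc.get('name')} limited to {limit.get('value')} but also "
                "allowed unconditionally")
    return findings


if __name__ == "__main__":
    for key, value in audit_zone(SAMPLE_ZONE_XML).items():
        print(f"{key}: {value}")
```

Point it at a real file with `audit_zone(open("/etc/firewalld/zones/public.xml").read())` on a host where firewalld has written permanent configuration.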

Troubleshooting

Common Issues and Solutions


# View firewalld logs
sudo journalctl -u firewalld

# Show the full configuration of the default zone (services, ports, rich rules)
sudo firewall-cmd --list-all

# Check if a service is allowed
sudo firewall-cmd --query-service=http

# Panic mode (emergency: drop all incoming and outgoing traffic, which also cuts any remote SSH session)
sudo firewall-cmd --panic-on

# Disable panic mode
sudo firewall-cmd --panic-off

# Check if panic mode is enabled
sudo firewall-cmd --query-panic

Resetting Firewalld Configuration


# Stop firewalld
sudo systemctl stop firewalld

# Reset to default configuration: delete the custom zone and service definitions
# under /etc/firewalld; the built-in defaults in /usr/lib/firewalld are untouched and apply again
sudo rm -rf /etc/firewalld/zones/*
sudo rm -rf /etc/firewalld/services/*

# Restart firewalld
sudo systemctl start firewalld

Conclusion

Firewalld provides a powerful, flexible approach to managing your Ubuntu firewall. Its zone-based approach and dynamic configuration capabilities make it especially useful for complex networking environments where different interfaces or networks require different security policies.

While UFW may be simpler for basic setups, firewalld offers more advanced features for those who need finer control over their firewall rules. By mastering the concepts of zones, services, and rich rules, you can create a secure, well-organized firewall configuration tailored to your specific requirements.
