RHEL 10 FirewallD Commands & Examples

Setting up a firewall is like putting a lock on your front door—it keeps your system safe while letting the right traffic through. In Red Hat Enterprise Linux (RHEL) 10, released in May 2025, FirewallD is the go-to tool for managing network security. Its user-friendly commands make it easy to control what comes in and out of your server, even if you’re new to Linux. Whether you’re securing a web server, protecting a database, or just learning the ropes, this guide will walk you through FirewallD’s essential commands with practical examples. By the end, you’ll be confident in locking down your RHEL 10 system like a pro. Let’s dive in and explore FirewallD!

Aug 28, 2025 - 14:19
Sep 1, 2025 - 09:55

What is FirewallD?

FirewallD is RHEL 10’s default firewall management tool, designed to control network traffic dynamically. Unlike older tools like iptables, FirewallD uses a simpler, zone-based approach to manage rules, making it beginner-friendly yet powerful for advanced users. It allows you to define rules for different network environments (e.g., home, public, work) and apply them based on your network connection. FirewallD runs as a service, integrating seamlessly with RHEL 10’s system management tools like systemctl. With commands like firewall-cmd, you can secure your system without diving into complex syntax, making it perfect for both servers and desktops.

Key FirewallD Concepts

Before using FirewallD, let’s cover its core concepts to make commands easier to understand:

  • Zones: Predefined sets of rules for different network environments (e.g., public, trusted).
  • Services: Preconfigured rule sets for common applications (e.g., ssh, http).
  • Ports: Specific network ports (e.g., 80 for HTTP) you can open or close.
  • Rich Rules: Advanced rules for fine-grained control, like allowing specific IPs or logging traffic.
  • Permanent vs. Runtime: Runtime changes apply until reboot; permanent changes persist across reboots.
  • Default Zone: The zone applied to network interfaces unless specified otherwise.

These concepts form the foundation of FirewallD’s flexibility, letting you tailor security to your needs.

Common FirewallD Commands

FirewallD uses the firewall-cmd tool for most tasks. The table below summarizes key commands you’ll use in RHEL 10.

| Task | Command | Purpose |
| --- | --- | --- |
| Check FirewallD Status | firewall-cmd --state | Verify if FirewallD is running |
| List Active Zones | firewall-cmd --get-active-zones | Show zones applied to interfaces |
| Set Default Zone | firewall-cmd --set-default-zone=public | Set the default zone for interfaces |
| Add Service | firewall-cmd --add-service=http | Allow a service (e.g., HTTP) |
| Add Port | firewall-cmd --add-port=8080/tcp | Open a specific port |
| Add Rich Rule | firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept' | Allow traffic from a specific IP |

Basic FirewallD Operations

Let’s start with the essentials to get FirewallD up and running on RHEL 10:

  • Check FirewallD Status: Verify it’s running: sudo firewall-cmd --state. Output should be “running.”
  • Enable FirewallD: Ensure it starts on boot: sudo systemctl enable --now firewalld.
  • List Available Zones: See all zones: firewall-cmd --get-zones. Common zones include public, trusted, and home.
  • Reload FirewallD: Apply changes without restarting: sudo firewall-cmd --reload.
  • Make Changes Permanent: Add --permanent to commands to save rules across reboots: sudo firewall-cmd --permanent --add-service=ssh.
  • Check Active Rules: View current configuration: firewall-cmd --list-all.

Example: To enable FirewallD and check its status:

sudo systemctl enable --now firewalld
sudo firewall-cmd --state

Tip: Always test changes in runtime mode before making them permanent to avoid locking yourself out.
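
To turn the “Check Active Rules” step into an actual check, here is an added example (not from the original guide) that compares a zone’s services and ports against an allowlist and reports anything that should not be open. The listing it reads is a constructed sample of what firewall-cmd --zone=public --list-all prints, embedded so the script runs without firewalld or root; on a real host you feed it the live output instead, as the last comment shows.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a zone's effective
# configuration against an allowlist of services and ports.

# CONSTRUCTED sample of `firewall-cmd --zone=public --list-all` output.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 3000/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Print the space-separated value of one key ("services", "ports", ...)
# from --list-all output supplied on stdin.
list_all_field() {
    awk -v key="$1" '$1 == (key ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Report every service or port in the listing that is not allowlisted.
# Usage: audit_zone "<list-all output>" "<allowed services>" "<allowed ports>"
# Returns 0 when the zone matches the baseline, 1 when it has drifted.
audit_zone() {
    listing=$1
    allowed_services=$2
    allowed_ports=$3
    status=0
    for svc in $(printf '%s\n' "$listing" | list_all_field services); do
        case " $allowed_services " in
            *" $svc "*) ;;
            *) printf 'unexpected service: %s\n' "$svc"; status=1 ;;
        esac
    done
    for port in $(printf '%s\n' "$listing" | list_all_field ports); do
        case " $allowed_ports " in
            *" $port "*) ;;
            *) printf 'unexpected port: %s\n' "$port"; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone run against the sample: only ssh and 8080/tcp are expected,
# so cockpit, dhcpv6-client and 3000/tcp are reported.
audit_zone "$SAMPLE_LIST_ALL" "ssh" "8080/tcp" || echo "zone drifted from baseline"

# On a real RHEL 10 host, read the live zone instead of the sample:
#   audit_zone "$(sudo firewall-cmd --zone=public --list-all)" "ssh https" "8080/tcp"
```

Run it from cron or a configuration-check job and treat a non-zero exit as a drift alert; the allowlist is the documented baseline for the host, so anything the script prints is either an undocumented change or something to add to the baseline deliberately.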

Managing Zones

Zones allow you to apply different rules to different network interfaces. Here’s how to manage them:

  • Set Default Zone: Set public as the default: sudo firewall-cmd --set-default-zone=public.
  • Assign Interface to Zone: Link an interface (e.g., eth0) to a zone: sudo firewall-cmd --permanent --zone=public --add-interface=eth0.
  • List Active Zones: Check which zones are in use: sudo firewall-cmd --get-active-zones.
  • View Zone Details: See rules for a zone: sudo firewall-cmd --zone=public --list-all.
  • Create Custom Zone: Add a new zone: sudo firewall-cmd --permanent --new-zone=mycustomzone.

Example: Assign eth0 to the trusted zone and make it permanent:

sudo firewall-cmd --permanent --zone=trusted --add-interface=eth0
sudo firewall-cmd --reload

Tip: Use the public zone for servers exposed to the internet for stricter default rules.

Configuring Services and Ports

FirewallD makes it easy to allow specific services or ports. Here’s how:

  • Add a Service: Allow HTTP traffic: sudo firewall-cmd --permanent --add-service=http.
  • Remove a Service: Block HTTP: sudo firewall-cmd --permanent --remove-service=http.
  • Add a Port: Open port 8080: sudo firewall-cmd --permanent --add-port=8080/tcp.
  • Remove a Port: Close port 8080: sudo firewall-cmd --permanent --remove-port=8080/tcp.
  • List Services: Check available services: firewall-cmd --get-services.
  • Verify Open Ports: See open ports: firewall-cmd --list-ports.

Example: Allow HTTPS and a custom port for a web app:

sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-port=3000/tcp
sudo firewall-cmd --reload

Tip: Use services for common apps (e.g., ssh, mysql) to avoid manually specifying ports.

Using Rich Rules for Advanced Filtering

Rich rules offer precise control, like allowing specific IPs or logging traffic. Here’s how to use them:

  • Allow Specific IP: Permit traffic from 192.168.1.100: sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept'.
  • Block an IP: Deny traffic from 10.0.0.50: sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.50" reject'.
  • Log Denied Traffic: Log dropped packets: sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" log prefix="DENIED: " level="warning"'.
  • Limit Connection Rate: Restrict SSH attempts: sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" limit value="10/m" accept'.
  • Remove Rich Rule: Delete a rule: sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" accept'.

Example: Allow MySQL access from a specific subnet:

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="mysql" accept'
sudo firewall-cmd --reload

Tip: Test rich rules in runtime mode to ensure they don’t disrupt services.
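
Rich rules are strings, and a typo in one is easy to miss until firewall-cmd rejects it or, worse, accepts something broader than you meant. The added example below (not from the original guide) builds rules from validated parts: the family must be ipv4 or ipv6, the source must look like an address of that family, the service name is restricted to plain characters, the action must be accept, reject or drop, and a limit must have the 10/m shape the guide uses. The rules it produces are exactly the two from this section (MySQL from a subnet, rate-limited SSH); applying them is guarded so the script only calls firewall-cmd where it is installed. One caveat on the “Log Denied Traffic” rule above: a rich rule that has only a log clause and no source or action matches every packet that reaches the zone’s rich-rule stage, so it logs all traffic, not only what the zone later rejects; firewalld’s dedicated setting for logging rejected packets is firewall-cmd --set-log-denied=all (a real option, not shown in the guide).

```shell
#!/bin/sh
# Added example, not part of the original guide: compose firewalld rich
# rules from validated inputs before handing them to firewall-cmd.

# rich_rule FAMILY SOURCE SERVICE ACTION [LIMIT]
# Prints the rule, or prints an error and returns 1 instead of emitting a
# malformed or over-broad rule. SOURCE may be empty (no source clause).
rich_rule() {
    family=$1 src=$2 service=$3 action=$4 limit=$5

    case "$family" in
        # Octet range is not checked here; firewall-cmd rejects 999.1.1.1 itself.
        ipv4) ip_re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' ;;
        ipv6) ip_re='^[0-9A-Fa-f:]+(/[0-9]{1,3})?$' ;;
        *) echo "rich_rule: family must be ipv4 or ipv6" >&2; return 1 ;;
    esac
    if [ -n "$src" ] && ! printf '%s' "$src" | grep -Eq "$ip_re"; then
        echo "rich_rule: source '$src' does not match family $family" >&2; return 1
    fi
    if ! printf '%s' "$service" | grep -Eq '^[A-Za-z0-9_-]+$'; then
        echo "rich_rule: bad service name '$service'" >&2; return 1
    fi
    case "$action" in
        accept|reject|drop) ;;
        *) echo "rich_rule: action must be accept, reject or drop" >&2; return 1 ;;
    esac
    # Limits are "<count>/<s|m|h|d>", e.g. 10/m for ten per minute.
    if [ -n "$limit" ] && ! printf '%s' "$limit" | grep -Eq '^[0-9]+/[smhd]$'; then
        echo "rich_rule: bad limit '$limit' (expected e.g. 10/m)" >&2; return 1
    fi

    rule="rule family=\"$family\""
    [ -n "$src" ] && rule="$rule source address=\"$src\""
    rule="$rule service name=\"$service\""
    [ -n "$limit" ] && rule="$rule limit value=\"$limit\""
    printf '%s %s\n' "$rule" "$action"
}

# The two rules from this section of the guide.
MYSQL_RULE=$(rich_rule ipv4 192.168.1.0/24 mysql accept)
SSH_RULE=$(rich_rule ipv4 "" ssh accept 10/m)

if command -v firewall-cmd >/dev/null 2>&1; then
    # Runtime only (no --permanent): a wrong rule disappears at the next
    # reload; make it permanent after you have verified it.
    sudo firewall-cmd --zone=public --add-rich-rule="$MYSQL_RULE"
    sudo firewall-cmd --zone=public --add-rich-rule="$SSH_RULE"
else
    printf "would run: firewall-cmd --zone=public --add-rich-rule='%s'\n" "$MYSQL_RULE" "$SSH_RULE"
fi
```

Because the function refuses an IPv6 address under family="ipv4" (and vice versa), the classic mistake of a source clause that silently never matches is caught before the rule reaches the firewall.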

Best Practices for FirewallD

To keep your RHEL 10 system secure and functional, follow these tips:

  • Use the Public Zone for Servers: It’s restrictive by default, ideal for internet-facing systems.
  • Minimize Open Ports: Only allow necessary services or ports to reduce attack surfaces.
  • Test Changes: Apply rules in runtime mode first and test connectivity before making them permanent.
  • Enable Logging: Log denied traffic to monitor potential threats: firewall-cmd --add-rich-rule='rule family="ipv4" log'.
  • Backup Configurations: Save FirewallD rules: sudo cp -r /etc/firewalld /etc/firewalld-backup.
  • Integrate with SELinux: Ensure FirewallD rules align with SELinux policies for maximum security.
  • Monitor Rules: Regularly check active rules with firewall-cmd --list-all.
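
The “test in runtime mode first” advice appears in the Basic Operations tip, the Rich Rules tip and the Test Changes and Backup Configurations practices above. Here is an added example (not from the original guide) that turns it into a repeatable workflow: back up /etc/firewalld, start a background timer that runs firewall-cmd --reload after a delay (a reload discards every runtime-only change, which is what makes it a rollback), apply the changes without --permanent, run a verification command, and only then promote the runtime state with firewall-cmd --runtime-to-permanent. Both --runtime-to-permanent and the --query-service option used by the default check are real firewall-cmd options not shown in the guide. firewall-cmd is reached through the FWCMD variable (default sudo firewall-cmd) so the workflow can be exercised with a stand-in, and the stand-alone run at the bottom only executes where firewall-cmd is installed.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply firewalld changes in
# runtime mode with an automatic rollback timer, then promote them.

FWCMD=${FWCMD:-"sudo firewall-cmd"}   # override to test without root
ROLLBACK_SECS=${ROLLBACK_SECS:-120}   # how long you have to verify

# Start a background timer that reloads firewalld (discarding runtime-only
# changes) once ROLLBACK_SECS have passed. Prints the timer's PID.
start_rollback_timer() {
    ( sleep "$ROLLBACK_SECS" && $FWCMD --reload ) >/dev/null 2>&1 &
    echo $!
}

# Cancel the timer once the change has been verified (or already undone).
cancel_rollback_timer() {
    kill "$1" 2>/dev/null
}

# Apply runtime-only changes to one zone; each argument is one firewall-cmd
# option such as --add-service=https or --add-port=3000/tcp.
apply_runtime() {
    zone=$1; shift
    for change in "$@"; do
        $FWCMD --zone="$zone" "$change" || return 1
    done
}

# Default verification: refuse to promote a change that removed SSH from
# the public zone, the usual way to lock yourself out of a remote host.
ssh_still_allowed() {
    $FWCMD --zone=public --query-service=ssh >/dev/null
}

# safe_change ZONE VERIFY_CMD CHANGE...
# Prints "promoted" on success; on any failure reloads (rolling back the
# runtime changes), prints "rolled back" and returns 1.
safe_change() {
    zone=$1; verify=$2; shift 2
    timer=$(start_rollback_timer)
    if apply_runtime "$zone" "$@" && "$verify"; then
        cancel_rollback_timer "$timer"
        $FWCMD --runtime-to-permanent && echo "promoted"
    else
        cancel_rollback_timer "$timer"
        $FWCMD --reload >/dev/null 2>&1
        echo "rolled back"
        return 1
    fi
}

# Stand-alone run, only where firewall-cmd exists: back up the permanent
# configuration (as the guide recommends), then open HTTPS and a web app
# port in the public zone, keeping them only if SSH is still allowed.
if command -v firewall-cmd >/dev/null 2>&1; then
    sudo cp -r /etc/firewalld "/etc/firewalld-backup-$(date +%Y%m%d%H%M%S)"
    safe_change public ssh_still_allowed --add-service=https --add-port=3000/tcp
fi
```

If you are working over SSH, replace ssh_still_allowed with a check that actually connects back to the host from a second session; the timer then guarantees that even a change which cuts you off is undone within ROLLBACK_SECS without anyone touching the console.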

Conclusion

FirewallD in RHEL 10 is your key to securing network traffic with ease and precision. From basic commands like firewall-cmd --add-service to advanced rich rules, this tool empowers beginners and pros alike to protect servers, cloud instances, or desktops. By understanding zones, services, and ports, you can tailor FirewallD to your environment, whether you’re running a web app or a database. The examples in this guide—allowing HTTP, restricting IPs, or logging traffic—give you hands-on ways to start. Follow best practices, test your rules, and use RHEL 10’s FirewallD to keep your system safe. Get started today and take control of your network security!

Frequently Asked Questions

What is FirewallD in RHEL 10?

FirewallD is RHEL 10’s default firewall tool for managing network traffic using zones, services, and rules.

How do I check if FirewallD is running?

Run sudo firewall-cmd --state to verify; it should return “running.”

What is a FirewallD zone?

A zone is a set of rules applied to a network interface, like public or trusted.

How do I enable FirewallD?

Use sudo systemctl enable --now firewalld to start and enable it on boot.

What is the difference between runtime and permanent rules?

Runtime rules apply until reboot; permanent rules persist using --permanent.

How do I allow HTTP traffic?

Run sudo firewall-cmd --permanent --add-service=http, then sudo firewall-cmd --reload.

Can I open a specific port?

Yes, use sudo firewall-cmd --permanent --add-port=8080/tcp and reload.

What is a rich rule?

A rich rule is an advanced FirewallD rule for specific filtering, like allowing certain IPs.

How do I block an IP address?

Use sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.50" reject'.

How do I list active zones?

Run firewall-cmd --get-active-zones to see zones and their interfaces.

Can I create a custom zone?

Yes, use sudo firewall-cmd --permanent --new-zone=mycustomzone.

How do I check open ports?

Use firewall-cmd --list-ports to see open ports in the active zone.

What services are available in FirewallD?

List them with firewall-cmd --get-services, including ssh, http, etc.

How do I log denied traffic?

Add a rich rule: sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" log prefix="DENIED: "'.

Can I limit SSH connection attempts?

Yes, use sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" limit value="10/m" accept'.

How do I reload FirewallD rules?

Run sudo firewall-cmd --reload to apply changes without restarting.

Should I use the public zone for servers?

Yes, the public zone is restrictive and ideal for internet-facing servers.

How do I back up FirewallD rules?

Copy the configuration: sudo cp -r /etc/firewalld /etc/firewalld-backup.

Does FirewallD work with SELinux?

Yes, FirewallD integrates with SELinux for enhanced security; ensure rules align with SELinux policies.

Where can I learn more about FirewallD?

Check docs.redhat.com, the Red Hat Customer Portal, or forums like r/redhat on Reddit.


Ishwar Singh Sisodiya I am focused on making a positive difference and helping businesses and people grow. I believe in the power of hard work, continuous learning, and finding creative ways to solve problems. My goal is to lead projects that help others succeed, while always staying up to date with the latest trends. I am dedicated to creating opportunities for growth and helping others reach their full potential.