March 21, 2023
Introduction
In this blog post, we will guide you through the process of installing, enabling, and configuring
firewalls on various Linux distributions, specifically Ubuntu/Debian, CentOS 7, CentOS Stream 8/9,
Fedora, Red Hat Enterprise Linux (RHEL), and openSUSE. Firewalls play a crucial role in securing your
system by controlling incoming and outgoing network traffic based on predefined rules. The default
firewall for Ubuntu and Debian-based distributions is Uncomplicated Firewall (UFW), while CentOS,
Fedora/RHEL, and openSUSE use firewalld.
Ubuntu/Debian: Installing and enabling UFW
Step 1: Install UFW
To install UFW on your Ubuntu or Debian-based system, run the following command:
sudo apt-get update
sudo apt-get install ufw
Step 2: Enable UFW
To enable the UFW firewall, run:
sudo ufw enable
Step 3: Set default rule to allow incoming traffic
By default, UFW denies all incoming traffic. To change this behavior (not recommended, see
below), run:
sudo ufw default allow incoming
CentOS 7: Installing and enabling firewalld
Step 1: Install firewalld
To install firewalld on CentOS 7, run:
sudo yum install firewalld
Step 2: Enable and start firewalld
To enable and start the firewalld service, run:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Step 3: Set default rule to allow incoming traffic
By default, firewalld denies all incoming traffic. To change this behavior (not recommended, see
below), run:
sudo firewall-cmd --set-default-zone=trusted
sudo firewall-cmd --runtime-to-permanent
CentOS Stream 8/9: Installing and enabling firewalld
Step 1: Install firewalld
To install firewalld on CentOS Stream 8 or 9, run:
sudo dnf install firewalld
Step 2: Enable and start firewalld
To enable and start the firewalld service, run:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Step 3: Set default rule to allow incoming traffic
By default, firewalld denies all incoming traffic. To change this behavior (not recommended, see
below), run:
sudo firewall-cmd --set-default-zone=trusted
sudo firewall-cmd --runtime-to-permanent
Fedora & Red Hat Enterprise Linux (RHEL): Installing and enabling firewalld
Step 1: Install firewalld
To install firewalld on Fedora & Red Hat Enterprise Linux (RHEL), run:
sudo dnf install firewalld
Step 2: Enable and start firewalld
To enable and start the firewalld service, run:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Step 3: Set default rule to allow incoming traffic
By default, firewalld denies all incoming traffic. To change this behavior (not recommended, see
below), run:
sudo firewall-cmd --set-default-zone=trusted
sudo firewall-cmd --runtime-to-permanent
openSUSE: Installing and enabling firewalld
Step 1: Install firewalld
To install firewalld on openSUSE, run:
sudo zypper install firewalld
Step 2: Enable and start firewalld
To enable and start the firewalld service, run:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Step 3: Set default rule to allow incoming traffic
By default, firewalld denies all incoming traffic. To change this behavior (not recommended, see
below), run:
sudo firewall-cmd --set-default-zone=trusted
sudo firewall-cmd --runtime-to-permanent
Further Firewall Configuration
As stated above, allowing all incoming traffic is not recommended; instead, configure your firewall
to permit only the services your system actually needs. Allowing all incoming traffic exposes every
listening service on the host to potential threats.
Please see below for additional configuration options.
Uncomplicated Firewall (UFW)
Enable/disable UFW:
sudo ufw enable
sudo ufw disable
Check UFW status and rules:
sudo ufw status verbose
Set default policies (allow, deny, or reject):
sudo ufw default allow incoming
sudo ufw default deny incoming
sudo ufw default reject incoming
Allow/deny specific ports and protocols:
sudo ufw allow 22/tcp
sudo ufw deny 22/tcp
Allow/deny specific IP addresses or subnets:
sudo ufw allow from 192.168.1.0/24
sudo ufw deny from 192.168.1.0/24
Delete a rule:
sudo ufw delete allow 22/tcp
Reset UFW to default settings:
sudo ufw reset
firewalld
In the context of firewalld, a "zone" is a predefined set of rules that define the level of trust
for network connections and interfaces. Each zone has its own rules, services, and ports that
are allowed or denied based on the trust level. By setting a default zone, you are determining
the default set of rules that will be applied to network connections that do not explicitly
belong to any other zone.
Firewalld comes with several predefined zones, such as:
- drop: All incoming connections are dropped without any reply. Only outgoing connections are
allowed.
- block: Similar to 'drop', but incoming connections are rejected with an icmp-host-prohibited
or icmp6-adm-prohibited message.
- public: Represents public, untrusted networks. Only selected incoming connections are
allowed.
- external: Used for external networks with masquerading enabled, especially for routers. Only
selected incoming connections are allowed.
- dmz: Used for computers in your demilitarized zone (DMZ). Only selected incoming connections
are allowed.
- work: Used for work machines. Trust most of the machines in the network. Only selected
incoming connections are allowed.
- home: Used for home machines. Trust most of the machines in the network. Only selected
incoming connections are allowed.
- internal: Used for internal networks. Trust all machines in the network. Only selected
incoming connections are allowed.
- trusted: All network connections are accepted.
When you "set default zone" in firewalld, you are defining which zone's rules should be applied
to network connections that have not been explicitly assigned to another zone. For example, if
you set the default zone to 'public', any connections not specified to be in another zone will
be treated according to the rules and policies of the 'public' zone.
Enable/disable firewalld:
sudo systemctl enable firewalld
sudo systemctl disable firewalld
Start/stop firewalld:
sudo systemctl start firewalld
sudo systemctl stop firewalld
Check firewalld status and rules:
sudo firewall-cmd --state
sudo firewall-cmd --list-all
Set default zone:
sudo firewall-cmd --set-default-zone=public
Allow/deny specific ports and protocols:
sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=22/tcp --permanent
Allow/deny specific services:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
Allow/deny specific IP addresses or subnets:
sudo firewall-cmd --zone=public --add-source=192.168.1.0/24 --permanent
sudo firewall-cmd --zone=public --remove-source=192.168.1.0/24 --permanent
Reload firewalld configuration (rules added with --permanent only take effect after a reload):
sudo firewall-cmd --reload
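As an added example (not code from the original post), the following script applies the least-privilege alternative to "allow incoming" that the UFW and firewalld command lists above describe, for whichever of the two tools is installed. The management subnet 192.168.1.0/24 and the choice of SSH/HTTP/HTTPS as the only permitted services are constructed assumptions; DRY_RUN=1 prints the commands without running them.

```shell
#!/bin/sh
# Added example, not the post's own code: least-privilege baseline for whichever
# firewall is installed. Assumptions (constructed): SSH only from MGMT_NET,
# HTTP/HTTPS from anywhere, every other incoming connection denied.
# Keep an existing SSH session open while applying, in case MGMT_NET is wrong.
set -eu
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"   # constructed sample subnet

# Report which tool is present: ufw, firewalld, or none.
fw_detect() {
    if command -v ufw >/dev/null 2>&1; then echo ufw
    elif command -v firewall-cmd >/dev/null 2>&1; then echo firewalld
    else echo none; fi
}

# UFW: deny everything incoming by default, then open only what is needed.
ufw_baseline_cmds() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $MGMT_NET to any port 22 proto tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
EOF
}

# firewalld: keep 'public' (not 'trusted') as the default zone, replace the
# stock ssh service with a rich rule limited to MGMT_NET, add the web
# services, then reload so the --permanent rules take effect.
firewalld_baseline_cmds() {
    cat <<EOF
firewall-cmd --set-default-zone=public
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="$MGMT_NET" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
EOF
}

# Print the plan; run it with sudo unless DRY_RUN=1.
apply_baseline() {
    case "$(fw_detect)" in
        ufw)       cmds="$(ufw_baseline_cmds)" ;;
        firewalld) cmds="$(firewalld_baseline_cmds)" ;;
        *)         echo "no supported firewall found" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmds"
    if [ "${DRY_RUN:-0}" = "1" ]; then return 0; fi
    printf '%s\n' "$cmds" | while IFS= read -r c; do eval "sudo $c"; done
}
```

After applying, confirm the result with `sudo ufw status verbose` (expect "Default: deny (incoming)") or `sudo firewall-cmd --list-all` (expect no "trusted" default and only the intended services and rich rule).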
Conclusion
These are some of the common commands and ways to control both UFW and firewalld. Depending on your
specific needs, you may need to dive deeper into each tool's documentation for more advanced use
cases. We have now demonstrated how to install, enable, and configure the firewalls (UFW and
firewalld) on Ubuntu/Debian, CentOS 7, CentOS Stream 8, Fedora, Red Hat Enterprise Linux (RHEL), and
openSUSE.