
How To Install FirewallD on AlmaLinux 10


Network security stands as a fundamental pillar of modern system administration, and proper firewall configuration serves as the first line of defense against unauthorized access. AlmaLinux 10, as an enterprise-grade Linux distribution, provides robust security features through FirewallD, a dynamic firewall management tool that simplifies network traffic control while maintaining powerful functionality.

This comprehensive guide walks you through the complete process of installing, configuring, and managing FirewallD on AlmaLinux 10. Whether you’re a system administrator securing enterprise servers or a developer setting up a development environment, mastering FirewallD ensures your AlmaLinux system remains protected against potential security threats while maintaining optimal performance.

Understanding FirewallD Fundamentals

What is FirewallD?

FirewallD represents a significant evolution in Linux firewall management, serving as a dynamic firewall daemon that provides a flexible interface for configuring network traffic filtering rules. Unlike traditional iptables configurations that require manual rule management, FirewallD operates as a service that can dynamically modify firewall rules without interrupting existing network connections.

The tool abstracts complex networking concepts into user-friendly zones and services, making firewall management accessible to administrators with varying levels of networking expertise. FirewallD supports both IPv4 and IPv6 protocols, ensuring comprehensive network protection across modern networking environments.

Key FirewallD Concepts

FirewallD operates on several fundamental concepts that distinguish it from traditional firewall solutions. Zones define trust levels for network connections, allowing administrators to apply different security policies based on network interface locations. Each zone contains specific rules determining which services and ports are accessible.

Services represent predefined collections of ports and protocols commonly used by specific applications. For example, the HTTP service includes port 80 and the HTTPS service encompasses port 443, simplifying rule management for common server applications.

The distinction between runtime and permanent configurations provides flexibility in firewall management. Runtime changes take effect immediately but don’t survive system reboots, while permanent configurations persist across system restarts.

Prerequisites and System Requirements

Before installing FirewallD on AlmaLinux 10, ensure your system meets the necessary requirements and prerequisites. Your AlmaLinux 10 system should have sufficient resources and proper network connectivity to support firewall operations.

Verify that you have root or sudo access to the system by running the following command:

sudo whoami

This command should return “root”, confirming that sudo grants you administrative privileges. Additionally, identify your network interfaces to understand which interfaces will be managed by FirewallD:

ip addr show

Update your system packages before proceeding with FirewallD installation to ensure compatibility and security:

sudo dnf update -y

Checking Current FirewallD Status

Verifying Installation Status

AlmaLinux typically includes FirewallD by default, but verification ensures the service is available and properly configured. Check if FirewallD is already installed on your system:

dnf list installed | grep firewalld

If FirewallD is installed, this command displays package information including version details. You can also verify the installation status using the package manager directly:

sudo dnf list firewalld

Service Status Assessment

Determine whether FirewallD is currently running on your AlmaLinux system:

sudo systemctl status firewalld

This command provides comprehensive service status information, including whether the service is active, inactive, or failed. The output also displays recent log entries and service startup information.

Check the firewall state using FirewallD’s built-in command:

sudo firewall-cmd --state

A “running” response indicates FirewallD is active and managing network traffic. If the command returns “not running,” the service requires activation.

Installing FirewallD on AlmaLinux 10

Installation Methods

FirewallD installation on AlmaLinux 10 utilizes the DNF package manager, which handles dependency resolution automatically. Install FirewallD using the following command:

sudo dnf install firewalld -y

The -y flag automatically confirms the installation, streamlining the process. DNF downloads the latest FirewallD package from AlmaLinux repositories and installs all required dependencies.

For systems requiring offline installation, download the FirewallD package and its dependencies:

sudo dnf download --resolve firewalld

This command downloads the package together with the dependencies that are not already installed on the downloading host (add --alldeps to fetch every dependency), for manual installation on systems without internet connectivity. The download subcommand is provided by the dnf-plugins-core package, so install that first if dnf reports an unknown command.

Post-Installation Verification

Confirm successful FirewallD installation by checking the package information:

dnf info firewalld

This command displays detailed package information, including version, architecture, and installation status. Verify that all required dependencies were installed correctly:

dnf list installed | grep -E "(firewalld|python3-firewall)"

Test the FirewallD binary to ensure proper installation:

firewall-cmd --version

A successful installation returns the FirewallD version number, confirming the tool is ready for configuration.

Enabling and Starting FirewallD Service

Service Management Commands

Enable FirewallD to start automatically during system boot:

sudo systemctl enable firewalld

This command creates the necessary systemd links to ensure FirewallD starts with the system. Start the FirewallD service immediately:

sudo systemctl start firewalld

Combine both operations using a single command for efficiency:

sudo systemctl enable --now firewalld

The --now flag starts the service immediately while enabling it for automatic startup.

Service Status Verification

Verify that FirewallD is running correctly:

sudo systemctl status firewalld

Look for “active (running)” in the output, indicating successful service startup. Check the firewall operational status:

sudo firewall-cmd --state

This command should return “running” when FirewallD is properly operational.

Basic FirewallD Configuration

Understanding Default Configuration

FirewallD includes preconfigured settings that provide reasonable security for most AlmaLinux installations. Check the default zone assignment:

sudo firewall-cmd --get-default-zone

Typically, the default zone is “public,” which provides balanced security for general-purpose servers. View currently active zones and their associated network interfaces:

sudo firewall-cmd --get-active-zones

List services enabled in the current zone:

sudo firewall-cmd --list-services

By default, AlmaLinux enables SSH, Cockpit, and DHCPv6-client services, allowing basic system administration and network configuration.

Zone Management Basics

FirewallD organizes network security through zones, each representing different trust levels. List all available zones:

sudo firewall-cmd --get-zones

Common zones include public, home, work, internal, external, dmz, block, drop, and trusted. Each zone has predefined rules appropriate for its intended environment.

View detailed information about a specific zone:

sudo firewall-cmd --zone=public --list-all

This command displays all services, ports, and rules configured for the specified zone.

Essential FirewallD Commands

Status and Information Commands

Monitor FirewallD status and configuration using these essential commands. Check overall firewall status:

sudo firewall-cmd --state

Display comprehensive zone information:

sudo firewall-cmd --list-all-zones

View active zone configurations:

sudo firewall-cmd --list-all

Check which services are currently allowed:

sudo firewall-cmd --list-services

Configuration Commands

Modify FirewallD configuration using runtime and permanent options. Add services to allow specific network traffic:

sudo firewall-cmd --add-service=http --permanent

The --permanent flag writes the change to the configuration files under /etc/firewalld so it persists across reboots, but the running firewall is not touched until you reload it:

sudo firewall-cmd --reload

Remove services when they’re no longer needed:

sudo firewall-cmd --remove-service=http --permanent
sudo firewall-cmd --reload

Opening and Managing Ports

Port Management Procedures

FirewallD allows granular control over network ports, enabling specific applications while maintaining security. Open a specific port for TCP traffic:

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

This command opens port 8080 for TCP connections in the public zone. Open UDP ports using similar syntax:

sudo firewall-cmd --zone=public --add-port=53/udp --permanent

Open port ranges when applications require multiple consecutive ports:

sudo firewall-cmd --zone=public --add-port=8000-8100/tcp --permanent

Apply changes after modifying port configurations:

sudo firewall-cmd --reload
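The runtime-versus-permanent distinction and the port commands above combine into a safe change procedure: open the port at runtime first (so a mistake is undone by a reload or reboot), confirm it took effect, and only then copy the runtime state into the permanent configuration with --runtime-to-permanent. The script below is an added example, not part of the original article; the FWCMD variable is a hypothetical override so the functions can be exercised against a stub instead of the real firewall-cmd, and the port/protocol syntax check was written for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): validate a port spec,
# open it at runtime, confirm it took, then promote it to permanent.
# FWCMD is a hypothetical override used to stub firewall-cmd in tests.
set -eu

fw() { ${FWCMD:-sudo firewall-cmd} "$@"; }

# valid_port_spec PORT[-PORT]/PROTO -> 0 if well formed and within 1-65535
valid_port_spec() {
    spec="$1"
    printf '%s' "$spec" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp|sctp|dccp)$' || return 1
    ports="${spec%/*}"
    lo="${ports%-*}"
    hi="${ports#*-}"
    if [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]; then
        return 0
    fi
    return 1
}

# open_port_safely ZONE SPEC
#   1. runtime add: effective immediately, lost on reload or reboot
#   2. verify with --query-port
#   3. copy the whole runtime state into the permanent configuration
open_port_safely() {
    zone="$1"; spec="$2"
    valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
    fw --zone="$zone" --add-port="$spec" >/dev/null
    fw --zone="$zone" --query-port="$spec" >/dev/null \
        || { echo "runtime add of $spec did not take" >&2; return 3; }
    fw --runtime-to-permanent >/dev/null
    echo "opened $spec in zone $zone (runtime + permanent)"
}

if [ "${1:-}" = "--run" ]; then
    open_port_safely public 8080/tcp
fi
```

Run it as ./open-port.sh --run on a host where you have sudo. Note that --runtime-to-permanent copies every runtime change, not only the port just added, so check --list-all before committing if other runtime edits have been made.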

Service-Based Access Control

Using predefined services provides better security and easier management than opening individual ports. Add common web services:

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent

List available services:

sudo firewall-cmd --get-services

Create custom service definitions for applications not included in default services. After a reload, the new service can be added to a zone with --add-service like any predefined service:

sudo firewall-cmd --permanent --new-service=myapp
sudo firewall-cmd --permanent --service=myapp --set-description="My Custom Application"
sudo firewall-cmd --permanent --service=myapp --set-short="MyApp"
sudo firewall-cmd --permanent --service=myapp --add-port=9000/tcp

Advanced Configuration Options

Rich Rules Implementation

Rich rules provide advanced firewall functionality beyond basic service and port management. Create rules based on source IP addresses:

sudo firewall-cmd --zone=public --add-rich-rule='rule source address="192.168.1.0/24" service name="ssh" accept' --permanent

This rule accepts SSH connections from the 192.168.1.0/24 subnet. On its own it does not restrict other sources: if the generic ssh service is still enabled in the zone, SSH remains reachable from everywhere, so remove that service as well when the intent is to limit SSH to that subnet. Block specific IP addresses:

sudo firewall-cmd --zone=public --add-rich-rule='rule source address="203.0.113.50" drop' --permanent
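The following script turns the source-based SSH rule above into a repeatable hardening step: it validates each management subnet, adds one rich rule per subnet, removes the generic ssh service so the rich rules actually limit access, and reloads so all permanent changes apply in one step. It is an added example, not code from the original article; the subnets are constructed, the family="ipv4" attribute is made explicit, and FWCMD is a hypothetical override used to stub firewall-cmd.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): restrict SSH to a list
# of management subnets with rich rules. FWCMD is a hypothetical override
# used to stub firewall-cmd; the subnets below are constructed samples.
set -eu

fw() { ${FWCMD:-sudo firewall-cmd} "$@"; }

# valid_cidr4 A.B.C.D[/N] -> 0 if every octet <= 255 and prefix <= 32
valid_cidr4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr="${1%/*}"
    prefix="${1#*/}"
    if [ "$prefix" = "$1" ]; then prefix=32; fi   # bare host address
    if [ "$prefix" -gt 32 ]; then return 1; fi
    old_ifs=$IFS; IFS=.
    set -- $addr                                   # split into octets
    IFS=$old_ifs
    for oct in "$@"; do
        if [ "$oct" -gt 255 ]; then return 1; fi
    done
    return 0
}

# ssh_rich_rule CIDR -> rich rule text accepting ssh from that source
ssh_rich_rule() {
    valid_cidr4 "$1" || return 1
    printf 'rule family="ipv4" source address="%s" service name="ssh" accept' "$1"
}

# restrict_ssh ZONE CIDR...
# Rich rules are added before the generic ssh service is removed, and
# everything is written with --permanent, so the single reload at the end
# applies the new state atomically (no window without any SSH access).
restrict_ssh() {
    zone="$1"; shift
    for cidr in "$@"; do
        rule=$(ssh_rich_rule "$cidr") || { echo "bad subnet: $cidr" >&2; return 2; }
        fw --permanent --zone="$zone" --add-rich-rule="$rule" >/dev/null
    done
    if fw --permanent --zone="$zone" --query-service=ssh >/dev/null; then
        fw --permanent --zone="$zone" --remove-service=ssh >/dev/null
    fi
    fw --reload >/dev/null
    echo "ssh in zone $zone limited to: $*"
}

if [ "${1:-}" = "--run" ]; then
    restrict_ssh public 192.168.1.0/24 10.0.0.5
fi
```

Run it from a session that originates inside one of the listed subnets, and keep that session open until a second login confirms the new rules, so a typo in the subnet list cannot lock you out.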

Network Source Management

Configure trusted IP ranges and network segments for enhanced security. Add trusted source networks:

sudo firewall-cmd --zone=trusted --add-source=192.168.0.0/16 --permanent

Remove source networks when they’re no longer trusted:

sudo firewall-cmd --zone=trusted --remove-source=192.168.0.0/16 --permanent

Apply source-based rules to specific zones for network segmentation strategies.

Testing and Verification

Verify FirewallD configuration by testing network connectivity from external systems. Use nmap to scan open ports:

nmap -p 1-1000 your-server-ip

Test specific services using telnet:

telnet your-server-ip 80

Monitor firewall logs for connection attempts:

sudo journalctl -xe | grep firewalld

By default FirewallD does not log the packets it rejects or drops, so a search for denied connections finds nothing until that logging is switched on. Enable it, then follow the kernel log, where the entries carry prefixes such as FINAL_REJECT rather than the word DENIED:

sudo firewall-cmd --set-log-denied=all
sudo journalctl -k -f | grep -E "REJECT|DROP"
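Once denied-packet logging is enabled with firewall-cmd --set-log-denied=all, the kernel log fills with one netfilter LOG line per rejected packet, which is far more useful summarised than read raw. The script below is an added example, not part of the original article: it counts denied packets by source address and destination port and lists sources above a threshold. The journal lines are constructed samples in the standard netfilter LOG format; the FINAL_REJECT prefix is the one FirewallD's nftables backend uses for its catch-all rule.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): summarise the kernel
# log lines firewalld emits once --set-log-denied is enabled.
# The lines below are constructed samples, not a capture from a real host.
set -eu

SAMPLE_LOG='Jun 01 12:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 SYN URGP=0
Jun 01 12:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 SYN URGP=0
Jun 01 12:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=3 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 SYN URGP=0
Jun 01 12:00:04 host sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50000 ssh2
Jun 01 12:00:05 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.50 DST=192.0.2.10 LEN=40 TTL=52 ID=4 PROTO=UDP SPT=5000 DPT=161 LEN=20'

# denied_summary < journal-lines -> "count src dport/proto", busiest first
denied_summary() {
    awk '
    / kernel: / && /SRC=/ && /DPT=/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
        }
        count[src " " dpt "/" proto]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# denied_sources_over N < journal-lines -> sources with more than N denials
denied_sources_over() {
    awk -v n="$1" '
    / kernel: / && /SRC=/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) c[substr($i, 5)]++
    }
    END { for (s in c) if (c[s] > n) print s }' | sort
}

if [ "${1:-}" = "--live" ]; then
    sudo journalctl -k --since "1 hour ago" | denied_summary
else
    printf '%s\n' "$SAMPLE_LOG" | denied_summary
fi
```

Without arguments the script summarises the embedded sample; with --live it reads the last hour of the kernel journal. A source that appears against many different ports in a short window is the pattern worth a closer look or a drop rich rule like the one shown above.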

Best Practices and Security Considerations

Security Hardening

Implement the principle of least privilege by opening only necessary ports and services. Regularly audit firewall configurations:

sudo firewall-cmd --list-all-zones > firewall-audit.txt
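A saved audit file is only useful if somebody reads it, so it pays to check it mechanically. The script below is an added example, not part of the original article: it parses the text format of firewall-cmd --list-all-zones and reports, for active zones only, cleartext management services, very wide port ranges, and an ACCEPT-target zone bound to a source network. The sample output is a constructed capture and the thresholds are assumptions chosen for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): offline audit of the
# text produced by `firewall-cmd --list-all-zones`. SAMPLE_ZONES is a
# constructed capture; the 100-port threshold is an assumption.
set -eu

SAMPLE_ZONES='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh telnet
  ports: 8080/tcp 8000-8100/tcp 10000-20000/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.0.0/16
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  rich rules:

dmz
  target: default
  interfaces:
  sources:
  services: ssh ftp
  ports: 1-65535/tcp
  rich rules:
'

# audit_zones < list-all-zones-output -> one "zone: finding" line per issue
audit_zones() {
    awk '
    /^[a-z0-9_-]+( \(active\))?$/ {           # zone header, e.g. "public (active)"
        zone = $1
        active[zone] = ($0 ~ /\(active\)/) ? 1 : 0
        next
    }
    /^  [a-z-]+:/ {                             # "  key: value value ..." line
        key = $1; sub(/:$/, "", key)
        val = $0; sub(/^  [a-z-]+: ?/, "", val)
        if (key == "services") services[zone] = val
        if (key == "ports")    ports[zone]    = val
        if (key == "sources")  sources[zone]  = val
        if (key == "target")   target[zone]   = val
    }
    END {
        for (z in active) {
            if (!active[z]) continue           # inactive zones filter nothing
            # 1. cleartext management protocols exposed
            n = split(services[z], svc, " ")
            for (i = 1; i <= n; i++)
                if (svc[i] == "telnet" || svc[i] == "ftp")
                    print z ": cleartext service " svc[i] " enabled"
            # 2. a single rule opening more than 100 ports
            n = split(ports[z], prt, " ")
            for (i = 1; i <= n; i++) {
                split(prt[i], pp, "/"); split(pp[1], r, "-")
                if (r[2] != "" && r[2] - r[1] > 100)
                    print z ": wide port range " prt[i]
            }
            # 3. ACCEPT target bound to a source network: everything from
            #    that network bypasses filtering
            if (target[z] == "ACCEPT" && sources[z] != "")
                print z ": ACCEPT target with source binding " sources[z]
        }
    }'
}

if [ "${1:-}" = "--live" ]; then
    sudo firewall-cmd --list-all-zones | audit_zones
else
    printf '%s\n' "$SAMPLE_ZONES" | audit_zones
fi
```

Run with --live on the host, or feed it the firewall-audit.txt file produced above (audit_zones < firewall-audit.txt). The dmz zone in the sample opens every TCP port but is not bound to any interface or source, so it is reported as nothing; binding it later would be the moment those findings become real.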

Create backup configurations before making significant changes:

sudo tar -czf firewall-backup-$(date +%Y%m%d).tar.gz /etc/firewalld/

Maintenance and Monitoring

Establish routine maintenance procedures for optimal firewall performance. Monitor firewall logs regularly to identify potential security threats:

sudo journalctl -u firewalld --since "1 hour ago"

Update firewall rules as application requirements change. Document all firewall modifications for future reference and troubleshooting.

Consider performance implications when implementing complex rule sets, especially on high-traffic servers. Test firewall changes in development environments before applying them to production systems.

Troubleshooting Common Issues

When FirewallD doesn’t start properly, check for conflicting services:

sudo systemctl status iptables
sudo systemctl disable iptables

If services fail to load after configuration changes, verify syntax in configuration files:

sudo firewall-cmd --check-config

For connectivity issues, temporarily disable FirewallD to isolate problems:

sudo systemctl stop firewalld

Remember to restart FirewallD after troubleshooting:

sudo systemctl start firewalld

Congratulations! You have successfully installed FirewallD. Thanks for using this tutorial for installing the FirewallD firewall management tool on your AlmaLinux OS 10 system. For additional help or useful information, we recommend you check the official AlmaLinux website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.