How To Install FirewallD on Fedora 43

Securing your Fedora 43 system starts with implementing proper firewall protection. FirewallD provides dynamic firewall management capabilities that protect your server from unauthorized access while allowing legitimate traffic to flow freely. Unlike traditional firewall solutions that require complete service restarts for configuration changes, FirewallD enables real-time rule modifications without disrupting active connections.
This comprehensive guide walks you through the complete installation and configuration process for FirewallD on Fedora 43. You’ll learn how to install the firewall daemon, configure essential security rules, manage zones effectively, and troubleshoot common issues. Whether you’re setting up a web server, mail server, or general-purpose Linux system, mastering FirewallD is fundamental to maintaining a secure environment.
The zone-based architecture of FirewallD simplifies network security management by allowing different trust levels for various network interfaces and connections. By the end of this tutorial, you’ll have a fully functional firewall protecting your Fedora system with customized rules tailored to your specific requirements.
What is FirewallD?
Overview and Key Features
FirewallD is a dynamic firewall management tool that provides a D-Bus interface for managing firewall rules on Linux systems. The daemon creates a bridge between low-level iptables/nftables functionality and user-friendly zone-based configuration. This architecture allows administrators to implement sophisticated firewall policies without mastering complex iptables syntax.
The zone-based model represents one of FirewallD’s most powerful features. Each zone defines a trust level and associated rules that can be applied to network interfaces or connection sources. The firewall supports both IPv4 and IPv6 protocols natively, ensuring comprehensive network protection across modern networking standards.
FirewallD distinguishes between runtime and permanent configurations. Runtime changes take effect immediately but disappear after a system reboot, while permanent configurations persist across restarts. This dual-mode system provides flexibility for testing rules before committing them permanently.
Why Choose FirewallD for Fedora 43?
Fedora has adopted FirewallD as its default firewall solution since Fedora 18, making it the natural choice for system administrators working with Fedora 43. The tight integration with systemd ensures smooth service management and reliable startup behavior.
The dynamic nature of FirewallD eliminates the need for service restarts when modifying firewall rules. This capability proves invaluable in production environments where connection interruptions could disrupt critical services. Traditional iptables configurations required flushing all rules and reloading the entire ruleset, potentially dropping active connections.
FirewallD’s command-line interface offers intuitive syntax that accelerates the learning curve for new administrators. The firewall-cmd utility provides clear, self-documenting options that make common tasks straightforward. For administrators migrating from iptables, FirewallD maintains compatibility while offering enhanced functionality.
Prerequisites
Before beginning the FirewallD installation process, ensure your system meets the following requirements. A Fedora 43 installation—either a fresh setup or an existing system—provides the foundation for this tutorial.
Root privileges or sudo access are essential for installing packages and modifying system-level firewall configurations. Standard user accounts lack the necessary permissions to manage firewall rules or system services. Verify your account has sudo privileges by running sudo -v in the terminal.
Basic familiarity with command-line operations will help you follow along efficiently. You should understand how to execute commands, interpret output messages, and navigate the terminal interface. Terminal access can be obtained through direct console access or SSH connections to remote servers.
An active internet connection is required for downloading FirewallD packages from Fedora repositories. If you’re working with a server behind a corporate firewall, ensure DNF can reach Fedora’s package mirrors. While not strictly required, a foundational understanding of networking concepts like TCP/UDP protocols, port numbers, and IP addressing will enhance your comprehension of firewall rules.
Step 1: Verify System and Check Existing FirewallD Installation
Update System Packages
Starting with a fully updated system ensures compatibility and security. Open your terminal and execute the system update command:
sudo dnf update
This command connects to Fedora repositories, checks for available updates, and prompts you to confirm the installation. Enter ‘y’ when prompted to proceed with the updates. The update process may take several minutes depending on the number of packages requiring updates and your internet connection speed.
System updates patch security vulnerabilities, fix bugs, and ensure all dependencies are current. Keeping your Fedora 43 installation up to date creates a stable foundation for FirewallD installation and reduces potential conflicts.
Check if FirewallD is Already Installed
Fedora distributions typically include FirewallD by default as part of the base system installation. Verify whether FirewallD is already present on your system:
firewall-cmd --version
If FirewallD is installed, this command displays the version number, such as 0.9.11 or newer. The absence of a version number or a “command not found” error indicates FirewallD needs to be installed.
You can also check package installation status using DNF:
dnf list installed firewalld
This command queries the package database and displays installation details if the firewalld package is present on your system. Take note of the current status before proceeding to the next step.
Step 2: Install FirewallD Package
Installation Command
If FirewallD is not already installed, use the DNF package manager to install it from Fedora’s official repositories:
sudo dnf install firewalld -y
The dnf install command retrieves the firewalld package and its dependencies from configured repositories. The -y flag automatically answers “yes” to installation prompts, streamlining the process. Without this flag, DNF will ask for confirmation before proceeding.
During installation, DNF resolves package dependencies automatically. FirewallD requires several supporting packages including firewall-config (GUI tool), python3-firewall, and associated libraries. The package manager handles all dependency resolution transparently.
The installation process typically completes within 30-60 seconds on systems with reasonable internet connectivity. Watch for the “Complete!” message that indicates successful installation. If errors occur, they usually relate to repository connectivity or package conflicts.
Verify Successful Installation
Confirm the installation succeeded by checking the FirewallD version again:
firewall-cmd --version
A version number confirms successful installation. For additional verification, query detailed package information:
dnf info firewalld
This command displays comprehensive package details including version, release, architecture, installation size, and repository source. The “Installed Packages” section confirms FirewallD is now part of your system.
Fedora 43 typically includes recent FirewallD versions that incorporate the latest features and security enhancements. Version information helps when troubleshooting issues or researching feature availability in documentation.
Step 3: Start and Enable FirewallD Service
Start the FirewallD Service
With FirewallD installed, activate the daemon using systemd service management:
sudo systemctl start firewalld
The systemctl start command initializes the FirewallD daemon and applies default firewall rules. Systemd manages the process lifecycle, ensuring proper startup sequencing and resource allocation.
Successful execution produces no output—the command simply returns you to the shell prompt. This silent success is standard Unix behavior. If errors occur during startup, systemd displays diagnostic messages indicating the problem.
Enable FirewallD at Boot
Starting the service manually only keeps FirewallD active until the next reboot. Configure automatic startup at system boot:
sudo systemctl enable firewalld
The enable command creates symbolic links in systemd’s configuration that trigger FirewallD startup during the boot sequence. This ensures your firewall protection persists across system restarts, preventing security gaps when servers reboot for maintenance or updates.
For convenience, you can combine both operations in a single command:
sudo systemctl enable firewalld --now
The --now flag tells systemd to both enable the service for future boots and start it immediately.
Verify Service Status
Confirm FirewallD is running correctly by checking its service status:
sudo systemctl status firewalld
This command displays detailed service information including active state, process ID, memory usage, and recent log entries. Look for “active (running)” in green text, which indicates the daemon is functioning properly. The “enabled” status confirms automatic startup is configured.
Alternatively, use FirewallD’s built-in status command:
sudo firewall-cmd --state
This command returns either “running” or “not running” as a simple status indicator. The streamlined output is useful for shell scripts and automation workflows.
Step 4: Understanding FirewallD Zones
What Are Zones?
Zones form the cornerstone of FirewallD’s configuration model. Each zone represents a trust level and contains rules defining which services, ports, and protocols are permitted. This abstraction layer simplifies firewall management by grouping rules logically rather than managing individual iptables chains.
Think of zones as security profiles applicable to different network environments. Your laptop might use a restrictive zone on public WiFi but a more permissive zone on your trusted home network. FirewallD allows dynamic zone switching as network contexts change.
Zones apply to network interfaces, connection sources, or both. When traffic arrives, FirewallD evaluates which zone governs that particular connection and applies the corresponding rules. This flexibility accommodates complex network topologies with multiple interfaces and security requirements.
List Available Zones
FirewallD includes several predefined zones optimized for common scenarios:
sudo firewall-cmd --get-zones
This command lists all available zones: block, dmz, drop, external, home, internal, public, trusted, and work. Each zone implements different trust assumptions:
- drop: Most restrictive; drops all incoming connections without response
- block: Rejects incoming connections with an ICMP message
- public: Default zone for untrusted public networks; allows selected services
- external: For external-facing interfaces with NAT masquerading
- dmz: For demilitarized zone systems with limited public access
- work: For work environments with trusted peers
- home: For home networks where you trust most devices
- internal: For internal network segments
- trusted: Accepts all network connections
Check Default and Active Zones
Determine which zone FirewallD currently uses as the default:
sudo firewall-cmd --get-default-zone
Fedora typically sets “public” as the default zone, providing a balanced security posture for servers and workstations. The default zone applies to network interfaces without explicit zone assignments.
View which zones are actively protecting network interfaces:
sudo firewall-cmd --get-active-zones
This command displays active zones and their associated network interfaces. On a fresh installation with one network interface, you’ll typically see the public zone assigned to your primary interface like enp0s3 or eth0.
Step 5: Configure Basic FirewallD Rules
View Current Zone Configuration
Before making changes, examine the current configuration of your default zone:
sudo firewall-cmd --list-all
The output displays comprehensive zone information including target policy, interfaces, services, ports, protocols, and special rules. Understanding the baseline configuration helps you make informed decisions about necessary modifications.
You can also check specific zones by adding the --zone parameter:
sudo firewall-cmd --zone=public --list-all
This command shows configuration details for the specified zone regardless of whether it’s currently active.
Allow Services Through Firewall
FirewallD includes predefined service definitions for common network applications. These definitions abstract away port numbers and protocols, making rule management more intuitive:
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
These commands allow HTTP (port 80) and HTTPS (port 443) traffic, essential for web servers. The --permanent flag saves these rules to the permanent configuration so they persist after reboot.
List all available predefined services:
sudo firewall-cmd --get-services
The extensive list includes services like SSH, FTP, DNS, SMTP, MySQL, PostgreSQL, and hundreds more. Using service names instead of port numbers improves configuration readability and reduces errors.
For SSH access, ensure the ssh service is enabled to maintain remote connectivity:
sudo firewall-cmd --add-service=ssh --permanent
Accidentally blocking SSH on remote servers can lock you out, requiring console access to recover.
Allow Specific Ports
When services lack predefined definitions, specify ports and protocols directly:
sudo firewall-cmd --add-port=8080/tcp --permanent
This rule allows TCP connections on port 8080, commonly used for alternative HTTP servers or application servers. Always specify the protocol (tcp or udp) to avoid ambiguity.
Allow port ranges efficiently:
sudo firewall-cmd --add-port=10000-10100/tcp --permanent
This syntax opens all ports between 10000 and 10100 for TCP traffic.
Remove ports when no longer needed:
sudo firewall-cmd --remove-port=8080/tcp --permanent
Regularly auditing and removing unused rules maintains a minimal attack surface.
Reload FirewallD to Apply Changes
Permanent configuration changes don’t take effect until you reload the firewall:
sudo firewall-cmd --reload
The reload operation applies permanent rules to the runtime configuration without dropping existing connections. This graceful reload distinguishes FirewallD from traditional iptables management.
Verify changes took effect:
sudo firewall-cmd --list-all
Confirm your newly added services and ports appear in the output.
Step 6: Advanced FirewallD Configuration
Set Custom Default Zone
Modify the default zone to match your security requirements:
sudo firewall-cmd --set-default-zone=home
This command changes the default zone to “home,” which trusts more services by default. Choose zones appropriate for your deployment environment—public for internet-facing servers, home or internal for private networks.
The default zone change takes effect immediately and persists across reboots. All interfaces without explicit zone assignments inherit the new default zone.
Assign Zone to Specific Interface
Systems with multiple network interfaces often require different security policies per interface. Assign specific zones to individual interfaces:
sudo firewall-cmd --zone=public --add-interface=eth0 --permanent
This configuration binds the eth0 interface to the public zone. First identify your network interfaces:
ip addr show
This command lists all network interfaces with their names, IP addresses, and status. Common interface names include eth0, enp0s3, wlan0, or ens33 depending on your hardware and naming scheme.
For servers with separate internal and external network interfaces, apply appropriate zones to each:
sudo firewall-cmd --zone=public --add-interface=eth0 --permanent
sudo firewall-cmd --zone=internal --add-interface=eth1 --permanent
sudo firewall-cmd --reload
This configuration restricts external-facing traffic while allowing more permissive rules for internal communications.
Create Rich Rules for Advanced Control
Rich rules provide granular control beyond simple service and port allowances. Allow connections from specific IP addresses:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept' --permanent
This rule accepts all traffic from the specified IP address regardless of port or service. Rich rules support complex conditions and actions including logging, limiting, and forwarding.
Allow SSH only from a trusted subnet:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept' --permanent
Limit connection rates to prevent abuse:
sudo firewall-cmd --add-rich-rule='rule service name="http" limit value="100/m" accept' --permanent
This rule limits HTTP connections to 100 per minute, providing basic DDoS protection.
Log and then drop packets that no earlier rule in the zone accepted. The priority places this catch-all after the zone’s allow rules; a rich drop rule without one is evaluated before every service and port allowance and would block all IPv4 traffic, SSH included:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" priority="32767" log prefix="Dropped: " drop' --permanent
Rich rules unlock sophisticated firewall behaviors while maintaining FirewallD’s user-friendly management interface.
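Rich rules are plain strings, so a mistyped address or a rule evaluated in the wrong position fails quietly or, worse, blocks everything. The helper below is an added example, not code from the tutorial: it validates an IPv4 address or CIDR before building rule text, emits the rules from this step in the element order given in firewalld.richlanguage(5), and encodes two caveats a practitioner wants. First, a source-restricted ssh rule restricts nothing while the zone-wide ssh service is still allowed, so the helper removes that service in the same plan. Second, a log-and-drop catch-all needs priority="32767", the lowest rich-rule priority, so it is evaluated after the zone’s allow rules instead of in the deny set ahead of them. The zone name and addresses in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build rich rules safely.
# DRY_RUN=1 prints quoted firewall-cmd invocations instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        local out="" a
        for a in "$@"; do
            case $a in
                *[!A-Za-z0-9_./:=-]*) out="$out '$a'" ;;   # quote args with spaces/quotes
                *) out="$out $a" ;;
            esac
        done
        printf '%s\n' "${out# }"
    else
        "$@"
    fi
}

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    local addr="${1%/*}" prefix="${1#*/}" octet
    if [ "$prefix" = "$1" ]; then prefix=32; fi
    expr "x$prefix" : 'x[0-9][0-9]*$' >/dev/null || return 1
    [ "$prefix" -le 32 ] || return 1
    expr "x$addr" : 'x[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' >/dev/null || return 1
    for octet in $(printf '%s' "$addr" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rule text allowing SERVICE only from CIDR (family is required with an address).
rich_rule_allow_from() {
    valid_ipv4_cidr "$1" || { echo "invalid IPv4 address/CIDR: $1" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" service name="%s" accept\n' "$1" "$2"
}

# Rate-limited accept for a service; the limit attaches to the action it follows.
rich_rule_rate_limit() {
    printf 'rule service name="%s" accept limit value="%s"\n' "$1" "$2"
}

# Catch-all that logs and drops whatever no earlier rule accepted.
# priority="32767" runs it after the zone's service/port allowances; without
# it the drop lands in the deny set ahead of every allowance and blocks all IPv4.
rich_rule_log_unmatched() {
    printf 'rule family="ipv4" priority="32767" log prefix="%s" limit value="%s" drop\n' "$1" "$2"
}

# Restrict SERVICE in ZONE to CIDR. The zone-wide service allowance must go,
# otherwise the source-restricted rule changes nothing.
restrict_service_to_subnet() {
    local zone="$1" cidr="$2" service="$3" rule
    rule=$(rich_rule_allow_from "$cidr" "$service") || return 1
    run sudo firewall-cmd --permanent --zone="$zone" --remove-service="$service"
    run sudo firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    run sudo firewall-cmd --reload
}

# Demo plan (zone and subnet are assumptions).
if [ "${1:-}" = "--plan" ]; then
    export DRY_RUN=1
    restrict_service_to_subnet public 10.0.0.0/8 ssh
    run sudo firewall-cmd --permanent --zone=public --add-rich-rule="$(rich_rule_log_unmatched 'Dropped: ' 5/m)"
fi
```

The dry-run output single-quotes the rich-rule argument so each printed line can be pasted back into a shell unchanged.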
Step 7: Verify FirewallD Configuration
Check Firewall Status
Regularly verify your firewall remains active and properly configured:
sudo firewall-cmd --state
The “running” response confirms the daemon is active and protecting your system. Incorporate this check into monitoring scripts or post-maintenance verification procedures.
Query specific configuration elements:
sudo firewall-cmd --list-services
sudo firewall-cmd --list-ports
These commands display currently allowed services and ports respectively, providing quick configuration snapshots.
Test Port Connectivity
Verify services are accessible through the firewall using local testing tools. Check listening ports and services:
sudo ss -tlnp
The ss command (socket statistics) displays active listening ports and associated processes. Confirm your services appear in this list before testing external connectivity.
From another system, test specific port accessibility:
telnet your-server-ip 80
Successful connections indicate the firewall allows traffic on the specified port. Connection refusals suggest firewall rules are blocking access.
Online port checking services provide external perspective, useful for diagnosing connectivity issues through complex network paths. Be cautious with online tools—only test ports you control and avoid sharing sensitive system information.
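Reading --list-all by eye is fine for one host; for a post-maintenance check it helps to assert on it. The script below is an added example, not part of the tutorial: it audits the text that firewall-cmd --list-all prints for three things that most often go wrong after a change (ssh missing from the zone, a zone target of ACCEPT, and a port range far wider than intended) and exits non-zero when it finds any. The listing embedded in it is a constructed sample in the layout of that command’s output, not a capture from a real host; on a live system pipe the real output in with sudo firewall-cmd --list-all | audit_listing 100.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit `firewall-cmd --list-all`
# output for common misconfigurations. Exit status 1 when any finding is printed.

# Constructed sample in the layout of `firewall-cmd --list-all` (not a real capture).
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https
  ports: 8080/tcp 10000-20000/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the value of one single-word field (target, services, ports, ...) from stdin.
zone_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Number of ports covered by PORT/PROTO or START-END/PROTO.
port_span() {
    local ports="${1%/*}" lo hi
    lo=${ports%-*}
    hi=${ports#*-}
    echo $((hi - lo + 1))
}

# audit_listing [MAX_RANGE] < listing
audit_listing() {
    local max="${1:-100}" listing target services ports p span findings=0
    listing=$(cat)
    target=$(printf '%s\n' "$listing" | zone_field target)
    services=$(printf '%s\n' "$listing" | zone_field services)
    ports=$(printf '%s\n' "$listing" | zone_field ports)
    case " $services " in
        *" ssh "*) ;;
        *) echo "FINDING: ssh service not allowed; new remote sessions will be blocked"
           findings=$((findings + 1)) ;;
    esac
    if [ "$target" = "ACCEPT" ]; then
        echo "FINDING: zone target ACCEPT admits all traffic regardless of services and ports"
        findings=$((findings + 1))
    fi
    for p in $ports; do
        span=$(port_span "$p")
        if [ "$span" -gt "$max" ]; then
            echo "FINDING: port range $p opens $span ports (limit $max)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing 100
fi
```

Pair it with firewall-cmd --state in a post-maintenance script: --state tells you the daemon is up, the audit tells you the zone still looks the way you meant it to.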
Managing FirewallD: Essential Commands Reference
Mastering key management commands streamlines daily firewall administration. List all zones with full details:
sudo firewall-cmd --list-all-zones
This comprehensive output shows configuration for every zone, helpful for auditing and documentation.
Remove services when no longer needed:
sudo firewall-cmd --remove-service=http --permanent
Similarly, remove ports:
sudo firewall-cmd --remove-port=8080/tcp --permanent
Always reload after making permanent changes.
FirewallD stores configuration in /etc/firewalld/. Back up this directory to preserve custom configurations:
sudo tar -czf firewalld-backup.tar.gz /etc/firewalld/
This backup captures zone definitions, service customizations, and rich rules.
Reset to default configuration when necessary:
sudo firewall-cmd --complete-reload
This command reloads from saved configuration files, discarding runtime-only changes. Use cautiously as it drops all temporary rules.
Temporarily disable the firewall for troubleshooting:
sudo systemctl stop firewalld
Remember to restart when testing completes to restore protection.
Add trusted IP address ranges:
sudo firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent
This rule trusts all traffic from the specified subnet.
Query panic mode status (emergency traffic block):
sudo firewall-cmd --query-panic
Enable panic mode to immediately block all incoming and outgoing traffic during security incidents.
Troubleshooting Common Issues
FirewallD Won’t Start
Service startup failures typically stem from configuration errors or conflicting services. Examine systemd logs for diagnostic information:
sudo journalctl -u firewalld -n 50
This command displays the last 50 log entries for the firewalld service. Look for error messages indicating configuration syntax problems or missing dependencies.
A conflict with the legacy iptables service is a common cause of startup failures. Ensure the iptables service is disabled:
sudo systemctl disable iptables
sudo systemctl stop iptables
sudo systemctl start firewalld
FirewallD and iptables services cannot run simultaneously—choose one firewall management approach.
Configuration file corruption occasionally prevents startup. Rename problematic configuration files and restart:
sudo mv /etc/firewalld/firewalld.conf /etc/firewalld/firewalld.conf.backup
sudo systemctl start firewalld
FirewallD recreates default configuration files if they’re missing.
Rules Not Applying
The most frequent mistake involves forgetting to reload after making permanent changes. Runtime and permanent configurations exist independently:
sudo firewall-cmd --reload
Always reload to synchronize permanent rules to active runtime configuration.
Verify rule syntax carefully. Missing quotes, incorrect protocol specifications, or typos prevent rules from applying:
sudo firewall-cmd --list-all
Compare intended rules against actual configuration.
Check zone assignments for your network interfaces. Rules apply only to traffic entering through interfaces assigned to the relevant zone:
sudo firewall-cmd --get-active-zones
Ensure interfaces are bound to expected zones.
Connection Issues After Installation
Overly restrictive default configurations sometimes block essential services. If you lose SSH access to a remote server, recovery requires console access through your hosting provider’s control panel or KVM connection.
Prevent SSH lockout by explicitly allowing SSH before applying restrictive rules:
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
Never close your existing SSH session until you’ve verified new sessions can connect successfully.
For emergency access recovery, boot into rescue mode or single-user mode to disable the firewall temporarily:
sudo systemctl stop firewalld
Then adjust rules appropriately before re-enabling protection.
Security Best Practices
Follow Principle of Least Privilege
Configure firewalls to deny everything by default, explicitly allowing only required services. Avoid opening broad port ranges when specific ports suffice. Review firewall rules quarterly, removing services and ports no longer needed.
Restrict source IP addresses whenever possible. If administrative access originates from known networks, limit SSH to those addresses:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" service name="ssh" accept' --permanent
This approach significantly reduces attack surface.
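Both the lockout advice in the troubleshooting section and the source-restricted ssh rule above come down to one question: is the address you are connecting from inside the range you are about to allow? The added example below (not the tutorial’s own code) answers that before anything changes, then applies the restriction in two phases: first as a runtime-only rule with --timeout, so it undoes itself unless you come back to commit it, and only after a fresh session has connected, permanently. --timeout is an existing firewall-cmd option for runtime additions; the rule uses source NOT address="..." with reject so that it narrows the zone-wide ssh allowance without removing it. The client address is read from SSH_CONNECTION, the zone name and CIDR in the tests are assumptions, and addresses are assumed to be well-formed IPv4 dotted quads.

```shell
#!/bin/sh
# Added example (not from the original tutorial): restrict ssh to an admin
# subnet without locking yourself out. DRY_RUN=1 prints the firewall-cmd
# invocations instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Dotted quad -> 32-bit integer (input assumed to be a well-formed IPv4 address).
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS NETWORK/PREFIX -> exit 0 when ADDRESS lies inside the range.
in_cidr() {
    local net="${2%/*}" bits="${2#*/}" mask
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Address the current SSH session came from; empty on a local console.
ssh_client_address() {
    local conn="${SSH_CONNECTION:-}"
    printf '%s\n' "${conn%% *}"
}

# Rich rule rejecting ssh from everywhere except CIDR. As a reject rule it is
# evaluated before the zone's ssh service allowance, so it narrows that allowance.
ssh_restrict_rule() {
    printf 'rule family="ipv4" source NOT address="%s" service name="ssh" reject\n' "$1"
}

# Phase 1: runtime-only rule that expires after TIMEOUT unless committed.
# Refused outright if this very session would be cut off by it.
stage_ssh_restriction() {
    local zone="$1" cidr="$2" timeout="${3:-10m}" client
    client=$(ssh_client_address)
    case $client in
        *:*) echo "refusing: IPv6 client $client; this helper only handles IPv4" >&2; return 1 ;;
    esac
    if [ -n "$client" ] && ! in_cidr "$client" "$cidr"; then
        echo "refusing: this session comes from $client, outside $cidr" >&2
        return 1
    fi
    run sudo firewall-cmd --zone="$zone" --add-rich-rule="$(ssh_restrict_rule "$cidr")" --timeout="$timeout"
}

# Phase 2: run only after a NEW session from inside CIDR has connected.
commit_ssh_restriction() {
    local zone="$1" cidr="$2"
    run sudo firewall-cmd --permanent --zone="$zone" --add-rich-rule="$(ssh_restrict_rule "$cidr")"
    run sudo firewall-cmd --reload
}
```

If you never get around to commit_ssh_restriction, the staged rule simply expires and ssh is back to the zone’s previous behaviour, which is the failure mode you want while testing from a remote session.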
Document all firewall changes including date, administrator, and business justification. Documentation aids troubleshooting and security audits.
Keep FirewallD Updated
Security vulnerabilities occasionally affect FirewallD like any software. Apply system updates regularly:
sudo dnf update firewalld
Subscribe to Fedora security announcements through the fedora-announce mailing list to receive timely vulnerability notifications. Enable automatic security updates for critical systems:
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer
This configuration applies security patches automatically, reducing vulnerability windows.
Implement Logging and Monitoring
Enable logging to detect attack patterns and troubleshoot connectivity issues. Log dropped packets with a rich rule that is evaluated after the zone’s allow rules (priority="32767"), so it only sees traffic nothing else accepted:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" priority="32767" log prefix="DROP: " limit value="5/m" drop' --permanent
The rate limit attaches to the log element and prevents log flooding during attacks.
Monitor firewall logs regularly:
sudo journalctl -u firewalld -f
This command follows log entries in real-time, useful during troubleshooting.
Integrate FirewallD logs with centralized logging systems like rsyslog or systemd-journal-remote for comprehensive security monitoring. Forward logs to SIEM platforms for correlation with other security events.
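One detail to keep in mind when you go looking for the entries: the log prefix in a rich rule is written by the kernel’s netfilter logging, so those lines appear in the kernel log (sudo journalctl -k -f, or dmesg), not in the firewalld unit’s own journal that journalctl -u firewalld shows. The same applies to traffic logged with firewall-cmd --set-log-denied=all, which logs denied packets without any rich rule. Raw LOG lines are tedious to read, so the added example below (not part of the tutorial) reduces them to counts per source address and per source, destination port and protocol. The log lines embedded in it are constructed samples using RFC 5737 documentation addresses; on a real host feed the journal in instead, for example sudo journalctl -k --since today | drops_by_source.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarize netfilter LOG lines
# produced by a rich rule with prefix "DROP: ". Input is read from stdin.

# Constructed sample lines in kernel LOG format (RFC 5737 addresses, not real traffic).
SAMPLE_KLOG='Nov 02 10:15:01 fedora kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 02 10:15:03 fedora kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 02 10:15:09 fedora kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41240 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 02 10:16:30 fedora kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.55 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=115 ID=0 DF PROTO=TCP SPT=50112 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 02 10:17:12 fedora kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.200 DST=203.0.113.10 LEN=72 TOS=0x00 PREC=0x00 TTL=60 ID=1234 PROTO=UDP SPT=49001 DPT=161 LEN=52
Nov 02 10:17:13 fedora kernel: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# Dropped packets per source address: "count address", most frequent first.
drops_by_source() {
    awk '/DROP: / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) c[substr($i, 5)]++
         }
         END { for (s in c) print c[s], s }' | sort -k1,1nr -k2,2
}

# Dropped packets per source, destination port and protocol, most frequent first.
summarize_drops() {
    awk '/DROP: / {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") c[src " " dpt " " proto]++
         }
         END { for (k in c) print c[k], k }' | sort -k1,1nr -k2,2 -k3,3n
}

# Address with the most dropped packets; prints nothing when no DROP lines exist.
top_drop_source() {
    drops_by_source | awk 'NR == 1 { print $2 }'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KLOG" | summarize_drops
fi
```

The per-source view is what you forward to a SIEM or graph over time; the per-port view tells you whether a noisy source is scanning (many ports, one packet each) or hammering one service.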
Congratulations! You have successfully installed FirewallD. Thanks for using this tutorial to install and configure FirewallD on a Fedora 43 Linux system. For additional help or useful information, we recommend you check the Fedora website.