
How To Install FirewallD on Rocky Linux 10

Install FirewallD on Rocky Linux 10

In this tutorial, we will show you how to install FirewallD on Rocky Linux 10. Securing your Rocky Linux 10 server starts with implementing a robust firewall solution. FirewallD serves as the default dynamic firewall management tool for Rocky Linux, providing administrators with powerful capabilities to control network traffic and protect system resources. This comprehensive guide walks you through the complete installation and configuration process, ensuring your server maintains optimal security while remaining accessible for legitimate traffic.

Rocky Linux 10 users benefit from FirewallD’s zone-based approach to network security, which simplifies complex firewall rules and provides flexible management options. Whether you’re managing a web server, database system, or multi-service environment, understanding FirewallD installation and configuration is essential for maintaining enterprise-level security standards.

Understanding FirewallD Fundamentals

What is FirewallD?

FirewallD is a dynamic firewall daemon that sits in front of the kernel’s netfilter subsystem and exposes its configuration through a D-Bus API. Unlike a static iptables script, which has to flush and reload the entire rule set to change anything, FirewallD applies individual changes at runtime without dropping established connections or restarting the service.

The framework serves as a sophisticated frontend to the kernel’s netfilter subsystem, specifically designed to work with nftables in modern Linux distributions. FirewallD abstracts complex low-level firewall rules into manageable zones and services, making network security configuration more intuitive for system administrators. The tool supports both IPv4 and IPv6 protocols natively, ensuring comprehensive network protection across different addressing schemes.

Rocky Linux 10 ships with FirewallD as the preferred firewall solution due to its integration capabilities with systemd and NetworkManager. The daemon automatically adapts to network interface changes, maintains persistent configurations across reboots, and provides both command-line and graphical management interfaces.

Key Features and Benefits

FirewallD’s zone-based management system represents its most distinctive feature. Zones define trust levels for network connections, allowing administrators to apply different security policies based on network location or interface type. This approach simplifies complex network environments where different interfaces require varying security levels.

The runtime versus permanent configuration model provides exceptional flexibility for testing and deployment scenarios. Administrators can implement temporary rules for immediate testing, then apply permanent configurations once validated. This dual-mode operation prevents accidental lockouts while ensuring configurations persist across system reboots.

Dynamic rule management eliminates the need for complete firewall restarts when modifying configurations. Traditional iptables implementations required flushing and reloading entire rule sets, potentially causing brief network interruptions. FirewallD updates individual rules in real-time, maintaining continuous network protection during configuration changes.

Integration with NetworkManager ensures automatic firewall policy application when network interfaces change state. This feature proves particularly valuable for laptops and mobile devices that frequently connect to different networks, as FirewallD automatically applies appropriate zone policies based on network detection.

Prerequisites and System Requirements

Before installing FirewallD on Rocky Linux 10, verify your system meets the necessary requirements and prepare your environment for safe firewall configuration. Rocky Linux 10 itself has modest hardware requirements and FirewallD adds negligible overhead on most systems; the real preparation is about privileges, access and recovery.

Administrative privileges are essential for firewall installation and configuration. Ensure your user account has sudo access or direct root privileges. Most firewall operations require elevated permissions due to their system-level nature and security implications.

Network connectivity planning prevents accidental lockouts during firewall configuration. If you’re managing a remote server via SSH, document your current SSH configuration and ensure you understand recovery procedures. Consider establishing multiple access methods or console access before implementing restrictive firewall policies.

Create system backups before making significant firewall changes. While FirewallD provides rollback capabilities, maintaining complete system backups ensures recovery options in worst-case scenarios. Document your current network configuration, including active services, open ports, and existing security policies.

Step-by-Step FirewallD Installation Process

Checking Current Firewall Status

Begin by examining your Rocky Linux 10 system’s current firewall configuration. Multiple firewall solutions can conflict with each other, potentially causing unpredictable network behavior or security vulnerabilities.

Execute the following command to check FirewallD’s current status:

sudo systemctl status firewalld

This command reveals whether FirewallD is already installed, running, or configured for automatic startup. If the service doesn’t exist, you’ll see an error message indicating the need for installation.

Verify no conflicting packet-filter services are active. On Rocky Linux the candidates are the legacy iptables-services units and the standalone nftables service (ufw is not shipped in the Rocky repositories):

sudo systemctl status iptables
sudo systemctl status ip6tables
sudo systemctl status nftables

Disable any active conflicting services before proceeding with FirewallD installation. FirewallD uses nftables as its backend on Rocky Linux 10, and a separately managed nftables or iptables rule set loaded alongside it produces rule conflicts and unpredictable network behavior.

Check which services are currently listening and which process owns each socket:

sudo ss -tulnp

The -p flag requires root and shows the owning process. The older netstat -tuln command gives similar output but is not installed by default on Rocky Linux 10 (it lives in the net-tools package). Document the listening services and ports; this information determines which rules FirewallD needs so that legitimate services stay reachable.

Installing FirewallD Package

Rocky Linux 10 ships FirewallD in the BaseOS repository and in the default server installation, so on many systems dnf will report that the package is already installed. The commands below are still worth running on minimal, cloud or container images where it may be absent. The package contains the core daemon, the command-line tools, and the default zone and service definitions.

Update your system package database before installation:

sudo dnf update -y

Install FirewallD using the following command:

sudo dnf install firewalld -y

The package manager automatically resolves dependencies and installs required components. FirewallD installation typically includes the following components:

  • firewalld daemon
  • firewall-cmd command-line utility
  • Default zone and service configuration files
  • systemd service files

Verify successful installation by checking the installed package version:

rpm -qi firewalld

This command displays detailed package information, including version numbers, installation date, and description. Successful installation enables the next configuration phase.

Install optional GUI management tools if you prefer graphical interfaces:

sudo dnf install firewall-config -y

The firewall-config package provides a GTK-based graphical interface for FirewallD management, particularly useful for desktop environments or remote GUI sessions.

Enabling and Starting FirewallD Service

After successful installation, configure FirewallD for automatic startup and immediate activation. The systemd unit ensures FirewallD starts early during boot, before network interfaces come up, so the system is never briefly unprotected.

Enable and start FirewallD simultaneously:

sudo systemctl enable --now firewalld

This command combines enabling the service for automatic startup and starting it immediately. The --now flag eliminates the need for separate enable and start commands.

Verify FirewallD is running and active:

sudo systemctl status firewalld

Look for “active (running)” status and “enabled” state in the output. These indicators confirm successful service activation and automatic startup configuration.

Test FirewallD’s operational status using its built-in state command:

sudo firewall-cmd --state

This command should return “running” if FirewallD is properly operational. Any other response indicates configuration issues requiring troubleshooting.

Confirm that the unit is enabled for boot:

sudo systemctl is-enabled firewalld

This verification command should return “enabled”. If it returns “disabled”, enable the unit separately:

sudo systemctl enable firewalld

Basic FirewallD Configuration and Management

Essential Command-Line Tools

The firewall-cmd utility serves as FirewallD’s primary command-line interface, providing comprehensive access to all firewall management functions. Understanding its syntax and common parameters enables efficient firewall administration and troubleshooting.

Basic firewall-cmd syntax follows this pattern:

firewall-cmd [--permanent] [--zone=ZONE] ACTION

The --permanent flag distinguishes between runtime and persistent configurations. Runtime changes take effect immediately but don’t survive a reload or reboot. Permanent changes are written to /etc/firewalld and only become active after an explicit reload, but they persist across reboots. The reverse direction also exists: after testing a change at runtime, firewall-cmd --runtime-to-permanent saves the current runtime state as the permanent configuration.

View current firewall configuration:

sudo firewall-cmd --list-all

This command displays the complete configuration of the default zone, including active services, open ports and rich rules. Add --zone=NAME to inspect another zone. Use this command regularly to verify configuration changes and troubleshoot connectivity issues.

Display available zones and services:

sudo firewall-cmd --get-zones
sudo firewall-cmd --get-services

These commands reveal all available zones and predefined services, helping plan your firewall configuration strategy.

Reload FirewallD configuration to apply permanent changes:

sudo firewall-cmd --reload

Execute this command after making permanent configuration changes to activate them in the runtime environment.

Zone Management Concepts

FirewallD’s zone-based architecture organizes network interfaces and connections into trust levels, each with predefined security policies. Understanding zone concepts is crucial for implementing effective network security strategies.

Rocky Linux 10 includes several predefined zones, ordered here roughly from least to most trusting:

  • drop: Silently discards all incoming traffic; only outgoing connections are possible
  • block: Rejects all incoming traffic with an ICMP error; only outgoing connections are possible
  • public: Default zone for public networks with minimal trust
  • external: For routers with masquerading enabled on the outward-facing interface
  • dmz: Demilitarized zone for publicly accessible services
  • work: Configured for workplace environments
  • home: Suitable for home networks with moderate trust
  • internal: Designed for internal network segments
  • trusted: Allows all network connections

View the current default zone:

sudo firewall-cmd --get-default-zone

Most Rocky Linux 10 installations use “public” as the default zone, providing conservative security settings suitable for internet-connected servers.

List all zones and their configurations:

sudo firewall-cmd --list-all-zones

This command displays comprehensive information about all available zones, including their services, ports, and special configurations.

Assign network interfaces to specific zones:

sudo firewall-cmd --zone=public --change-interface=eth0 --permanent

Replace eth0 with the actual interface name; Rocky Linux 10 uses predictable names such as enp1s0 or ens3, which ip link lists. Interface-to-zone assignments determine which security policies apply to network traffic from specific network adapters. When the interface is managed by NetworkManager (the default on Rocky Linux), the zone is stored in the connection profile and can equally be set with nmcli connection modify CONNECTION connection.zone public.

Set a new default zone:

sudo firewall-cmd --set-default-zone=home

The default zone applies to any interface that is not explicitly assigned to a zone. Note that --set-default-zone changes both the runtime and the permanent configuration at once, so no reload is needed.

Basic Rule Configuration

FirewallD rule configuration involves adding services, ports, and special rules to zones. Start with essential services required for system operation and gradually add additional rules based on specific requirements.

View current zone configuration:

sudo firewall-cmd --zone=public --list-all

Replace “public” with your target zone name to examine specific zone configurations.

Add essential services for server operation. SSH access is typically the first priority:

sudo firewall-cmd --permanent --zone=public --add-service=ssh

This command ensures SSH access remains available through the firewall. Always configure SSH access before implementing restrictive policies to prevent lockouts.

Add multiple services simultaneously:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https

Web server configurations typically require both HTTP and HTTPS services for complete functionality.

Configure custom ports when predefined services don’t meet requirements:

sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp

Port-specific rules provide flexibility for applications using non-standard ports or custom service configurations.

Remove services or ports when no longer needed:

sudo firewall-cmd --permanent --zone=public --remove-service=http
sudo firewall-cmd --permanent --zone=public --remove-port=8080/tcp

Regular rule auditing and cleanup maintains optimal firewall performance and security posture.

Apply permanent changes to runtime configuration:

sudo firewall-cmd --reload

Always reload the configuration after making permanent changes to ensure they take effect immediately.

Configuring Common Services and Ports

Web Server Configuration

Web servers represent the most common service requiring firewall configuration on Rocky Linux 10 systems. Proper HTTP and HTTPS configuration ensures web applications remain accessible while maintaining security standards.

Configure standard web services using predefined service definitions:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https

These commands open ports 80 and 443 respectively, covering standard web traffic requirements for most applications.

For custom web server configurations using non-standard ports, specify port numbers explicitly:

sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp
sudo firewall-cmd --permanent --zone=public --add-port=8443/tcp

Development environments often use alternative ports to avoid conflicts with production services or to run multiple web servers simultaneously.

Modern web applications redirect HTTP traffic to HTTPS, but that redirect is performed by the web server, not the firewall. The firewall only has to admit both ports so the redirect can be served:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https

A rich rule accepting port 80 from source 0.0.0.0/0 would be equivalent to the http service and adds nothing; reserve rich rules for cases that need a source restriction or logging.

Verify web service configuration:

sudo firewall-cmd --zone=public --list-services
sudo firewall-cmd --zone=public --list-ports

These verification commands ensure your web server ports are properly configured and accessible.

Remote Access Services

Remote access configuration requires careful balance between accessibility and security. SSH represents the most critical remote access service for Linux server management.

Secure SSH access configuration:

sudo firewall-cmd --permanent --zone=public --add-service=ssh

The predefined ssh service covers the standard port 22 only. Moving sshd to a non-standard port reduces log noise from scanners but is not a security control on its own; if you do it, open the new port before closing the old one, and keep your current session open until you have confirmed a second session on the new port works:

sudo firewall-cmd --permanent --zone=public --add-port=2222/tcp
sudo firewall-cmd --permanent --zone=public --remove-service=ssh

Update Port in /etc/ssh/sshd_config to match, and because SELinux is enforcing by default on Rocky Linux, allow sshd to bind the new port with semanage port -a -t ssh_port_t -p tcp 2222 (from the policycoreutils-python-utils package) before restarting sshd.

Configure VPN services for secure remote access:

sudo firewall-cmd --permanent --zone=public --add-service=openvpn

The predefined openvpn service already opens 1194/udp, so a separate --add-port=1194/udp is redundant. Only add ports explicitly when the VPN listens on a different port or on TCP, for example:

sudo firewall-cmd --permanent --zone=public --add-port=1194/udp

Other VPN implementations such as WireGuard use their own ports; check the service definition with firewall-cmd --info-service=NAME before assuming it covers your setup.

Remote desktop configuration for graphical access:

sudo firewall-cmd --permanent --zone=public --add-port=3389/tcp  # RDP (xrdp)
sudo firewall-cmd --permanent --zone=public --add-port=5900/tcp  # VNC

FirewallD also ships a predefined vnc-server service covering displays 5900 to 5903. Exposing remote desktop ports to the whole public zone invites brute-force attacks; in practice these ports should be opened only through a source-restricted rich rule (see Rich Rules Implementation below) or reached over the VPN rather than directly.

Apply all remote access configurations:

sudo firewall-cmd --reload

Test remote access functionality immediately after applying firewall changes to ensure continued connectivity.

Advanced FirewallD Features

Rich Rules Implementation

Rich rules provide advanced firewall functionality beyond basic service and port configurations. These rules enable complex traffic filtering based on source addresses, protocols, and logging requirements.

Create source-based access restrictions:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'

This rule accepts SSH only from 192.168.1.0/24. On its own it does not restrict anything: if the ssh service is also enabled at the zone level, port 22 remains open to every source. To actually limit administrative access, remove the zone-level service (firewall-cmd --permanent --zone=public --remove-service=ssh) and rely on the rich rule, and keep a session open while you test.

Add logging to a rule for audit purposes (FirewallD rich rules have no time-of-day condition; scheduling has to be done externally, for example with a systemd timer that toggles a rule):

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="http" log prefix="HTTP Access" level="info" accept'

Logged rich rules write one kernel log line per matching new connection, tagged with the given prefix, which provides an audit trail for security monitoring and compliance requirements. Add limit value="RATE/m" to the log clause on busy services so an attacker cannot flood the journal.

Configure port forwarding for service redirection:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" forward-port port="80" protocol="tcp" to-port="8080"'

This redirects inbound port 80 to port 8080 on the same host, which lets an application listen on an unprivileged port without changing its configuration. The shorthand --add-forward-port=port=80:proto=tcp:toport=8080 does the same thing. Forwarding to another host (to-addr) additionally requires masquerading on the zone.

GUI Management Options

Graphical interfaces simplify FirewallD management for administrators preferring visual tools over command-line interfaces.

Install the desktop firewall configuration tool:

sudo dnf install firewall-config -y

Launch the graphical interface from a desktop session:

firewall-config

Run it as a normal user; firewall-config authenticates through polkit when a privileged change is made, so running the whole GUI with sudo is unnecessary. The GUI provides point-and-click access to all FirewallD features, including zone management, service configuration, and rich rule creation.

For web-based management, use Cockpit, whose Networking page includes a firewall editor:

sudo dnf install cockpit -y
sudo systemctl enable --now cockpit.socket

Access Cockpit through your web browser at https://your-server:9090. Cockpit listens on port 9090, which the predefined cockpit service opens and which is enabled in the public zone by default; if you remove that service as part of hardening, Cockpit becomes unreachable unless you re-add it, preferably restricted to administrative source addresses.

Offline Configuration

Offline configuration capabilities enable firewall setup during system installation or automated deployment scenarios.

Use firewall-offline-cmd for system installation scripts:

sudo firewall-offline-cmd --zone=public --add-service=ssh
sudo firewall-offline-cmd --zone=public --add-service=http

Offline commands modify configuration files directly without requiring the FirewallD daemon to be running.

Integrate firewall configuration into Kickstart files for automated deployments. Inside %post the installed system is not yet running FirewallD, so the offline tool is the correct one:

%post
firewall-offline-cmd --zone=public --add-service=ssh
firewall-offline-cmd --zone=public --add-service=http
systemctl enable firewalld
%end

Kickstart also has a dedicated firewall command (for example firewall --enabled --service=ssh,http) that covers the simple cases without a %post section. Either approach ensures consistent firewall configurations across multiple system deployments.

Security Best Practices and Hardening

Initial Security Setup

Implement security hardening immediately after FirewallD installation to establish robust baseline protection. The principle of least privilege should guide all firewall configuration decisions.

Start with a restrictive default configuration. Make the changes permanent so they survive a reload:

sudo firewall-cmd --set-default-zone=public
sudo firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
sudo firewall-cmd --permanent --zone=public --remove-service=cockpit
sudo firewall-cmd --reload

Remove unnecessary default services to minimize attack surface, but check each one first: dhcpv6-client is required if the host obtains its IPv6 address via DHCPv6, and cockpit must stay if you rely on the Cockpit web console described earlier. Only enable services explicitly required for your specific use case.

Configure logging for security monitoring, with a rate limit so a scanner cannot flood the journal:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" service name="ssh" log prefix="SSH-ACCESS" level="info" limit value="3/m" accept'

Each new SSH connection then produces a kernel log line beginning with SSH-ACCESS, which enables security incident detection and forensic analysis. To also record traffic the firewall rejects, enable firewall-cmd --set-log-denied=all; its log lines carry the FINAL_REJECT prefix.

Implement fail2ban integration for automated intrusion prevention. fail2ban is not in the Rocky Linux base repositories; it comes from EPEL, and the fail2ban-firewalld package makes its bans use FirewallD rich rules instead of raw iptables:

sudo dnf install epel-release -y
sudo dnf install fail2ban fail2ban-firewalld -y
sudo systemctl enable --now fail2ban

Fail2ban analyzes log files (the sshd journal by default) and temporarily blocks source addresses that show repeated authentication failures.

Ongoing Maintenance

Regular firewall maintenance ensures continued security effectiveness and optimal performance. Establish routine procedures for configuration review and update management.

Schedule periodic configuration audits. Capture the permanent configuration as well as the runtime one, since the two can drift apart when someone forgets --permanent or --runtime-to-permanent:

sudo firewall-cmd --list-all-zones > /var/log/firewall-audit-$(date +%Y%m%d).log
sudo firewall-cmd --permanent --list-all-zones > /var/log/firewall-audit-permanent-$(date +%Y%m%d).log

Regular audits help identify unnecessary rules, configuration drift, and potential security gaps.
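A text dump of the zones is only as useful as the person reading it. The following script is an added example, not code from the original tutorial or from the firewalld project: it parses the permanent zone definitions that firewall-cmd --permanent writes under /etc/firewalld/zones/ and reports the exposures the hardening section above warns about (administrative services or ports open to all sources in an untrusted zone, stock default services still enabled, and rich rules that accept without a source). The sample zone embedded in the script is constructed for the example, and the sets of “administrative” services and ports are assumptions you should adapt to your environment.

```python
"""Audit firewalld permanent zone XML for overexposed services and ports.

Added example (not part of the tutorial or firewalld). Parses the zone
files written by `firewall-cmd --permanent` and flags risky exposure.
"""
import glob
import os
import xml.etree.ElementTree as ET

# Assumptions: which names count as administrative exposure and which
# zones are treated as untrusted. Adjust to your environment.
ADMIN_SERVICES = {"ssh", "cockpit", "vnc-server"}
ADMIN_PORTS = {("3389", "tcp"), ("5900", "tcp"), ("9090", "tcp")}
STOCK_DEFAULTS = {"dhcpv6-client", "cockpit"}
UNTRUSTED_ZONES = {"public", "external", "dmz", "block", "drop"}

# Constructed sample zone, in the format firewalld writes to
# /etc/firewalld/zones/public.xml (not taken from a real host).
SAMPLE_PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <port port="8080" protocol="tcp"/>
  <port port="3389" protocol="tcp"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
"""


def parse_zone(xml_text):
    """Return the parts of a zone definition the audit cares about."""
    root = ET.fromstring(xml_text)
    zone = {
        "target": root.get("target", "default"),
        "services": {s.get("name") for s in root.findall("service")},
        "ports": {(p.get("port"), p.get("protocol")) for p in root.findall("port")},
        "rich_rules": [],
    }
    for rule in root.findall("rule"):
        src, svc, port = rule.find("source"), rule.find("service"), rule.find("port")
        action = next((c.tag for c in rule if c.tag in ("accept", "reject", "drop")), None)
        zone["rich_rules"].append({
            "source": src.get("address") if src is not None else None,
            "service": svc.get("name") if svc is not None else None,
            "port": (port.get("port"), port.get("protocol")) if port is not None else None,
            "action": action,
        })
    return zone


def audit_zone(name, zone):
    """Return a list of human-readable findings for one parsed zone."""
    findings = []
    if zone["target"] == "ACCEPT":
        findings.append(f"{name}: target ACCEPT allows everything")
    untrusted = name in UNTRUSTED_ZONES
    # Services that already have a source-restricted accept rule: the
    # zone-level entry defeats that restriction, so call it out explicitly.
    restricted = {r["service"] for r in zone["rich_rules"]
                  if r["source"] and r["action"] == "accept"}
    for svc in sorted(zone["services"]):
        if untrusted and svc in ADMIN_SERVICES:
            hint = (" (a source-restricted rich rule exists, but the zone-level "
                    "service makes it reachable from anywhere)" if svc in restricted else "")
            findings.append(f"{name}: service {svc} open to all sources{hint}")
        if name == "public" and svc in STOCK_DEFAULTS:
            findings.append(f"{name}: stock default service {svc} still enabled; remove if unused")
    for port, proto in sorted(zone["ports"]):
        if untrusted and (port, proto) in ADMIN_PORTS:
            findings.append(f"{name}: port {port}/{proto} open to all sources")
    for r in zone["rich_rules"]:
        if r["action"] == "accept" and not r["source"] and (r["service"] or r["port"]):
            findings.append(f"{name}: rich rule accepts {r['service'] or r['port']} without a source restriction")
    return findings


def audit_directory(path="/etc/firewalld/zones"):
    """Audit every zone override file in a directory; returns {zone: findings}."""
    results = {}
    for path_xml in sorted(glob.glob(os.path.join(path, "*.xml"))):
        zone_name = os.path.splitext(os.path.basename(path_xml))[0]
        with open(path_xml, encoding="utf-8") as fh:
            results[zone_name] = audit_zone(zone_name, parse_zone(fh.read()))
    return results


if __name__ == "__main__":
    # Run against the embedded sample; pass a directory to audit a real host.
    for finding in audit_zone("public", parse_zone(SAMPLE_PUBLIC_XML)):
        print(finding)
```

Run it as root against the real directory with audit_directory() to include only zones that have been customised (firewalld only writes a file under /etc/firewalld/zones once a zone is modified; untouched zones live in /usr/lib/firewalld/zones and can be audited the same way by passing that path).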

Monitor firewall logs for suspicious activity. Keep the two log sources apart: journalctl -u firewalld shows the daemon’s own messages (reloads, errors, invalid rules), while packets matched by a logging rich rule or by --set-log-denied are logged by the kernel, so they appear in the kernel ring buffer and in /var/log/messages under the prefix you configured:

sudo journalctl -u firewalld -f
sudo journalctl -k -f | grep SSH-ACCESS
sudo tail -f /var/log/messages | grep -e SSH-ACCESS -e FINAL_REJECT

Active log monitoring enables rapid response to security incidents and configuration issues.
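Grepping a live tail is fine for a quick look; for anything recurring you want the kernel log lines parsed into fields so you can count new SSH connections per source and spot a brute-force run before fail2ban does, or see which closed ports are being probed. The following parser is an added example (not the tutorial’s or firewalld’s own code). It handles the netfilter log format the kernel emits (a prefix followed by IN=… OUT=… SRC=… DST=… PROTO=… SPT=… DPT=…) for both the SSH-ACCESS prefix configured above and the FINAL_REJECT prefix that --set-log-denied produces. The log lines embedded in the script are constructed for the example, with documentation addresses; the alert threshold is an assumption.

```python
"""Summarise firewalld packet-log lines from the kernel log.

Added example, not part of the tutorial or of firewalld. Parses netfilter
log lines (as seen in journalctl -k or /var/log/messages) and counts new
connections per source address and per destination port for one prefix.
"""
import re
from collections import Counter

# Netfilter writes: "<prefix>IN=<if> OUT=<if> MAC=... SRC=... DST=... PROTO=... SPT=... DPT=..."
# The prefix is whatever the rule configured; it may or may not end in a space.
KERNEL_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def _sample(prefix, src, dpt, spt):
    """Build one constructed log line in the kernel's netfilter format."""
    return (f"Jun  3 10:15:02 rocky10 kernel: {prefix}IN=enp1s0 OUT= "
            f"MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC={src} DST=198.51.100.5 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=64240 RES=0x00 SYN URGP=0")


# Constructed sample log: one noisy source, one normal admin host, two probes
# to a port the firewall rejects, and one unrelated sshd line.
SAMPLE_LOG_LINES = (
    [_sample("SSH-ACCESS: ", "203.0.113.10", 22, 51234 + i) for i in range(6)]
    + [_sample("SSH-ACCESS: ", "192.168.1.20", 22, 40000)]
    + [_sample("FINAL_REJECT: ", "203.0.113.77", 3389, 60000 + i) for i in range(2)]
    + ["Jun  3 10:15:03 rocky10 sshd[1201]: Accepted publickey for admin from 192.168.1.20"]
)


def parse_netfilter_line(line):
    """Return the fields of one netfilter log line, or None for other lines."""
    m = KERNEL_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall("IN=" + rest))
    flags = {tok for tok in rest.split() if "=" not in tok}  # DF, SYN, ACK, ...
    return {
        "prefix": m.group("prefix").strip().rstrip(":"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
        "syn": "SYN" in flags,
        "fields": fields,
    }


def summarize(lines, prefix, threshold=5):
    """Count matches for one prefix; list sources at or above the threshold."""
    per_source, per_port = Counter(), Counter()
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        per_source[rec["src"]] += 1
        per_port[(rec["proto"], rec["dpt"])] += 1
    noisy = sorted(src for src, n in per_source.items() if n >= threshold)
    return {"per_source": dict(per_source), "per_port": dict(per_port),
            "over_threshold": noisy}


if __name__ == "__main__":
    # Replace SAMPLE_LOG_LINES with sys.stdin to feed it `journalctl -k --no-pager`.
    for prefix in ("SSH-ACCESS", "FINAL_REJECT"):
        summary = summarize(SAMPLE_LOG_LINES, prefix)
        print(prefix, summary["per_source"], summary["per_port"])
        for src in summary["over_threshold"]:
            print(f"ALERT {prefix}: {src} exceeded {summary['per_source'][src]} new connections")
```

Because firewalld accepts established connections before the zone rules run, a logging rich rule only fires on new connections, so the per-source count here is a count of connection attempts rather than packets, which is exactly what a brute-force threshold should be measured against.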

Implement configuration backup procedures:

sudo cp -r /etc/firewalld /backup/firewalld-$(date +%Y%m%d)

Regular backups ensure rapid recovery from configuration errors or system failures.

Update FirewallD and related packages regularly:

sudo dnf update firewalld -y

Security updates often include patches for newly discovered vulnerabilities and improved functionality.

Troubleshooting Common Issues

Service-Related Problems

FirewallD service issues can prevent proper firewall operation and leave systems vulnerable or inaccessible. Systematic troubleshooting approaches resolve most common problems quickly.

Diagnose service startup failures:

sudo systemctl status firewalld -l
sudo journalctl -u firewalld --no-pager

These commands provide detailed error messages and diagnostic information for service startup problems.

Resolve permission-related issues:

sudo restorecon -R /etc/firewalld
sudo chmod 644 /etc/firewalld/zones/*.xml
sudo chmod 644 /etc/firewalld/services/*.xml

The daemon runs as root, so the configuration files only need to be owned by root and readable by root; an incorrect SELinux context (fixed by restorecon) or files made unreadable after a manual edit or restore are the usual causes of FirewallD failing to load its configuration.

Fix configuration corruption:

sudo cp /usr/lib/firewalld/zones/public.xml /etc/firewalld/zones/
sudo firewall-cmd --reload

Corrupted configuration files can be restored from default templates in the /usr/lib/firewalld directory.

Rule Configuration Issues

Configuration syntax errors and logical conflicts cause many firewall rule problems. Methodical testing and validation prevent most issues.

Test changes at runtime before committing them permanently:

sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --list-services

Runtime changes are lost on the next reload, so a mistake can be undone with firewall-cmd --reload; once validated, save them with --runtime-to-permanent. The permanent configuration itself can be checked for syntax errors with firewall-cmd --check-config before a reload.

Debug connectivity problems systematically:

sudo firewall-cmd --zone=public --list-all
sudo ss -tuln | grep :80
sudo netstat -tuln | grep :80

Verify both firewall rules and service binding to identify connectivity issues.

Reset a zone to its default configuration when problems persist. There is no “all” pseudo-service to remove; instead overwrite (or delete) the zone override in /etc/firewalld/zones, which makes FirewallD fall back to the stock definition in /usr/lib/firewalld/zones:

sudo cp /usr/lib/firewalld/zones/public.xml /etc/firewalld/zones/
sudo firewall-cmd --reload

Zone resets provide clean starting points for reconfiguration when troubleshooting complex issues. Remember that this also removes the ssh service unless it is part of the stock zone (it is for public), so verify remote access stays open before resetting other zones.

Alternative Management Methods

Temporarily Disabling FirewallD

Emergency situations sometimes require temporary firewall disabling for troubleshooting or maintenance. These procedures should be used carefully and only when necessary.

Stop FirewallD temporarily:

sudo systemctl stop firewalld

FirewallD removes its nftables rules when it stops, so this leaves every listening service reachable immediately. Use it only in isolated environments or when console access and a rollback plan exist. For a single suspicious rule, removing that rule at runtime is a far smaller change than dropping the whole firewall.

Disable FirewallD permanently (not recommended):

sudo systemctl disable firewalld

Permanent disabling removes firewall protection entirely. Consider this only for specialized environments with alternative security measures.

Re-enable firewall protection:

sudo systemctl enable --now firewalld

Always re-enable firewall protection as quickly as possible after completing emergency procedures.

Integration with Other Tools

FirewallD integrates with various system management and automation tools, enhancing operational efficiency and consistency.

Ansible integration for automated management. The module lives in the ansible.posix collection; setting both permanent and immediate applies the change now and on the next reload:

- name: Allow HTTP in the public zone
  ansible.posix.firewalld:
    service: http
    zone: public
    permanent: yes
    immediate: yes
    state: enabled

Infrastructure automation tools enable consistent firewall configurations across multiple systems.

NetworkManager integration ensures automatic zone assignment based on network connections. This integration particularly benefits mobile devices and multi-network environments.

Third-party management tools like Webmin and cPanel often include FirewallD integration modules, providing web-based management interfaces for hosting environments.

Congratulations! You have successfully installed FirewallD. Thanks for using this tutorial for installing the FirewallD firewall management tool on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official Rocky Linux website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing his knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.