
How to set up a Firewall on Fedora

Edited 9 months ago by ExtremeHow Editorial Team


Fedora, a robust Linux distribution, is renowned for its cutting-edge features and secure environment. One of the key aspects of maintaining system security is having a properly configured firewall. A firewall acts as a barrier between your computer and the outside world, allowing or denying traffic based on a set of security rules. This guide will walk you through the process of setting up a firewall on Fedora, ensuring you have the tools you need to effectively protect your system. We'll use simple language and straightforward steps, so you'll find it easy to follow, even if you're new to Fedora or firewalls.

Understanding firewalls

Before getting into the specifics of setting up a firewall on Fedora, it's important to have a basic understanding of what a firewall is and what it does. A firewall is a network security tool that monitors and controls incoming and outgoing network traffic based on predefined security rules. Essentially, it acts as a gatekeeper, deciding which data packets are allowed to pass through and which are not.

Firewalls can be implemented as hardware, software, or a combination of both. In the context of Fedora, we will deal with a software firewall, which provides effective protection by configuring rules and policies that monitor the interaction between your system and the external network.

Getting started with Fedora's firewall

Fedora uses a tool called firewalld as its main firewall management system. This tool provides a dynamic firewall with support for network zones, allowing users to easily manage and configure firewall rules. By default, firewalld is installed and enabled on Fedora, ensuring that your system has a basic level of security.

Checking the firewall status

Before making any changes, let's first check the status of firewalld on your Fedora system. Open the terminal and run the following command:

sudo systemctl status firewalld

If the output shows that firewalld is active and running, it means that the firewall is currently enabled. If it is not running, you can start it using:

sudo systemctl start firewalld

To ensure that firewalld starts automatically when the system boots, use the following command:

sudo systemctl enable firewalld

Understanding zones in firewalld

Firewalld uses the concept of zones, which determine the level of trust for network connections. A zone is associated with a set of services and ports that the firewall will allow or deny. For example, you may have different settings for your home network than for a public Wi-Fi network.

Each network interface can be assigned a zone, and these zones can be configured to meet specific security requirements.

To view all available zones, use the command:

sudo firewall-cmd --get-zones

The output may include the following zones:

Assigning an interface to a zone

Typically, when you connect to a network, the network interface will be assigned to the 'public' zone by default, which is more restrictive. To assign the interface to another zone, you can use:

sudo firewall-cmd --zone=home --change-interface=eth0

Replace home with the desired zone and eth0 with your interface name.

Configuring services and ports in firewalld

After understanding zones, the next step is to configure what traffic should be allowed or blocked. Traffic can be controlled by specifying the services or ports allowed within a zone. Services are pre-defined sets of ports and protocols required for particular purposes such as HTTP or SSH.

Allowing a service

If you want to allow a specific service, for example SSH, in a particular zone, you can use the following command:

sudo firewall-cmd --zone=public --add-service=ssh

The above command allows SSH traffic in the ‘public’ zone.

Allowing a port

In some cases, you may want to allow a specific port instead of using the service name. For example, to allow traffic on port 8080, you could use:

sudo firewall-cmd --zone=public --add-port=8080/tcp

If you are using a different protocol, replace tcp with the appropriate protocol.

Making the changes permanent

By default, changes made using firewalld are temporary and will be lost upon reboot. To make them permanent, add the --permanent flag to your command:

sudo firewall-cmd --zone=public --add-service=http --permanent

After making permanent changes, remember to reload the firewall to apply them:

sudo firewall-cmd --reload
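The check below is an added example, not part of the original article: it compares a zone's runtime services and ports with the permanent ones and lists what would be lost on reboot. The function names runtime_only and check_zone are hypothetical, and the sample lists are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): report firewalld entries that
# exist only in the runtime configuration and would be lost on reboot.

# runtime_only RUNTIME PERMANENT
# Each argument is a space-separated list, as printed by
# `firewall-cmd --list-services` or `firewall-cmd --list-ports`.
# Prints every item that is in RUNTIME but not in PERMANENT, one per line.
runtime_only() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                 # also saved permanently
            *) printf '%s\n' "$item" ;;     # runtime-only
        esac
    done
}

# check_zone ZONE (hypothetical helper): compare the live runtime and
# permanent settings of one zone. Needs a running firewalld.
check_zone() {
    for kind in services ports; do
        rt=$(firewall-cmd --zone="$1" --list-"$kind")
        pm=$(firewall-cmd --permanent --zone="$1" --list-"$kind")
        for entry in $(runtime_only "$rt" "$pm"); do
            echo "zone $1: $kind entry '$entry' is runtime-only"
        done
    done
}

if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    check_zone public
else
    # Constructed sample: ssh and 8080/tcp were added without --permanent.
    echo "firewalld not running; constructed sample:"
    runtime_only "dhcpv6-client http ssh" "dhcpv6-client http"
    runtime_only "8080/tcp" ""
fi
```

To keep everything the check reports, sudo firewall-cmd --runtime-to-permanent saves the current runtime configuration as permanent; sudo firewall-cmd --reload does the opposite and discards runtime-only entries.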

Rich rules in firewalld

For more complex firewall configurations, firewalld offers rich rules. These provide more flexibility by allowing you to specify detailed conditions and actions. Rich rules can be used to allow or block traffic based on IP addresses, protocols, ports, and more.

Adding rich rules

Suppose you want to accept traffic from a specific IP address. You can create a rich rule using the following:

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept'

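This command accepts incoming traffic from the IP address 192.168.1.100. On its own it does not block other sources; traffic from other addresses is still handled by the zone's remaining services, ports and rules.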

Blocking traffic with rich rules

To block traffic from an IP address you can use the following:

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" drop'

Using rich rules, you can fine-tune your firewall to match the specific security policies you need for your network.
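The following added example (not from the original article) goes one step beyond the rules above: it prints the commands that limit one service to a single source address by pairing a service-scoped rich rule with removal of the zone-wide service. The function names valid_ipv4 and scoped_allow_cmds are hypothetical; the script only prints commands for review and changes nothing.

```shell
#!/bin/sh
# Added example (not from the original article): dry-run generator for
# "allow SERVICE only from IP" in a firewalld zone.

# valid_ipv4 ADDR: succeed only for a dotted-quad address with octets 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;   # stray characters or empty parts
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# scoped_allow_cmds ZONE SERVICE IP
# Prints two commands. The rich rule is added first so that a session coming
# from IP stays allowed when the zone-wide service is removed afterwards.
scoped_allow_cmds() {
    zone=$1 service=$2 ip=$3
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    case $zone$service in
        *[!A-Za-z0-9_-]*) echo "invalid zone or service name" >&2; return 1 ;;
    esac
    rule="rule family=\"ipv4\" source address=\"$ip\" service name=\"$service\" accept"
    printf '%s\n' \
        "firewall-cmd --zone=$zone --add-rich-rule='$rule'" \
        "firewall-cmd --zone=$zone --remove-service=$service"
}

# Sample values taken from the commands shown above.
scoped_allow_cmds public ssh 192.168.1.100
```

Run the printed commands with sudo after reviewing them, and add --permanent followed by a reload if the restriction should survive a reboot.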

Firewall GUI tools

While command-line tools provide robust functionality, some users may prefer a graphical interface for managing the firewall. Fedora provides a GUI tool called firewall-config that makes it easy to manage zones and rules without typing commands.

Installing firewall-config

If it is not already installed, you can install the GUI tool using the following:

sudo dnf install firewall-config

Once installed, launch the firewall-config application from your desktop environment. This will provide a user-friendly interface to manage your firewall rules and settings.

Testing and troubleshooting your firewall

After you've set up your firewall, it's important to test it to make sure your rules are working as expected. Testing typically involves trying to access services and verifying that they are correctly allowed or blocked.

Here are some general steps to test and troubleshoot firewall rules:

Conclusion

Setting up a firewall on Fedora involves understanding the basics of firewalld and configuring zones, services, ports, and rich rules to suit your network's security needs. While the default settings provide a good starting point, customizing your firewall policies ensures that your Fedora system is protected from unauthorized access and potential threats.

By following this guide, you will now have a solid foundation for effectively managing your Fedora firewall, whether you prefer to use the command line or the graphical interface.
