
This guide walks through three ways to create a custom firewalld service definition on a Linux server, using a pair of Oracle Listener ports as the worked example, and shows how to verify the result with firewall-cmd.

What is Firewalld?

Firewalld is a firewall management daemon for Linux, released under the GNU General Public License, version 2.

It is the default firewall front end in RHEL based distributions from version 7 onwards, where it replaced the legacy iptables service. Firewalld manages rules dynamically, so a change is applied at runtime without flushing and rebuilding the whole rule set, and it supports network zones, IPv4, IPv6, ethernet bridges and IP sets.

Rather than writing raw iptables or nftables rules by hand, you describe what should be reachable in terms of zones, services and rich rules, and the daemon translates those definitions into rules for the active backend (iptables on RHEL 7, nftables on RHEL 8 and later).

Here’s a detailed overview of Firewalld, including its features, components, and how to use it:

Key Features of Firewalld

  1. Dynamic Firewall Management:
    • Real-Time Changes: Firewalld applies rule changes without restarting the firewall service, so existing connections are not dropped while you work. Keep the two configurations apart: a change made without --permanent takes effect immediately but is lost at the next reload or reboot, while a --permanent change is written under /etc/firewalld and only becomes active after firewall-cmd --reload.
  2. Zone-Based Configuration:
    • Predefined Zones: Firewalld uses zones to apply different sets of rules based on network connections. Each zone defines a security level and specifies which services and ports are allowed or denied.
    • Common Zones: Firewalld ships with predefined zones, in increasing order of trust: drop, block, public, external, dmz, work, home, internal and trusted. There is no "private" zone.
  3. Rich Language for Rules:
    • Extended Syntax: The rich language goes beyond a zone's simple service and port lists. A single rich rule can match on source or destination address, service, port, protocol or ICMP type and then accept, reject, drop or log the traffic, which is how you limit a service to particular client addresses.
  4. Service Management:
    • Service Definitions: Firewalld supports service management, allowing you to enable or disable predefined services (like HTTP, SSH) with simple commands.
  5. Firewall Backends:
    • Backend Options: Firewalld renders its configuration through either the nftables backend (the default since firewalld 0.6 and on RHEL 8 and later) or the legacy iptables backend (iptables, ip6tables and ebtables). The backend is chosen by the FirewallBackend setting in /etc/firewalld/firewalld.conf.
  6. Support for IPv4, IPv6, and Network Zones:
    • Comprehensive Support: Manages rules for both IPv4 and IPv6 traffic, and organizes network traffic based on different zones.
  7. Logging and Monitoring:
    • Traffic Logging: Rich rules can log matching packets with a configurable prefix and level, and the LogDenied setting (firewall-cmd --set-log-denied=all) logs packets rejected or dropped by the default rules, which is useful when diagnosing blocked connections.

Components of Firewalld

Zones:

  • Definition: Zones represent different levels of trust for network connections.
  • Examples:
    • Public: For untrusted networks; only explicitly allowed incoming connections are accepted.
    • Home and Work: For networks where you mostly trust the other computers; only a few services such as ssh are allowed by default.
    • Internal: For internal networks where you mostly trust the other computers.
    • Trusted: All traffic is accepted.
    • Drop and Block: All incoming traffic is silently dropped, or rejected with an ICMP error, respectively; only outgoing connections are possible.

Services:

  • Definition: Predefined configurations for common network services.
  • Examples:
    • http: Web server
    • ssh: Remote server access

Rich Rules:

  • Definition: Advanced rules for complex configurations.
  • Examples: Allowing traffic from a specific IP address or network.

Direct Rules:

  • Definition: Low-level rules passed straight through to the backend, bypassing the zone model.
  • Examples: Custom iptables rules for cases the rich language cannot express. Because direct rules sit outside the zones, they are harder to audit and should be a last resort.

Use Cases for Firewalld

  1. Network Security:
    • Protect Services: Secure services and applications from unauthorized access.
    • Traffic Control: Manage inbound and outbound traffic to protect your system.
  2. System Administration:
    • Configuration Management: Apply firewall rules and manage network traffic.
    • Service Management: Enable or disable services based on network security requirements.
  3. Multi-Zone Environments:
    • Segregation: Use different zones for various network interfaces and security levels.


Linux Server Specification

Consider a scenario where we are running an Oracle Database 19c instance on CentOS 8 server.

Default Oracle Listener uses the service port 1521/tcp. We have also configured another Oracle Listener service that is using port 1522/tcp.

In short, we have two Oracle listeners running on ports 1521/tcp and 1522/tcp simultaneously.

Our objective is to create a custom Linux firewall service to control access to our Oracle Listener ports.


1. Create a Linux Firewall Service using CLI

In this method, we will create a Linux firewall service using firewall-cmd command.

Create a new service for Oracle Listener ports.

# firewall-cmd --permanent --new-service=oranet
success

Add long description of the service.

# firewall-cmd --permanent --service=oranet \
> --set-description="Oracle Listener Service"
success

Add short description of the service.

# firewall-cmd --permanent --service=oranet \
> --set-short=oranet
success

Add Oracle Listener service ports.

# firewall-cmd --permanent --service=oranet --add-port=1521/tcp
success
# firewall-cmd --permanent --service=oranet --add-port=1522/tcp
success

Reload firewalld configurations.

# firewall-cmd --reload
success

Display the new service definition to confirm both ports were recorded.

# firewall-cmd --info-service=oranet
oranet
  ports: 1521/tcp 1522/tcp
  protocols:
  source-ports:
  modules:
  destination:

More settings (protocols, source ports, kernel helper modules, destination addresses) can be added to the service in the same way; see the firewalld documentation for details. Note that a service definition on its own permits nothing: it only takes effect once a zone references it with --add-service and the configuration has been reloaded.
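The commands above define the service but do not expose it. The following script is an added example (not from the original post) that binds oranet to a zone and then narrows it with a rich rule so that only the application-server network can reach the listener ports. The zone name public, the client network 10.0.10.0/24 and the script name are assumptions; run it with plan (or on a machine without firewall-cmd) and it only prints the commands it would execute.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Binds the custom "oranet"
# service to a zone and then restricts it to the constructed client network
# 10.0.10.0/24 with a rich rule.
# Usage: ./oranet_bind.sh plan   (print the commands only)
#        ./oranet_bind.sh apply  (run them with firewall-cmd)
set -eu

ZONE="${ZONE:-public}"          # assumed zone of the listener interface
SERVICE="${SERVICE:-oranet}"
DRY_RUN="${DRY_RUN:-0}"

# fw: run firewall-cmd, or just print the command in plan mode or when the
# tool is not installed, so the sequence can be reviewed before it touches
# a host.
fw() {
    if [ "$DRY_RUN" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# bind_service ZONE SERVICE: the open variant. A service definition permits
# nothing until a zone references it; after this every host that reaches the
# zone's interfaces may connect to the listener ports.
bind_service() {
    fw --permanent --zone="$1" --add-service="$2"
}

# restrict_service ZONE SERVICE SOURCE: the narrow variant. Removes any
# zone-wide binding and adds a rich rule that accepts the service only from
# SOURCE; everything else falls through to the zone's default target
# (reject for public), so the listener is not reachable from elsewhere.
restrict_service() {
    zone=$1 svc=$2 source=$3
    if fw --permanent --zone="$zone" --query-service="$svc"; then
        fw --permanent --zone="$zone" --remove-service="$svc"
    fi
    fw --permanent --zone="$zone" \
       --add-rich-rule="rule family=\"ipv4\" source address=\"$source\" service name=\"$svc\" accept"
}

# apply_and_verify ZONE: permanent changes only become active after a
# reload; list the runtime state afterwards to confirm what is enforced.
apply_and_verify() {
    fw --reload
    fw --zone="$1" --list-services
    fw --zone="$1" --list-rich-rules
}

main() {
    # Use bind_service instead if every host in the zone may connect.
    restrict_service "$ZONE" "$SERVICE" "10.0.10.0/24"
    apply_and_verify "$ZONE"
}

case "${1:-plan}" in
    plan)  DRY_RUN=1; main ;;
    apply) main ;;
    *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

For IPv6 clients add a second rich rule with family="ipv6" and the client prefix; a rule with family="ipv4" never matches IPv6 traffic. Prefer the rich-rule form over a plain --add-service whenever the listener only needs to talk to a known set of application servers.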

2. Create a Linux Firewall Service from XML file

In this method, we will define the firewalld service settings in an XML file and then use firewall-cmd command to create a custom service in our Linux firewall.

# vi ~/oranet.xml

and add following XML code therein.

<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>oranet</short>
 <description>Oracle Listener Service</description>
 <port protocol="tcp" port="1521" />
 <port protocol="tcp" port="1522" />
</service>

Now use firewall-cmd command to create Linux firewall service.

# firewall-cmd --permanent --new-service-from-file=oranet.xml
success

Reload firewalld configurations and check oranet service.

# firewall-cmd --reload
success
# firewall-cmd --info-service=oranet
oranet
  ports: 1521/tcp 1522/tcp
  protocols:
  source-ports:
  modules:
  destination:

3. Create a Linux Firewall Service from Definition File

This is the mechanism software packages normally use: they ship their service definitions as XML files in /usr/lib/firewalld/services, where firewalld picks them up automatically.

In this method we place our own definition in /etc/firewalld/services, the directory reserved for local definitions. A file there also overrides a shipped definition of the same name in /usr/lib/firewalld/services.

# vi /etc/firewalld/services/oranet.xml

Add following XML code therein.

<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>oranet</short>
 <description>Oracle Listener Service</description>
 <port protocol="tcp" port="1521" />
 <port protocol="tcp" port="1522" />
</service>

Reload firewalld configurations and check the oranet service.

# firewall-cmd --reload
success
# firewall-cmd --info-service=oranet
oranet
  ports: 1521/tcp 1522/tcp
  protocols:
  source-ports:
  modules:
  destination:

We have explored all three ways to create a custom service in the CentOS firewall. Whichever method you use, the result is the same definition file at /etc/firewalld/services/oranet.xml, and it still has to be added to a zone before any client can reach the listener ports.
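Methods 2 and 3 both come down to writing the same XML definition. The script below is an added example (not from the original post) that generates that file from a port list, rejecting malformed port specifications and service names that could escape the services directory, and then reports which zone files under /etc/firewalld/zones reference the service, since a definition that no zone references is never enforced. The SERVICES_DIR and ZONES_DIR variables, the function names and the sample description are assumptions; point both directories at a scratch location to try it without touching the live configuration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Generates a firewalld service
# definition file from a validated port list and reports which zone files
# reference the service. Override SERVICES_DIR / ZONES_DIR to run it against
# a scratch directory instead of the live /etc/firewalld tree.
set -eu

SERVICES_DIR="${SERVICES_DIR:-/etc/firewalld/services}"
ZONES_DIR="${ZONES_DIR:-/etc/firewalld/zones}"

# valid_name NAME: the name becomes a file name, so allow only [A-Za-z0-9_-];
# this blocks path tricks such as "../zones/public".
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# valid_port SPEC: accept "N/proto" or "N-M/proto" with proto in
# tcp/udp/sctp/dccp and 1 <= N <= M <= 65535; anything else is rejected
# rather than silently written into the definition.
valid_port() {
    case "$1" in */tcp|*/udp|*/sctp|*/dccp) ;; *) return 1 ;; esac
    range=${1%/*}
    lo=${range%-*}
    hi=${range#*-}
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# xml_escape TEXT: escape the XML special characters so a description cannot
# inject extra elements into the file.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# service_xml NAME DESCRIPTION PORT...: print the definition to stdout.
service_xml() {
    name=$1 desc=$2
    shift 2
    valid_name "$name" || { echo "invalid service name: $name" >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port spec: $p" >&2; return 1; }
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$name")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for p in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
    done
    printf '</service>\n'
}

# install_service NAME DESCRIPTION PORT...: write the file atomically into
# SERVICES_DIR. firewalld only reads it after "firewall-cmd --reload".
install_service() {
    valid_name "$1" || { echo "invalid service name: $1" >&2; return 1; }
    mkdir -p "$SERVICES_DIR"
    tmp=$(mktemp "$SERVICES_DIR/.$1.XXXXXX")
    service_xml "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"
    mv "$tmp" "$SERVICES_DIR/$1.xml"
}

# zones_using NAME: print the zones whose permanent configuration references
# the service. /etc/firewalld/zones only holds zones changed with --permanent,
# which is exactly where an --add-service binding ends up.
zones_using() {
    for z in "$ZONES_DIR"/*.xml; do
        [ -f "$z" ] || continue
        grep -q "<service name=\"$1\"" "$z" && basename "$z" .xml
    done
    return 0
}

main() {
    install_service oranet "Oracle Listener Service" 1521/tcp 1522/tcp
    echo "wrote $SERVICES_DIR/oranet.xml; run: firewall-cmd --reload"
    bound=$(zones_using oranet)
    if [ -z "$bound" ]; then
        echo "warning: no zone references oranet yet, so nothing can reach it" >&2
    else
        echo "oranet is referenced by zone(s): $bound"
    fi
}

case "${1:-}" in
    install) main ;;
    *) echo "usage: SERVICES_DIR=... ZONES_DIR=... $0 install" >&2 ;;
esac
```

Zones that were never modified have no file under /etc/firewalld/zones (their defaults live in /usr/lib/firewalld/zones), so an empty result from zones_using means the service was created but never bound with --permanent; the runtime state can be confirmed with firewall-cmd --get-active-zones and --list-services.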

If you are new to Linux and find working at the Bash prompt difficult, we recommend reading The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.

Final Thoughts

Creating a robust Linux firewall service is essential for securing your server and network. This guide has explored three effective methods to help you choose the best approach for your needs.

If you’d prefer professional assistance or need help with configuring your Linux firewall, I offer expert services to set up and manage your firewall rules effectively. Visit my Fiverr profile for more details and to get started: Linux Cloud Engineer

Secure your Linux server with tailored firewall solutions from a trusted expert today!
