firewall-config

Managing firewalld with firewall-config

firewall-config is the graphical tool that can be used instead of the command line to manage your firewall. Normally, this will be installed along with firewalld if you have installed a desktop environment such as Gnome.

(To configure your firewall from the command line see the section firewall-cmd.)

To check that the tool firewall-config is installed, issue the following command:

dnf info firewalld firewall-config


# dnf info firewalld firewall-config
Last metadata expiration check: 1:19:48 ago on Sun 06 Jun 2021 12:37:38 BST.
Installed Packages
Name         : firewall-config
Version      : 0.8.2
Release      : 6.el8
Architecture : noarch
Size         : 1.1 M
Source       : firewalld-0.8.2-6.el8.src.rpm
Repository   : @System
From repo    : appstream
Summary      : Firewall configuration application
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : The firewall configuration application provides an configuration interface for
             : firewalld.

Name         : firewalld
Version      : 0.8.2
Release      : 6.el8
Architecture : noarch
Size         : 1.9 M
Source       : firewalld-0.8.2-6.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : A firewall daemon with D-Bus interface providing a dynamic firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic customizable
             : firewall with a D-Bus interface.

firewall-config - Graphical Administration tool

To start the "firewall-config" tool, you can type "firewall" into the search box under activities (Gnome Desktop). Either click on the icon or press enter on your keyboard to open the application tool.

Firewall-Config GUI Tool

firewall-config GUI:

Firewall-Config GUI Tool

Notice the word "Connection to firewalld established" in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld.

The following tabs are available by clicking on the ">" right arrow on the centre menu bar: Port Forwarding, ICMP Filter, Rich Rules, <interface> and Sources.

Changing Firewall Settings

To make changes immediately to the firewall's current configuration, make sure that the current view is set to "Runtime". If your changes only need to be applied at the next system reboot or re-load of your firewall, then select the "Permanent" option from the drop down list.

Runtime Mode: Changes take immediate effect when you set or clear the check box associated with the service.

Permanent Mode: Your selections will only take effect when you reload the firewall or the system is re-booted.

Reloading Firewall: The firewall can be reloaded/restarted from the icon below the File menu, or by clicking the Options menu and selecting "Reload Firewall".

Adding an Interface to a Zone

Interfaces can be assigned or added to a selected zone by selecting Options from the main menu bar, then selecting Change Zones of Connections from the drop down menu. A connection list is then displayed. Next select the connection (interface) to be reassigned. You should now see the Select Zone for Connection window appear. Now select the new firewall zone from the drop down menu and click OK.

Firewall-Config GUI Tool

Setting the Default Zone

To specify the default zone that a new interface will be assigned to. Select Options from the main menu bar, then select Change Default Zone from the drop down menu. The Default Zone window should now appear. Now select the zone from the list that you want to become the default zone and click on OK.

Configuring Services

To enable or disable a service (custom or pre defined), select the network zone whose services you wish to configure, then select the Services tab. You can now select the check box for each type of service you want to trust or clear the check box to block a particular service. The example below shows that the service "ssh" is currently set to trusted.

Firewall-Config GUI Tool

Editing a Service

To edit a service, first change the mode to Permanent from the drop down selection menu labelled "Configuration:". Additional icons and menu buttons appear at the bottom of the Services window. Now select the service you wish to configure.

Firewall-Config GUI Tool

Changing Ports and Protocols for a service

The Ports and Protocols tab enables you to add, remove or amend the ports and protocols for a selected service. The modules tab is for configuring Netfilter helper modules. The Destination tab enables you to limit traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).

Firewall-Config GUI Tool

Opening Ports

Traffic is allowed to pass through a firewall only if a port has been specified as open. To open a port using the firewall-config tool, you first need to select the zone you wish to work with. Next select the ports tab and click on the Add button. The port and protocol window should now appear. It is from here that you can specify a port number or a range of ports that are to be permitted. The protocol can be selected from the drop down list.

Firewall-Config GUI Tool

Enabling IP Masquerading

The translation of an IPv4 address to a single external address can be achieved by using the IP Masquerading tab. Here you first select the network zone whose addresses are to be translated, then select the Masquerading tab and check the box to enable the translation of the IPv4 address to a single address.

Firewall-Config GUI Tool

Port Forwarding

The forwarding of inbound network traffic is configured from the Port Forwarding tab. First IP Masquerading has to be enabled, then select the Port Forwarding tab. Select the protocol for the inbound traffic and the port range of ports from the upper section of the window. To forward locally (to a port on the same system), select the local forwarding check box. Next enter the local port or range of ports for the traffic to be sent to.

To forward traffic to another address, select the "Forward to another port" check box. Next enter the IP destination address and port or port range. The default is to send to the same port if the port field is left empty. Next click OK to apply the changes.

Firewall-Config GUI Tool

Configuring an ICMP Filter

To enable or disable an ICMP filter, first select the the network zone whose messages are to be filtered. Next select the ICMP Filter tab and select the check box for each type of ICMP message that is to be filtered. To disable a filter, simply remove the check box entry.

Rich Rules

Rich rules adds a rich (high level) language to firewalld, this allows the creation of complex firewall rules without the knowledge of iptables syntax. For full details relating to the syntax of "rich rules" see the following wiki: Rich Rules