Install and Use FirewallD on Ubuntu 22.04

Welcome to this tutorial on how to install and use FirewallD on Ubuntu 22.04. FirewallD is a dynamic firewall manager: like other Linux firewall front ends it drives the kernel packet filter, but its distinguishing feature is zones, trust levels assigned to network interfaces or source addresses that decide which traffic is accepted. All rules are managed with the firewall-cmd utility.

Since you have Ubuntu 22.04 installed, ensure you have root privileges then continue to install and Use FirewallD on Ubuntu 22.04.

Install and Use FirewallD on Ubuntu 22.04

Ubuntu 22.04 ships with UFW installed. UFW and firewalld both end up programming the same kernel packet filter, and two managers writing rules into it will overwrite each other, so use one only. Disable UFW before installing firewalld:

sudo ufw disable

Between this step and firewalld starting, the host has no packet filtering at all, so do this from a console or from a session you are prepared to lose. Firewalld's default public zone allows ssh, so an SSH session keeps working once firewalld is up.

Then update system packages:

sudo apt update

Next, install firewalld from the apt repository:

sudo apt -y install firewalld

Confirm the installation by checking the version:

sudo firewall-cmd --version

Check whether the firewall is running:

$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor pre>
     Active: active (running) since Fri 2022-07-15 17:50:18 EAT; 1min 44s ago
       Docs: man:firewalld(1)
   Main PID: 3531 (firewalld)
      Tasks: 2 (limit: 3498)
     Memory: 25.6M
        CPU: 2.270s
     CGroup: /system.slice/firewalld.service
             └─3531 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Jul 15 17:50:01 itnixpro systemd[1]: Starting firewalld - dynamic firewall daem>
Jul 15 17:50:18 itnixpro systemd[1]: Started firewalld - dynamic firewall daemo>

Enable firewalld service

The status output above already reports the unit as enabled. If yours reports disabled, enable it so that it starts at boot:

sudo systemctl enable firewalld

Using Firewalld on Ubuntu 22.04

Now that firewalld is installed, let's see how to use it to control traffic entering the system.

List all zones

Check all the available zones and their settings with the firewall-cmd --list-all-zones command:

sudo firewall-cmd --list-all-zones

Opening a port

To open a port permanently, use the syntax sudo firewall-cmd --zone=<zone> --add-port=<port>/<protocol> --permanent. If you leave out --zone, the rule goes into the default zone only (public on a fresh install; firewall-cmd --get-default-zone shows which zone that is), not into all zones.

For instance, open TCP port 26267 in the public zone:

sudo firewall-cmd --zone=public --add-port=26267/tcp --permanent

To open several ports at once you can use brace expansion. Note that this is a bash feature, not firewalld syntax: the shell turns it into three separate --add-port options before firewall-cmd sees them, so it will not work under a plain sh. For a contiguous range, firewalld accepts 8080-8082/tcp directly. For example, to open ports 8080, 8081 and 8082:

sudo firewall-cmd --zone=public --add-port={8080,8081,8082}/tcp --permanent

--permanent only writes the rule to the saved configuration; nothing changes in the running firewall until you reload it:

sudo firewall-cmd --reload

For a UDP port, replace tcp with udp.
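The reverse workflow is safer on a remote host: add the rule to the runtime configuration (no --permanent), confirm you can still reach the box, and only then save the runtime state with --runtime-to-permanent, so a mistake is undone by a plain --reload instead of surviving a reboot. The script below is an added example, not part of the original tutorial; it wraps firewall-cmd, validates each port spec before touching the firewall, and the FW variable (an assumption of this example) lets you dry-run it with FW=echo on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: open ports in a zone by
# applying them to the runtime configuration first and persisting with
# --runtime-to-permanent afterwards. A wrong runtime rule disappears on
# `firewall-cmd --reload`; a wrong --permanent rule survives a reboot.
#
# FW is the command to run (assumption of this example). FW=echo prints the
# invocations instead of executing them; FW="sudo firewall-cmd" runs as root.
FW="${FW:-firewall-cmd}"

# valid_port_spec PORT/PROTO -> 0 for "443/tcp" or a range "8080-8082/tcp",
# which is firewalld's own range syntax (no shell brace expansion needed).
valid_port_spec() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp)$'
}

# fw_open_ports ZONE PORT/PROTO...
# Validates every spec before running anything, adds each one to the zone's
# runtime rules, then saves the runtime state as the permanent configuration.
fw_open_ports() {
    zone="$1"; shift
    [ "$#" -gt 0 ] || { echo "usage: fw_open_ports ZONE PORT/PROTO..." >&2; return 1; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    for spec in "$@"; do
        # $FW is intentionally unquoted so FW="sudo firewall-cmd" works.
        $FW --zone="$zone" --add-port="$spec" || return 1
    done
    $FW --runtime-to-permanent
}

# Invoked as a script: ./open-ports.sh public 8080/tcp 8081-8082/tcp
if [ "$#" -gt 0 ]; then
    fw_open_ports "$@"
fi
```

If a runtime rule locks you out, sudo firewall-cmd --reload discards it and restores the saved configuration; only after you have verified access does --runtime-to-permanent make the rules permanent.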

Display all open ports

Use firewall-cmd --list-ports to display the ports opened in the default zone (add --zone=<zone> to inspect another zone).

Output:

$ sudo firewall-cmd --list-ports
8080/tcp 8081/tcp 8082/tcp 26267/tcp

List rules configured

Use the command below to list everything configured in the default zone: the interfaces bound to it, allowed services and ports, masquerading, forwarded ports and rich rules. An empty sources line means the zone is selected purely by interface, so every packet arriving on those interfaces is evaluated against these rules.

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 26267/tcp 8080/tcp 8081/tcp 8082/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

List services that can be enabled/disabled

Get the full list of predefined services (named port sets such as ssh or https) that can be allowed or removed:

sudo firewall-cmd --get-services

Enable service

To allow a service in the default zone, use the command syntax:

sudo firewall-cmd --add-service="servicename" --permanent

For example, allow the https service:

sudo firewall-cmd --add-service="https" --permanent

Reload the firewall to apply the permanent change:

sudo firewall-cmd --reload

To add multiple services at once, use brace expansion, which bash turns into one --add-service option per service before firewall-cmd runs:

sudo firewall-cmd --add-service={http,https,smtp,imap} --permanent --zone=public

Create a new zone

To create a new firewall zone, use the command (new zones can only be created in the permanent configuration):

sudo firewall-cmd --new-zone=zonename --permanent

For example, create a zone named itnixpro, then reload the firewall so it becomes available. A new zone has the default target, so it rejects all traffic until you allow services or ports in it and bind it to an interface or to source addresses.

sudo firewall-cmd --new-zone=itnixpro --permanent
sudo firewall-cmd --reload

Enable service/port on a specific zone

To allow a service or port in a specific zone, replace the zone, port, protocol and service in the commands below:

sudo firewall-cmd --zone=<zone> --add-port=<port>/<protocol> --permanent
sudo firewall-cmd --zone=<zone> --add-service=<service> --permanent

The same works for multiple services:

sudo firewall-cmd --zone=<zone> --add-service={service1,service2,service3} --permanent

Add an interface to a zone

If your system has more than one interface, you can bind each interface to a zone, for instance the interface facing your backend servers to the internal zone and the one facing the Internet to the public zone. An interface belongs to exactly one zone, so first check which zone it is currently in, then add it (if it is already bound to another zone, use --change-interface instead of --add-interface):

sudo firewall-cmd --get-zone-of-interface=eth3 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth3 --permanent

Allow access to a port from specific subnet/IP

Access to a service or port can be restricted to a specific IP address or subnet with a rich rule. Keep in mind that a rich rule only adds an accept path: if the ssh service is still in the zone's services list (as it is in the public zone by default), everyone can still connect and the rich rule changes nothing. Remove the service from the zone with --remove-service=ssh --permanent and keep only the rich rule.

Replace the address with the correct host (192.168.8.10, or 192.168.8.10/32) or subnet (192.168.8.0/24; the host bits must be zero in a subnet prefix). The rule below allows ssh only from the 192.168.8.0/24 subnet:

$ sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.8.0/24" service name="ssh" accept' --permanent

List rich rules

List rich rules with the command:

sudo firewall-cmd --list-rich-rules
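Because a zone's services, ports and rich rules are evaluated together, the only reliable way to know what is reachable is to read the policy back and check it. The script below is an added example, not part of the original tutorial: it parses the text that firewall-cmd --list-all prints (the sample is constructed from the public zone shown earlier plus a source-restricted ssh rich rule; the rich rule line is indented with spaces here where real output uses a tab) and flags the trap from the previous section, an ssh rich rule that is redundant because the ssh service is still open to every source. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the policy that
# `firewall-cmd --list-all` reports instead of trusting what you think you
# added. Feed it a zone dump on stdin:  firewall-cmd --list-all | audit_zone

# Constructed sample, modelled on the tutorial's public zone output with one
# rich rule added (real firewalld output indents rich rules with a tab).
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports: 26267/tcp 8080/tcp 8081/tcp 8082/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.8.0/24" service name="ssh" accept'

# zone_field NAME DUMP -> value of the "  NAME: value" line (may be empty).
zone_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# zone_rich_rules DUMP -> one rich rule per line, indentation stripped.
zone_rich_rules() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(rule .*\)$/\1/p'
}

# has_word WORD LIST -> 0 if WORD is one of the space-separated LIST items.
has_word() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# ssh_open_to_all < dump -> 0 when ssh is allowed from every source, i.e.
# the zone has no source filter and ssh is in its services list.
ssh_open_to_all() {
    dump="$(cat)"
    [ -z "$(zone_field sources "$dump")" ] && has_word ssh "$(zone_field services "$dump")"
}

# audit_zone < dump -> prints one INFO/WARN finding per line.
audit_zone() {
    dump="$(cat)"
    sources="$(zone_field sources "$dump")"
    services="$(zone_field services "$dump")"
    ports="$(zone_field ports "$dump")"
    if [ -z "$sources" ]; then
        echo "INFO zone selected by interface ($(zone_field interfaces "$dump")); no source filter"
    fi
    for s in $services; do echo "INFO service $s allowed from any source"; done
    for p in $ports;    do echo "INFO port $p allowed from any source"; done
    if [ "$(zone_field masquerade "$dump")" = "yes" ]; then
        echo "INFO masquerade on: this host NATs traffic it forwards"
    fi
    zone_rich_rules "$dump" | while read -r rule; do
        echo "INFO rich rule: $rule"
        case "$rule" in
            *source*'service name="ssh"'*|*'service name="ssh"'*source*)
                # The rich rule cannot restrict ssh while the service is open zone-wide.
                has_word ssh "$services" &&
                    echo "WARN ssh rich rule is redundant: ssh service is open to every source in this zone; run --remove-service=ssh --permanent"
                ;;
        esac
    done
    return 0
}
```

On a live host, pipe the real output in with sudo firewall-cmd --list-all | audit_zone (or --list-all --zone=<zone> for another zone); a WARN line means the source restriction you thought you had does not exist.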

Configure Port forwarding

Enable masquerading (source NAT). This is required when you forward traffic to another host, so that replies come back through this server; forwarding to a different port on the same server does not need it:

sudo firewall-cmd --add-masquerade --permanent

Forward a port to a different port on the same server (22 > 2022):

sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent

Forward a port to the same port on a different server (local:22 > 192.168.8.10:22). toaddr takes only the address; leaving out toport keeps the port unchanged:

sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.8.10 --permanent

Forward a port to a different port on a different server (local:7071 > 192.168.8.50:9071):

sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=192.168.8.50 --permanent

As with every --permanent change, reload the firewall afterwards.
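The forward-port value is easy to get wrong (a port in toaddr, a port above 65535, a malformed address), and firewalld will only tell you after the change has been written. The script below is an added example, not part of the original tutorial: it builds the --add-forward-port= value from the "local port > target" notation used above, validates each part first, and emits the matching firewall-cmd commands, adding --add-masquerade only when the target is another host. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build a validated
# --add-forward-port= value and the firewall-cmd commands that go with it.

# valid_port N -> 0 for an integer in 1..65535.
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D -> 0 for four dotted octets each in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_spec LOCAL_PORT PROTO TARGET
#   TARGET is "PORT" (other port, same host), "ADDR" (same port, other host)
#   or "ADDR:PORT". Prints the --add-forward-port= value; returns 1 on bad input.
forward_spec() {
    lport="$1"; proto="$2"; target="$3"
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$target" in
        *:*) addr="${target%%:*}"; tport="${target#*:}" ;;
        *.*) addr="$target"; tport="" ;;
        *)   addr=""; tport="$target" ;;
    esac
    spec="port=$lport:proto=$proto"
    if [ -n "$tport" ]; then
        valid_port "$tport" || { echo "bad target port: $tport" >&2; return 1; }
        spec="$spec:toport=$tport"
    fi
    if [ -n "$addr" ]; then
        # toaddr carries the address only; the port belongs in toport.
        valid_ipv4 "$addr" || { echo "bad target address: $addr" >&2; return 1; }
        spec="$spec:toaddr=$addr"
    fi
    [ -n "$tport$addr" ] || { echo "nothing to forward to" >&2; return 1; }
    printf '%s\n' "$spec"
}

# forward_cmds LOCAL_PORT PROTO TARGET [ZONE]
# Prints the runtime commands; masquerade is only emitted when traffic
# leaves for another host. Persist afterwards with --runtime-to-permanent.
forward_cmds() {
    spec="$(forward_spec "$1" "$2" "$3")" || return 1
    zone="${4:-public}"
    case "$spec" in
        *toaddr=*) echo "firewall-cmd --zone=$zone --add-masquerade" ;;
    esac
    echo "firewall-cmd --zone=$zone --add-forward-port=$spec"
    echo "firewall-cmd --runtime-to-permanent"
}
```

Run forward_cmds 7071 tcp 192.168.8.50:9071 to see the three commands for the last case above; pipe the output into sh only after reading it.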

Removing a port or service

Replace --add with --remove in any of the commands above to remove a specific port, service, rich rule or forward, then reload the firewall for a --permanent removal to take effect.

Conclusion

You have come to the end of this tutorial on how to install and use FirewallD on Ubuntu 22.04.

Read more on the firewalld official website.


Android Developer | Linux | Technical Writer | Backend Developer
