AlmaLinux Firewall Configuration: Complete Security Setup Guide
Ready to protect your server with enterprise-grade firewall security? Today we'll configure firewalld on AlmaLinux, the dynamic, zone-based firewall that is your first line of defense against network threats. Whether you're securing a web server, database server, or desktop system, this guide makes firewall configuration simple and effective!
Why is Firewall Configuration Important?
AlmaLinux firewall configuration delivers critical benefits:
- Essential security layer - Blocks malicious traffic and unauthorized access
- Enterprise-grade protection - Dynamic firewall with zone-based security
- Easy management - User-friendly commands and configuration options
- Advanced features - Rich rules, traffic filtering, and service management
- Perfect integration - Works seamlessly with AlmaLinux and enterprise applications
What You Need
Before configuring AlmaLinux firewall:
- AlmaLinux 9 system (server or desktop)
- Root or sudo access
- Basic understanding of network ports and services
- Knowledge of your server's intended use
- List of services you want to allow/block
Step 1: Understanding firewalld Basics
Let's explore AlmaLinux's firewall system!
Check Firewall Status and Basic Information
# Check if firewalld is installed and running
sudo systemctl status firewalld
# Start firewalld if not running
sudo systemctl start firewalld
# Enable firewalld to start at boot
sudo systemctl enable firewalld
# Get basic firewall information
sudo firewall-cmd --state
# running
# Check default zone
sudo firewall-cmd --get-default-zone
# public
# List all available zones
sudo firewall-cmd --get-zones
# block dmz drop external home internal public trusted work
# Show active zones and interfaces
sudo firewall-cmd --get-active-zones
echo "Firewalld is active and configured!"
Understanding Firewall Zones
# Understanding firewall zones concept
echo "=== AlmaLinux Firewall Zones Explained ==="
# Show zone information
sudo firewall-cmd --list-all-zones | head -30
# Detailed information about public zone
sudo firewall-cmd --zone=public --list-all
# Show what services are allowed in current zone
sudo firewall-cmd --list-services
# Show what ports are open in current zone
sudo firewall-cmd --list-ports
# Show rich rules (advanced rules)
sudo firewall-cmd --list-rich-rules
echo "Firewall zones and rules displayed!"
echo "Zones: trusted > home > work > public > external > dmz > block > drop"
Step 2: Configure Basic Firewall Rules
Set up essential firewall rules for common services:
Allow Common Web Services
# Allow HTTP traffic (port 80)
sudo firewall-cmd --permanent --add-service=http
# Allow HTTPS traffic (port 443)
sudo firewall-cmd --permanent --add-service=https
# Allow SSH traffic (usually already enabled)
sudo firewall-cmd --permanent --add-service=ssh
# Alternative: Allow specific ports directly
# sudo firewall-cmd --permanent --add-port=80/tcp
# sudo firewall-cmd --permanent --add-port=443/tcp
# sudo firewall-cmd --permanent --add-port=22/tcp
# Reload firewall to apply changes
sudo firewall-cmd --reload
# Verify the rules were added
sudo firewall-cmd --list-services
# Check specific service status
sudo firewall-cmd --query-service=http
sudo firewall-cmd --query-service=https
echo "Web services allowed through firewall!"
Configure Database and Mail Services
# Allow database services
echo "=== Configuring Database and Mail Services ==="
# MySQL/MariaDB (if running database server)
sudo firewall-cmd --permanent --add-service=mysql
# Alternative: sudo firewall-cmd --permanent --add-port=3306/tcp
# PostgreSQL
sudo firewall-cmd --permanent --add-service=postgresql
# Alternative: sudo firewall-cmd --permanent --add-port=5432/tcp
# MongoDB
sudo firewall-cmd --permanent --add-port=27017/tcp
# Redis
sudo firewall-cmd --permanent --add-port=6379/tcp
# Mail services
sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --permanent --add-service=smtp-submission
sudo firewall-cmd --permanent --add-service=smtps
sudo firewall-cmd --permanent --add-service=imap
sudo firewall-cmd --permanent --add-service=imaps
sudo firewall-cmd --permanent --add-service=pop3
sudo firewall-cmd --permanent --add-service=pop3s
# FTP services
sudo firewall-cmd --permanent --add-service=ftp
# DNS services (if running DNS server)
sudo firewall-cmd --permanent --add-service=dns
# Reload to apply all changes
sudo firewall-cmd --reload
# Verify database and mail services
sudo firewall-cmd --list-services | grep -E "(mysql|postgresql|smtp|imap)"
echo "Database and mail services configured!"
Step 3: Advanced Firewall Configuration
Set up advanced rules and security policies:
Configure Zone-Based Security
# Advanced zone configuration
echo "=== Advanced Zone-Based Firewall Security ==="
# Create custom zone for web servers
sudo firewall-cmd --permanent --new-zone=webserver
# Set description for custom zone
sudo firewall-cmd --permanent --zone=webserver --set-description="Web Server Zone"
# Configure webserver zone with specific services
sudo firewall-cmd --permanent --zone=webserver --add-service=http
sudo firewall-cmd --permanent --zone=webserver --add-service=https
sudo firewall-cmd --permanent --zone=webserver --add-service=ssh
# Create database zone
sudo firewall-cmd --permanent --new-zone=database
# Configure database zone
sudo firewall-cmd --permanent --zone=database --set-description="Database Server Zone"
sudo firewall-cmd --permanent --zone=database --add-service=mysql
sudo firewall-cmd --permanent --zone=database --add-service=ssh
# Reload to activate new zones
sudo firewall-cmd --reload
# List custom zones
sudo firewall-cmd --get-zones
# Show configuration of custom zones
sudo firewall-cmd --zone=webserver --list-all
sudo firewall-cmd --zone=database --list-all
# Move interface to specific zone (example)
# sudo firewall-cmd --permanent --zone=webserver --change-interface=eth0
# sudo firewall-cmd --reload
echo "Custom security zones created and configured!"
Configure Rich Rules for Advanced Filtering
# Advanced rich rules for specific security needs
echo "=== Advanced Security Rich Rules ==="
# Allow SSH only from specific IP range (replace with your admin network)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
# Block SSH from all other sources (remove default SSH rule first)
sudo firewall-cmd --permanent --remove-service=ssh
# Note: rich rules have no time-of-day match, so "business hours only" cannot be expressed in
# firewalld itself; the commented rule below only rate-limits new HTTP connections
# sudo firewall-cmd --permanent --add-rich-rule='rule service name="http" accept limit value="50/m"'
# Allow MySQL access only from web server IP
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="mysql" accept'
# Block specific IP address completely
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" drop'
# Rate limit new HTTP connections (the limit must follow the action: a limit placed after
# "audit" or "log" only throttles the audit/log entries, not the traffic itself)
sudo firewall-cmd --permanent --add-rich-rule='rule service name="http" accept limit value="25/m"'
# Allow ping but rate limit it
sudo firewall-cmd --permanent --add-rich-rule='rule protocol value="icmp" accept limit value="10/m"'
# Log denied packets for monitoring (runtime and permanent). Do not use a rich rule with
# "drop" and no source, destination or service for this: it matches every packet in the
# zone and blocks all traffic, including SSH.
sudo firewall-cmd --set-log-denied=all
# Reload firewall
sudo firewall-cmd --reload
# Show all rich rules
sudo firewall-cmd --list-rich-rules
echo "Advanced rich rules configured for enhanced security!"
Step 4: Port Management and Service Control
Manage specific ports and create custom service definitions:
Custom Port Configuration
# Custom port management
echo "=== Custom Port Management ==="
# Open custom application ports
sudo firewall-cmd --permanent --add-port=8080/tcp # Alternative HTTP
sudo firewall-cmd --permanent --add-port=8443/tcp # Alternative HTTPS
sudo firewall-cmd --permanent --add-port=3000/tcp # Node.js development
sudo firewall-cmd --permanent --add-port=8000/tcp # Python development
sudo firewall-cmd --permanent --add-port=4000/tcp # Rails development
# Open port ranges for application clusters
sudo firewall-cmd --permanent --add-port=9000-9100/tcp
# UDP ports for specific services
sudo firewall-cmd --permanent --add-port=1194/udp # OpenVPN
sudo firewall-cmd --permanent --add-port=51820/udp # WireGuard
# Remove ports (example)
# sudo firewall-cmd --permanent --remove-port=8080/tcp
# Reload firewall
sudo firewall-cmd --reload
# List all open ports
sudo firewall-cmd --list-ports
# Query specific port status
sudo firewall-cmd --query-port=8080/tcp
echo "Custom ports configured successfully!"
Create Custom Service Definitions
# Create custom service definitions
echo "=== Creating Custom Service Definitions ==="
# Create custom service for Node.js application
sudo tee /etc/firewalld/services/nodejs-app.xml << 'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Node.js Application</short>
<description>Custom Node.js web application running on port 3000</description>
<port protocol="tcp" port="3000"/>
</service>
EOF
# Create custom service for Docker API
sudo tee /etc/firewalld/services/docker-api.xml << 'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Docker API</short>
<description>Docker Remote API access</description>
<port protocol="tcp" port="2376"/>
</service>
EOF
# Create custom service for Minecraft server
sudo tee /etc/firewalld/services/minecraft.xml << 'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Minecraft Server</short>
<description>Minecraft game server</description>
<port protocol="tcp" port="25565"/>
<port protocol="udp" port="25565"/>
</service>
EOF
# Reload firewalld to recognize new services
sudo firewall-cmd --reload
# Add custom services to firewall
sudo firewall-cmd --permanent --add-service=nodejs-app
sudo firewall-cmd --permanent --add-service=minecraft
# Reload to apply
sudo firewall-cmd --reload
# List all available services (including custom ones)
sudo firewall-cmd --get-services | grep -E "(nodejs|docker|minecraft)"
# Verify custom services are active
sudo firewall-cmd --list-services
echo "Custom service definitions created and activated!"
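A generator for service definitions like the three above, added as an example (not the guide's code and not part of firewalld; `FW_SERVICE_DIR` and the function names are assumptions): it validates the service name and each port/protocol spec, escapes the description so it cannot break the XML, and writes the file into the directory firewalld reads custom services from.

```shell
#!/bin/sh
# Write a firewalld custom service definition (hypothetical helper, not part of firewalld).
# Usage: make_fw_service <name> <short> <description> <port/proto> [<port/proto> ...]
#   e.g. make_fw_service nodejs-app "Node.js Application" "App on port 3000" 3000/tcp
# Output goes to $FW_SERVICE_DIR/<name>.xml; the default is the directory firewalld reads.
FW_SERVICE_DIR=${FW_SERVICE_DIR:-/etc/firewalld/services}

# Escape the characters that would break or inject markup in an XML text node
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# Accept "port/proto" or "start-end/proto" with proto tcp, udp or sctp and 1 <= start <= end <= 65535
valid_port_spec() {
    case "$1" in */tcp|*/udp|*/sctp) ;; *) return 1 ;; esac
    range=${1%/*}
    case "$range" in *[!0-9-]*|-*|*-|"") return 1 ;; esac
    lo=${range%%-*}; hi=${range##*-}
    [ "$lo" -ge 1 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

make_fw_service() {
    name=$1; short=$2; desc=$3; shift 3
    # The name becomes a file name and a firewall-cmd argument: keep it to a safe charset
    case "$name" in *[!A-Za-z0-9_-]*|"") echo "invalid service name: '$name'" >&2; return 1 ;; esac
    [ "$#" -ge 1 ] || { echo "at least one port/proto is required" >&2; return 1; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "invalid port spec: '$spec'" >&2; return 1; }
    done
    out="$FW_SERVICE_DIR/$name.xml"
    mkdir -p "$FW_SERVICE_DIR" || return 1
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            # firewalld accepts a single port or a "start-end" range in the port attribute
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out" || return 1
    echo "$out"
}

# Stand-alone use: sh make-fw-service.sh <name> <short> <description> <port/proto>...
# afterwards: sudo firewall-cmd --reload && sudo firewall-cmd --permanent --add-service=<name>
if [ "$#" -ge 4 ]; then
    make_fw_service "$@"
fi
```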
Quick Examples
Example 1: Complete Web Server Firewall Setup
# Complete firewall configuration for web server
echo "=== Web Server Firewall Configuration ==="
# Note: --complete-reload does not remove rules; it rebuilds the rule set AND drops
# connection-tracking state, so established connections (including your SSH session) may break.
# To start from a clean slate, remove the unwanted services, ports and rich rules, then reload.
# sudo firewall-cmd --complete-reload
# Essential web server services
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=ssh
# Database access (only from web server if separate)
sudo firewall-cmd --permanent --add-service=mysql
# Mail services for web applications
sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --permanent --add-service=smtp-submission
# FTP for file uploads
sudo firewall-cmd --permanent --add-service=ftp
# Custom ports for web applications
sudo firewall-cmd --permanent --add-port=8080/tcp # Admin panel
sudo firewall-cmd --permanent --add-port=9000/tcp # API server
# Security: Limit SSH to admin network
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
# Rate limiting for web services
sudo firewall-cmd --permanent --add-rich-rule='rule service name="http" audit limit value="100/m" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule service name="https" audit limit value="100/m" accept'
# Block known bad networks (example)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" drop'
# Enable logging for dropped packets
sudo firewall-cmd --permanent --set-log-denied=all
# Reload firewall
sudo firewall-cmd --reload
# Show final configuration
sudo firewall-cmd --list-all
echo "Web server firewall configuration complete!"
echo "Services: HTTP, HTTPS, MySQL, SSH (restricted), SMTP"
echo "Security: Rate limiting, network restrictions, logging enabled"
Example 2: Database Server Security Setup
# Secure database server firewall configuration
echo "=== Database Server Security Configuration ==="
# Minimal services for database server
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=mysql
sudo firewall-cmd --permanent --add-service=postgresql
# Create dedicated database zone
sudo firewall-cmd --permanent --new-zone=dbserver
sudo firewall-cmd --permanent --zone=dbserver --set-description="Secure Database Server Zone"
# Configure database zone
sudo firewall-cmd --permanent --zone=dbserver --add-service=ssh
sudo firewall-cmd --permanent --zone=dbserver --add-service=mysql
sudo firewall-cmd --permanent --zone=dbserver --add-service=postgresql
# Restrict database access to specific application servers
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="mysql" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.101" service name="mysql" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="postgresql" accept'
# Remove default database services (use rich rules instead)
sudo firewall-cmd --permanent --remove-service=mysql
sudo firewall-cmd --permanent --remove-service=postgresql
# Restrict SSH to admin network only
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
# Add monitoring ports for database monitoring tools
sudo firewall-cmd --permanent --add-port=9104/tcp # MySQL Exporter
sudo firewall-cmd --permanent --add-port=9187/tcp # PostgreSQL Exporter
# Enhanced logging and monitoring
sudo firewall-cmd --permanent --set-log-denied=all
# Log-only rule (no action) scoped to the mysql service: it records new connection attempts, while
# access is still decided by the source-restricted accept rules above. A rule with "accept" and no
# source, destination or service would accept every packet into the zone and undo the restrictions.
sudo firewall-cmd --permanent --add-rich-rule='rule service name="mysql" log prefix="DB-ACCESS: " level="info" limit value="5/m"'
# Reload configuration
sudo firewall-cmd --reload
# Show database server firewall status
sudo firewall-cmd --list-all
sudo firewall-cmd --list-rich-rules
echo "Database server security configuration complete!"
echo "Database access restricted to specific IPs only"
echo "SSH access limited to admin network"
echo "Enhanced logging enabled for security monitoring"
Example 3: Development Environment Firewall
# Development environment with security and convenience
echo "=== Development Environment Firewall ==="
# Essential development services
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=ssh
# Database development access
sudo firewall-cmd --permanent --add-service=mysql
sudo firewall-cmd --permanent --add-service=postgresql
# Development server ports
sudo firewall-cmd --permanent --add-port=3000/tcp # React/Node.js
sudo firewall-cmd --permanent --add-port=3001/tcp # Additional Node.js
sudo firewall-cmd --permanent --add-port=8080/tcp # Java/Spring
sudo firewall-cmd --permanent --add-port=8000/tcp # Python/Django
sudo firewall-cmd --permanent --add-port=4000/tcp # Ruby/Rails
sudo firewall-cmd --permanent --add-port=5000/tcp # Python/Flask
sudo firewall-cmd --permanent --add-port=9000/tcp # PHP/Xdebug
# Docker development
sudo firewall-cmd --permanent --add-port=2375/tcp # Docker API (insecure - dev only)
# Allow broader access for development team
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'
# Git server access
sudo firewall-cmd --permanent --add-service=git
# IDE and debugging ports
sudo firewall-cmd --permanent --add-port=9229/tcp # Node.js debugging
sudo firewall-cmd --permanent --add-port=5005/tcp # Java debugging
# Hot reload and development tools
sudo firewall-cmd --permanent --add-port=35729/tcp # LiveReload
sudo firewall-cmd --permanent --add-port=3030-3050/tcp # Development server range
# Webpack dev server
sudo firewall-cmd --permanent --add-port=8080-8090/tcp
# Reload configuration
sudo firewall-cmd --reload
# Create convenient script to toggle dev/production mode
tee ~/toggle-firewall-mode.sh << 'EOF'
#!/bin/bash
# Toggle between development and production firewall modes
MODE=${1:-status}
case $MODE in
dev)
echo "Enabling development mode firewall..."
sudo firewall-cmd --set-default-zone=trusted
echo "Development mode enabled - all traffic allowed"
;;
prod)
echo "Enabling production mode firewall..."
sudo firewall-cmd --set-default-zone=public
echo "Production mode enabled - restricted access"
;;
status)
echo "Current firewall status:"
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --list-all
;;
*)
echo "Usage: $0 {dev|prod|status}"
echo " dev - Enable development mode (trusted zone)"
echo " prod - Enable production mode (public zone)"
echo " status - Show current firewall status"
;;
esac
EOF
chmod +x ~/toggle-firewall-mode.sh
# Show development environment status
sudo firewall-cmd --list-all
echo "Development environment firewall configured!"
echo "Development ports: 3000, 8080, 8000, 4000, 5000, 9000"
echo "Docker, Git, and debugging support enabled"
echo "Use ~/toggle-firewall-mode.sh to switch modes"
Fix Common Problems
Problem 1: Can't Access Service After Opening Port
Symptoms:
- Port appears open but service not accessible
- Connection timeouts or refused connections
Try this:
# Check if service is actually running
sudo systemctl status service-name
# Verify port is listening
sudo ss -tlnp | grep :port-number
# Check if rules are applied
sudo firewall-cmd --list-ports
sudo firewall-cmd --list-services
# Reload firewall rules
sudo firewall-cmd --reload
# Example SELinux fix: allow the web server process to make outbound network connections
# (-P makes the boolean persistent; confirm in the audit log that SELinux is the cause first)
sudo setsebool -P httpd_can_network_connect 1
# Test from localhost first
curl -I http://localhost:port
# Check the backend rule set directly. firewalld on AlmaLinux 9 uses the nftables backend,
# so "sudo nft list ruleset" shows the live rules; iptables will not show firewalld's nftables rules
sudo iptables -L -n
Problem 2: Firewall Rules Not Persistent
Try this:
# Always use --permanent flag for persistent rules
sudo firewall-cmd --permanent --add-service=http
# Reload after adding permanent rules
sudo firewall-cmd --reload
# Check persistent configuration
sudo firewall-cmd --permanent --list-all
# If rules disappear, check for configuration conflicts
sudo firewall-cmd --check-config
# Save the current runtime rules into the permanent configuration
sudo firewall-cmd --runtime-to-permanent
# Restart firewalld service
sudo systemctl restart firewalld
Problem 3: Locked Out After Firewall Changes
Prevention and recovery:
# ALWAYS test before making permanent
# 1. Test temporary rule first
sudo firewall-cmd --add-service=ssh
# 2. Verify it works, then make permanent
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
# If locked out, access via console/local access
# Emergency: Disable firewall temporarily
sudo systemctl stop firewalld
# Or set default zone to trusted temporarily
sudo firewall-cmd --set-default-zone=trusted
# Always keep a backup
sudo cp -r /etc/firewalld /etc/firewalld.backup
# Panic mode (emergency): drops ALL inbound and outbound packets, including your own SSH
# session, so only use it from the console; --panic-off restores normal operation
sudo firewall-cmd --panic-on
sudo firewall-cmd --panic-off
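The "test first, then make permanent" advice above as a commit-confirm script, added as an example (not the guide's code and not a firewalld feature; `FWCMD`, `ROLLBACK_PID_FILE` and the function names are assumptions): changes are applied without `--permanent`, a background timer reverts them with `--reload` unless you confirm from a session that still works, and confirming commits them with `--runtime-to-permanent`.

```shell
#!/bin/sh
# Commit-confirm for firewalld changes (hypothetical helper, not part of firewalld).
# 1. arm_rollback N      start a timer that runs 'firewall-cmd --reload' after N seconds,
#                         which discards every runtime-only change
# 2. apply_runtime ...   apply changes WITHOUT --permanent (runtime only)
# 3. confirm_change      from a session that still works: cancel the timer and commit
#                         the runtime state with --runtime-to-permanent
# If you are locked out, step 3 never happens and the timer restores the last permanent config.
FWCMD=${FWCMD:-"sudo firewall-cmd"}               # overridable so a test can inject a stub
ROLLBACK_PID_FILE=${ROLLBACK_PID_FILE:-${TMPDIR:-/tmp}/fw-rollback.pid}

arm_rollback() {
    secs=${1:-60}
    if [ -f "$ROLLBACK_PID_FILE" ]; then
        echo "a rollback timer is already armed (run confirm_change first)" >&2
        return 1
    fi
    # Background subshell; its stdio is detached so it cannot hold a terminal or pipe open
    ( sleep "$secs"; $FWCMD --reload; rm -f "$ROLLBACK_PID_FILE" ) >/dev/null 2>&1 &
    echo $! > "$ROLLBACK_PID_FILE"
    echo "rollback armed: runtime changes revert in ${secs}s unless confirmed"
}

apply_runtime() {
    # Refuse --permanent here: the whole point is that the change stays revertable
    for arg in "$@"; do
        [ "$arg" != "--permanent" ] || { echo "apply_runtime: drop --permanent" >&2; return 1; }
    done
    $FWCMD "$@"
}

confirm_change() {
    if [ -f "$ROLLBACK_PID_FILE" ]; then
        kill "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null || true   # already fired: nothing to cancel
        rm -f "$ROLLBACK_PID_FILE"
    fi
    $FWCMD --runtime-to-permanent && echo "runtime changes committed to the permanent configuration"
}

# Command-line use, e.g. from an SSH session on the admin network:
#   sh fw-confirm.sh arm 120
#   sh fw-confirm.sh apply --zone=public --remove-service=ssh
#   sh fw-confirm.sh apply --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
#   (open a NEW ssh session; if it works:)  sh fw-confirm.sh confirm
case "${1:-}" in
    arm)     arm_rollback "${2:-60}" ;;
    apply)   shift; apply_runtime "$@" ;;
    confirm) confirm_change ;;
esac
```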
Simple Commands Summary
| Task | Command |
|---|---|
| Check firewall status | sudo firewall-cmd --state |
| List active rules | sudo firewall-cmd --list-all |
| Add service permanently | sudo firewall-cmd --permanent --add-service=http |
| Add port permanently | sudo firewall-cmd --permanent --add-port=8080/tcp |
| Reload firewall | sudo firewall-cmd --reload |
| List all zones | sudo firewall-cmd --get-zones |
| Check open ports | sudo firewall-cmd --list-ports |
Tips for Success
- Always use the --permanent flag - Temporary rules disappear on reboot
- Test before making permanent - Avoid locking yourself out
- Use zones effectively - Organize rules by network trust levels
- Monitor firewall logs - Enable logging to track blocked traffic
- Document your rules - Keep notes on why each rule exists
What You Learned
Congratulations! Now you can:
- Configure firewalld with zones, rules, and advanced policies
- Set up service-based and port-based firewall rules
- Create custom zones and service definitions
- Implement rich rules for advanced security filtering
- Troubleshoot common firewall configuration issues
Why This Matters
Your AlmaLinux firewall configuration provides:
- Essential security layer protecting against network-based attacks
- Granular control over network traffic and service access
- Enterprise-grade protection with dynamic rule management
- Flexible policies adapting to different network environments and trust levels
Remember: A properly configured firewall is your first and most important line of defense against cyber threats. With firewalld on AlmaLinux, you have enterprise-grade security that's both powerful and manageable!
You've successfully mastered AlmaLinux firewall configuration! Your server now has robust network security protection with dynamic rules and zone-based policies!