Bobcares
Client Area
Emergency Support
Latest | Linode

Setup Guide of Linode Firewalld

by | Nov 11, 2024

To know more about the use of Firewalld on Linode, read our latest blog. Bobcares, as a part of our Linode Managed Services offers solutions to every query that comes our way.

Overview
  1. Firewalld on Linode
  2. Why Firewalld?
  3. Installation of Firewalld on Linode
  4. Configuration of Firewalld on Linode
  5. Advanced Firewalld Features
  6. Using Firewalld with Linode Cloud Firewall
  7. Best Practices
  8. Security Practices
  9. Troubleshooting Common Issues
  10. Conclusion

Firewalld on Linode

Firewalld is a powerful, user-friendly tool that makes managing firewall rules on Linux servers easy and effective. It’s commonly found on RHEL-based distributions (such as CentOS, AlmaLinux, and Rocky Linux), CentOS Stream, Fedora, and openSUSE Leap.

Why Firewalld?

Firewalld is a frontend tool for nftables (or iptables in older setups), providing dynamic, simplified firewall management. Here’s why it’s great for managing firewalls on Linode servers:

  • Ease of Use: Simplifies firewall setup compared to manually configuring iptables.
  • Enhanced Security: Controls network traffic, adding a layer of protection to the server.

linode firewalld

  • Flexibility: Makes real-time rule updates without disrupting active connections.
  • Seamless Integration: Works well with Linode, complementing its security features.

Installation of Firewalld on Linode

Prerequisites

  • A Linode VPS running CentOS, Fedora, or RHEL.
  • Root or sudo access.

Installation Steps

1. Update Packages

sudo yum update -y # For CentOS/RHEL
sudo dnf update -y # For Fedora

2. Install Firewalld

sudo yum install firewalld -y # For CentOS/RHEL
sudo dnf install firewalld -y # For Fedora

3. Start and Enable Firewalld

sudo systemctl start firewalld
sudo systemctl enable firewalld

4. Verify Status

sudo systemctl status firewalld

Configuration of Firewalld on Linode

1. Understanding Zones

Firewalld organizes network connections into “zones,” each with preset security levels:

Drop: Blocks all incoming connections without notification.

Public: For use in public, untrusted networks.

Home/Work: Trusted networks like home or workplace.

DMZ: For isolated servers in a Demilitarized Zone.

Trusted: Allows all network connections.

2. Common Commands

i. List Zones

sudo firewall-cmd --get-zones

ii. Set Default Zone

sudo firewall-cmd --set-default-zone=public

iii. View Active Zone

sudo firewall-cmd --get-active-zones

3. Managing Services and Ports

i. Allow HTTP and HTTPS Traffic

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --reload

ii. Open a Custom Port (e.g., 8080)

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

iii. Remove a Service (e.g., SSH – use with caution)

sudo firewall-cmd --zone=public --remove-service=ssh --permanent
sudo firewall-cmd --reload

Advanced Firewalld Features

Rich Rules: Rich rules offer advanced control for fine-tuning security:

Example: Allow SSH access only from a specific IP:

sudo firewall-cmd --permanent --add-rich-rule='
rule family="ipv4"
source address="203.0.113.4"
service name="ssh" accept'
sudo firewall-cmd --reload

Masquerading (NAT)

Enable masquerading to allow the server to function as a router (useful for NAT setups):

sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --reload

Using Firewalld with Linode Cloud Firewall

Linode Cloud Firewall offers an added security layer at the network level, filtering unwanted traffic before it reaches the server. Here’s how using both firewalls together can improve security:

  • Defense in Depth: Multiple firewalls add protection layers, making unauthorized access more challenging.
  • Improved Performance: Linode Cloud Firewall blocks traffic before it reaches the server, saving resources.
  • Enhanced Flexibility: Firewalld handles real-time changes, while Cloud Firewall manages broad, static rules.

Best Practices

  • Consistency: Ensure both firewalls allow essential ports/services.
  • Rule Order: Cloud Firewall rules apply first, followed by firewalld rules.
  • Testing: Test connections after configuring to confirm access for legitimate traffic.

Security Practices

  • Use the Least Privilege Principle: Open only the necessary ports/services.
  • Stay Updated: Regularly update firewalld and system packages.
  • Monitor Traffic: Review logs and monitor traffic for any unusual activity.
  • Backup Configuration: Save firewall settings to restore them if needed.

Troubleshooting Common Issues

1. If we can’t connect to a service, we’ve to check firewalld Rules: Verify if the service or port is open:

sudo firewall-cmd --zone=public --list-all

Confirm the Linode Cloud Firewall allows the service.

2. If firewalld Not Starting, then, check Status:

sudo systemctl status firewalld

View Logs:

sudo journalctl -xe

By following this guide, we’ll have a secure, flexible firewall setup on Linode, combining firewalld’s easy management with Linode’s Cloud Firewall for comprehensive protection and smooth performance!

[Searching solution for a different question? We’re happy to help.]

Conclusion

By following this guide, we’ll have a secure, flexible firewall setup on Linode, combining firewalld’s easy management with Linode’s Cloud Firewall for comprehensive protection and smooth performance.

Related posts:

  1. cPanel Linode DNS Synchronization: Easy set up Guide
  2. Linode Error Creating Image: Easy solve
  3. Generate SSH Key Linode: How to?
  4. Linode Deployment with StackScript Automation

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

Related Articles

  1. cPanel Linode DNS Synchronization: Easy set up Guide
  2. Linode Error Creating Image: Easy solve
  3. Generate SSH Key Linode: How to?
  4. Linode Deployment with StackScript Automation

Never again lose customers to poor
server speed! Let us help you.

GET STARTED

Privacy Preference Center

Consent Management

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience.

Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Privacy Policy

Required
By using this site, you agree to our Privacy Policy.

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

Cookies Used

Required
PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]

livechat.bobcares.com

Opt Out
PHPSESSID

my.bobcares.com

Opt Out
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

Cookies Used

_ga, _gat, _gid

google.com

Opt Out
_ga, _gat, _gid

manager.smartlook.com

Opt Out
smartlookCookie

clarity.microsoft.com

Opt Out
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

Cookies Used

IDE, test_cookie, 1P_JAR, NID, DV, NID

doubleclick.net

Opt Out
IDE, test_cookie

google.co.in

Opt Out
1P_JAR, NID, DV

google.com

Opt Out
NID

olark.com

Opt Out
hblid

rb2b.com

Opt Out
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

Cookies Used

SID, APISID, HSID, NID, PREF

google.com

Opt Out
SID, APISID, HSID, NID, PREF