Firewalld is the default firewall program that comes pre-installed on Red Hat Enterprise Linux and its derivative Linux distributions, such as AlmaLinux.

By default, the firewall is turned on, meaning that a very limited number of services are able to receive incoming traffic. This is a nice security feature, but it means that the user must be knowledgeable enough to configure the firewall whenever they install a new service on the system, like HTTPD or SSH for example. Otherwise, connections from the internet can't reach these services.

Also, Linux users may want to know the following:

• How to allow a port or service through the firewall on AlmaLinux.
• How to reload the firewall for changes to take effect.
• How to check what ports and services are open in the firewall.
• How to close a port after having it configured as open.
• Command examples for allowing the most common ports through firewall.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related firewall queries.

In this context, we shall look into how to enable the firewall on AlmaLinux for our customers.

How to enable Firewall On AlmaLinux?

By default, the firewall is turn on, meaning that a very limited number of services are able to receive incoming traffic.

Here, you will learn how to disable or enable the firewall in AlmaLinux, along with checking the status of the firewall.

These are good troubleshooting options when trying to determine if a firewall rule is blocking traffic to or from a particular service.

firewalld is simply a front end for the system’s nftables (formerly iptables) firewall.

This makes the firewall easier to interact with.

But essentially firewalld just translates all our commands into corresponding nft commands.

Before proceeding with this task, ensure that you are using a Linux user with Privileged access as root or via the sudo command.

How to Check the status of firewall on AlmaLinux ?

We can interact with the firewalld service through systemd.

To see whether firewalld is currently running, execute the following systemctl command in a terminal:

$ systemctl status firewalld

This will show whether firewalld is currently running and it is set to enabled.

If it is enabled, then it will start automatically whenever the system boots up.

To see what services firewalld has configured, try the following command:

$ sudo firewall-cmd –list-all

public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

We can see that firewalld currently has rules configured for cockpit, DHCP and SSH.

How to Stop or start firewall on AlmaLinux ?

Use the following systemd commands to stop or start the firewalld service.

To stop the firewall:

$ sudo systemctl stop firewalld

We can confirm that the firewall is off by checking its status once again.

Since firewalld is currently enabled (set to start automatically at boot), the service will stay disabled until we manually start it again or reboot the system.

To start the firewall again, execute the following command:

$ sudo systemctl start firewalld

If all we need to do is restart the process, we can do that as well:

$ sudo systemctl restart firewalld

How to permanently enable or disable firewall on AlmaLinux ?

By default, firewalld starts automatically when our system loads in. To change this behavior, we can issue the systemctl disable command. This, combined with the systemctl stop command, will permanently disable firewalld:

$ sudo systemctl disable firewalld

You can re-enable firewalld at any time by executing the following command:

$ sudo systemctl enable firewalld

How to Allow a port through firewall on AlmaLinux ?

Follow the steps given below, to allow ports or services through firewalld on AlmaLinux.

1. When checking for open firewall ports on RHEL 8/CentOS 8 Linux, it is important to know that firewall ports we can open in two main different ways.

Firstly, the firewall port can be opened as part of a pre-configured service. For instance, open the port for HTTP to the public zone:

# firewall-cmd –zone=public –add-service=http –permanent

Of course, adding the HTTP service to firewalld is the equivalent of opening port 80.

2. Secondly, the ports can be open directly as custom user predefined ports. For instance, open port 8080:

# firewall-cmd –zone=public –add-port 8080/tcp –permanent

Since 8080 does not have an associated service, it is necessary for us to specify the port number rather than a service name if we want to open this port.

3. To check which service ports are open, execute the following command:

# firewall-cmd –zone=public –list-services
cockpit dhcpv6-client http https ssh

The above services (cockpit, DHCP, HTTP, HTTPS, and SSH) have their relevant port numbers open.

4. To check which port numbers are open, use this command:

# firewall-cmd –zone=public –list-ports
20/tcp 8080/tcp

The above ports, 20 and 8080, are open to incoming traffic.

5. After we have allowed our ports and services through the firewall, we have to reload firewalld for the changes to take effect. All rules with the –permanent option will now become part of the runtime configuration. Rules without this option will be discarded:

# firewall-cmd –reload

6. We can also see a list of all open services and ports by using the –list-all option:

# firewall-cmd –list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client http ssh
ports: 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

7. Firewalld works with zones. Depending on which zone our network interface(s) is using.

We may need to add our allowed port to that particular zone.

The first step above shows how to add a rule to the "public" zone.

To see the rules for that zone specifically, continue using the –zone= syntax :

# firewall-cmd –list-all –zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client http ssh
ports: 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

8. In case we need to close one of the previously configured open ports, we can use the following command syntax.

In this example, we close the port for HTTPS:

# firewall-cmd –zone=public –permanent –remove-service=https

[Facing file permission or firewall issues on any Linux Distribution? We'd be happy to help you. ]