Configure firewalld to Allow Web Traffic in Linux


Introduction

In this lab, you will learn the essential steps to configure firewalld on a Linux system to allow web traffic through hands-on practice with real servers. You will use the firewall-cmd command-line utility to manage firewall zones and services, a fundamental skill for any system administrator responsible for securing servers. The primary goal is to open the standard ports for HTTP and HTTPS, making a web server accessible from the outside while maintaining a secure default posture.

You will start by checking the status of the firewalld service, ensuring it is installed, running, and enabled to launch at boot. You will then proceed to set the default firewall zone to public, and experience the practical impact of firewall rules by running a simple Python web server. Through adding and removing firewall rules for the http and https services, you will witness firsthand how these configurations affect actual network connectivity. The lab concludes by showing you how to verify your configurations and explore other available firewall-cmd options for further learning.

This is a Guided Lab, which provides step-by-step instructions to help you learn and practice. Follow the instructions carefully to complete each step and gain hands-on experience. Historical data shows that this is a beginner level lab with a 90% completion rate. It has received a 92% positive review rate from learners.

Check the Status and Default Zone of firewalld

In this step, you will begin working with firewalld, a powerful and flexible firewall management tool for Linux. Before making any configuration changes, it's essential to check if the service is installed and running, and to identify its current default settings. This ensures you have a clear baseline to work from.

First, let's ensure firewalld is installed on your system. While it may already be present, running the installation command is a safe way to confirm. Open your terminal and execute the following commands to update your package list and install firewalld:

sudo apt-get update && sudo apt-get install -y firewalld

Once the installation is complete, firewalld should be active by default. To verify this, check the status of the firewalld service using the systemctl command, which is used for managing services in modern Linux distributions.

Run this command to see if firewalld is active:

sudo systemctl status firewalld

The output should show active (running), indicating the firewall is operational.

With the service running, you can now inspect its configuration. firewalld uses "zones" to manage trust levels for network connections. A zone is a predefined set of rules. Let's find out which zone is currently set as the default.

Use the firewall-cmd utility, the primary command-line interface for firewalld, to get the default zone:

sudo firewall-cmd --get-default-zone

The command will likely return public, which is the default zone for new installations.

public

You have now successfully checked the status of firewalld and identified its default zone. In the next steps, you will learn how to modify this configuration.

Set the Default Zone to public

In this step, you will learn how to set the default zone for firewalld. The default zone is applied to any network interface that is not explicitly assigned to another zone. While the default zone is often public on a new installation, knowing how to set it is a fundamental skill for managing your firewall. The public zone is intended for public, untrusted networks, where you cannot assume that the other hosts on the network are harmless.

To change the default zone, you will use the firewall-cmd command with the --set-default-zone option. This change is persistent and will be applied immediately.

In your terminal, execute the following command to set the default zone to public:

sudo firewall-cmd --set-default-zone=public

After running the command, firewalld will confirm that the change was successful.

success

It's always a good practice to verify that your changes have been applied correctly. You can do this by running the --get-default-zone command again, just as you did in the previous step.

sudo firewall-cmd --get-default-zone

The output should confirm that the default zone is now public.

public

You have now successfully set and verified the default zone for your firewall. This ensures a baseline security posture for any network connections. In the following steps, you will add rules to this zone to allow specific types of traffic.

Add the http Service to the public Zone and Test with a Web Server

In this step, you will add a rule to your firewall to allow web traffic and then demonstrate the practical impact by running a simple web server. By default, firewalld blocks most incoming traffic to protect your system. To allow specific connections, you must add rules for the services you want to expose. firewalld uses predefined "services" which are easy-to-remember names for standard network ports. For example, the http service corresponds to TCP port 80, the standard port for unencrypted web traffic.

First, let's check the current firewall status for the public zone before making changes:

sudo firewall-cmd --zone=public --list-services

You'll notice that http is not in the list initially, which means external connections to port 80 are blocked.

Now, let's add the http service to the public zone. You will use the firewall-cmd command with the --add-service option, specifying the zone you want to modify:

sudo firewall-cmd --zone=public --add-service=http

This command tells firewalld to modify the public zone by adding the http service rule. The change is applied to the runtime configuration, meaning it takes effect immediately. You should see a confirmation message:

success

Let's verify the service was added by checking the services list again:

sudo firewall-cmd --zone=public --list-services

You should now see http in the list of allowed services.

To demonstrate the practical impact, let's start a simple web server. We'll use Python's built-in HTTP server on port 80:

cd /tmp
echo "<h1>Welcome to LabEx Firewall Demo</h1><p>This server is running on port 80</p>" > index.html
sudo python3 -m http.server 80

Note that we need sudo because port 80 is a privileged port (below 1024). Keep this server running in a separate terminal.

Now, from another terminal, test the connection:

curl http://localhost

The request succeeds, and the http service is now allowed through the firewall. Be aware that this local test is not conclusive on its own: connections to localhost travel over the loopback interface, which is generally not filtered by the zone's rules, so curl would succeed here with or without the http service. The point of the rule is that connections to port 80 arriving on an external interface are now permitted by the firewall.

To further illustrate the firewall's management capabilities, let's temporarily remove the HTTP service:

sudo firewall-cmd --zone=public --remove-service=http

Check the services list to confirm it's removed:

sudo firewall-cmd --zone=public --list-services

You should notice that http is no longer in the list. Now add the service back:

sudo firewall-cmd --zone=public --add-service=http

Verify it's added again:

sudo firewall-cmd --zone=public --list-services

You have now successfully learned how to manage the HTTP service in the firewall and demonstrated the configuration changes. The key concept is that without the http service rule, external connections to port 80 would be blocked by the firewall, even if a web server is running. You can stop the web server with Ctrl+C when you're done with the demonstration.

Add the https Service to the public Zone and Test HTTPS Configuration

In this step, you will continue configuring your firewall by adding the https service. While http allows for standard web traffic, modern web communication relies on https (HTTP Secure) for encryption and security. The https service corresponds to TCP port 443 and is essential for any server that handles sensitive information.

Before adding the HTTPS service, let's first check what happens when we try to test HTTPS connectivity without the firewall rule. Run the following command to check the current firewall services:

sudo firewall-cmd --zone=public --list-services

You should see http in the list, but not https.

Now, let's add the https service to the public zone. You will use the firewall-cmd --add-service command to allow https traffic through the public zone. This ensures that your server can accept secure connections from external users.

In your terminal, run the following command to add the https service:

sudo firewall-cmd --zone=public --add-service=https

This command modifies the runtime configuration of the public zone to include a rule for the https service. firewalld will confirm the successful addition of the rule.

success

Now let's verify that the HTTPS service has been added by checking the services list again:

sudo firewall-cmd --zone=public --list-services

You should now see both http and https in the output, confirming that your firewall is configured to allow both types of web traffic.

To see the difference between rules expressed as services and rules expressed as raw ports, compare the two listing commands:

sudo firewall-cmd --zone=public --list-ports
sudo firewall-cmd --zone=public --list-services

The --list-ports command shows only ports that were opened directly by number, so it prints nothing here; the --list-services command shows the rules by service name. Behind those names, the http service corresponds to port 80 and the https service to port 443.

You have now configured your firewall to allow both standard (http) and secure (https) web traffic. This is a common and necessary setup for hosting websites that handle any sensitive information or require secure connections.

Verify Web Services are Added to the public Zone

In this step, you will confirm that the http and https services were successfully added to the public zone. After making configuration changes, it is a critical best practice to verify that they have been applied as expected. This ensures your firewall is in the desired state and helps with troubleshooting.

To see the list of all services currently allowed in a zone, you can use the firewall-cmd command with the --list-services option. Since you added the services to the public zone, you must specify it in the command.

Execute the following command in your terminal to list the active services for the public zone:

sudo firewall-cmd --list-services --zone=public

The output will display a list of service names. You should see http and https in this list, along with other services that might be enabled by default, such as dhcpv6-client and ssh.

dhcpv6-client ssh http https

Seeing http and https in the output confirms that you have successfully configured the firewall to allow incoming web traffic. Your system is now ready to serve web content on both standard and secure ports.
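The steps above (set the default zone, add http and https to the public zone, list the services to verify) are typed one command at a time. The script below, added as an example and not part of the original lab, wraps the same firewall-cmd calls in a helper that can be run repeatedly without side effects. It assumes a hypothetical FIREWALL_CMD variable (so the real binary can be swapped for a stub when testing) and a ZONE variable defaulting to public; both are this example's conventions, not firewalld's. It goes one step beyond the lab by copying the verified runtime rules to the permanent configuration, which the lab's runtime-only --add-service commands do not do.

```shell
#!/bin/sh
# Added example: idempotent "ensure web services are allowed" helper for a
# firewalld zone. FIREWALL_CMD and ZONE are assumptions of this script.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# Return 0 if firewalld reports that it is running, 1 otherwise.
firewalld_running() {
    [ "$($FIREWALL_CMD --state 2>/dev/null)" = "running" ]
}

# Return 0 if service $2 appears in the space-separated list $1, which is
# the output format of `firewall-cmd --list-services`. Padding with spaces
# keeps "http" from matching inside "https".
has_service() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Add service $1 to the zone's runtime rules only if it is not already there,
# so repeated runs do not re-add it.
ensure_service() {
    svc="$1"
    current="$($FIREWALL_CMD --zone="$ZONE" --list-services)"
    if has_service "$current" "$svc"; then
        echo "$svc already allowed in $ZONE"
        return 0
    fi
    $FIREWALL_CMD --zone="$ZONE" --add-service="$svc" >/dev/null || return 1
    echo "added $svc to $ZONE"
}

# Verify that every named service is listed for the zone; report the missing
# ones on stderr and return 1 if any are absent.
verify_services() {
    current="$($FIREWALL_CMD --zone="$ZONE" --list-services)"
    missing=""
    for svc in "$@"; do
        has_service "$current" "$svc" || missing="$missing $svc"
    done
    if [ -n "$missing" ]; then
        echo "missing from $ZONE:$missing" >&2
        return 1
    fi
    return 0
}

# Runtime rules are lost on `firewall-cmd --reload` or a reboot; copy them to
# the permanent configuration once they have been verified.
persist_runtime() {
    $FIREWALL_CMD --runtime-to-permanent >/dev/null
}

# Full procedure: check the daemon, set the default zone, allow http and
# https, verify the listing, then make the rules permanent.
main() {
    firewalld_running || { echo "firewalld is not running" >&2; return 1; }
    $FIREWALL_CMD --set-default-zone="$ZONE" >/dev/null
    for svc in http https; do
        ensure_service "$svc" || return 1
    done
    verify_services http https && persist_runtime
}

# Usage: sudo sh ensure_web.sh apply   (functions only when sourced otherwise)
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as `sudo sh ensure_web.sh apply`; a second run reports both services as already allowed and makes no further changes. The persist step is deliberately last so that a failed verification never gets written into the permanent configuration.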

Explore Available Commands with firewall-cmd --help

In this final step, you will learn how to explore the capabilities of firewall-cmd on your own. Command-line tools often have many options and features, and knowing how to access their built-in documentation is a crucial skill for any Linux user. The --help option is a universal way to get a quick overview of a command's syntax and available options.

To see all the available commands and options for firewall-cmd, run the following in your terminal. Note that this command does not require sudo as it only displays information.

firewall-cmd --help

This command will print a long list of options to your terminal. You can scroll up to see all of it. The output will start something like this:

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help            Prints a short help text and exists
  -V, --version         Print the version string of firewalld
  -q, --quiet           Do not print status messages

Status Options
  --state               Get state of firewalld
  --reload              Reload firewall rules and keep state information
  --complete-reload     Reload firewall rules and lose state information
  --runtime-to-permanent
                        Save runtime configuration to permanent
...

Take a moment to look through the output. You will see sections for "Zone Options", "Service Options", "Port Options", and many more. This is an excellent resource for discovering new features or reminding yourself of the syntax for a command you don't use often. For example, you can see the --remove-service option, which is the counterpart to the --add-service command you used earlier.

Congratulations! You have completed this lab and learned the basic operations of firewalld. You can now check its status, manage zones, and add services to allow specific traffic.

Summary

In this lab, you learned the fundamental steps to manage and configure firewalld on a Linux system with practical demonstrations of its impact. You started by ensuring the firewalld service was installed, then used systemctl commands to start, enable, and check its status. You also identified the active default zone and learned how to change it to public using firewall-cmd, establishing a clear baseline for firewall rules.

The key highlight of this lab was the hands-on demonstration of firewall effects using a real web server. You set up a simple Python HTTP server and experienced firsthand how firewall rules control network access. By adding and removing the http service from the public zone, you witnessed the immediate impact on web connectivity, making the abstract concept of firewall rules tangible and practical.

Building on this foundation, you configured the firewall to permit both standard and secure web traffic by adding the http and https services to the public zone. You learned to verify your changes using various firewall-cmd options and explored the relationship between service names and their corresponding port numbers. Finally, you discovered how to access the comprehensive help documentation for firewall-cmd, empowering you to explore advanced features independently.