Document Type


Publication Date


Publication Source

Linux Journal

Issue Number


First Page


Last Page



Belltown Media, Inc.




Stories of compromised servers and data theft fill today's news. It isn't difficult for someone who has read an informative blog post to access a system via a misconfigured service, take advantage of a recently exposed vulnerability, or gain control using a stolen password. Any of the many internet services found on a typical Linux server could harbor a vulnerability that grants unauthorized access to the system.

Since it's an impossible task to harden a system at the application level against every possible threat, firewalls provide security by limiting access to a system. Firewalls filter incoming packets based on their IP of origin, their destination port, and their protocol. This way, only a few IP/port/protocol combinations interact with the system, and the rest do not.

Linux firewalls are handled by netfilter, which is a kernel level framework. For over a decade, iptables has provided the userland abstraction layer for netfilter. Iptables subjects packets to a gauntlet of rules where, if the IP/port/protocol combination of the rule matches the packet, the rule is applied causing the packet to be accepted, rejected, or dropped.

Firewalld is a newer userland abstraction layer for netfilter. Unfortunately, its power and flexibility are underappreciated due to a lack of documentation describing multi-zoned configurations. This article provides examples to remedy this situation.


firewalls, firewall, Linux, netfilter, firewalld