Oracle Linux Basic Administration Series - Part 12 - How to Configure the Firewall Using firewalld in Oracle Linux
- Jason Beattie
- 19 hours ago
A firewall protects your Oracle Linux server from unauthorized access.
firewalld is a flexible firewall tool built on iptables/nftables.
It uses zones and services to define different trust levels.
In this blog, you’ll learn to:
• Check and start firewalld
• Allow or block services and ports
• Manage interfaces and rules
• Verify your configuration
Step 1: Check and Start firewalld
Check if active:
sudo systemctl status firewalld
If not installed:
sudo dnf install -y firewalld
Enable and start:
sudo systemctl enable --now firewalld
Step 2: Zones Overview
Zones represent different levels of trust.
Common zones:
public – default, for most servers
home – for trusted networks
dmz – for publicly accessible servers
block/drop – blocks everything unless allowed
List zones and default:
sudo firewall-cmd --get-zones
sudo firewall-cmd --get-default-zone
Step 3: View Current Rules
sudo firewall-cmd --list-all
Step 4: Manage Services
Allow HTTP service:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
Remove a service:
sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --reload
Step 5: Manage Ports
Open port 8080:
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
Remove the port:
sudo firewall-cmd --permanent --remove-port=8080/tcp
sudo firewall-cmd --reload
Step 6: Assign Interfaces to Zones
List interfaces:
nmcli device status
Assign interface to zone:
sudo firewall-cmd --zone=public --change-interface=enp0s6 --permanent
sudo firewall-cmd --reload
Step 7: Masquerading and Port Forwarding
Enable NAT masquerading:
sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --reload
Forward port 8080 to 80:
sudo firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toport=80 --permanent
sudo firewall-cmd --reload
Step 8: Rich Rules
Allow SSH from a single IP:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'
sudo firewall-cmd --reload
Block a specific IP:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.10.5" reject'
sudo firewall-cmd --reload
Step 9: Verify and Test
Check configuration:
sudo firewall-cmd --list-all
List ports:
sudo firewall-cmd --list-ports
Check open ports locally:
sudo ss -tuln
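One way to automate the Step 9 check, as an added example that is not part of the original post: the function below reads `firewall-cmd --list-all` output, reports services and ports outside an allow-list, and flags the Step 8 case where a source-restricted rich rule does not restrict anything because the zone already allows that service from any address. The allow-list values, the function names and the sample output are assumptions constructed for illustration.

```shell
# Added example: audit `firewall-cmd --list-all` text against an allow-list.
# ALLOWED_SERVICES / ALLOWED_PORTS are assumed policy values, not from the post.
ALLOWED_SERVICES="ssh http"
ALLOWED_PORTS="8080/tcp"

# Constructed sample of `firewall-cmd --list-all` output (not captured from a real host).
sample_list_all() {
cat <<'EOF'
public (active)
  interfaces: enp0s6
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp 9090/tcp
  masquerade: yes
  forward-ports:
    port=8080:proto=tcp:toport=80:toaddr=
  rich rules:
    rule family="ipv4" source address="192.168.1.10" service name="ssh" accept
    rule family="ipv4" source address="10.10.10.5" reject
EOF
}

# Print the values of one "key: v1 v2" line read from stdin.
field() { sed -n "s/^ *$1: *//p"; }

# Print every word of $1 that is missing from allow-list $2, prefixed with label $3.
not_allowed() {
  for item in $1; do
    case " $2 " in *" $item "*) ;; *) echo "$3 $item" ;; esac
  done
}

# Read --list-all text on stdin and print one finding per line.
audit_zone() {
  out=$(cat)
  services=$(printf '%s\n' "$out" | field services)
  ports=$(printf '%s\n' "$out" | field ports)
  not_allowed "$services" "$ALLOWED_SERVICES" "unexpected-service"
  not_allowed "$ports" "$ALLOWED_PORTS" "unexpected-port"
  # A per-source rich-rule accept restricts nothing if the zone already allows the service.
  printf '%s\n' "$out" | sed -n 's/.*source address=.*service name="\([^"]*\)" accept.*/\1/p' |
  while read -r svc; do
    case " $services " in *" $svc "*) echo "unrestricted-service $svc" ;; esac
  done
  [ "$(printf '%s\n' "$out" | field masquerade)" = "yes" ] && echo "masquerade-enabled"
  return 0
}

# On a live host: sudo firewall-cmd --list-all | audit_zone
sample_list_all | audit_zone
```

An `unrestricted-service ssh` finding means the Step 8 rule only takes effect as a restriction after the zone-wide entry is removed with `--remove-service=ssh`; confirm the allowed address can still connect before reloading.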
Step 10: Disable or Stop firewalld (not recommended)
Stop temporarily:
sudo systemctl stop firewalld
Disable permanently:
sudo systemctl disable firewalld
Note: Do not leave production servers without an active firewall.
Conclusion
You now know how to secure Oracle Linux with firewalld. You can control which services and ports are accessible and define rules per network zone.
Next topic: setting up SELinux for additional security.


