Related topic: [How To] Basic System Security
firewalld - Advanced firewall
Installation commands assume your system is fully up-to-date, that is, you have run sudo pacman -Syu before installing any new packages.
firewalld is a dynamic firewall daemon with a console interface (firewall-cmd); on current versions it uses nftables as its backend - more info at firewalld - ArchWiki
Depending on your use case you may want to ensure that only the services you intend to expose are reachable from the network, by implementing a firewall.
installation
sudo pacman -S firewalld
Optionally install GUI tools
| purpose | toolkit | install command |
|---|---|---|
| GUI configuration | GTK | sudo pacman -S firewall-config |
| System tray applet | GTK | sudo pacman -S firewall-applet |
| System Settings module | Plasma | sudo pacman -S plasma-firewall |
Then enable and start the service
sudo systemctl enable --now firewalld
configuration headlines
firewalld uses the term service for what other tools call an application: a service is merely a definition of which ports and protocols should be allowed, e.g. http, ssh or smtp (sudo firewall-cmd --get-services lists the predefined ones).
When you configure the firewall you use zones to define where you are (how much you trust the network you are connected to) and services to define what you allow.
When firewalld is enabled and started the default zone is public. In that zone the computer still answers ping, and no port is open except what the zone definition allows; the upstream public zone ships with the ssh and dhcpv6-client services enabled, so check what you actually expose with sudo firewall-cmd --list-all. Keep in mind that an interface only gets the rules of a zone if it is assigned to it; unassigned interfaces fall into the default zone. sudo firewall-cmd --get-active-zones shows the current assignment, and sudo firewall-cmd --permanent --zone=home --change-interface=<interface> (or the zone setting of the NetworkManager connection) moves one; <interface> stands for your interface name.
Adding a specific service (application) is done using the command line but if you install the package firewall-config you get a nice GUI.
A systray application is available if you install the package firewall-applet.
Changes made without --permanent take effect immediately in the runtime configuration; no reload is needed. Simply add the service to the desired zone.
They are lost at the next reload or reboot, though. To keep the current runtime state use the GUI → Options → Runtime To Permanent, or on the console sudo firewall-cmd --runtime-to-permanent.
Alternatively add --permanent to the command. A --permanent change goes only to the saved configuration and does not affect the running firewall until you run sudo firewall-cmd --reload (or repeat the command without --permanent).
configure local ssh service
sudo firewall-cmd --permanent --zone=home --add-service=ssh
share printer on trusted network
sudo firewall-cmd --permanent --zone=home --add-port=631/tcp
firewalld also ships an ipp service definition for the same port, so --add-service=ipp is equivalent and easier to read in --list-all output.
configure for samba filesharing
sudo firewall-cmd --permanent --zone=home --add-service=samba
configure for public ssh
Example - adding ssh to public zone
sudo firewall-cmd --zone=public --add-service=ssh
It is important to realize that changes you make on the fly are not permanent. To make a certain service available permanently, add the --permanent argument
sudo firewall-cmd --permanent --zone=public --add-service=ssh
and apply the saved configuration to the running firewall with sudo firewall-cmd --reload. Verify with sudo firewall-cmd --zone=public --query-service=ssh, which prints yes when the runtime allows it, and with the same command plus --permanent for the saved configuration.
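As an added example (not from this page or from the firewalld project), the following script checks the two things this section warns about: services that are allowed only at runtime and will vanish at the next reload, and services exposed in a zone beyond what you intended. The zone name public, the allow-list and the sample firewall-cmd output are assumptions; when it runs as root on a host with firewall-cmd installed it queries the live configuration instead.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): audit a firewalld zone.
#  1. list services allowed at runtime but not in the permanent
#     configuration, i.e. what silently disappears at the next reload/reboot
#  2. flag services exposed in the zone that are not on an allow-list
# Live firewall-cmd output is used when it is installed and we are root;
# otherwise the constructed sample lines below stand in, so it runs anywhere.
# Set FIREWALLD_AUDIT_SAMPLE=1 to force the sample even on a real host.

# Constructed sample of: firewall-cmd --zone=public --list-services
SAMPLE_RUNTIME="dhcpv6-client http ssh"
# Constructed sample of: firewall-cmd --permanent --zone=public --list-services
SAMPLE_PERMANENT="dhcpv6-client ssh"

use_live() {
  [ "${FIREWALLD_AUDIT_SAMPLE:-0}" != 1 ] \
    && command -v firewall-cmd >/dev/null 2>&1 \
    && [ "$(id -u)" -eq 0 ]
}

# Space-separated services of a zone. $1 = zone, $2 = runtime|permanent
list_services() {
  if use_live; then
    if [ "$2" = permanent ]; then
      firewall-cmd --permanent --zone="$1" --list-services
    else
      firewall-cmd --zone="$1" --list-services
    fi
  elif [ "$2" = permanent ]; then
    echo "$SAMPLE_PERMANENT"
  else
    echo "$SAMPLE_RUNTIME"
  fi
}

# Items of list $1 that are absent from list $2, one per line.
diff_lists() {
  local item
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;
      *) printf '%s\n' "$item" ;;
    esac
  done
}

# Services that exist only in the runtime configuration of zone $1.
runtime_only() {
  diff_lists "$(list_services "$1" runtime)" "$(list_services "$1" permanent)"
}

# Return 1 (and name the culprits on stderr) when zone $1 currently allows
# any service that is not in the allow-list $2; return 0 otherwise.
check_exposure() {
  local extra
  extra=$(diff_lists "$(list_services "$1" runtime)" "$2")
  if [ -n "$extra" ]; then
    printf 'zone %s exposes unexpected service(s):%s\n' "$1" "$(printf ' %s' $extra)" >&2
    return 1
  fi
}

main() {
  local zone=public lost
  lost=$(runtime_only "$zone")
  if [ -n "$lost" ]; then
    printf 'runtime-only in %s (lost on next reload):%s\n' "$zone" "$(printf ' %s' $lost)"
    echo "keep them with: sudo firewall-cmd --runtime-to-permanent"
  fi
  # Allow-list for public: what upstream public.xml permits (assumption: that is all you want)
  check_exposure "$zone" "ssh dhcpv6-client" && echo "$zone zone matches the allow-list"
  return 0
}
main
```

With the sample data the report names http as runtime-only and as an unexpected exposure; on a real host, pass your own allow-list to check_exposure and run it from a timer or a configuration check to catch drift between what you believe the firewall allows and what it actually allows.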
custom ssh
What if you want to add your own service definition? Continuing with ssh - you want to run your ssh server on a non-default port.
Browse the folder /usr/lib/firewalld/services and make a copy of an appropriate service definition.
Copy the ssh.xml service definition to /etc/firewalld/services
sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/my-ssh.xml
Edit the service definition
sudo micro /etc/firewalld/services/my-ssh.xml
Change the port to match your service and the short name to distinguish from the original service.
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>My SSH service</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="30022"/>
</service>
Wait 5-10 seconds for firewalld to notice the new file (it watches /etc/firewalld), then activate the service (the same rule on permanent applies)
sudo firewall-cmd --zone=public --add-service=my-ssh --permanent
If the name is not recognized yet, run sudo firewall-cmd --reload first and try again; reload once more afterwards so the permanent change reaches the running firewall, and confirm with sudo firewall-cmd --zone=public --query-service=my-ssh. The firewall rule alone does nothing: sshd must listen on the new port (Port 30022 in /etc/ssh/sshd_config, then restart sshd), and if port 22 is no longer used remove the stock service from the zone with sudo firewall-cmd --permanent --zone=public --remove-service=ssh so it is not left open.
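The steps above (copy a definition, edit the port, let firewalld pick it up, allow it in a zone) as one script, added here as an example and not part of the page or of firewalld itself. It generates the service XML from a name, a label and port/protocol pairs instead of editing a copy by hand, validates the port specs, refuses to overwrite an existing definition, and, when run as root with firewall-cmd available, reloads, adds the service permanently and verifies it. The service name my-ssh, the port 30022 and the fallback to a scratch directory for non-root runs are assumptions; ranges such as 6000-6010 are deliberately not accepted.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: generate a firewalld service
# definition, write it to the services directory and (root + firewall-cmd
# present) reload, allow it in a zone and verify. my-ssh, 30022/tcp and the
# scratch-directory fallback are assumptions made for the demo.
set -u

# Escape the characters that are special in XML text and attributes.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Accept only PORT/PROTO with a single port 1-65535 and a protocol that
# firewalld allows in <port>: tcp, udp, sctp or dccp. Ranges are rejected.
valid_port_spec() {
  case "$1" in *[!0-9/a-z]*|*/*/*) return 1 ;; esac
  local port proto
  port=${1%%/*}; proto=${1#*/}
  [ "$port" != "$1" ] || return 1          # no slash at all
  case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  case "$port" in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print a service XML document. $1 = short label, $2 = description,
# remaining args = PORT/PROTO specs. Returns 1 on a malformed spec.
service_xml() {
  local short=$1 desc=$2 spec
  shift 2
  [ $# -ge 1 ] || return 1
  for spec in "$@"; do
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
  done
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n' "$(xml_escape "$short")"
  printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
  for spec in "$@"; do
    printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%%/*}"
  done
  printf '</service>\n'
}

# Write $1/$2.xml from the remaining args; never clobber an existing file.
# Prints the path written.
install_service() {
  local dir=$1 name=$2 file
  shift 2
  case "$name" in *[!A-Za-z0-9_-]*|'') echo "bad service name: $name" >&2; return 1 ;; esac
  file="$dir/$name.xml"
  [ ! -e "$file" ] || { echo "$file already exists" >&2; return 1; }
  mkdir -p "$dir"
  service_xml "$@" > "$file" || { rm -f "$file"; return 1; }
  echo "$file"
}

# With firewalld present: make it read the new file, allow the service
# permanently in zone $1, apply, and confirm. Otherwise explain what would run.
activate_service() {
  if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    firewall-cmd --reload >/dev/null                      # pick up the new definition
    firewall-cmd --permanent --zone="$1" --add-service="$2" >/dev/null
    firewall-cmd --reload >/dev/null                      # permanent -> runtime
    firewall-cmd --zone="$1" --query-service="$2"         # prints yes, exit 0
  else
    echo "not root or firewall-cmd missing; would run:" >&2
    echo "  firewall-cmd --reload && firewall-cmd --permanent --zone=$1 --add-service=$2 && firewall-cmd --reload" >&2
  fi
}

# Demo: root writes the real directory, anyone else gets a scratch copy.
if [ -z "${SERVICE_DIR:-}" ]; then
  if [ "$(id -u)" -eq 0 ]; then SERVICE_DIR=/etc/firewalld/services; else SERVICE_DIR=$(mktemp -d); fi
fi
install_service "$SERVICE_DIR" my-ssh "My SSH service" \
  "OpenSSH on a non-default port; keep Port in /etc/ssh/sshd_config in sync." 30022/tcp \
  && activate_service public my-ssh
```

Keep the name in the file name and the name you pass to --add-service identical; firewalld identifies the service by the file name, the <short> element is only a label. Run it without root first to inspect the XML it produces in the scratch directory, then as root once the port in sshd_config has been changed.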