Graphical tools for firewall configuration


Out of the box, firewalld assigns one zone to each of the interfaces physically present in the system. However, a static zone definition is useless for mobile systems that often seek wireless access to the Internet from a wide variety of places. Therefore, you can assign a different zone to each interface at any time. To do this, select Options | Change Zones of Connections and set up a new connection zone (Figure 4).

Figure 4: Thanks to different zones, you can individually adjust the security level of the firewall at any time.

Additionally, you can change the default zone for all interfaces in the system at any time by selecting one of the zones offered in the pop-up window in the Options | Change Default Zone menu. After clicking OK and authenticating as an admin, the firewall changes the default zone on the fly.

Panic Mode and Applet

The Options | Panic Mode setting blocks all connections so that firewalld does not forward any incoming or outgoing packets. An applet installed by the firewall-applet package also lets you control the application with a mouse click. The applet automatically sets up shop in the system tray after installation, displaying a red wall icon with a PC behind it. On mouse over, it shows the interface used, the default zone, and – if this has changed – the active zone. For WiFi connections, the applet displays the SSID (Figure 5).

Figure 5: A firewalld applet gives you a quick overview.

Clicking on the applet lets you change the active zone. You can open a small window on the desktop in which to select a new zone without restarting. For the applet to display additional firewall messages (e.g., when zones change or the firewall reloads settings), some distributions also need to change the /etc/firewall/applet.conf configuration file. The value of the notifications and show-inactive options must be set to true.

In panic mode, the applet displays an appropriate icon so that you can see that the firewall blocks all packet transfers.


Contrary to the norm, the firewalld GUI supports virtually no logging functions, which restricts your options for retroactive packet analysis. You can activate logging of all rejected and discarded packets by selecting the Options | Change Log Denied entry in the configuration interface and then selecting all in the selection field.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Persistent iptables

    The Linux iptables packet filter lacks an easy way to load rules automatically after restarting a system, but you can automate this process several ways.

  • Firewalld and OpenSnitch

    For maximum security, you'd better watch traffic in both directions. This hands-on workshop takes you through the steps of setting up firewalls for outgoing as well as incoming traffic.

  • Firewalls Intro

    Firewalls are becoming evermore sophisticated. Luckily, the tools for managing firewalls are becoming simpler and more accessible for ordinary users

  • Shorewall

    When users think about their workstations at home, they often forget about security. But danger is out there,waiting to pounce on the unsuspecting. Shorewall helps everyday Linux users keep the intruders away.

  • KTools: KMyFirewall

    Linux has a fantastic selection of firewalls for securing stand-alone computers or whole networks. Although you can use IPTables to set up a firewall, the configuration is often the most difficult step. KMyFirewall offers a powerful, user-friendly, GUI-based approach.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More