May 24, 2026

How to Set Up a Basic Firewall on AlmaLinux 10 Using firewalld (A Quick Guide)

One of the most crucial layers of Linux server security is a properly configured firewall. Firewalld is the default firewall management service used by AlmaLinux 10, providing a modern, flexible approach to managing network traffic, opening ports, securing SSH access, and protecting production servers.

In this tutorial, you'll create a simple firewall setup on AlmaLinux 10 using firewalld: start and enable the firewalld service, allow SSH and web ports, open custom ports, work with zones, reload firewalld rules, and check firewalld settings safely.

What is firewalld in AlmaLinux 10?

firewalld is a dynamic firewall management daemon for AlmaLinux, Rocky Linux, CentOS Stream, and Red Hat Enterprise Linux (RHEL)-based distributions. Administrators can use simple commands to manage firewall policies, rather than manually editing complex rules in nftables or iptables.

AlmaLinux 10 uses firewalld as its firewall management framework, with nftables as the backend. It supports:

  • Firewall zones
  • Services and ports
  • Runtime and permanent rules
  • IP filtering
  • Rich rules
  • Masquerading and NAT
  • Dynamic rule changes without restarting connections

By default, AlmaLinux 10 uses public as its default zone, which is suitable for Internet-facing servers.

Why You Should Configure a Firewall on AlmaLinux 10

A Linux firewall reduces the attack surface and limits unsolicited incoming traffic. Even when your server is hosted with a cloud provider that offers a cloud firewall, it is important to add firewalld to your local security setup.

Some advantages of using firewalld on AlmaLinux 10 are:

  • Protecting SSH access
  • Allowing only required ports
  • Blocking unused network services
  • Securing web servers and databases
  • Improving Linux server hardening
  • Reducing brute-force attack exposure
  • Supporting enterprise security policies

In most production settings, the right approach is to permit only the services your server needs.

How to Configure firewalld on AlmaLinux 10 for Basic Server Security

Setting up a basic firewall on AlmaLinux with the firewalld service is straightforward. Check that the service is running and enabled at boot, then use the firewall-cmd utility to set up rules. Use the --permanent flag so that rules persist, and reload the firewall after changing any rules.

Step 1: Verify that firewalld Is Installed

The firewalld package is usually installed by default on AlmaLinux 10. Verify the installation using:

  sudo dnf list installed firewalld

If the firewalld service is not installed, then install it using:

  sudo dnf install firewalld -y

Step 2: Enable and Start firewalld

Start the firewalld service:

  sudo systemctl start firewalld

To start firewalld automatically at boot, use:

  sudo systemctl enable firewalld

Check the status of the service:

  sudo systemctl status firewalld

You can also check the state of the firewall directly:

  sudo firewall-cmd --state

Step 3: Check the Default Firewall Zone

firewalld uses zones to determine the trust level of network traffic.

Show the default zone:

  sudo firewall-cmd --get-default-zone

List active firewall zones:

  sudo firewall-cmd --get-active-zones

Show the full configuration of the public zone:

  sudo firewall-cmd --zone=public --list-all

This command helps you verify which services and ports are currently allowed.

Step 4: Allow SSH Access Safely

Always make sure that SSH access is allowed before making firewall changes on a remote server. Otherwise, you might end up locked out of the system!

Allow SSH permanently:

  sudo firewall-cmd --permanent --add-service=ssh

Reload the firewall settings:

  sudo firewall-cmd --reload

Verify that SSH is allowed:

  sudo firewall-cmd --list-services
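
A pre-reload check for the lock-out risk described in this step, as an added example that is not part of the original tutorial: it reads the text of firewall-cmd --permanent --list-all and confirms that the TCP port sshd listens on is covered by the ssh service or by an explicit port entry. The function names, the sample output, and the assumption that the ssh service maps to 22/tcp (the stock definition) are mine; rich rules and other zones are not evaluated.

```shell
#!/bin/sh
# Added example (not from the tutorial): guard against SSH lock-out before reload.

# Print the values of one field ("services" or "ports") from --list-all text.
# The match is anchored so "ports" does not also match "source-ports".
fw_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Return 0 if TCP port $2 is allowed by zone text $1: via the ssh service
# (assumed to be the stock 22/tcp definition) or a port / port-range entry.
ssh_port_allowed() {
    conf=$1
    port=$2
    if [ "$port" -eq 22 ]; then
        for svc in $(fw_field "$conf" services); do
            if [ "$svc" = ssh ]; then return 0; fi
        done
    fi
    for entry in $(fw_field "$conf" ports); do
        case $entry in
            */tcp) range=${entry%/tcp} ;;
            *) continue ;;
        esac
        lo=${range%-*}
        hi=${range#*-}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Constructed sample of: firewall-cmd --permanent --zone=public --list-all
SAMPLE_PERMANENT='public
  target: default
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 9000-9010/tcp
  source-ports: 2222/tcp
  rich rules: '

# Live use: conf=$(sudo firewall-cmd --permanent --zone=public --list-all)
for p in 22 2222; do
    if ssh_port_allowed "$SAMPLE_PERMANENT" "$p"; then
        echo "tcp/$p allowed: safe to reload"
    else
        echo "tcp/$p NOT allowed: fix the rules before reloading"
    fi
done
```

In the sample, 2222/tcp appears only under source-ports, which does not open it as a destination port, so an sshd moved to 2222 would be cut off by the reload.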

Step 5: Allow HTTP and HTTPS Traffic

For any website, web application, or Apache or Nginx server, enable both HTTP and HTTPS traffic.

Allow HTTP:

  sudo firewall-cmd --permanent --add-service=http

Allow HTTPS:

  sudo firewall-cmd --permanent --add-service=https

Apply the changes:

  sudo firewall-cmd --reload

Verify enabled services:

  sudo firewall-cmd --list-services

These commands open:

  • Port 80 for HTTP
  • Port 443 for HTTPS

Step 6: Open a Custom Port in firewalld

Some applications need custom ports rather than predefined services.

To open TCP port 8080:

  sudo firewall-cmd --permanent --add-port=8080/tcp

Reload the firewall:

  sudo firewall-cmd --reload

Verify open ports:

  sudo firewall-cmd --list-ports

To remove a port later:

  sudo firewall-cmd --permanent --remove-port=8080/tcp
  sudo firewall-cmd --reload

Step 7: Understand Runtime vs Permanent Rules

One of the most crucial ideas in firewalld is the difference between runtime and permanent configuration.

Runtime Rules

Runtime rules take effect as soon as they are set, but are lost when the firewall restarts or when you reboot.

Example:

  sudo firewall-cmd --add-service=http

Permanent Rules

Permanent rules are stored in the firewall configuration and are kept after a reboot.

Example:

  sudo firewall-cmd --permanent --add-service=http

Once permanent rules have been added, reload the firewall:

  sudo firewall-cmd --reload

Permanent rules are recommended for production servers.

Step 8: List All Firewall Rules

To view all the active firewall settings:

  sudo firewall-cmd --list-all

To display permanent configurations:

  sudo firewall-cmd --permanent --list-all

These commands help troubleshoot Linux firewall configuration issues quickly.
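
To spot rules that exist only at runtime or only in the permanent configuration (Steps 7 and 8), the following added example, which is not part of the original tutorial, compares the services and ports lines of the two --list-all outputs. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): runtime vs permanent drift report.

# Values of one --list-all field ("services", "ports"), one per line.
fw_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" |
        tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Print every value present in list $1 but missing from list $2.
only_in() {
    for v in $1; do
        if ! printf '%s\n' "$2" | grep -qxF -- "$v"; then echo "$v"; fi
    done
}

# Compare runtime text ($1) with permanent text ($2).
# Prints one line per difference and returns 1 if any were found.
fw_drift() {
    drift=0
    for field in services ports; do
        rt=$(fw_values "$1" "$field")
        pm=$(fw_values "$2" "$field")
        for x in $(only_in "$rt" "$pm"); do
            echo "runtime-only $field: $x (lost at restart or reboot)"
            drift=1
        done
        for x in $(only_in "$pm" "$rt"); do
            echo "permanent-only $field: $x (not active until reload)"
            drift=1
        done
    done
    return "$drift"
}

# Constructed samples of --list-all and --permanent --list-all output.
SAMPLE_RUNTIME='public (default, active)
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  source-ports: '
SAMPLE_PERMANENT='public
  services: cockpit dhcpv6-client ssh
  ports: '

# Live use: fw_drift "$(sudo firewall-cmd --list-all)" \
#                    "$(sudo firewall-cmd --permanent --list-all)"
fw_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "drift found"
```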

Step 9: Remove Unnecessary Services

To enhance the security of the Linux server, remove services that are not needed.

For example, to remove Cockpit access:

  sudo firewall-cmd --permanent --remove-service=cockpit
  sudo firewall-cmd --reload

Regularly check active services and minimize exposure.

Step 10: Reload or Restart firewalld

After modifying firewall rules, reload the configuration:

  sudo firewall-cmd --reload

To restart the service completely:

  sudo systemctl restart firewalld

Reloading is preferred because it applies changes without interrupting active network connections.

firewalld vs nftables in AlmaLinux 10

In AlmaLinux 10, firewalld uses nftables internally as the backend packet filtering framework. Administrators interact with firewall-cmd, while nftables handles low-level rule processing.

This approach simplifies firewall administration while still providing enterprise-grade performance and flexibility.

firewalld is the perfect solution for administrators who can't or don't need to get into the low-level details of firewalls, but still want to use a powerful firewall. It is the default firewall in modern RHEL-derived Linux distributions, with support for zones, permanent rules, dynamic updates, and integration with nftables.

Final Thoughts

firewalld on AlmaLinux 10 provides a secure and dynamic way to manage Linux firewall rules using zones, services, and ports, helping protect servers from unauthorized access while keeping SSH, HTTP, and HTTPS traffic accessible. Properly configuring firewalld with permanent rules, nftables integration, and minimal open ports is a critical Linux server hardening practice for production environments.

One of the first and most important steps on a server is to set up a firewall on AlmaLinux 10 with firewalld. Allow only the necessary services on your Linux servers, like SSH, HTTP, and HTTPS, to enhance their security without compromising access to your applications.
