Firewall Setup on Alpine Linux with Firewalld

Alpine Linux is renowned for its small footprint, security focus, and efficiency, making it a popular choice for containers, embedded devices, and servers where resources are at a premium. Unlike larger distributions, Alpine starts with a bare-bones system, meaning you’ll need to manually configure essential services like a firewall. This article will guide you through setting up a firewall on Alpine Linux using firewalld, a dynamic firewall management tool that simplifies rule configuration.

Why firewalld?

While iptables offers granular control, firewalld provides a higher-level abstraction, managing iptables (or nftables in newer kernels) rules behind the scenes. Its key advantages include:

  • Zones: firewalld uses security zones (e.g., public, home, internal) to define different trust levels for network connections, making it easier to apply different rules based on the network interface.
  • Dynamic Updates: Rules can be added, removed, or modified without reloading the entire firewall, allowing for seamless updates.
  • Services: It offers predefined services (like http, ssh, dns) that abstract away port numbers, simplifying rule creation.
  • Persistent Configuration: Changes made with firewall-cmd can be made permanent easily.

Prerequisites

  • An Alpine Linux instance (physical or virtual).
  • Root access or a user with sudo privileges.
  • Basic understanding of networking concepts (ports, IP addresses, TCP/UDP).

Step 1: Install firewalld

firewalld is available in the Alpine Linux community repository, so make sure that repository is enabled (uncommented) in /etc/apk/repositories before installing.

sudo apk add firewalld firewalld-openrc

The firewalld-openrc package provides the necessary OpenRC init scripts for firewalld to integrate properly with Alpine’s service management.

Step 2: Start and Enable firewalld

Once installed, start the firewalld service and enable it to run on boot.

sudo rc-service firewalld start
sudo rc-update add firewalld default

Verify the service status:

sudo firewall-cmd --state

You should see running.

Step 3: Understand firewalld Zones

firewalld uses zones to define different trust levels. Each network interface can be assigned to a zone. By default, firewalld assigns interfaces to the public zone, which is a reasonably secure default.

To see the active zones and interfaces:

sudo firewall-cmd --get-active-zones

To list all available zones:

sudo firewall-cmd --get-zones

To see the default zone:

sudo firewall-cmd --get-default-zone

You can change the default zone if needed, for example, to drop for a very restrictive default:

sudo firewall-cmd --set-default-zone=drop

Caution: Setting the default zone to drop might cut off your SSH connection if you don’t immediately add rules to allow SSH. Proceed with care, especially in a remote session.

Step 4: Configure Firewall Rules

Now, let’s add rules to allow essential traffic within your chosen zone (e.g., public).

1. Allow SSH (if applicable)

If you’re accessing your Alpine system via SSH, you must allow SSH traffic. This example adds SSH to the public zone permanently.

sudo firewall-cmd --zone=public --add-service=ssh --permanent

After adding or modifying rules with --permanent, you need to reload firewalld for the changes to take effect:

sudo firewall-cmd --reload

You can verify the services allowed in the public zone:

sudo firewall-cmd --zone=public --list-services

2. Allow Other Essential Services

Add rules for any other services your Alpine system provides.

  • HTTP (Web Server):
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload
  • HTTPS (Secure Web Server):
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --reload
  • DNS (only if this system serves DNS to other hosts; resolving names for its own outgoing lookups needs no inbound rule):
sudo firewall-cmd --zone=public --add-service=dns --permanent
sudo firewall-cmd --reload

3. Opening Specific Ports

If a service isn’t predefined, open the port directly as PORT/PROTOCOL, where PROTOCOL is tcp or udp:

# Example: Open port 8080 for a custom web application
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

4. Allowing Outgoing Connections

firewalld’s zone rules govern incoming traffic. Connections the host initiates outward are not filtered by the default zone configurations, and this includes the drop zone: drop discards every incoming packet without reply but still permits outgoing connections. For simple outgoing internet access from the host, the public defaults therefore suffice. If you need to control specific traffic beyond what services and ports express, rich rules (--add-rich-rule) are the tool; --add-forward-port is for port forwarding, not for outgoing traffic.

# No rule is needed to allow outgoing traffic: firewalld does not block
# connections the host initiates.
# Note that --add-interface assigns an interface to a zone; it does not
# "allow all outgoing" on that interface:
# sudo firewall-cmd --zone=public --add-interface=eth0 --permanent
# sudo firewall-cmd --reload

For typical server setups, reply packets for connections the host already accepted or initiated (ESTABLISHED,RELATED in iptables --ctstate terms) are accepted by firewalld’s default zone configuration, so you mostly focus on which incoming connections to allow.

5. Restricting Access to Specific IPs

You can restrict access to a service from specific source IP addresses.

# Allow SSH only from YOUR_TRUSTED_IP
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="YOUR_TRUSTED_IP" service name="ssh" accept' --permanent
sudo firewall-cmd --reload

Note: If you added the ssh service to the zone earlier, remove it before relying on the rich rule; otherwise the zone-wide service rule still accepts SSH from any source and the restriction has no effect.

sudo firewall-cmd --zone=public --remove-service=ssh --permanent
sudo firewall-cmd --reload
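The following script is an added example and is not part of the original article or of the firewalld project. It applies the Step 4 rules for one zone as a reviewable plan: with DRY_RUN=1 (or when firewall-cmd is not installed) every firewall-cmd invocation is printed instead of executed, so you can read the whole sequence before it touches a remote host. The zone name, the trusted address 203.0.113.10 (a documentation-range placeholder) and the 8080/tcp application port are assumptions; the ssh_restricted check reads the output of --list-services to confirm that SSH is no longer open zone-wide once the rich rule is in place.

```shell
#!/bin/sh
# Added example (not from the article): apply the Step 4 rules for one zone as a
# reviewable, dry-runnable plan. ZONE, TRUSTED_IP and port 8080 are assumptions.

ZONE="${ZONE:-public}"
# Placeholder from the RFC 5737 documentation range; replace with your own address.
TRUSTED_IP="${TRUSTED_IP:-203.0.113.10}"

# dry_run: true when we must only print commands (DRY_RUN=1 or no firewall-cmd).
dry_run() {
    [ "${DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1
}

# fw: run one firewall-cmd invocation, or print it in dry-run mode.
fw() {
    if dry_run; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# plan_rules: the ordered permanent changes for ZONE, followed by one reload.
# SSH is admitted only from TRUSTED_IP via a rich rule; the zone-wide ssh
# service is removed first, otherwise it would still accept SSH from any source.
plan_rules() {
    fw --permanent --zone="$ZONE" --remove-service=ssh
    fw --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$TRUSTED_IP\" service name=\"ssh\" accept"
    for svc in http https; do
        fw --permanent --zone="$ZONE" --add-service="$svc"
    done
    fw --permanent --zone="$ZONE" --add-port=8080/tcp
    fw --reload
}

# ssh_restricted: given the output of `firewall-cmd --zone=$ZONE --list-services`
# (space-separated service names), succeed when ssh is NOT open zone-wide.
ssh_restricted() {
    case " $1 " in
        *" ssh "*) return 1 ;;
        *)         return 0 ;;
    esac
}

# verify: after a real apply, confirm the zone no longer lists ssh as a service.
verify() {
    if dry_run; then
        echo "dry run: skipping verification"
        return 0
    fi
    services="$(firewall-cmd --zone="$ZONE" --list-services)"
    if ssh_restricted "$services"; then
        echo "ok: ssh is not open zone-wide in $ZONE (rich rule applies)"
    else
        echo "warning: ssh still accepted from all sources in $ZONE" >&2
        return 1
    fi
}

# Usage: DRY_RUN=1 sh fw-plan.sh apply   (review)   then   sh fw-plan.sh apply
if [ "${1:-}" = "apply" ]; then
    plan_rules && verify
fi
```

Run it once with DRY_RUN=1 from your SSH session and read the printed sequence; the --remove-service=ssh line is the one that can lock you out if TRUSTED_IP is wrong, so confirm that address matches the source of your current session before the real run.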

Step 5: Verify Your Firewall Rules

To list all rules for a specific zone:

sudo firewall-cmd --zone=public --list-all

This will show you services, ports, source addresses, and rich rules configured for that zone.

Step 6: Advanced firewalld Concepts (Briefly)

  • Direct Rules: For highly specific or complex iptables commands that firewalld’s higher-level syntax doesn’t cover, you can use direct rules. However, this largely bypasses firewalld’s abstraction and should be used sparingly.
  • Port Forwarding / NAT: firewalld supports port forwarding, which is essential if your Alpine system acts as a router or gateway.

sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
sudo firewall-cmd --reload

This redirects incoming traffic on port 80 to port 8080 on the same machine. For forwarding to a different internal IP:

sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.1.100 --permanent
sudo firewall-cmd --reload

Forwarding to another host also requires masquerading on the zone (sudo firewall-cmd --zone=public --add-masquerade --permanent, then reload) so that the forwarded connection’s return traffic passes back through this machine.

  • Source-based Routing/Zones: You can assign specific source IP ranges to different zones (--add-source), allowing for highly dynamic firewall behavior.

Conclusion

Setting up firewalld on Alpine Linux provides a flexible and powerful way to manage your firewall rules. By leveraging its zone-based approach and predefined services, you can efficiently secure your system without delving into the complexities of raw iptables commands. Remember to always test your firewall changes cautiously, especially when configuring remote access, to ensure you don’t inadvertently lock yourself out of your system.
