There are several Firewall options to use on Arch, I prefer firewalld, let’s install it.

Let’s head over to the Arch package database for firewalld and check the dependencies. There are a few optional dependencies, but those will likely already be included by something else. If you have any issues, check the option dependencies just in case. Open a terminal and install firewalld, enable, and start it:

$ sudo pacman -S firewalld
$ sudo systemctl enable firewalld.service
$ sudo systemctl start firewalld.service

There are command line options for configuring the firewall, but I prefer a GUI application if it’s available and it is! Search in your respectable application menu for “firewall” or open a terminal and type:

$ firewall-config

The way Firewalld works is you have zones, which have rules, which can be applied to connections. There is a default zone that will be used until a zone is set for a connection, it is generally the public zone.

The default configuration wont save changes, so you have to set Configuration to Permanent. In the screenshot above it is set to Runtime. Changing this setting to Permanent will save the changes you make. If you leave it set to Runtime, any changes you make will revert once you close firewall-config.

Select the home zone and make sure under Services, you have the services you need selected, perhaps:

  • dhcpv6-client
  • mdns
  • samba-client
  • ssh

If you click the Services tab next to Zones, you can add, edit, or view Services. This is also helpful if you want to see which ports a service will open.

This home zone will be your Connection zone. Select your connection, under Connections in the left panel (mine is DARTS…) and then click the Change Zone button below the left panel. Select home in the dropdown that opens and click Ok.

Optionally, you can add home to be the default for all connections on this interface: by adding the interface in home‘s Interfaces tab (in the above screenshot it is hidden by the arrows next to the inline tabs along with Services, Ports, etc. The interface name you’d enter is the same as is in parenthesis next to your current connection’s name. If you are using a laptop or a device that sometimes connects to insecure networks, I would personally not set a default for my wifi interface, unless I wanted it to override my Default Zone.

Additionally, you can change the default zone for all new connections (not specifically set and not set by interface), by clicking Options in the top menu, then clicking Change Default Zone. If you are using a laptop or a device that sometimes connects to insecure networks, I would personally leave the default zone as public.

That is the basic set up. This should allow you to use a network printer, a router, ssh, and file sharing. Of course if you are streaming, gaming, or something else, you’ll probably want to add services or ports for those.

I don’t claim to be an expert, I’m just sharing what I’ve learned. If you have any input, corrections, etc. please comment and let me know!