Overview
firewall-cmd is the command-line client for the firewalld service, which controls the host's network traffic. It applies rules either at runtime or permanently, and organizes policy through network zones with different trust levels. This improves server security by allowing or blocking access to specific services on a per-zone basis.
Key Features
- Port and service management (add/remove)
- Network zone configuration and management
- IP address and network-based rules (Rich Rules)
- Runtime and permanent rule application
- Masquerading and port forwarding configuration
Key Options
firewall-cmd allows you to query and configure firewall rules using a variety of options.
Usage Examples
Various examples of configuring and managing firewall rules using firewall-cmd.
Check Current Active Zone and Rules
firewall-cmd --list-all
Lists the complete runtime configuration (interfaces, services, ports, rich rules, etc.) of the default zone, which is public unless it has been changed.
Check All Settings for a Specific Zone
firewall-cmd --zone=internal --list-all
Lists all settings for the specified zone (here, internal).
Add HTTP Service (Runtime)
sudo firewall-cmd --zone=public --add-service=http
Temporarily allows the HTTP service in the public zone. The rule takes effect immediately but is lost on reload or reboot.
Add HTTP Service (Permanent)
sudo firewall-cmd --zone=public --add-service=http --permanent
Saves the HTTP service in the public zone's permanent configuration. Permanent changes do not affect the running firewall until `firewall-cmd --reload` is run.
Reload Firewall Rules
sudo firewall-cmd --reload
Discards the runtime configuration and loads the permanent one, so all permanently saved rules become active and any runtime-only rules that were never saved are dropped.
Add Port 8080/tcp (Permanent)
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
Permanently allows TCP port 8080 in the public zone; takes effect after `--reload`.
Remove SSH Service (Permanent)
sudo firewall-cmd --zone=public --remove-service=ssh --permanent
Permanently removes the SSH service from the public zone; takes effect after `--reload`. On a remote host, make sure you have another way in (console access, or a zone that still allows ssh for your address) before removing it.
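The examples above form one procedure: record the zone's current settings, make a permanent change, reload, and verify. The script below strings them together as an added example (it is not part of the original page or of the firewalld project). It validates the zone and service names before they reach the command line, and honours a hypothetical FWCMD environment variable so that setting FWCMD=echo prints the exact commands instead of running them, which is how it can be read on a machine without firewalld.

```bash
#!/usr/bin/env bash
# Added example: allow a service in a zone permanently, then verify it.
# FWCMD is an assumption of this script (not a firewall-cmd feature):
# FWCMD=echo ./allow-service.sh public http   -> dry run, prints the commands.
set -eu

FWCMD="${FWCMD:-firewall-cmd}"

# Accept only letters, digits, '-' and '_' so a bad argument can never
# smuggle shell metacharacters or extra options into the command line.
valid_name() {
  case "${1:-}" in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Snapshot -> permanent add -> reload -> verify, in the order the page describes.
# Returns 2 on a bad name; otherwise the exit status of --query-service
# (0 when the service is now allowed at runtime, 1 when it is not).
allow_service() {
  local zone="$1" service="$2"
  valid_name "$zone" && valid_name "$service" || {
    echo "allow_service: invalid zone or service name" >&2
    return 2
  }
  # 1. Record the current settings so the change can be reverted.
  "$FWCMD" --zone="$zone" --list-all
  # 2. Save the rule permanently, then reload so runtime matches the saved config.
  "$FWCMD" --permanent --zone="$zone" --add-service="$service"
  "$FWCMD" --reload
  # 3. Verify against the live firewall, not just the saved file.
  "$FWCMD" --zone="$zone" --query-service="$service"
}

# Stand-alone usage: ./allow-service.sh <zone> <service>
if [ "$#" -eq 2 ]; then
  allow_service "$1" "$2"
fi
```

Redirect the first command's output to a file if you want the pre-change snapshot kept on disk; the script prints it so the dry run stays side-effect free.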
Installation
firewall-cmd is part of the firewalld package. It is usually installed by default on most modern Linux distributions or can be easily installed.
CentOS/RHEL/Fedora
sudo dnf install firewalld
Installs firewalld on Red Hat-based Linux distributions.
Ubuntu/Debian
sudo apt install firewalld
Installs firewalld on Debian-based Linux distributions.
Start and Enable Service
sudo systemctl start firewalld
sudo systemctl enable firewalld
After installation, start the firewalld service and enable it to run automatically on system boot.
Tips & Precautions
Points to note and useful tips when using firewall-cmd.
Runtime vs. Permanent Rules
- Without the `--permanent` option, rules only apply to the current session and are lost upon reboot.
- To make rules persistent, add `--permanent` and then activate them with `firewall-cmd --reload`. Alternatively, apply a change at runtime first, test it, and then save the whole runtime configuration with `firewall-cmd --runtime-to-permanent`.
Understanding Zones
- firewalld manages network interfaces by assigning each to a security zone, and each zone carries its own set of allowed services and rules.
- The default zone is `public`, which is intended for untrusted external networks; `firewall-cmd --get-default-zone` shows the current default and `firewall-cmd --get-active-zones` shows which zones have interfaces assigned. Other predefined zones include `home`, `internal`, `trusted`, etc.
Using Service Names
- Using predefined service names like `http`, `https`, `ssh` instead of port numbers (e.g., 80/tcp) is recommended for readability and ease of management.
- You can check the list of available services with the command `firewall-cmd --get-services`.
Backup and Test
- Before making significant changes, record the current settings with `firewall-cmd --list-all --zone=<zone>` and keep the output so the change can be reverted.
- After applying changes, always test to ensure the relevant services are functioning correctly.
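A practical check that follows from the runtime-versus-permanent distinction is to find out whether the two configurations have drifted apart: a rule added without `--permanent` will vanish on the next reload or reboot, and a rule saved with `--permanent` but never reloaded is not actually protecting anything yet. The script below is an added example, not part of the original page or of firewalld. It compares the output of `--list-services` and `--list-ports` with and without `--permanent` for one zone; the sample outputs at the end are constructed, and FWCMD is an assumption of this script used so the comparison logic can be exercised without a live firewall.

```bash
#!/usr/bin/env bash
# Added example: report drift between runtime and permanent firewalld config.
set -eu

FWCMD="${FWCMD:-firewall-cmd}"   # assumption of this script, not a firewalld setting

# Print each space-separated word of $1 that does not occur in $2.
only_in_first() {
  local item other found
  for item in $1; do
    found=0
    for other in $2; do
      [ "$item" = "$other" ] && { found=1; break; }
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$item"
  done
  return 0
}

# Compare one kind of entry (services or ports) for a zone.
# $3 is the runtime list, $4 the permanent list, both as firewall-cmd prints them.
# Returns 0 when they match, 1 when any entry exists on only one side.
report_drift() {
  local zone="$1" kind="$2" runtime="$3" permanent="$4" item drift=0
  for item in $(only_in_first "$runtime" "$permanent"); do
    printf 'zone=%s %s %s is runtime-only (lost on reload or reboot)\n' "$zone" "$kind" "$item"
    drift=1
  done
  for item in $(only_in_first "$permanent" "$runtime"); do
    printf 'zone=%s %s %s is permanent-only (not active until --reload)\n' "$zone" "$kind" "$item"
    drift=1
  done
  return "$drift"
}

# Query the live host for one zone. Returns 1 if services or ports have drifted.
check_drift() {
  local zone="$1" kind status=0
  for kind in services ports; do
    report_drift "$zone" "$kind" \
      "$("$FWCMD" --zone="$zone" --list-"$kind")" \
      "$("$FWCMD" --permanent --zone="$zone" --list-"$kind")" || status=1
  done
  return "$status"
}

# Constructed sample outputs (not captured from a real host): http was added at
# runtime only, https was saved permanently but never reloaded.
SAMPLE_RUNTIME_SERVICES="ssh dhcpv6-client http"
SAMPLE_PERMANENT_SERVICES="ssh dhcpv6-client https"

# Stand-alone usage: ./fw-drift.sh <zone> checks a live host;
# with no argument it demonstrates the report on the constructed sample.
if [ "$#" -eq 1 ]; then
  check_drift "$1"
else
  report_drift public services "$SAMPLE_RUNTIME_SERVICES" "$SAMPLE_PERMANENT_SERVICES" || true
fi
```

A non-zero exit from check_drift is a good trigger for either `firewall-cmd --runtime-to-permanent` (if the runtime state is the intended one) or `firewall-cmd --reload` (if the saved configuration is), and the printed lines tell you which side each entry is on.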