firewalld
LinWin, 4/20/20

The firewall rules can be amended directly using the firewall-cmd command.
Source: https://oracle-base.com/articles/linux/linux-firewall-firewalld
This article also assumes you have a single network interface and are happy to keep it set to the default zone (public).

firewall-cmd --help                              help

Check the current top-level firewall configuration using the following commands.

firewall-cmd --state                             Check firewall state
firewall-cmd --get-active-zones                  Check active zones
firewall-cmd --get-services                      Check current active services
firewall-cmd --get-services --permanent          Check services that will be active after next reload

Lock down and unlock the firewall using the following commands.

Command                                          Response
firewall-cmd --panic-on                          success
firewall-cmd --query-panic                       yes
firewall-cmd --panic-off                         success
firewall-cmd --query-panic                       no

Reload the runtime configuration from the permanent files using the following command.

firewall-cmd --reload                            reload

Zones / Interfaces
 1 FedoraServer        enp3s4
 2 FedoraWorkstation
 3 block
 4 dmz
 5 drop
 6 external            wlan0
 7 home
 8 internal
 9 public
10 trusted
11 work

Services
amanda-client amanda-k5-client bacula bacula-client cockpit dhcp dhcpv6 dhcpv6-client dns dropbox-lansync
freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client
ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns
mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi
pmwebapis pop3s postgresql privoxy proxy-dhcp ptp puppetmaster radius rpc-bind rsyncd
samba samba-client sane smtp squid ssh synergy telnet tftp tftp-client
tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

The firewall comes with predefined services, which are XML files in the "/usr/lib/firewalld/services/" directory.
You shouldn't edit these. Instead, copy a specific service file to the "/etc/firewalld/services/" directory and edit it there.
The firewalld service always uses files in the "/etc/firewalld/services/" directory in preference to those in the "/usr/lib/firewalld/services/" directory.
Remember to reload the config after making any changes.

Contents of /usr/lib/firewalld/services/:
amanda-client.xml bacula-client.xml bacula.xml dhcpv6-client.xml dhcpv6.xml dhcp.xml dns.xml ftp.xml high-availability.xml https.xml
http.xml imaps.xml ipp-client.xml ipp.xml ipsec.xml kerberos.xml kpasswd.xml ldaps.xml ldap.xml libvirt-tls.xml
libvirt.xml mdns.xml mountd.xml ms-wbt.xml mysql.xml nfs.xml ntp.xml openvpn.xml pmcd.xml pmproxy.xml
pmwebapis.xml pmwebapi.xml pop3s.xml postgresql.xml proxy-dhcp.xml radius.xml rpc-bind.xml samba-client.xml samba.xml
ssh.xml smtp.xml telnet.xml tftp-client.xml tftp.xml transmission-client.xml vnc-server.xml wbem-https.xml

You need to decide if you want to make changes to either the runtime configuration, the permanent configuration or both.
If you want to set both the runtime and permanent configuration you have two choices:
set them both independently, or set the permanent configuration and reload the firewall.

1 independently           firewall-cmd --zone=public --add-service=https               sets runtime
                          firewall-cmd --permanent --zone=public --add-service=https   sets permanent

2 permanent and reload    firewall-cmd --permanent --zone=public --add-service=https   sets permanent
                          firewall-cmd --reload                                        sets runtime
   
   
    All subsequent examples will assume you want to amend both the runtime and permanent configuration
    and will only set the permanent configuration and then reload the runtime configuration.
    Once you've amended the default configuration, the "/etc/firewalld/zones/public.xml" file will be created.
    You can manually amend this file, but you will need to issue a reload for the changes to take effect.
   
    firewall-cmd --zone=FedoraServer --list-services check the runtime services in a zone
    firewall-cmd --permanent --zone=FedoraServer --list-services check the permanent services in a zone
   
    firewall-cmd --permanent --zone=FedoraServer --add-service=https Add an existing service to a zone
    firewall-cmd --permanent --zone=FedoraServer --add-service=ftp
    firewall-cmd --reload
   
    firewall-cmd --permanent --zone=FedoraServer --remove-service=https Remove a service from a zone
    firewall-cmd --reload
   
    firewall-cmd --permanent --zone=FedoraServer --add-port=21150/tcp Open a specific port in a zone
    firewall-cmd --permanent --zone=FedoraServer --add-port=21160-21170/tcp Open a port range in a zone
    firewall-cmd --reload
   
    firewall-cmd --permanent --zone=FedoraServer --remove-port=21150/tcp Remove a specific port in a zone
    firewall-cmd --permanent --zone=FedoraServer --remove-port=8080-8081/tcp Remove a port range in a zone
    firewall-cmd --reload
   
    firewall-cmd --zone=FedoraServer --list-ports Check runtime port configuration
    firewall-cmd --permanent --zone=FedoraServer --list-ports Check permanent port configuration
   
   
    Rich rules allow you to create more complex configurations. 
   
Open HTTP access to a specific source address (the rule text is wrapped in single quotes so its inner double quotes reach firewalld intact):
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'
firewall-cmd --reload
The "/etc/firewalld/zones/public.xml" file now contains the rich rule.

The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option:
firewall-cmd --permanent --zone=FedoraServer --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'
firewall-cmd --reload

Open port 8080 for a specific source address using a rich rule:
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" port protocol="tcp" port="8080" accept'
firewall-cmd --reload
The "/etc/firewalld/zones/public.xml" file now contains the rich rule.

The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option:
firewall-cmd --permanent --zone=FedoraServer --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" port protocol="tcp" port="8080" accept'
firewall-cmd --reload
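Two things in the rich-rule commands above are worth checking before they are typed: the quoting (the rule text must be wrapped in single quotes, or passed through a variable, so that the inner "ipv4" quotes reach firewalld), and the source prefix, because 192.168.0.4/24 is not one host but the whole 192.168.0.0/24 network, which is what firewalld will match. The script below is an added example, not part of the original notes and not a firewalld tool: it normalises the CIDR, warns when host bits are set, and prints the rule text in the service and port shapes used above. The function names, the --apply flag and all address, service and zone values are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes or from firewalld): build an IPv4
# rich rule of the "allow X from SOURCE" shape used above and normalise the
# source prefix first. Address, service and zone values are constructed.

# ip_to_int DOTTED_QUAD -> the address as a 32-bit integer; fails on bad input
ip_to_int() {
    case "$1" in
        *.*.*.*.*) return 2 ;;          # too many octets
        *.*.*.*) ;;
        *) return 2 ;;                  # too few octets
    esac
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 2 ;; esac   # digits only
        [ "$o" -le 255 ] || return 2
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip INTEGER -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# normalize_cidr ADDR[/BITS] -> NETWORK/BITS with the host bits cleared
# (a bare address gets /32). Fails on malformed input.
normalize_cidr() {
    case "$1" in
        */*) addr=${1%/*}; bits=${1#*/} ;;
        *)   addr=$1;      bits=32 ;;
    esac
    case "$bits" in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    ip=$(ip_to_int "$addr") || return 2
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    echo "$(int_to_ip $(( ip & mask )))/$bits"
}

# rich_rule_allow SOURCE service NAME    -> rich rule allowing a named service
# rich_rule_allow SOURCE port PORT/PROTO -> rich rule allowing one port
# Warns on stderr when SOURCE had host bits set, because firewalld then matches
# the whole network rather than the single host the operator wrote down.
rich_rule_allow() {
    src=$(normalize_cidr "$1") || return 2
    case "$1" in */*) given=$1 ;; *) given=$1/32 ;; esac
    [ "$src" = "$given" ] || echo "warning: $1 has host bits set; rule matches the whole network $src" >&2
    case "$2" in
        service) target="service name=\"$3\"" ;;
        port)    target="port protocol=\"${3#*/}\" port=\"${3%/*}\"" ;;
        *)       return 2 ;;
    esac
    printf 'rule family="ipv4" source address="%s" %s accept\n' "$src" "$target"
}

# Live use (skipped when run without --apply), e.g.:
#   sh rich_rule.sh --apply 192.168.0.0/24 service http FedoraServer
# Passing the rule through a variable sidesteps the nested-quote problem of
# writing --add-rich-rule="rule family="ipv4" ..." on the command line.
if [ "${1:-}" = "--apply" ]; then
    rule=$(rich_rule_allow "$2" "$3" "$4") || exit 2
    firewall-cmd --permanent --zone="$5" --add-rich-rule="$rule" && firewall-cmd --reload
fi
```

Running `rich_rule_allow 192.168.0.4/24 service http` prints the rule with `192.168.0.0/24` and a warning on stderr; if a single host was intended, `192.168.0.4/32` (or just `192.168.0.4`) is the prefix to use.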
   
   
    Backups and Transfers of Firewall Configuration
    As all non-default configuration is placed under the "/etc/firewalld/" directory, taking a copy of the contents of this directory and its sub-directories constitutes a backup of the firewall configuration.
Not surprisingly, transferring the contents of this directory will allow you to duplicate the firewall configuration on other servers.
   
   
    Quick firewalld Setup
    systemctl start firewalld.service
    systemctl enable firewalld.service
    firewall-cmd --permanent --zone=FedoraServer --add-port=5900/tcp
    firewall-cmd --permanent --zone=FedoraServer --add-port=8067/tcp
    firewall-cmd --permanent --zone=FedoraServer --add-port=8267/tcp
    firewall-cmd --reload
   
firewall-cmd --permanent --zone=FedoraServer --add-port=25/tcp
    firewall-cmd --permanent --zone=FedoraServer --add-service=smtp
   
   
    [Howto] Firewalld basics https://liquidat.wordpress.com/2013/04/09/howto-firewalld-basics/
   
firewall-cmd --get-zones
firewall-cmd --get-active-zones

firewall-cmd --zone=external --change-interface=wlan0    move a network interface into a zone
firewall-cmd --zone=external --list-all                  query everything about a zone
   
firewall-cmd --zone=FedoraServer --list-all
    FedoraServer (default, active)
      interfaces: enp3s4
      sources:
      services: cockpit dhcpv6-client ssh
      ports: 5900/tcp 8067/tcp 8267/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
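Since the notes above keep runtime and permanent configuration apart, and `--list-all` is where both are read back, the following script (an added example, not from the original notes and not a firewalld tool) parses that output: it reports services or ports that are outside an allow-list, and diffs the runtime listing against the permanent one, catching the two drift cases the runtime/permanent split creates, namely "added with --permanent but never reloaded" and "added at runtime only, lost at the next reload". The two listings embedded in it are constructed; the runtime one mirrors the FedoraServer output shown above, and the permanent one has an extra 8080/tcp to show drift. The function names and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes or from firewalld): audit a zone
# from the text "firewall-cmd --zone=ZONE --list-all" prints. The two sample
# listings are constructed for the demonstration.

RUNTIME_SAMPLE='FedoraServer (default, active)
  interfaces: enp3s4
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 5900/tcp 8067/tcp 8267/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Constructed: 8080/tcp was added with --permanent but --reload was never run.
PERMANENT_SAMPLE='FedoraServer (default)
  interfaces: enp3s4
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 5900/tcp 8067/tcp 8267/tcp 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# zone_field "LISTING" FIELD -> the space-separated values after "FIELD:"
# (empty when the field has no entries)
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# set_minus "a b c" "b c d" -> the items of the first list missing from the second
set_minus() {
    out=
    for item in $1; do
        case " $2 " in *" $item "*) ;; *) out="$out $item" ;; esac
    done
    echo "${out# }"
}

# zone_unexpected "LISTING" FIELD "ALLOWED..." -> entries not on the allow-list
zone_unexpected() {
    set_minus "$(zone_field "$1" "$2")" "$3"
}

# zone_drift "RUNTIME_LISTING" "PERMANENT_LISTING" -> one line per difference
# in services or ports; prints nothing when the two agree
zone_drift() {
    for field in services ports; do
        run_vals=$(zone_field "$1" "$field")
        perm_vals=$(zone_field "$2" "$field")
        only_perm=$(set_minus "$perm_vals" "$run_vals")
        only_run=$(set_minus "$run_vals" "$perm_vals")
        [ -n "$only_perm" ] && echo "$field: permanent-only (pending reload): $only_perm"
        [ -n "$only_run" ] && echo "$field: runtime-only (lost at reload): $only_run"
    done
    return 0
}

# Live use against the local firewall (skipped without --live), e.g.:
#   sh zone_audit.sh --live FedoraServer "cockpit dhcpv6-client ssh" "5900/tcp"
if [ "${1:-}" = "--live" ]; then
    zone=$2
    run_listing=$(firewall-cmd --zone="$zone" --list-all)
    perm_listing=$(firewall-cmd --permanent --zone="$zone" --list-all)
    echo "unexpected services: $(zone_unexpected "$run_listing" services "${3:-}")"
    echo "unexpected ports:    $(zone_unexpected "$run_listing" ports "${4:-}")"
    zone_drift "$run_listing" "$perm_listing"
fi
```

On the embedded samples, `zone_drift` reports `ports: permanent-only (pending reload): 8080/tcp` and nothing for services; an allow-list of `cockpit ssh` makes `zone_unexpected` flag `dhcpv6-client`, which is how a deliberately trimmed zone gets checked after someone else's `--add-service`.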