firewalld is the new default firewall for Fedora and RHEL/CentOS. Learning new things can be intimidating at first but after a quick primer I think you’ll find that
firewalld is easier to use for most firewall setups when compared to basic
--permanent argument tells firewalld to remember your rule so that its applied automatically when firewalld starts. However,
--permanent rules do not effect the currently running firewall. Therefore, the best way to use firewalld is:
- Add your rule without
--permanent. This takes effect immediately.
- Test your new rule to verify its working as you expect.
- Add your rule once again, this time with
--permanent, so that its remembered on subsequent reboots.
This way, you never have to completely reload the firewall which can potentially cause issues with existing connections.
The third step is particularly easy because you can usually just press the up arrow in your console to get to your previous command and add
--permanent to the end.
--permanent can be shortened to just
--perm and if you have the
bash-completion package installed, you can autocomplete firewall-cmd’s switches using the tab key.
List all currently active firewall rules
Note that this will only show us the firewall rules for our default “zone”. I’ll explain zones a little further on.
Allow a TCP port
firewall-cmd --add-port=1234/tcp firewall-cmd --add-port=1234/tcp --permanent
Allow a UDP port
firewall-cmd --add-port=1234/udp firewall-cmd --add-port=1234/udp --permanent
Allow a service
firewall-cmd --add-service=ssh firewall-cmd --add-service=ssh --permanent
List all supported services
This can be handy if you’re unsure what the service name is. Services not listed here are not currently supported by firewalld in which case you should use port numbers instead.
Query a port or service
This will report whether a particular port or service is currently being blocked or allowed:
firewall-cmd --query-port=1234/tcp firewall-cmd --query-service=ssh
Add rich rules
For more advanced firewall rules, use the “rich rules” feature. There are a lot of possibilities with rich rules and I won’t cover them all here. If you’re interested, take a look at the wiki page for more information, particularly the examples section.
One basic example of a common rich rule is to allow access to a port only for a particular source IP:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="18.104.22.168" port port="1234" protocol="tcp" accept' firewall-cmd --add-rich-rule='rule family="ipv4" source address="22.214.171.124" port port="1234" protocol="tcp" accept' --permanent
By default, your NIC will be added to the default zone and
firewall-cmd will assume the default zone if no zone is specified. Therefore, on most machines that are using the default firewalld configuration, specifying
--zone is unnecessary and that is why I’ve not specified a zone in the commands above.
However, if you’d like to apply a different set of firewall rules based on the network you’re connecting to or the network interface being used, you can accomplish this by utilizing separate zones. For example, on a laptop you may want to allow certain ports only when you are connected to your home network. Or, on a server, you may want to apply a separate set of firewall rules to your public and private NICs.
Get the default zone
List active zones (and the interfaces assigned to them)
List all zones (and their rules)
Set the default zone
Set the zone for an interface
firewall-cmd --zone=public --change-interface=eth0
NOTE: This is a runtime change only. To permanently change an interface’s zone you should configure it in NetworkManager or by adding the
ZONE= line to your interface’s ifcfg file in
Bind a network to a zone
firewall-cmd --zone=private --add-source=192.168.1.0/24 firewall-cmd --zone=private --add-source=192.168.1.0/24 --permanent
Apply rules to a specific zone
firewall-cmd --zone=internal --add-port=1234/tcp firewall-cmd --zone=internal --add-port=1234/tcp --permanent firewall-cmd --zone=internal --add-service=ssh firewall-cmd --zone=internal --add-service=ssh --permanent
Getting More Information
For more information, have a look at
man firewall-cmd or the Fedora wiki page for firewalld.
If you need to, you can disable firewalld and use iptables instead by following these simple instructions.