Using firewalld

firewalld is the new default firewall for Fedora and RHEL/CentOS. Learning new things can be intimidating at first, but after a quick primer I think you’ll find that firewalld is easier to use than basic iptables for most firewall setups.

Don’t forget --permanent!

The --permanent argument tells firewalld to remember your rule so that it’s applied automatically when firewalld starts. However, --permanent rules do not affect the currently running firewall. Therefore, the best way to use firewalld is:

  1. Add your rule without --permanent. This takes effect immediately.
  2. Test your new rule to verify it’s working as you expect.
  3. Add your rule once again, this time with --permanent, so that it’s remembered on subsequent reboots.

This way, you never have to completely reload the firewall, which can potentially cause issues with existing connections.

The third step is particularly easy because you can usually just press the up arrow in your console to get to your previous command and add --permanent to the end.

Pro tip: --permanent can be shortened to just --perm and if you have the bash-completion package installed, you can autocomplete firewall-cmd’s switches using the tab key.

Firewall Rules

List all currently active firewall rules
firewall-cmd --list-all

Note that this will only show us the firewall rules for our default “zone”. I’ll explain zones a little further on.

Allow a TCP port
firewall-cmd --add-port=1234/tcp
firewall-cmd --add-port=1234/tcp --permanent

Allow a UDP port
firewall-cmd --add-port=1234/udp
firewall-cmd --add-port=1234/udp --permanent

Allow a service
firewall-cmd --add-service=ssh
firewall-cmd --add-service=ssh --permanent

List all supported services
firewall-cmd --get-services

This can be handy if you’re unsure what the service name is. Services not listed here are not currently supported by firewalld, in which case you should use port numbers instead.

Query a port or service

This will report whether a particular port or service is currently being blocked or allowed:

firewall-cmd --query-port=1234/tcp
firewall-cmd --query-service=ssh

Add rich rules

For more advanced firewall rules, use the “rich rules” feature. There are a lot of possibilities with rich rules and I won’t cover them all here. If you’re interested, take a look at the wiki page for more information, particularly the examples section.

One basic example of a common rich rule is to allow access to a port only for a particular source IP:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="" port port="1234" protocol="tcp" accept'
firewall-cmd --add-rich-rule='rule family="ipv4" source address="" port port="1234" protocol="tcp" accept' --permanent

Firewall Zones

By default, your NIC will be added to the default zone and firewall-cmd will assume the default zone if no zone is specified. Therefore, on most machines that are using the default firewalld configuration, specifying --zone is unnecessary and that is why I’ve not specified a zone in the commands above.

However, if you’d like to apply a different set of firewall rules based on the network you’re connecting to or the network interface being used, you can accomplish this by utilizing separate zones. For example, on a laptop you may want to allow certain ports only when you are connected to your home network. Or, on a server, you may want to apply a separate set of firewall rules to your public and private NICs.

Get the default zone
firewall-cmd --get-default-zone

List active zones (and the interfaces assigned to them)
firewall-cmd --get-active-zones

List all zones (and their rules)
firewall-cmd --list-all-zones

Set the default zone
firewall-cmd --set-default-zone=public

Set the zone for an interface
firewall-cmd --zone=public --change-interface=eth0

NOTE: This is a runtime change only. To permanently change an interface’s zone you should configure it in NetworkManager or by adding the ZONE= line to your interface’s ifcfg file in /etc/sysconfig/network-scripts/.

Bind a network to a zone
firewall-cmd --zone=private --add-source=
firewall-cmd --zone=private --add-source= --permanent

Apply rules to a specific zone
firewall-cmd --zone=internal --add-port=1234/tcp
firewall-cmd --zone=internal --add-port=1234/tcp --permanent

firewall-cmd --zone=internal --add-service=ssh
firewall-cmd --zone=internal --add-service=ssh --permanent
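
The add, test, then repeat with --permanent workflow can leave the two configurations out of sync: a rule added at runtime and never made permanent, or one added only with --permanent and so not active yet. The script below is an added example, not part of the original article, that compares the runtime and permanent port and service lists of a zone; FIREWALL_CMD is a hypothetical override variable introduced here, while --list-ports and --list-services are standard firewall-cmd options.

```shell
#!/bin/sh
# Added example (not from the original article): find rules that exist only in
# the runtime or only in the permanent configuration of a firewalld zone.
# FIREWALL_CMD is a hypothetical override so the logic can be run against a stub.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# in_list ITEM LIST: succeed if ITEM is one of the space-separated words in LIST.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# drift RUNTIME PERMANENT: print entries present in only one of the two lists.
drift() {
    rt=$(echo $1); pm=$(echo $2)   # collapse whitespace to single spaces
    for item in $rt; do
        in_list "$item" "$pm" || echo "runtime-only: $item"
    done
    for item in $pm; do
        in_list "$item" "$rt" || echo "permanent-only: $item"
    done
}

# audit_zone [ZONE]: compare ports and services; default zone if ZONE is omitted.
# Returns 0 when both configurations match, 1 on drift, 2 if firewall-cmd fails.
audit_zone() {
    zone_opt=${1:+--zone=$1}
    found=0
    for kind in ports services; do
        runtime=$($FIREWALL_CMD $zone_opt --list-$kind) || return 2
        permanent=$($FIREWALL_CMD --permanent $zone_opt --list-$kind) || return 2
        lines=$(drift "$runtime" "$permanent")
        if [ -n "$lines" ]; then
            printf '%s\n' "$lines" | sed "s/^/$kind /"
            found=1
        fi
    done
    return $found
}
```

Call audit_zone for the default zone or audit_zone internal for a named one. Any runtime-only line is a rule that will disappear at the next reload or reboot; any permanent-only line is a rule that is saved but not yet enforced.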

Getting More Information

For more information, have a look at man firewall-cmd or the Fedora wiki page for firewalld.

If you need to, you can disable firewalld and use iptables instead by following these simple instructions.
