How to manage firewalld on Linux
Introduction to firewalld
From the firewalld website:
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.
firewalld is configured with the command line utility firewall-cmd. Two of its flags matter for almost every command: --permanent and --reload. --permanent writes the rule to the permanent configuration so that it is retained across reboots. Without this flag the rule only goes into the runtime configuration and is lost when the system reboots or firewalld is reloaded. --reload reloads firewalld’s permanent configuration without dropping established connections, and is how permanent rules are put into effect.
Starting, stopping, and enabling firewalld
firewalld is just a normal service and is very easy to interact with like other services.
If you want to ensure that firewalld starts when the server boots, which is recommended for a firewall, run the following command:
systemctl enable firewalld
When you’re troubleshooting, you may want to temporarily stop the firewall.
systemctl stop firewalld
To ensure that the service runs at startup, run:
systemctl enable firewalld
If you need to disable firewalld at startup, run:
systemctl disable firewalld
We don’t recommend stopping or disabling firewalld unless you’re troubleshooting.
Run this command to see the status:
systemctl status firewalld
When firewalld is disabled, you’ll see this output:
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
Managing firewalld and rules
Now that firewalld is configured and running, we can add rules. Rules open access to services or ports, and can also grant or deny access to specific IP addresses or subnets. Unless you pass --zone, every command below applies to the default zone.
Allowing access to a service
You can allow access to a service easily.
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=ssh
Allowing access to a TCP or UDP port
You have to specify whether the port is TCP or UDP; firewall-cmd expects the protocol in lowercase.
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=53/udp
Allow an IP address
You can add a single IP address or an entire subnet as a source. Without --zone, the source is bound to the default zone, so traffic from it is matched against that zone’s allowed services and ports.
firewall-cmd --permanent --add-source=192.168.1.100
firewall-cmd --permanent --add-source=192.168.1.1/24
Adding rich rules
Rich rules combine a source, a service or port, and an action in a single rule. If you’re familiar with iptables, their syntax will look familiar. They are the way to get granular with your rules.
Blocking an IP address
To block access to your server, you can use the following rich rule:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
Likewise, you can also block access with an entire subnet:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.1/24' reject"
Restrict access to a service
This type of rule is ideal for protecting management ports and services like Cockpit or SSH. The rule below accepts TCP port 22 only from 192.168.1.100; note that it only adds an accept for that source, so if the zone still allows the ssh service, other hosts can still connect until you remove that service (see below).
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="22" accept'
Removing a rule
Removing a rule is as easy as adding one. Just replace “add” with “remove”, as in the following examples:
firewall-cmd --permanent --remove-service=http
firewall-cmd --permanent --remove-port=22/tcp
firewall-cmd --permanent --remove-source=192.168.1.100
Saving firewall rules
When you’ve finished making permanent rule changes, apply them with the following command. Permanent rules do not take effect until firewalld is reloaded, and any runtime-only changes are discarded at the same time:
firewall-cmd --reload
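The following script is an added example, not part of the original article. It ties together the source, port and rich-rule sections above and the runtime-versus-permanent distinction: it validates the address and port before they reach firewall-cmd, builds the same rich rules shown above, restricts SSH to one management host by adding the accept rule before removing the zone-wide ssh service, and applies the change to the runtime configuration first so a mistake is undone by a plain reload. The function names and the FW_DRY_RUN variable are this example’s own; the firewall-cmd flags are real, including --runtime-to-permanent, which the article does not mention and which copies the runtime configuration into the permanent one in place of the “--permanent then --reload” sequence.

```shell
#!/bin/sh
# Added example (not from the original article): validate inputs, build the
# rich rules from the article, and restrict SSH to one management host.
# firewall-cmd is executed when it is installed; with FW_DRY_RUN=1 (or when
# the tool is absent) each command is printed instead so it can be reviewed.

# Validate a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32    # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    oldifs=$IFS
    IFS=.
    for octet in $addr; do
        case "$octet" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Rich rule accepting one source on a TCP or UDP port. firewalld expects the
# protocol in lowercase, so anything else is rejected before it is sent.
rich_allow_port() {
    src=$1; port=$2; proto=$3
    valid_ipv4_cidr "$src" || { echo "invalid source address: $src" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept\n' \
        "$src" "$proto" "$port"
}

# Rich rule rejecting all traffic from a source address or subnet.
rich_reject_source() {
    valid_ipv4_cidr "$1" || { echo "invalid source address: $1" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" reject\n' "$1"
}

# Run firewall-cmd, or print the command (quoting arguments that contain
# spaces) when FW_DRY_RUN is set or firewall-cmd is not installed.
fw() {
    if [ -n "${FW_DRY_RUN:-}" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        printf 'firewall-cmd'
        for arg in "$@"; do
            case "$arg" in
                *' '*) printf " '%s'" "$arg" ;;
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        firewall-cmd "$@"
    fi
}

# Restrict SSH to one management host. The accept rule goes in first and the
# zone-wide ssh service is removed afterwards, so the allowed host never loses
# access. Only the runtime configuration is changed (no --permanent): a
# mistake is undone by "firewall-cmd --reload" or a reboot.
restrict_ssh_to() {
    rule=$(rich_allow_port "$1" 22 tcp) || return 1
    fw --add-rich-rule="$rule"
    fw --remove-service=ssh
}

# After a fresh SSH session from the allowed host has been confirmed to work,
# copy the runtime configuration into the permanent one.
commit_runtime_rules() {
    fw --runtime-to-permanent
}
```

Source the file and run `FW_DRY_RUN=1 restrict_ssh_to 192.168.1.100` to see the planned commands; on the real host run it without FW_DRY_RUN, open a new SSH session from the management host to confirm access still works, and only then call `commit_runtime_rules`. Until that call, a reload or reboot returns the firewall to its previous permanent state, which is the property the article’s --permanent/--reload split gives you.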