From the firewalld website:
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.
firewalld is configured with the command line utility firewall-cmd. Two of its flags matter most: --permanent and --reload. --permanent writes the rule to the permanent configuration so that it survives a reload or a reboot. A rule added without it is a runtime-only rule: it takes effect immediately, but it is lost when firewalld is reloaded or the system reboots. The reverse also holds: a rule added with --permanent is not active until the permanent configuration is loaded. --reload does exactly that, loading the permanent configuration into the running firewall without restarting the daemon or dropping tracked connections, and discarding any runtime-only changes in the process. If you have tested a rule set at runtime and want to keep it, firewall-cmd --runtime-to-permanent saves it before you reload.
firewalld is just a normal service and is very easy to interact with like other services.
To make sure firewalld starts when the server boots, which you want for a firewall, run:
systemctl enable firewalld
When you are troubleshooting, you may want to stop the firewall temporarily:
systemctl stop firewalld
If you need to keep firewalld from starting at boot, run:
systemctl disable firewalld
[mkb-info]We don’t recommend stopping or disabling firewalld unless you’re troubleshooting.[/mkb-info]
Run this command to see the status:
systemctl status firewalld
When firewalld is disabled and not running, the output looks like this:
[root@test2 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
Now that firewalld is enabled and running, we can add rules. Rules open access to services and ports, and can bind specific source IPs or subnets to a zone. Every command below acts on the default zone (public on most distributions) unless you name another one with --zone=<zone>.
Allowing access to a service is easy. A service is a predefined bundle of ports and protocols shipped with firewalld, so you do not have to remember port numbers:
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=ssh
Individual ports are given as number/protocol. The protocol must be lowercase tcp or udp (sctp and dccp are also accepted); an uppercase TCP is rejected as an invalid protocol.
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=53/udp
You can bind a single IP address or an entire subnet to a zone. This does not open anything by itself: it tells firewalld that traffic from that source is handled by the zone's rules instead of the rules of the zone its interface belongs to. Without --zone= the source lands in the default zone, so it only gains the services and ports you add there; to grant a host or subnet full access, bind it to the trusted zone with --zone=trusted. Write a subnet with its network address, not a host address in it.
firewall-cmd --permanent --add-source=192.168.1.100
firewall-cmd --permanent --add-source=192.168.1.0/24
Rich rules use firewalld's rich language, which will look familiar if you know iptables, and let you combine a source, a service or port and an action in one rule. They are the way to get granular.
To block access to your server from a single address, use a rich rule with the reject action (use drop instead if you want the packets discarded silently, without an ICMP reply):
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
Likewise, you can block an entire subnet:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
The accept form of this rule is how you protect management ports and services such as Cockpit or SSH: accept the port only from a management address. It restricts nothing on its own if the matching service is still allowed for everyone in the same zone, so first remove the ssh service from the zone (it is allowed by default in public, see the remove examples below) and then add the rich rule:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="22" accept'
Removing a rule is as easy as adding one: replace add with remove. Look at the following examples:
firewall-cmd --permanent --remove-service=http
firewall-cmd --permanent --remove-port=22/tcp
firewall-cmd --permanent --remove-source=192.168.1.100
When you have made all your firewall rule changes, load the permanent configuration into the running firewall; none of the --permanent changes above are active until you do. Afterwards, verify the zone with --list-all and compare it with --permanent --list-all: if the two differ, a change has been left in one configuration only.
firewall-cmd --reload
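The following script ties the procedure together: the runtime versus permanent distinction from the start of the page, the port format, the rich rule that limits SSH to one management host, the reload, and a check for configuration drift. It is an added example, not code from the original article or from the firewalld project. It assumes a management host of 192.168.1.100, the zone public, and http as the only service exposed to everyone; all three are assumptions and can be overridden through environment variables. With DRY_RUN=1 it prints the firewall-cmd calls instead of running them, which is also how it behaves on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the original article or the firewalld project).
# Assumed values: management host 192.168.1.100, zone "public", service http.
# DRY_RUN=1 prints each firewall-cmd call instead of executing it.

MGMT_IP="${MGMT_IP:-192.168.1.100}"   # assumed management host
ZONE="${ZONE:-public}"                 # assumed zone; firewall-cmd --get-default-zone shows yours

# Wrapper around firewall-cmd that honours DRY_RUN.
fwcmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Accept a port spec only in the form firewalld wants: <1-65535>/tcp or <1-65535>/udp,
# lowercase. "80/TCP", "http/tcp" and "0/tcp" are all rejected (return 1).
valid_port_spec() {
    case "$1" in
        */tcp|*/udp) _port="${1%/*}" ;;
        *) return 1 ;;
    esac
    case "$_port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ]
}

# Open a port permanently in ZONE, refusing malformed specs before firewall-cmd sees them.
open_port() {
    if ! valid_port_spec "$1"; then
        echo "bad port spec: $1 (use e.g. 80/tcp or 53/udp)" >&2
        return 1
    fi
    fwcmd --permanent --zone="$ZONE" --add-port="$1"
}

# Print a rich rule that accepts one port from one IPv4 source address or subnet.
# Usage: rich_allow_from SOURCE tcp|udp PORT
rich_allow_from() {
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept\n' \
        "$1" "$2" "$3"
}

# Restrict SSH to the management host and expose only http to everyone else.
# Removing the ssh service first is the important step: the accept rich rule on its
# own would merely add a second way in while the zone still allowed SSH from anywhere.
harden_ssh() {
    fwcmd --permanent --zone="$ZONE" --remove-service=ssh
    fwcmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_allow_from "$MGMT_IP" tcp 22)"
    fwcmd --permanent --zone="$ZONE" --add-service=http
    fwcmd --reload          # permanent changes are not live until this runs
    fwcmd --zone="$ZONE" --list-all
}

# Compare the permanent and the runtime configuration of ZONE. A non-empty diff means
# either a --permanent change that has not been reloaded yet, or a runtime-only rule
# that the next reload or reboot will silently drop. Returns diff's status (0 = no drift).
config_drift() {
    _pm=$(mktemp) && _rt=$(mktemp) || return 2
    fwcmd --permanent --zone="$ZONE" --list-all >"$_pm"
    fwcmd --zone="$ZONE" --list-all >"$_rt"
    diff -u "$_pm" "$_rt"
    _rc=$?
    rm -f "$_pm" "$_rt"
    return "$_rc"
}

case "${1:-}" in
    apply) harden_ssh ;;
    drift) config_drift ;;
esac
```

Run it as `sh harden.sh apply` on the server (as root), or `DRY_RUN=1 sh harden.sh apply` first to review the exact firewall-cmd calls. `sh harden.sh drift` is worth running from a cron job or a configuration check: a non-empty diff is exactly the state in which someone added a rule and forgot either --permanent or --reload.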