Difference between revisions of "Firewalld"

From Nick's Personal Wiki
Revision as of 10:01, 19 December 2023

Firewalld is a command-line front end for iptables/nftables that implements persistent network traffic rules, that is, it controls which network traffic is permitted, rejected, or denied. This page covers installing (if needed), configuring, and controlling Firewalld.


Installing Firewalld

Firewalld is included by default on many Linux distributions (CentOS/RHEL/Fedora), so no installation steps may be necessary on these distributions.

If it is not installed, the commands below will install it:

Ubuntu/Debian

To update the system and then install the Firewalld packages:

sudo apt update && sudo apt install firewalld

To disable UFW, another firewall solution included in Ubuntu/Debian distributions:

sudo ufw disable


Controlling The Firewalld Service

To start Firewalld and enable it to start itself on boot:

sudo systemctl start firewalld
sudo systemctl enable firewalld

To stop Firewalld and disable it so it no longer starts on boot:

sudo systemctl stop firewalld
sudo systemctl disable firewalld

To check the status of Firewalld:

sudo firewall-cmd --state

This command should only output 'running' or 'not running'.

To check the status of the daemon for Firewalld:

sudo systemctl status firewalld


Configuring Firewalld

Configuration Sets

Firewalld uses two configuration sets, Runtime and Permanent. Changes made to the Runtime set take effect immediately but are lost on reboot, while changes made to the Permanent set survive a reboot but are not applied to the running system until it is reloaded.

Runtime

To add a rule to the Runtime set that would permit incoming HTTP traffic:

sudo firewall-cmd --zone=public --add-service=http

Permanent

To add a rule to the Permanent set that would permit incoming HTTP traffic:

sudo firewall-cmd --zone=public --add-service=http --permanent

To reload Firewalld after updating the Permanent set so that the changes take effect:

sudo firewall-cmd --reload
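A drift between the two sets is easy to miss: a service added without --permanent disappears at the next reload or reboot, and a service added only with --permanent is not enforced until the reload. The following shell script is an added example, not part of this wiki page; it compares the two lists for one zone and reports entries present in only one of them. It assumes the inputs are the space-separated output of `firewall-cmd --zone=public --list-services` and `firewall-cmd --permanent --zone=public --list-services`, and here uses constructed sample strings so it runs offline.

```shell
#!/bin/sh
# Added example: report drift between the Runtime and Permanent service
# lists of one firewalld zone.  Not from the wiki page.
#
# On a real host the two inputs come from:
#   firewall-cmd --zone=public --list-services
#   firewall-cmd --permanent --zone=public --list-services

# $1 = runtime service list, $2 = permanent service list (space separated).
# Prints one line per drifted service, tagged RUNTIME_ONLY or PERMANENT_ONLY.
# Returns 0 when the two sets match, 1 when they differ.
firewalld_service_drift() {
    runtime=$1
    permanent=$2
    drift=0
    for svc in $runtime; do
        case " $permanent " in
            *" $svc "*) ;;                      # present in both sets
            *) echo "RUNTIME_ONLY $svc"; drift=1 ;;   # lost on reload/reboot
        esac
    done
    for svc in $permanent; do
        case " $runtime " in
            *" $svc "*) ;;
            *) echo "PERMANENT_ONLY $svc"; drift=1 ;; # not enforced until reload
        esac
    done
    return $drift
}

# Constructed sample output: http was added at runtime only, https only
# in the permanent set.
SAMPLE_RUNTIME="dhcpv6-client ssh http"
SAMPLE_PERMANENT="dhcpv6-client ssh https"

if firewalld_service_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"; then
    echo "runtime and permanent sets match"
else
    echo "drift detected: re-add with --permanent or run firewall-cmd --reload"
fi
```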


Configure By Service

To view the available services by default:

sudo firewall-cmd --get-services

To make modifications to the firewall on a service level:

sudo firewall-cmd --zone=ZONE_SELECTION --[add/remove]-service=SERVICE_NAME [--permanent]

Examples to enable/disable the HTTP service:

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent


Configure By Port/Protocol

To enable/disable traffic in specific zones for specific ports and/or protocols:

sudo firewall-cmd --zone=ZONE_SELECTION --[add/remove]-port=PORT_NUMBER/PROTOCOL [--permanent]

Some examples:

sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=home --remove-port=22/tcp --permanent
sudo firewall-cmd --zone=dmz --add-port=9999/udp

Port Forwarding

To Another Port On The Same Server

Example:

sudo firewall-cmd --zone="ZONE_SELECTION" --add-forward-port=port=PORT_NUMBER:proto=PROTOCOL:toport=DESTINATION_PORT
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345

To A Port On Another Server

Enable masquerading in the zone you are forwarding from:

sudo firewall-cmd --zone=ZONE_SELECTION --add-masquerade

Add the forwarding rule:

sudo firewall-cmd --zone="ZONE_WITH_MASQUERADE" --add-forward-port=port=PORT_NUMBER:proto=PROTOCOL:toport=DESTINATION_PORT:toaddr=A.B.C.D
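Masquerading and forward-port rules turn the host into a NAT relay, so it is worth auditing which zones carry them. The following shell script is an added example and not part of this wiki page: it parses text in the format printed by `firewall-cmd --list-all-zones` (zone name on an unindented line, fields indented by two spaces, forward-port entries on their own indented lines after `forward-ports:`) and lists every zone with masquerading enabled and every forward-port rule. The input here is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example: list masquerade and forward-port settings per zone from
# `firewall-cmd --list-all-zones` style output.  Not from the wiki page.

# $1 = text in the format of `firewall-cmd --list-all-zones`.
# Prints "MASQUERADE <zone>" and "FORWARD <zone> <rule>" lines.
firewalld_forwarding_audit() {
    printf '%s\n' "$1" | awk '
        # A zone header is an unindented line such as "public (active)".
        /^[^ \t]/ { zone = $1; in_fp = 0; next }
        /^  masquerade: yes/ { print "MASQUERADE " zone }
        /^  forward-ports:/ { in_fp = 1; next }
        # Forward-port entries follow the header, one per indented line.
        in_fp && /^[ \t]+port=/ { sub(/^[ \t]+/, ""); print "FORWARD " zone " " $0; next }
        { in_fp = 0 }
    '
}

# Constructed sample in the shape of real output (real output indents
# forward-port entries with a tab; spaces are used here for readability).
SAMPLE_ZONES=$(printf '%s\n' \
    'home' \
    '  target: default' \
    '  services: ssh mdns samba-client' \
    '  masquerade: no' \
    '  forward-ports: ' \
    'public (active)' \
    '  target: default' \
    '  interfaces: eth0' \
    '  services: dhcpv6-client ssh' \
    '  masquerade: yes' \
    '  forward-ports: ' \
    '    port=80:proto=tcp:toport=8080:toaddr=10.0.0.5' \
    '    port=443:proto=tcp:toport=8443' \
    '  rich rules: ')

firewalld_forwarding_audit "$SAMPLE_ZONES"
```

On a live host, run `firewalld_forwarding_audit "$(sudo firewall-cmd --list-all-zones)"` and compare the result against the forwarding you intended to configure.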


Firewall Zones

Zones are pre-constructed rulesets for specific use-cases, e.g. home, public, dmz, trusted. A zone can also be bound to specific network interfaces; any interface not assigned a zone uses the default zone.

To view the default:

sudo firewall-cmd --get-default-zone

To change the default:

sudo firewall-cmd --set-default-zone=ZONE_SELECTION

To see zones in use:

sudo firewall-cmd --get-active-zones

To see the configuration for a particular zone:

sudo firewall-cmd --zone=public --list-all

To see the configuration for all the zones:

sudo firewall-cmd --list-all-zones


Working With Rulesets

More Info