Firewalld
Firewalld is a command-line front end for iptables/nftables that implements persistent network traffic rules, i.e. it controls which network traffic is permitted, rejected, or denied. This page covers installing (if needed), configuring, and controlling Firewalld.
Installing Firewalld
Firewalld is included by default on many Linux distributions (CentOS/RHEL/Fedora), so installation may not be necessary on those distributions.
If it is not installed, the commands below will install it:
Ubuntu/Debian
To update the system and then install the Firewalld packages:
sudo apt update && sudo apt install firewalld
To disable UFW, another firewall solution included in Ubuntu/Debian distributions:
sudo ufw disable
Controlling The Firewalld Service
To start Firewalld and enable it to start itself on boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
To stop Firewalld and disable it so that it no longer starts itself on boot:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
To check the status of Firewalld:
sudo firewall-cmd --state
This command should only output 'running' or 'not running'.
To check the status of the daemon for Firewalld:
sudo systemctl status firewalld
Configuring Firewalld
Configuration Sets
Firewalld uses two configuration sets, Runtime and Permanent. Changes made to the Runtime set take effect immediately but are lost on reboot, while changes made to the Permanent set survive a reboot but do not take effect on an already running system until the service is reloaded.
Runtime
To add a rule to the Runtime set that would permit incoming HTTP traffic:
sudo firewall-cmd --zone=public --add-service=http
Permanent
To add a rule to the Permanent set that would permit incoming HTTP traffic:
sudo firewall-cmd --zone=public --add-service=http --permanent
To reload the Firewalld service after updating the Permanent set to allow the changes to take effect:
sudo firewall-cmd --reload
Configure By Service
To view the available services by default:
sudo firewall-cmd --get-services
To make modifications to the firewall on a service level:
sudo firewall-cmd --zone=ZONE_SELECTION --[add/remove]-service=SERVICE_NAME [--permanent]
Examples to enable/disable the HTTP service:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
Configure By Port/Protocol
To enable/disable traffic in specific zones for specific ports and/or protocols:
sudo firewall-cmd --zone=ZONE_SELECTION --[add/remove]-port=PORT_NUMBER/PROTOCOL [--permanent]
Some examples:
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=home --remove-port=22/tcp --permanent
sudo firewall-cmd --zone=dmz --add-port=9999/udp
Port Forwarding
To Another Port On The Same Server
General form, followed by an example that forwards incoming TCP port 80 to port 12345 on the same server:
sudo firewall-cmd --zone=ZONE_SELECTION --add-forward-port=port=PORT_NUMBER:proto=PROTOCOL:toport=DESTINATION_PORT
sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=12345
To A Port On Another Server
Enable masquerading (NAT) in the zone you are forwarding from:
sudo firewall-cmd --zone=ZONE_SELECTION --add-masquerade
Add the forwarding rule:
sudo firewall-cmd --zone=ZONE_WITH_MASQUERADE --add-forward-port=port=PORT_NUMBER:proto=PROTOCOL:toport=DESTINATION_PORT:toaddr=A.B.C.D
Firewall Zones
Zones are pre-built rulesets for specific use cases, e.g. home, public, dmz, trusted. A zone can be bound to a specific network interface; any interface that is not assigned a zone uses the default zone.
To view the default zone:
sudo firewall-cmd --get-default-zone
To change the default zone:
sudo firewall-cmd --set-default-zone=ZONE_SELECTION
To see zones in use:
sudo firewall-cmd --get-active-zones
To see the configuration for a particular zone:
sudo firewall-cmd --zone=public --list-all
To see the configuration for all the zones:
sudo firewall-cmd --list-all-zones
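After making runtime or permanent changes, the zone listing above is what tells you which services, ports and NAT behaviour are actually exposed. The following added example (not part of the original page) parses `firewall-cmd --zone=ZONE --list-all` output so that an audit script can assert on it; when firewall-cmd is not available it falls back to a constructed sample in the same format, and the zone name, interface and open ports in that sample are assumptions.

```shell
#!/bin/sh
# Added example: audit a firewalld zone from its `--list-all` output.
# Constructed sample (not real output) in the format firewall-cmd prints.
SAMPLE_ZONE_OUTPUT='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 9999/udp 8080/tcp
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field OUTPUT FIELD -> the space-separated values on the "FIELD:" line
zone_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print }'
}

# zone_allows OUTPUT KIND NAME -> exit 0 when NAME appears under KIND
# (KIND is "services" or "ports"; NAME is e.g. "http" or "22/tcp")
zone_allows() {
  for v in $(zone_field "$1" "$2"); do
    [ "$v" = "$3" ] && return 0
  done
  return 1
}

# zone_masquerade_on OUTPUT -> exit 0 when masquerading (NAT) is enabled
zone_masquerade_on() {
  [ "$(zone_field "$1" masquerade)" = "yes" ]
}

# audit_zone OUTPUT -> print every exposed service/port and the NAT state
audit_zone() {
  out=$1
  for svc in $(zone_field "$out" services); do printf 'service allowed: %s\n' "$svc"; done
  for p in $(zone_field "$out" ports); do printf 'port allowed: %s\n' "$p"; done
  zone_masquerade_on "$out" && echo "masquerade enabled: this zone performs NAT"
  return 0
}

# Use live output when firewall-cmd exists, otherwise the constructed sample.
if command -v firewall-cmd >/dev/null 2>&1; then
  audit_zone "$(sudo firewall-cmd --zone=public --list-all)"
else
  audit_zone "$SAMPLE_ZONE_OUTPUT"
fi
```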