Firewalld
Firewalld is a command-line front end for iptables/nftables that manages persistent network traffic rules, i.e. it controls which network traffic is permitted, rejected, or denied. This page covers installing (if needed), configuring, and controlling Firewalld.
Installing Firewalld
Firewalld is included by default on many Linux distributions (CentOS/RHEL/Fedora), so installation may not be necessary on those distributions.
If it is NOT installed, the following commands will install it:
RHEL Systems
To update the system and then install the Firewalld packages:
sudo dnf upgrade && sudo dnf install firewalld
Ubuntu/Debian
To update the system and then install the Firewalld packages:
sudo apt update && sudo apt install firewalld
To disable UFW, another firewall solution included in Ubuntu/Debian distributions:
sudo ufw disable
Controlling The Firewalld Service
To start Firewalld and enable it to start on boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
To stop Firewalld and disable it so it no longer starts on boot:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
To check the status of Firewalld:
sudo firewall-cmd --state
This command should only output 'running' or 'not running'.
To check the status of the daemon for Firewalld:
sudo systemctl status firewalld
Configuring Firewalld
Configuration Sets
Firewalld uses two configuration sets, Runtime and Permanent. Changes made to the Runtime set take effect immediately but are lost on reload or reboot, while changes made to the Permanent set persist across reboots but are not applied to the running firewall until it is reloaded.
Runtime
To add a rule to the Runtime set that would permit incoming HTTP traffic:
sudo firewall-cmd --zone=public --add-service=http
Permanent
To add a rule to the Permanent set that would permit incoming HTTP traffic:
sudo firewall-cmd --zone=public --add-service=http --permanent
To reload the Firewalld service after updating the Permanent set to allow the changes to take effect:
sudo firewall-cmd --reload
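Because the two sets are separate, a rule added to only one of them is easy to lose track of. The following shell script is an added example (not from the original page or the firewalld project) that applies a service rule to both sets in one step and then confirms each set with the --query-service option, which exits 0 when the service is enabled and 1 when it is not. The FW variable is this example's own knob, not a firewalld option: it lets the commands be redirected to a stub (for instance FW=echo) for a dry run.

```shell
#!/bin/sh
# Added example: keep the Runtime and Permanent sets in step for one service.
# FW is an assumption of this example (not a firewalld option) so the
# firewall-cmd calls can be redirected to a stub for a dry run.
set -eu
FW=${FW:-"sudo firewall-cmd"}

# fw_allow_service ZONE SERVICE
# Adds SERVICE to ZONE in the Runtime set (effective now) and in the
# Permanent set (survives reload and reboot), so the two sets do not drift.
fw_allow_service() {
    zone=$1
    svc=$2
    $FW --zone="$zone" --add-service="$svc"
    $FW --zone="$zone" --add-service="$svc" --permanent
}

# fw_check_service ZONE SERVICE
# Prints "runtime=yes|no permanent=yes|no" for SERVICE in ZONE.
# --query-service exits 0 when the service is enabled, 1 when it is not.
fw_check_service() {
    zone=$1
    svc=$2
    if $FW --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        r=yes
    else
        r=no
    fi
    if $FW --zone="$zone" --query-service="$svc" --permanent >/dev/null 2>&1; then
        p=yes
    else
        p=no
    fi
    printf 'runtime=%s permanent=%s\n' "$r" "$p"
}

# Usage: sh fw_service.sh apply ZONE SERVICE   (e.g. apply public http)
if [ "${1:-}" = "apply" ]; then
    fw_allow_service "$2" "$3"
    fw_check_service "$2" "$3"
fi
```

Run it once with a real service name and the second line of output should read runtime=yes permanent=yes; a mismatch between the two columns is exactly the situation the page warns about, where a change was made to only one set.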
Configure By Service
To view the available services by default:
sudo firewall-cmd --get-services
To make modifications to the firewall on a service level:
sudo firewall-cmd --zone=ZONE_SELECTION --[add/remove]-service=SERVICE_NAME [--permanent]
Examples to enable/disable the HTTP service:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
Configure By Port/Protocol
To enable/disable traffic in specific zones for specific ports and/or protocols:
sudo firewall-cmd --zone=ZONE_SELECTION --[add/remove]-port=PORT_NUMBER/PROTOCOL [--permanent]
Some examples:
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=home --remove-port=22/tcp --permanent
sudo firewall-cmd --zone=dmz --add-port=9999/udp
Port Forwarding
To Another Port On The Same Server
Example:
sudo firewall-cmd --zone="ZONE_SELECTION" --add-forward-port=port=PORT_NUMBER:proto=PROTOCOL:toport=DESTINATION_PORT
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345
To A Port On Another Server
Enable masquerading in the zone you are forwarding from:
sudo firewall-cmd --zone=ZONE_SELECTION --add-masquerade
Add the forwarding rule:
sudo firewall-cmd --zone="ZONE_WITH_MASQUERADE" --add-forward-port=port=PORT_NUMBER:proto=PROTOCOL:toport=DESTINATION_PORT:toaddr=A.B.C.D
ICMP Block Inversion
ICMP Block Inversion inverts how the firewall handles ICMP traffic that is not covered by any explicit rule.
In other words, with ICMP Block Inversion DISABLED (typically the default), the firewall ALLOWS all ICMP traffic that is NOT explicitly blocked by other rules. With ICMP Block Inversion ENABLED, the firewall BLOCKS all ICMP traffic that is NOT explicitly permitted.
Pictured:
While disabled (typically the default):
1.1.1.1 pings 2.2.2.2 >>> 2.2.2.2 ALLOWS the ICMP traffic unless a rule explicitly blocks it.
While enabled:
1.1.1.1 pings 2.2.2.2 >>> 2.2.2.2 DENIES the ICMP traffic unless a rule explicitly allows it.
To enable:
sudo firewall-cmd --add-icmp-block-inversion --permanent
sudo firewall-cmd --reload
To disable:
sudo firewall-cmd --remove-icmp-block-inversion --permanent
sudo firewall-cmd --reload
Firewall Zones
Zones are pre-constructed rulesets for specific use cases, e.g. home, public, dmz, trusted. Zones can also be assigned to individual network interfaces; any interface not assigned a zone uses the default zone.
To view the default:
sudo firewall-cmd --get-default-zone
To change the default:
sudo firewall-cmd --set-default-zone=ZONE_SELECTION
To see zones in use:
sudo firewall-cmd --get-active-zones
To see the configuration for a particular zone:
sudo firewall-cmd --zone=public --list-all
To see the configuration for all the zones:
sudo firewall-cmd --list-all-zones
Working With Rulesets
To configure a ruleset that would be appropriate for a basic web server with a DMZ zone:
Make the dmz zone the default and bind a network interface (eth0 here) to it:
sudo firewall-cmd --set-default-zone=dmz
sudo firewall-cmd --zone=dmz --add-interface=eth0
Add rules for the HTTP and HTTPS services to the Permanent set:
sudo firewall-cmd --zone=dmz --add-service=http --permanent
sudo firewall-cmd --zone=dmz --add-service=https --permanent
Reload the firewall so the Permanent set changes take effect:
sudo firewall-cmd --reload
To verify the rules are in place and are as desired:
sudo firewall-cmd --zone=dmz --list-all
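Reading --list-all output by eye does not scale once the ruleset is applied on more than one host. The following shell script is an added example (not from the original page or the firewalld project) that applies the web-server ruleset above as one repeatable script and then verifies it with the --get-default-zone, --query-interface and --query-service options, each of which exits non-zero when the expected setting is absent. It also binds the interface in the Permanent set as well as the Runtime set, since the page's runtime-only --add-interface is not guaranteed to survive the --reload that follows. The FW variable is this example's own dry-run knob, not a firewalld option; IFACE defaults to eth0 as on the page.

```shell
#!/bin/sh
# Added example: apply and verify the DMZ web-server ruleset from the page.
# FW is an assumption of this example (not a firewalld option) so the
# firewall-cmd calls can be redirected to a stub for a dry run.
set -eu
FW=${FW:-"sudo firewall-cmd"}

# dmz_web_apply IFACE
# Issues the page's commands in order. Every command is idempotent on a
# host where the setting already exists, so the script can be re-run safely.
dmz_web_apply() {
    iface=$1
    $FW --set-default-zone=dmz
    # Bind the interface in both sets so the binding survives the reload.
    $FW --zone=dmz --add-interface="$iface"
    $FW --zone=dmz --add-interface="$iface" --permanent
    for svc in http https; do
        $FW --zone=dmz --add-service="$svc" --permanent
    done
    $FW --reload
}

# dmz_web_verify IFACE
# Returns 0 when every expected setting is present, 1 otherwise, and names
# each missing setting on stderr. The --query-* options exit 1 when the
# queried setting is absent, which is what drives the checks.
dmz_web_verify() {
    iface=$1
    status=0
    [ "$($FW --get-default-zone)" = "dmz" ] \
        || { echo "default zone is not dmz" >&2; status=1; }
    $FW --zone=dmz --query-interface="$iface" >/dev/null \
        || { echo "$iface is not bound to dmz" >&2; status=1; }
    for svc in http https; do
        $FW --zone=dmz --query-service="$svc" --permanent >/dev/null \
            || { echo "$svc is missing from the permanent dmz zone" >&2; status=1; }
    done
    return $status
}

# Usage: sh dmz_web.sh apply [IFACE]    then    sh dmz_web.sh verify [IFACE]
case "${1:-}" in
    apply)  dmz_web_apply "${2:-eth0}" ;;
    verify) dmz_web_verify "${2:-eth0}" ;;
esac
```

Running the verify step from a scheduled job gives a cheap drift check: it exits non-zero as soon as someone removes a service from the zone or rebinds the interface, which is easier to alert on than a diff of --list-all output.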