
Firewalld

1. Introduction

Rocky Linux: firewalld for beginners.

Red Hat 8: using and configuring firewalld.

The official firewalld documentation.

If firewalld is not already enabled on your machine, you can do that with:

systemctl enable --now firewalld

Check, stop or restart firewalld with:

systemctl status firewalld
systemctl stop firewalld
systemctl restart firewalld

Basic firewalld configuration and management commands:

firewall-cmd --state
firewall-cmd --reload
firewall-cmd --list-all

All changes made with firewall-cmd apply to the runtime configuration only and are lost on reload or restart. Save them permanently with:

firewall-cmd --runtime-to-permanent
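Because runtime changes silently disappear on the next reload, the check a practitioner wants is "what did I change that is not saved yet?". The script below is an added example and not part of the original page: it compares the indented "key: value" lines of the runtime and permanent `--list-all` output and prints those only present at runtime. The two sample outputs are constructed to resemble firewall-cmd's format, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): detect runtime changes that
# have not been saved with --runtime-to-permanent, by comparing the
# "key: value" lines of the runtime and permanent `--list-all` output.
# Both samples below are constructed to resemble that output.

RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 9001/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# field NAME TEXT: print the value of the "  NAME: value" line in TEXT
field() {
    printf '%s\n' "$2" | sed -n "s/^  $1: *//p"
}

# pending_changes RUNTIME PERMANENT: print every indented "key: value"
# line present in RUNTIME but not in PERMANENT; these are lost on reload
pending_changes() {
    printf '%s\n' "$1" | grep '^  ' | while IFS= read -r line; do
        printf '%s\n' "$2" | grep -Fxq -- "$line" || printf '%s\n' "$line"
    done
}

# live_pending_changes ZONE: run the comparison on the real host (needs
# firewall-cmd and root); falls back to the constructed samples otherwise
live_pending_changes() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; comparing the constructed samples instead" >&2
        pending_changes "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
        return
    fi
    pending_changes "$(firewall-cmd --zone="$1" --list-all)" \
                    "$(firewall-cmd --permanent --zone="$1" --list-all)"
}

# Anything printed here is a runtime-only change; an empty result means
# the permanent configuration already matches.
live_pending_changes public
```

Run it before a planned `firewall-cmd --reload` or a reboot: a non-empty result is the list of lines that will vanish unless `--runtime-to-permanent` is issued first.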

2. Managing Zones

The predefined zones are:

zone      info
drop      all incoming connections are dropped
block     incoming connections are rejected
public    untrusted networks, allow selected incoming connections
external  external network with the firewall as gateway, NAT masquerading
internal  internal network with the firewall as gateway, trustworthy side
dmz       isolated computers that will not have access to the rest of the network
work      trust most of the computers in the network, used for work
home      trust most of the other computers in the network
trusted   trust all computers in the network

All zones:

firewall-cmd --get-zones

Active zones:

firewall-cmd --get-active-zones

Default zone:

firewall-cmd --get-default-zone

Change the default zone to "work":

firewall-cmd --set-default-zone work

Remove an interface from a zone:

firewall-cmd --zone=work --remove-interface=enp1s0

Add a network interface to a zone:

firewall-cmd --zone=work --add-interface=enp1s0

Change the zone of a network interface:

firewall-cmd --zone=public --change-interface=enp1s0

Set back the default zone to "public":

firewall-cmd --set-default-zone public

3. Managing Ports

List open ports (no --zone given, so the default zone is queried):

firewall-cmd --list-ports

List open ports in one zone:

firewall-cmd --zone=public --list-ports

Open a port:

firewall-cmd --zone=public --add-port=9001/tcp

Remove a port:

firewall-cmd --zone=public --remove-port=9001/tcp

Open a port range (every port from 1 to 22, so check the range is really what you need):

firewall-cmd --zone=public --add-port=1-22/tcp
firewall-cmd --zone=public --add-port=1-22/udp

Check the result:

firewall-cmd --zone=public --list-all

Remove the port range:

firewall-cmd --zone=public --remove-port=1-22/tcp
firewall-cmd --zone=public --remove-port=1-22/udp
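A malformed or over-wide port specification is the usual way a "quick" port change opens more than intended. The script below is an added example and not part of the original page: it validates a `port/proto` or `first-last/proto` specification and refuses ranges wider than a policy limit before calling firewall-cmd. The limit, zone, function names and the specs in the demo loop are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): validate a port specification
# before handing it to firewall-cmd, and refuse ranges wider than a limit.
# MAX_RANGE_WIDTH is a constructed policy value; adjust to taste.

MAX_RANGE_WIDTH=${MAX_RANGE_WIDTH:-16}

# is_port N: 0 if N is an integer in 1..65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_port_spec SPEC: 0 if SPEC is <port>/<proto> or <first>-<last>/<proto>
validate_port_spec() {
    spec=$1
    proto=${spec##*/}
    ports=${spec%/*}
    [ "$spec" != "$ports" ] || return 1            # no "/" at all
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case $ports in
        *-*)
            first=${ports%-*}; last=${ports#*-}
            is_port "$first" && is_port "$last" && [ "$first" -le "$last" ]
            ;;
        *)
            is_port "$ports"
            ;;
    esac
}

# range_width SPEC: number of ports a valid SPEC covers
range_width() {
    ports=${1%/*}
    case $ports in
        *-*) echo $(( ${ports#*-} - ${ports%-*} + 1 )) ;;
        *)   echo 1 ;;
    esac
}

# open_port ZONE SPEC: validate, enforce the width limit, then open at
# runtime (the page's --runtime-to-permanent step is left to the operator)
open_port() {
    zone=$1; spec=$2
    validate_port_spec "$spec" || { echo "refusing malformed spec: $spec" >&2; return 1; }
    if [ "$(range_width "$spec")" -gt "$MAX_RANGE_WIDTH" ]; then
        echo "refusing $spec: wider than $MAX_RANGE_WIDTH ports" >&2
        return 1
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone="$zone" --add-port="$spec"
    else
        echo "would run: firewall-cmd --zone=$zone --add-port=$spec"
    fi
}

# Demo over a few constructed specs, including malformed ones
for s in 9001/tcp 1-22/udp 22 70000/tcp 22-1/tcp 80/icmp; do
    if validate_port_spec "$s"; then
        printf '%-12s ok (%s ports)\n' "$s" "$(range_width "$s")"
    else
        printf '%-12s malformed\n' "$s"
    fi
done
open_port public 9001/tcp
open_port public 1-22/tcp   # refused: 22 ports is wider than the limit
```

The page's own `1-22/tcp` range is rejected with the default limit of 16, which is the point: a range that wide should be a conscious decision, not a typo that slips through.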

4. Managing Services

Services are the preferred way to open the ports of common services such as http, https, ftp, ssh and samba: a service definition bundles the ports that service needs.

List all available services you could potentially add to your firewall with:

firewall-cmd --get-services

List active services in use:

firewall-cmd --list-services

Open up a service:

firewall-cmd --zone=public --add-service=http

Remove a service:

firewall-cmd --zone=public --remove-service=http

Open all ports for a single IP (whitelist one IP). Note that --add-source binds the source to the zone: traffic from it is handled by that zone's rules, so every port is open only when the zone accepts everything (for example trusted); bound to public, the source gets public's services and ports:

firewall-cmd --zone=public --add-source=192.168.1.0

Open all ports for a range of IPs (whitelist a range); the same zone-binding caveat applies:

firewall-cmd --zone=public --add-source=192.168.1.0/24

Remove a range of IPs (revert the whitelist range):

firewall-cmd --zone=public --remove-source=192.168.1.0/24

5. Restricting Access

Rich rules explained with examples.

List rich rules:

firewall-cmd --list-rich-rules
firewall-cmd --list-all

Add a rich rule (allow ssh only from 192.168.1.0/24, which is tighter than binding the whole source to the zone):

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'

Remove a rich rule:

firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
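Rich rules are built from quoted text, so a source or service name taken from a variable should be validated before it is interpolated. The script below is an added example and not part of the original page; it covers both the source whitelisting above and the rich-rule syntax: it validates an IPv4 address or CIDR, restricts the service name to a plain token, and prints a rule that accepts one service from one source. Function names are assumptions; the rule syntax is firewalld's, and IPv6 sources are passed through unvalidated.

```shell
#!/bin/sh
# Added example (not from the original page): build and validate a rich
# rule that accepts one service from one source, rather than binding the
# whole source to a zone with --add-source. Names below are assumptions.

# is_ipv4_cidr ADDR[/PREFIX]: 0 if ADDR has four octets 0-255 and
# PREFIX (32 when absent) is 0-32
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$1" = "$addr" ] && prefix=32             # no "/": single host
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# rich_rule_allow_service FAMILY SOURCE SERVICE: print the rule text
rich_rule_allow_service() {
    fam=$1; src=$2; svc=$3
    case $fam in ipv4|ipv6) ;; *) echo "bad family: $fam" >&2; return 1 ;; esac
    if [ "$fam" = ipv4 ] && ! is_ipv4_cidr "$src"; then
        echo "bad ipv4 source: $src" >&2; return 1
    fi
    # service names are plain tokens; anything else could smuggle rule text
    case $svc in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $svc" >&2; return 1 ;; esac
    printf 'rule family="%s" source address="%s" service name="%s" accept\n' "$fam" "$src" "$svc"
}

# apply_rich_rule ZONE RULE: add at runtime, or show the command when
# firewall-cmd is not available on this machine
apply_rich_rule() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone="$1" --add-rich-rule="$2"
    else
        printf "would run: firewall-cmd --zone=%s --add-rich-rule='%s'\n" "$1" "$2"
    fi
}

# Demo with the page's own network and service
rule=$(rich_rule_allow_service ipv4 192.168.1.0/24 ssh) && apply_rich_rule public "$rule"
# Rejected inputs: bad prefix, bad octet, service name carrying extra rule text
rich_rule_allow_service ipv4 192.168.1.0/33 ssh
rich_rule_allow_service ipv4 300.1.1.1 ssh
rich_rule_allow_service ipv4 192.168.1.0/24 'ssh accept'
```

The generated rule is exactly the one shown on the page, so `--remove-rich-rule` with the same text takes it away again.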
