An introduction to using firewalld commands

What is Firewalld?

firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall zones, which define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings and Ethernet bridges, and it keeps runtime and permanent configuration separate. It also provides an interface through which services or applications can add firewall rules directly.

firewall-config - Graphical Administration tool for firewalld

A graphical tool, firewall-config, is provided for the configuration of firewalld. To use it you must be running in graphical mode (the X Window System). When you start firewall-config, you are immediately prompted for the root password.

firewall-config Graphical Administration Tool

The "firewall-config" administration tool has a drop-down menu labelled Configuration. This allows you to select between "Runtime" and "Permanent" mode. If you have selected Permanent mode, an additional row of icons is displayed in the left-hand corner. These icons only appear in the permanent configuration mode.

The firewall service provided by firewalld is dynamic rather than static. This means that changes can be made at any time and are implemented immediately. This allows for changes to be applied without any disruption to existing network connections.

firewall-cmd - Command Line Interface for firewalld

firewall-cmd is the command line interface for the administration of firewalld. It can be used to make permanent changes as well as non-permanent (runtime) changes. The runtime configuration in firewalld is separate from the permanent configuration, so a change can be made to either one: a runtime change takes effect immediately but is lost on restart, while a permanent change is written to the configuration files and survives a restart.

The "firewall-cmd" command can be run by the "root" user or another user with the relevant administration permissions.

The configuration files for firewalld can be found in the following locations:

/usr/lib/firewalld/ and /etc/firewalld/

Differences between firewalld and iptables

The main differences between firewalld and the iptables service are:

The iptables service stores its configuration files in /etc/sysconfig/iptables whereas firewalld stores its configurations in various XML files.

The path /etc/sysconfig/iptables no longer exists on new installations of RHEL 7, as firewalld is installed by default. Systems that have been upgraded from version 6.x will still have this path. As mentioned earlier, firewalld can make dynamic changes without disruption; with iptables, however, every rule change requires flushing the old rules and then re-reading the new rules from the file /etc/sysconfig/iptables.

Both of the above still use the iptables tool to talk to the kernel packet filter.

Below depicts how changes are made between the different models:

system-config-firewall >> iptables service >> iptables command >> kernel netfilter

firewall-config >> firewalld >> iptables command >> kernel netfilter

firewall-cmd >> iptables (command) >> kernel netfilter

Network Zones and firewalld

Under firewalld, zones are used to separate networks into groups based on their level of trust. NetworkManager informs firewalld which zone an interface belongs to.

The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface.

firewall-config Configuring Zones

Below is a list of the zones and a brief description:

drop zone

Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

block zone

Any incoming network connections are rejected with an "icmp-host-prohibited" message for IPv4 and the message "icmp6-adm-prohibited" on IPv6. Only network connections initiated from within the system are possible.

public zone

For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

external zone

For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

dmz - demilitarized zone

For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.

work zone

For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

home zone

For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

internal zone

For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

trusted zone

All network connections are accepted.

It is possible to designate one of these zones to be the default zone. When interface connections are added to the NetworkManager, they are assigned to the "default zone". On installation, the "default zone" in firewalld is set to be the public zone.

Predefined Services

A service is defined as a list of local ports/destinations together with a list of firewall helper modules that are loaded automatically when the service is enabled. Predefined services make it easier for an administrator to enable and disable access to a given service.

firewall-config Predefined Services

From the above image, you can see the predefined services under the Services tab.

To list predefined services using the command line, issue the following command as the root user:

[root@rhel07a /]# ls /usr/lib/firewalld/services/
amanda-client.xml      ipp-client.xml   mysql.xml       rpc-bind.xml
bacula-client.xml      ipp.xml          nfs.xml         samba-client.xml
bacula.xml             ipsec.xml        ntp.xml         samba.xml
dhcpv6-client.xml      kerberos.xml     openvpn.xml     smtp.xml
dhcpv6.xml             kpasswd.xml      pmcd.xml        ssh.xml
dhcp.xml               ldaps.xml        pmproxy.xml     telnet.xml
dns.xml                ldap.xml         pmwebapis.xml   tftp-client.xml
ftp.xml                libvirt-tls.xml  pmwebapi.xml    tftp.xml
high-availability.xml  libvirt.xml      pop3s.xml       transmission-client.xml
https.xml              mdns.xml         postgresql.xml  vnc-server.xml
http.xml               mountd.xml       proxy-dhcp.xml  wbem-https.xml
imaps.xml              ms-wbt.xml       radius.xml

You should never attempt to edit the above files manually.

To list system or user created services, issue the following command as the root user:

ls /etc/firewalld/services/

Services can be added and removed using the graphical "firewall-config" tool or by manually editing the XML files in /etc/firewalld/services/.

If a service has been added or modified by an administrator, the corresponding XML file will be found in the path /etc/firewalld/services/; a file there takes precedence over a file of the same name under /usr/lib/firewalld/services/.
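The zone descriptions and the service definitions above are both plain XML files, and the two directories named earlier (/usr/lib/firewalld/ for the package's presets, /etc/firewalld/ for the administrator's copies, which win file-for-file) are all firewalld needs to reconstruct a zone's permanent policy. The following script is an added example for this article, not code from the firewalld project: it resolves a zone name through that search path, expands each enabled service into the (protocol, port) pairs and helper modules its XML declares, and reports what the zone actually opens. The directory tree it reads is constructed in a temporary location so it runs without firewalld installed; the file contents are minimal stand-ins for the real ones (the `target` attribute on a zone and the `<module>` element in a service are real firewalld syntax, the port numbers in the override files are invented for the demonstration).

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# firewalld's two configuration trees: the package's presets, and the
# administrator's copies, which take precedence file-for-file.
VENDOR_DIR = "/usr/lib/firewalld"
ADMIN_DIR = "/etc/firewalld"


def find_definition(name, kind, roots=(ADMIN_DIR, VENDOR_DIR)):
    """Locate <root>/<kind>/<name>.xml, returning the first hit in precedence order."""
    for root in roots:
        path = os.path.join(root, kind, name + ".xml")
        if os.path.isfile(path):
            return path
    raise FileNotFoundError(f"no {kind} definition named {name!r}")


def load_service(name, roots=(ADMIN_DIR, VENDOR_DIR)):
    """A service is a set of (protocol, port) pairs plus the netfilter helper
    modules that firewalld loads when the service is enabled."""
    svc = ET.parse(find_definition(name, "services", roots)).getroot()
    return {
        "ports": {(p.get("protocol"), p.get("port")) for p in svc.findall("port")},
        "modules": {m.get("name") for m in svc.findall("module")},
    }


def effective_zone_policy(zone, roots=(ADMIN_DIR, VENDOR_DIR)):
    """Expand a zone file into what it opens: its target (DROP, %%REJECT%%,
    ACCEPT, or the implicit 'default' meaning 'only what is listed'), whether
    it masquerades, and the union of its own <port> entries with the ports of
    every enabled service."""
    z = ET.parse(find_definition(zone, "zones", roots)).getroot()
    ports = {(p.get("protocol"), p.get("port")) for p in z.findall("port")}
    modules, services = set(), []
    for s in z.findall("service"):
        services.append(s.get("name"))
        defn = load_service(s.get("name"), roots)
        ports |= defn["ports"]
        modules |= defn["modules"]
    return {
        "zone": zone,
        "target": z.get("target", "default"),
        "masquerade": z.find("masquerade") is not None,
        "services": services,
        "ports": sorted(ports),
        "modules": sorted(modules),
    }


# Constructed sample files mirroring the real layout; not copied from any system.
SAMPLE_FILES = {
    "usr/lib/firewalld/services/ssh.xml":
        '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "usr/lib/firewalld/services/ftp.xml":
        '<service><short>FTP</short><port protocol="tcp" port="21"/>'
        '<module name="nf_conntrack_ftp"/></service>',
    "usr/lib/firewalld/zones/public.xml":
        '<zone><short>Public</short><service name="ssh"/></zone>',
    "usr/lib/firewalld/zones/drop.xml":
        '<zone target="DROP"><short>Drop</short></zone>',
    "usr/lib/firewalld/zones/external.xml":
        '<zone><short>External</short><service name="ssh"/><masquerade/></zone>',
    # Administrator overrides (hypothetical): sshd moved to 2222, and the public
    # zone additionally opens ftp and 8080/tcp.  The /etc copy of ssh.xml also
    # changes what the untouched vendor external.xml opens, because the zone
    # refers to the service by name.
    "etc/firewalld/services/ssh.xml":
        '<service><short>SSH</short><port protocol="tcp" port="2222"/></service>',
    "etc/firewalld/zones/public.xml":
        '<zone><short>Public</short><service name="ssh"/><service name="ftp"/>'
        '<port protocol="tcp" port="8080"/></zone>',
}


def build_sample_tree(base):
    """Write SAMPLE_FILES under base and return the roots in precedence order."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return (os.path.join(base, "etc/firewalld"), os.path.join(base, "usr/lib/firewalld"))


def demo(zone="public"):
    """Resolve one zone against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as base:
        return effective_zone_policy(zone, build_sample_tree(base))


if __name__ == "__main__":
    for name in ("public", "drop", "external"):
        print(demo(name))
```

Pointing `effective_zone_policy` at the real directories (the defaults) gives the permanent configuration only; the runtime state can differ until `firewall-cmd --reload` is run, which is exactly the runtime/permanent split described earlier. The override of ssh.xml is also the reason the article warns against editing the files under /usr/lib/firewalld/ directly: a copy in /etc/firewalld/ achieves the same effect, survives package updates, and is easy to audit.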

Is firewalld already installed?

To check whether firewalld is already installed on your system (RHEL-based distributions), simply issue the following command:

yum install firewalld

[root@centos07b ~]# yum install firewalld firewall-config
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Package firewalld-0.3.9-7.el7.noarch already installed and latest version
Package firewall-config-0.3.9-7.el7.noarch already installed and latest version
Nothing to do

If "firewalld" is already installed, you will see output similar to the above (the repositories listed will differ depending on which OS you are using). Notice that we also added "firewall-config" to the command, which let us check at the same time that the configuration tool was installed.

If the above were not installed, you would then be prompted to install the relevant packages and any dependencies.

Checking the status of firewalld

You can use the following command to check the status of firewalld: systemctl status firewalld.service

[root@centos07b ~]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Fri 2014-10-10 14:15:44 BST; 8min ago
 Main PID: 618 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─618 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 10 14:15:44 centos07b systemd[1]: Started firewalld - dynamic firewall ...n.
Hint: Some lines were ellipsized, use -l to show in full.

You can also check that "firewalld" is "running" by issuing the "firewall-cmd" command as follows: firewall-cmd --state

[root@centos07b ~]# firewall-cmd --state

Enabling firewalld to automatically start at reboot

If you have manually installed firewalld using the above "yum" command, then you will probably need to configure firewalld to start automatically at system boot. This can be achieved by issuing the following command: systemctl enable firewalld.service

[root@centos07b ~]# systemctl enable firewalld.service
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/'

To confirm that the service is enabled, you can issue the following command: systemctl list-unit-files | grep firewalld

[root@centos07b ~]# systemctl list-unit-files | grep firewalld
firewalld.service                           enabled 

Disabling and stopping firewalld

If you need to disable/stop firewalld, this can be achieved by issuing the following commands as the root user:

[root@centos07b ~]# systemctl stop firewalld.service

[root@centos07b ~]# systemctl disable firewalld.service
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/'

Manually starting firewalld

To manually start firewalld, issue the following command as the root user:

[root@centos07b ~]# systemctl start firewalld.service

Remember to enable the service for automatic starting at system reboot: systemctl enable firewalld.service
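The status commands above establish two separate facts: whether firewalld is running now (systemctl status, firewall-cmd --state) and whether it will start at boot (systemctl list-unit-files). A host that was started manually but never enabled passes the first check and silently loses its firewall at the next reboot. The following script is an added example, not part of the article or the firewalld project: it reads both properties from `systemctl show -p ActiveState -p UnitFileState firewalld.service` (real systemctl options; output is one KEY=VALUE line per property) and maps the four combinations onto the remediation commands the article gives. The sample output strings are constructed so the logic can be exercised on a machine without systemd.

```python
import shutil
import subprocess

UNIT = "firewalld.service"


def parse_show_output(text):
    """Turn the KEY=VALUE lines printed by 'systemctl show' into a dict."""
    props = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def assess(props):
    """Combine running-now and enabled-at-boot into one verdict with the fix."""
    active = props.get("ActiveState") == "active"
    enabled = props.get("UnitFileState") == "enabled"
    if active and enabled:
        return "ok: firewalld is running and enabled at boot"
    if active and not enabled:
        return ("warning: running now but will not start after a reboot; "
                "run: systemctl enable " + UNIT)
    if enabled and not active:
        return ("warning: enabled at boot but not running; "
                "run: systemctl start " + UNIT)
    return ("critical: firewalld is stopped and disabled; "
            "run: systemctl enable " + UNIT + " && systemctl start " + UNIT)


def query_live(unit=UNIT):
    """Ask systemd on this host; returns None when systemctl is not available."""
    if shutil.which("systemctl") is None:
        return None
    result = subprocess.run(
        ["systemctl", "show", "-p", "ActiveState", "-p", "UnitFileState", unit],
        capture_output=True, text=True, check=False,
    )
    return assess(parse_show_output(result.stdout))


# Constructed samples shaped like the output of
# 'systemctl show -p ActiveState -p UnitFileState firewalld.service'.
SAMPLE_HEALTHY = "ActiveState=active\nUnitFileState=enabled\n"
SAMPLE_STARTED_NOT_ENABLED = "ActiveState=active\nUnitFileState=disabled\n"
SAMPLE_ENABLED_NOT_RUNNING = "ActiveState=inactive\nUnitFileState=enabled\n"

if __name__ == "__main__":
    for sample in (SAMPLE_HEALTHY, SAMPLE_STARTED_NOT_ENABLED, SAMPLE_ENABLED_NOT_RUNNING):
        print(assess(parse_show_output(sample)))
    print(query_live() or "systemctl not available on this host")
```

Run it from a configuration-audit job or a login script on RHEL 7 hosts; the `systemctl show` form is preferred over scraping `systemctl status` because the property output is stable and is not ellipsized, which the article's status listing notes can happen.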