An introduction to using firewalld commands
What is Firewalld?
firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly.
firewall-config - Graphical Administration tool for firewalld
A graphical tool, firewall-config, is provided for the configuration of firewalld. To use it you must be running a graphical session (the X Window System). When you start firewall-config you are immediately prompted for the root password.
The firewall-config tool has a drop-down menu labelled Configuration, which lets you switch between "Runtime" and "Permanent" mode. When Permanent mode is selected, an additional row of icons appears in the left-hand corner; these icons are only shown in the permanent configuration mode.
The firewall service provided by firewalld is dynamic rather than static. This means that changes can be made at any time and are implemented immediately. This allows for changes to be applied without any disruption to existing network connections.
firewall-cmd - Command Line Interface for firewalld
firewall-cmd is the command line interface for the administration of firewalld. It can be used to make permanent changes as well as non-permanent runtime changes. The runtime configuration in firewalld is kept separate from the permanent configuration, so a change can be made in either one without affecting the other: a runtime-only change is lost on reload or reboot, and a permanent-only change does not take effect until the next reload.
The firewall-cmd command can be run by the root user or by another user with the relevant administration permissions.
The configuration files for firewalld can be found in the following locations:
/usr/lib/firewalld/ and /etc/firewalld/
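Because the runtime and permanent configurations are separate, a rule added in only one of them drifts from the other until the next reload or reboot. As an added example (not part of the original article), the POSIX shell script below compares a zone's runtime service list with its permanent one and reports each difference; it assumes firewall-cmd is in PATH and takes the zone name as its first argument.

```shell
#!/bin/sh
# Added example: detect drift between firewalld runtime and permanent
# service lists for one zone. The comparison is pure shell so it can be
# exercised on constructed input without a running firewalld.

# services_drift RUNTIME PERMANENT
# Both arguments are space-separated service names as printed by
# `firewall-cmd --zone=Z --list-services` and its --permanent variant.
# Prints one line per difference; returns 1 if any drift, 0 otherwise.
services_drift() {
    runtime=$1; permanent=$2; rc=0
    for s in $runtime; do
        case " $permanent " in
            *" $s "*) ;;
            *) echo "runtime-only: $s (lost on reload/reboot)"; rc=1 ;;
        esac
    done
    for s in $permanent; do
        case " $runtime " in
            *" $s "*) ;;
            *) echo "permanent-only: $s (not active until --reload)"; rc=1 ;;
        esac
    done
    return $rc
}

# check_zone ZONE: query both configurations from firewalld and compare.
check_zone() {
    zone=$1
    rt=$(firewall-cmd --zone="$zone" --list-services)
    pm=$(firewall-cmd --permanent --zone="$zone" --list-services)
    services_drift "$rt" "$pm"
}

# Constructed sample (no firewalld needed):
#   services_drift "ssh http" "ssh cockpit"
# reports http as runtime-only and cockpit as permanent-only.

if [ $# -gt 0 ]; then check_zone "$1"; fi
```

Run it as `sh drift.sh public` (as root) and a non-zero exit status tells you the two configurations disagree.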
Differences between firewalld and iptables
The main differences between firewalld and the iptables service are:
The iptables service stores its configuration in "/etc/sysconfig/iptables", whereas firewalld stores its configuration in various XML files.
The path /etc/sysconfig/iptables no longer exists on new installations of RHEL 7 and above, as firewalld is installed by default. Systems that have been upgraded from version 6.x will still have this path. As mentioned earlier, firewalld can make dynamic changes without disruption; with iptables, however, every rule change requires flushing the old rules and then re-reading the new rules from the file /etc/sysconfig/iptables.
Both of the above still use the iptables tool to talk to the kernel packet filter.
Below depicts how changes are made between the different models:
system-config-firewall >> iptables service >> iptables command >> kernel netfilter
firewall-config >> firewalld >> iptables command >> kernel netfilter
firewall-cmd >> iptables (command) >> kernel netfilter
Network Zones and firewalld
Under firewalld, zones are used to separate networks into groups based on their level of trust. NetworkManager informs firewalld which zone an interface belongs to.
The zone settings in "/etc/firewalld/" are a range of preset settings which can be quickly applied to a network interface.
Below is a list of the zones and a brief description:
drop - Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block - Any incoming network connections are rejected with an "icmp-host-prohibited" message for IPv4 and the message "icmp6-adm-prohibited" on IPv6. Only network connections initiated from within the system are possible.
public - For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external - For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz (demilitarized zone) - For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work - For use in work areas. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
home - For use in home areas. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
internal - For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted - All network connections are accepted.
It is possible to designate one of these zones as the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to the public zone.
A service can be defined as a list of local ports/destinations together with a list of firewall helper modules that are automatically loaded when the service is enabled. Predefined services make it easier for an administrator to enable and disable access to a given service.
In the firewall-config tool, the predefined services are listed under the Services tab.
To list the predefined services from the command line, issue the following command as the root user:
# ls /usr/lib/firewalld/services/
You should never attempt to edit the files in /usr/lib/firewalld/services/ manually.
To list system or user created services, issue the following command as the root user:
Services can be added and removed using the graphical firewall-config tool or by manually editing the XML files in /etc/firewalld/services/.
If a service has been added or modified by an administrator, the corresponding XML file will be found in /etc/firewalld/services/.
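As an added example (not part of the original article), the script below writes a custom service definition into the administrator-owned directory in the same XML format firewalld uses for its predefined services, and rejects a malformed port or protocol before anything reaches /etc/firewalld. The service name "myapp", port 8443/tcp and the optional output directory argument are constructed for the example.

```shell
#!/bin/sh
# Added example: create a custom firewalld service file under
# /etc/firewalld/services/ (custom) rather than /usr/lib/firewalld/services/
# (predefined, never edited by hand).

# write_service NAME PORT/PROTO SHORT DESCRIPTION [DIR]
# Writes DIR/NAME.xml in firewalld's service format and prints the path.
# DIR defaults to /etc/firewalld/services; a different DIR is useful for
# staging or testing the file before installing it.
write_service() {
    name=$1 portspec=$2 short=$3 desc=$4 dir=${5:-/etc/firewalld/services}
    port=${portspec%/*} proto=${portspec#*/}
    # Only protocols firewalld accepts in a <port> element.
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    # A single port or a range such as 8000-8100; anything else is rejected.
    case "$port" in
        ''|*[!0-9-]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    file="$dir/$name.xml"
    cat > "$file" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$short</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
    chmod 0644 "$file"
    echo "$file"
}

# Typical use (as root), with constructed sample values:
#   write_service myapp 8443/tcp "My App" "Constructed sample service"
# firewalld only reads /etc/firewalld on (re)load, so afterwards:
#   firewall-cmd --reload
#   firewall-cmd --info-service=myapp
#   firewall-cmd --permanent --zone=public --add-service=myapp
#   firewall-cmd --reload
```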
Is firewalld already installed?
To check whether firewalld is already installed on your system (RHEL based distributions), simply issue the following command:
# dnf info firewalld firewall-config
Last metadata expiration check: 0:15:00 ago on Sun 06 Jun 2021 12:37:38 BST.
Installed Packages
Name         : firewall-config
Version      : 0.8.2
Release      : 6.el8
Architecture : noarch
Size         : 1.1 M
Source       : firewalld-0.8.2-6.el8.src.rpm
Repository   : @System
From repo    : appstream
Summary      : Firewall configuration application
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : The firewall configuration application provides an configuration interface for
             : firewalld.

Name         : firewalld
Version      : 0.8.2
Release      : 6.el8
Architecture : noarch
Size         : 1.9 M
Source       : firewalld-0.8.2-6.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : A firewall daemon with D-Bus interface providing a dynamic firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic customizable
             : firewall with a D-Bus interface.
From the above we can see that both packages are installed on my CentOS 8 desktop.
If the above were not present, then you could issue the following command to install:
# dnf install firewalld firewall-config
(Note: firewall-config is for a desktop system; omit it if not using a desktop.)
Checking the status of firewalld
You can use the following command to check the status of firewalld: systemctl status firewalld.service
# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-06-06 12:10:40 BST; 46min ago
     Docs: man:firewalld(1)
 Main PID: 937 (firewalld)
    Tasks: 2 (limit: 24768)
   Memory: 31.8M
   CGroup: /system.slice/firewalld.service
           └─937 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Jun 06 12:10:39 desktop01 systemd: Starting firewalld - dynamic firewall daemon...
Jun 06 12:10:40 desktop01 systemd: Started firewalld - dynamic firewall daemon.
You can also check that firewalld is running by issuing the "firewall-cmd" command as follows: firewall-cmd --state
# firewall-cmd --state
running
Enabling firewalld to automatically start at reboot
If you have manually installed firewalld using the above "dnf" command, then you will probably need to configure firewalld to start automatically at system boot. This can be achieved by issuing the following command: systemctl enable firewalld.service
# systemctl enable firewalld.service
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
# systemctl is-enabled firewalld
enabled
The command "systemctl is-enabled firewalld" was used to verify the service is now "enabled".
Disabling and stopping firewalld
If you need to disable/stop firewalld, then this can be achieved by issuing the following commands as the root user:
# systemctl stop firewalld.service
# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
# systemctl enable firewalld.service
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
# systemctl start firewalld.service