An introduction to using firewalld commands

What is Firewalld?

firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly.

firewall-config - Graphical Administration tool for firewalld

A graphical tool, firewall-config, is provided for the configuration of firewalld. To use it, you must be running in graphical mode (the X Window System). When you launch the "firewall-config" tool, you are immediately prompted for the root password.

Figure: the firewall-config GUI tool for firewalld

The "firewall-config" administration tool has a drop-down menu labelled "Configuration". This allows you to select between "Runtime" and "Permanent" mode. If you have selected Permanent mode, an additional row of icons is displayed in the left-hand corner. These icons only appear in permanent configuration mode.

The firewall service provided by firewalld is dynamic rather than static. This means that changes can be made at any time and are implemented immediately. This allows for changes to be applied without any disruption to existing network connections.

firewall-cmd - Command Line Interface for firewalld

firewall-cmd is a command line interface for the administration of firewalld. It can be used to make both permanent changes and non-permanent runtime changes. The runtime configuration in firewalld is kept separate from the permanent configuration, so a change can be applied to either one: a runtime-only change takes effect immediately but does not survive a reload or reboot, whereas a permanent change is saved to the configuration files.

The "firewall-cmd" command can be run by the "root" user or another user with the relevant administration permissions.

The configuration files for firewalld can be found in the following locations:

/usr/lib/firewalld/ and /etc/firewalld/

Differences between firewalld and iptables

The main differences between firewalld and the iptables service are:

The iptables service stores its configuration files in "/etc/sysconfig/iptables" whereas firewalld stores its configurations in various XML files.

The path /etc/sysconfig/iptables no longer exists on new installations using RHEL 7 and above as firewalld is installed by default. Systems that have been upgraded from version 6.x will still have this path. As mentioned earlier, firewalld can make dynamic changes without disruption, however, with iptables every rule change requires the flushing out of the old rules and then reading the new rules from the file /etc/sysconfig/iptables.

Both of the above still use the iptables tool to talk to the kernel packet filter.

The diagram below shows the path a change takes under each of the different models:


system-config-firewall >> iptables service >> iptables command >> kernel netfilter

firewall-config >> firewalld >> iptables command >> kernel netfilter

firewall-cmd >>  iptables (command) >> kernel netfilter

Network Zones and firewalld

Under firewalld, zones are used to separate networks based on their level of trust. NetworkManager informs firewalld which zone an interface belongs to.

The zone settings in "/etc/firewalld/" are a range of preset settings which can be quickly applied to a network interface.

Figure: the Zones tab of the firewall-config GUI tool

Zones

Below is a list of the zones and a brief description:

drop zone

Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

block zone

Any incoming network connections are rejected with an "icmp-host-prohibited" message for IPv4 and the message "icmp6-adm-prohibited" on IPv6. Only network connections initiated from within the system are possible.

public zone

For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

external zone

For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

dmz - demilitarized zone

For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.

work zone

For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

home zone

For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

internal zone

For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

trusted zone

All network connections are accepted.

It is possible to designate one of these zones to be the default zone. When interface connections are added to the NetworkManager, they are assigned to the "default zone". On installation, the "default zone" in firewalld is set to be the "public zone".

Predefined Services

A service can be defined as a list of local ports/destinations together with a list of firewall helper modules that are automatically loaded when the service is enabled. Predefined services make it easier for an administrator to enable and disable access to a given service.

Figure: the Services tab of the firewall-config GUI tool

From the above image, you can see the predefined services under the Services tab.

To list predefined services using the command line, issue the following command as the root user:


# ls /usr/lib/firewalld/services/

amanda-client.xml        ganglia-master.xml     ms-wbt.xml                sips.xml
amanda-k5-client.xml     git.xml                murmur.xml                sip.xml
amqps.xml                grafana.xml            mysql.xml                 slp.xml
amqp.xml                 gre.xml                nfs3.xml                  smtp-submission.xml
apcupsd.xml              high-availability.xml  nfs.xml                   smtps.xml
audit.xml                https.xml              nmea-0183.xml             smtp.xml
bacula-client.xml        http.xml               nrpe.xml                  snmptrap.xml
bacula.xml               imaps.xml              ntp.xml                   snmp.xml
bb.xml                   imap.xml               nut.xml                   spideroak-lansync.xml
bgp.xml                  ipp-client.xml         openvpn.xml               spotify-sync.xml
bitcoin-rpc.xml          ipp.xml                ovirt-imageio.xml         squid.xml
bitcoin-testnet-rpc.xml  ipsec.xml              ovirt-storageconsole.xml  ssdp.xml
bitcoin-testnet.xml      ircs.xml               ovirt-vmconsole.xml       ssh.xml
bitcoin.xml              irc.xml                plex.xml                  steam-streaming.xml
bittorrent-lsd.xml       iscsi-target.xml       pmcd.xml                  svdrp.xml
ceph-mon.xml             isns.xml               pmproxy.xml               svn.xml
ceph.xml                 jenkins.xml            pmwebapis.xml             syncthing-gui.xml
cfengine.xml             kadmin.xml             pmwebapi.xml              syncthing.xml
cockpit.xml              kdeconnect.xml         pop3s.xml                 synergy.xml
collectd.xml             kerberos.xml           pop3.xml                  syslog-tls.xml
condor-collector.xml     kibana.xml             postgresql.xml            syslog.xml
ctdb.xml                 klogin.xml             privoxy.xml               telnet.xml
dhcpv6-client.xml        kpasswd.xml            prometheus.xml            tentacle.xml
dhcpv6.xml               kprop.xml              proxy-dhcp.xml            tftp-client.xml
dhcp.xml                 kshell.xml             ptp.xml                   tftp.xml
distcc.xml               kube-apiserver.xml     pulseaudio.xml            tile38.xml
dns-over-tls.xml         ldaps.xml              puppetmaster.xml          tinc.xml
dns.xml                  ldap.xml               quassel.xml               tor-socks.xml
docker-registry.xml      libvirt-tls.xml        radius.xml                transmission-client.xml
docker-swarm.xml         libvirt.xml            rdp.xml                   upnp-client.xml
dropbox-lansync.xml      lightning-network.xml  redis-sentinel.xml        vdsm.xml
elasticsearch.xml        llmnr.xml              redis.xml                 vnc-server.xml
etcd-client.xml          managesieve.xml        RH-Satellite-6.xml        wbem-https.xml
etcd-server.xml          matrix.xml             rpc-bind.xml              wbem-http.xml
finger.xml               mdns.xml               rquotad.xml               wsmans.xml
freeipa-4.xml            memcache.xml           rsh.xml                   wsman.xml
freeipa-ldaps.xml        minidlna.xml           rsyncd.xml                xdmcp.xml
freeipa-ldap.xml         mongodb.xml            rtsp.xml                  xmpp-bosh.xml
freeipa-replication.xml  mosh.xml               salt-master.xml           xmpp-client.xml
freeipa-trust.xml        mountd.xml             samba-client.xml          xmpp-local.xml
ftp.xml                  mqtt-tls.xml           samba-dc.xml              xmpp-server.xml
galera.xml               mqtt.xml               samba.xml                 zabbix-agent.xml
ganglia-client.xml       mssql.xml              sane.xml                  zabbix-server.xml

You should never attempt to edit the above files manually.

To list system or user created services, issue the following command as the root user:

ls /etc/firewalld/services/

Services can be added and removed using the graphical "firewall-config" tool or by manually editing the XML files in /etc/firewalld/services/.

If a service has been added or modified by an administrator, then the corresponding XML file will be found in the path /etc/firewalld/services/.
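As an added example (not part of the original article), the functions below generate a custom service definition in the XML layout firewalld uses for the files under /usr/lib/firewalld/services/ and /etc/firewalld/services/, refusing to write a file if any port specification is malformed, and read the ports back out of an existing service file. They assume POSIX sh with grep and sed; the directory is a parameter so the functions can be tried on a scratch directory with constructed input before a file is placed in /etc/firewalld/services/.

```shell
#!/bin/sh
# Added example, not from the article: write and read firewalld service XML.
# Assumptions: POSIX sh, grep and sed; DIR is passed explicitly so the
# functions can be exercised on a scratch directory first.

# valid_port_spec PORT/PROTO: accepts e.g. 8443/tcp or 9000-9010/udp
valid_port_spec() {
    port=${1%/*}
    proto=${1#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9-]*|-*|*-) return 1 ;; esac
    return 0
}

# write_service DIR NAME SHORT PORT/PROTO...: writes DIR/NAME.xml in the
# firewalld service format; writes nothing at all if any spec is malformed
write_service() {
    dir=$1; name=$2; short=$3; shift 3
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$short"
        printf '  <description>Locally defined service %s.</description>\n' "$name"
        for spec in "$@"; do
            printf '  <port port="%s" protocol="%s"/>\n' "${spec%/*}" "${spec#*/}"
        done
        printf '</service>\n'
    } > "$dir/$name.xml"
}

# service_ports FILE: prints one PORT/PROTO line per <port .../> element,
# whatever order the port and protocol attributes appear in
service_ports() {
    grep -o '<port [^>]*/>' "$1" | while IFS= read -r tag; do
        port=$(printf '%s' "$tag" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s' "$tag" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}
```

After copying a generated file into /etc/firewalld/services/, run "firewall-cmd --reload" so firewalld picks up the new service definition.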

Is firewalld already installed?

To check to see if firewalld is already installed on your system (RHEL based distributions), simply issue the following command:


# dnf info firewalld firewall-config

Last metadata expiration check: 0:15:00 ago on Sun 06 Jun 2021 12:37:38 BST.
Installed Packages
Name         : firewall-config
Version      : 0.8.2
Release      : 6.el8
Architecture : noarch
Size         : 1.1 M
Source       : firewalld-0.8.2-6.el8.src.rpm
Repository   : @System
From repo    : appstream
Summary      : Firewall configuration application
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : The firewall configuration application provides an configuration interface for
             : firewalld.

Name         : firewalld
Version      : 0.8.2
Release      : 6.el8
Architecture : noarch
Size         : 1.9 M
Source       : firewalld-0.8.2-6.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : A firewall daemon with D-Bus interface providing a dynamic firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic customizable
             : firewall with a D-Bus interface.

From the above we can see that both packages are installed on my CentOS 8 desktop.

If the above were not present, then you could issue the following command to install:

# dnf install firewalld firewall-config

(Note: firewall-config is for a desktop system; omit it if not using a desktop.)

Checking the status of firewalld

You can use the following command to check the status of firewalld: systemctl status firewalld.service


# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-06-06 12:10:40 BST; 46min ago
     Docs: man:firewalld(1)
 Main PID: 937 (firewalld)
    Tasks: 2 (limit: 24768)
   Memory: 31.8M
   CGroup: /system.slice/firewalld.service
           └─937 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Jun 06 12:10:39 desktop01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 06 12:10:40 desktop01 systemd[1]: Started firewalld - dynamic firewall daemon.

You can also check that "firewalld" is "running" by issuing the "firewall-cmd" command as follows: firewall-cmd --state


# firewall-cmd --state
running

Enabling firewalld to automatically start at reboot

If you have manually installed firewalld using the above "dnf" command, then you will probably need to configure firewalld to start automatically at system boot. This can be achieved by issuing the following command: systemctl enable firewalld.service


# systemctl enable firewalld.service
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

# systemctl is-enabled firewalld
enabled

The command "systemctl is-enabled firewalld" was used to verify the service is now "enabled".

Disabling and stopping firewalld

If you need to disable/stop firewalld, then this can be achieved by issuing the following commands as the root user:


# systemctl stop firewalld.service

# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

# systemctl enable firewalld.service
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

# systemctl start firewalld.service