Overview #
In some ways, firewalld is easier to manage and configure than iptables. There are, for the most part, no long series of chains, jumps, accepts and denies that you need to memorize to get firewalld up and running in a basic configuration. The rules are simple and straightforward, but there is no reason you cannot still have all the power that iptables gives you.
Firewalld is configured and manipulated with the command-line utility firewall-cmd.
Enable firewalld #
systemctl enable firewalld
Start firewalld #
systemctl start firewalld
Stop firewalld #
systemctl stop firewalld
Restart firewalld #
systemctl restart firewalld
Firewalld status #
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-01-22 22:50:32 EST; 1h 0min ago
Main PID: 808 (firewalld)
CGroup: /system.slice/firewalld.service
└─808 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Add a Port for TCP or UDP #
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --permanent --add-port=53/udp
Remove a Port for TCP or UDP #
firewall-cmd --permanent --remove-port=444/tcp
Add a Service #
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
Remove a Service #
firewall-cmd --permanent --remove-service=mysql
Whitelist an IP Address or IP range #
firewall-cmd --permanent --add-source=192.168.1.100
firewall-cmd --permanent --add-source=192.168.1.0/24
Remove a Whitelisted IP Address #
firewall-cmd --permanent --remove-source=192.168.1.100
Block an IP Address or IP range #
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
Whitelist an IP Address for a Specific Port (More Rich Rules) #
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
Removing a Rich Rule #
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
Saving Firewall Rules #
firewall-cmd --reload
Rules added with --permanent are written to the on-disk configuration immediately, but they do not affect the running firewall until it is reloaded. --reload applies the saved configuration to the running firewall and discards any runtime-only changes.
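The block and whitelist rich-rule commands above, together with the permanent-then-reload step, as a script. This is an added example, not code from the original page or from the firewalld project; the function names, the source-address sanity check and the FIREWALL_CMD override for dry runs are this example's own assumptions. After the reload it confirms with --query-rich-rule that each rule is actually present in the running configuration, which is the check that catches a rule that was saved but never applied.

```shell
#!/bin/sh
# Added example (not from the original page). Builds firewalld rich rules of
# the two shapes shown above, validates the source address before it becomes a
# rule, and applies them the page's way: --permanent, --reload, then a query.
# Assumed: FIREWALL_CMD may be overridden for a dry run, e.g.
#   FIREWALL_CMD="echo firewall-cmd" sh rich-rules.sh apply

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix (this is the
# script's own check; firewalld would reject garbage too, but only at apply time).
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$1" ]; then prefix=32; fi      # no "/" given
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Split on dots in a subshell so IFS and $@ are untouched outside.
    (
        IFS=.
        set -f
        set -- $addr
        [ $# -eq 4 ] || exit 1
        for octet; do
            case $octet in ''|*[!0-9]*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# "Block an IP address" form: reject everything from one host or range.
rich_rule_reject_source() {
    valid_ipv4_cidr "$1" || return 1
    printf 'rule family="ipv4" source address="%s" reject' "$1"
}

# "Whitelist for a specific port" form: $1 source, $2 port or range, $3 tcp|udp.
rich_rule_accept_port() {
    valid_ipv4_cidr "$1" || return 1
    case $3 in tcp|udp) ;; *) return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' "$1" "$3" "$2"
}

# Add each rule permanently, reload so it takes effect, then confirm each one is
# present in the running configuration (--query-rich-rule exits 0 when it is).
apply_rich_rules() {
    for rule in "$@"; do
        $FIREWALL_CMD --permanent --add-rich-rule="$rule" || return 1
    done
    $FIREWALL_CMD --reload || return 1
    for rule in "$@"; do
        $FIREWALL_CMD --query-rich-rule="$rule" >/dev/null || {
            echo "rule missing after reload: $rule" >&2
            return 1
        }
    done
}

# Without the "apply" argument the script only prints the rules it would add.
block_rule=$(rich_rule_reject_source 192.168.1.100) || exit 1
allow_rule=$(rich_rule_accept_port 192.168.1.0/24 3306 tcp) || exit 1
printf '%s\n' "$block_rule" "$allow_rule"
if [ "${1:-}" = apply ]; then
    apply_rich_rules "$block_rule" "$allow_rule"
fi
```

Run it without arguments to see the rule strings, and with `apply` as root to add, reload and verify them. The rule text uses double quotes inside the rule because that is the form firewall-cmd prints back in --list-all, so the --query-rich-rule check compares like with like.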
Viewing Firewall Rules #
firewall-cmd --list-all
public (default, active)
interfaces: enp1s0
sources: 192.168.1.0/24
services: dhcpv6-client dns http https mysql nfs samba smtp ssh
ports: 443/tcp 80/tcp 5900-5902/tcp 83/tcp 444/tcp 3260/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" forward-port port="5423" protocol="tcp" to-port="80"
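A small audit script over the --list-all output above, as an added example that is not from the original page or the firewalld project. It parses the ports: and services: fields and reports anything open that is not on an allowlist, which is the practical check behind "viewing" the rules: the listing above exposes ports such as 5900-5902/tcp and 3260/tcp and services such as samba and nfs, and a reviewer wants those surfaced rather than read off by eye. The listing is embedded as a constructed copy of the page's sample so the script runs without firewalld; the function names and allowlists are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Parses `firewall-cmd --list-all`
# output and lists ports or services that are open but not on an expected list.
# The listing below is the page's own sample, embedded as a constructed string
# so the script runs without firewalld; audit_zone uses the live output when
# firewall-cmd is available.

SAMPLE_LIST_ALL='public (default, active)
  interfaces: enp1s0
  sources: 192.168.1.0/24
  services: dhcpv6-client dns http https mysql nfs samba smtp ssh
  ports: 443/tcp 80/tcp 5900-5902/tcp 83/tcp 444/tcp 3260/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" forward-port port="5423" protocol="tcp" to-port="80"'

# Print the values of one field ("ports", "services", ...) from --list-all
# output read on stdin. The anchor keeps "ports:" from matching "forward-ports:".
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print every value of field $2 in listing $1 that is absent from the
# space-separated allowlist $3, one per line; exit 1 if there were any.
unexpected_entries() {
    listing=$1; field=$2; expected=$3
    found=0
    for entry in $(printf '%s\n' "$listing" | zone_field "$field"); do
        case " $expected " in
            *" $entry "*) ;;
            *) printf '%s\n' "$entry"; found=1 ;;
        esac
    done
    return $found
}

# Allowlists for the host being checked (constructed for this example).
EXPECTED_PORTS="22/tcp 80/tcp 443/tcp"
EXPECTED_SERVICES="dhcpv6-client http https ssh"

# Check the live zone when firewall-cmd is present, otherwise the sample.
audit_zone() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        listing=$(firewall-cmd --list-all) || return 1
    else
        listing=$SAMPLE_LIST_ALL
    fi
    status=0
    echo "ports open but not expected:"
    unexpected_entries "$listing" ports "$EXPECTED_PORTS" || status=1
    echo "services open but not expected:"
    unexpected_entries "$listing" services "$EXPECTED_SERVICES" || status=1
    return $status
}

audit_zone || echo "review the entries above" >&2
```

Against the sample listing the script reports 5900-5902/tcp, 83/tcp, 444/tcp and 3260/tcp as unexpected ports and dns, mysql, nfs, samba and smtp as unexpected services. Because --list-all shows the running configuration, run it after --reload; to review what is saved on disk instead, add --permanent to the firewall-cmd call.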
Further reading #
Here is more information about firewalld from Fedora and from the firewalld.org website.