Table of Contents
- Overview
- Enable firewalld
- Start firewalld
- Stop firewalld
- Restart firewalld
- Firewalld status
- Add a Port for TCP or UDP
- Remove a Port for TCP or UDP
- Add a Service
- Remove a Service
- Whitelist an IP Address or IP range
- Remove a Whitelisted IP Address
- Block an IP Address or IP range
- Whitelist an IP Address for a Specific Port (More Rich Rules)
- Removing a Rich Rule
- Saving Firewall Rules
- Viewing Firewall Rules
- Further reading
Overview #
In some ways, firewalld is easier to manage and configure than iptables. There are, for the most part, no long series of chains, jumps, accepts and denies that you need to memorize to get firewalld up and running in a basic configuration. The rules are simple and straightforward, but there is no reason you cannot still have all the power that iptables gives you.
Firewalld uses the command line utility firewall-cmd to configure and manipulate rules.
Enable firewalld #
systemctl enable firewalldStart firewalld #
systemctl start firewalldStop firewalld #
systemctl stop firewalldRestart firewalld #
systemctl restart firewalldFirewalld status #
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-01-22 22:50:32 EST; 1h 0min ago
Main PID: 808 (firewalld)
CGroup: /system.slice/firewalld.service
└─808 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopidAdd a Port for TCP or UDP #
firewall-cmd --permanent --add-port=22/TCP
firewall-cmd --permanent --add-port=53/UDP
Remove a Port for TCP or UDP #
firewall-cmd --permanent --remove-port=444/tcpAdd a Service #
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
Remove a Service #
firewall-cmd --permanent --remove-service=mysqlWhitelist an IP Address or IP range #
firewall-cmd --permanent --add-source=192.168.1.100
firewall-cmd --permanent --add-source=192.168.1.0/24
Remove a Whitelisted IP Address #
firewall-cmd --permanent --remove-source=192.168.1.100Block an IP Address or IP range #
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
Whitelist an IP Address for a Specific Port (More Rich Rules) #
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'Removing a Rich Rule #
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'Saving Firewall Rules #
firewall-cmd --reloadViewing Firewall Rules #
firewall-cmd --list-all
public (default, active)
interfaces: enp1s0
sources: 192.168.1.0/24
services: dhcpv6-client dns http https mysql nfs samba smtp ssh
ports: 443/tcp 80/tcp 5900-5902/tcp 83/tcp 444/tcp 3260/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" forward-port port="5423" protocol="tcp" to-port="80"Further reading #
Here is more information about firewalld from Fedora and from the firewalld.org website.
