firewalld
firewalld is a dynamic firewall management daemon for Linux. It drives the kernel packet filter (nftables on current releases, iptables on older ones) through zones and services, and exposes a D-Bus interface so rules can be changed at runtime without flushing the whole ruleset. It keeps two configurations: the runtime configuration, which is what is enforced right now and is lost on reload or reboot, and the permanent configuration stored on disk under /etc/firewalld/.
firewall-cmd is the command-line client for firewalld. It queries and modifies either configuration (the runtime one by default, the permanent one with --permanent) without restarting the service.
Basic Management
Check firewalld state
sudo firewall-cmd --state
Prints "running" or "not running"; the exit status is non-zero when firewalld is not running, so the command can be used as a check in scripts.
Get default zone
sudo firewall-cmd --get-default-zone
Displays the default zone, which is applied to every interface (and every source address) that is not explicitly bound to another zone. Most commands below act on the default zone unless --zone=NAME is given.
List open ports
sudo firewall-cmd --list-ports
Lists the ports opened with --add-port in the default zone's runtime configuration. Ports reached through a named service (for example --add-service=https) are not shown here; use --list-services or --list-all to see those.
List all allowed services and ports
sudo firewall-cmd --list-all
Displays everything configured for the default zone: target, bound interfaces and sources, services, ports, protocols, masquerading, forward ports and rich rules. Add --permanent to see the saved configuration instead of the running one, or --zone=NAME to inspect another zone.
Open a port (e.g., TCP 443)
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --reload
Opens TCP port 443 in the default zone and keeps it open across reboots. Replace 443/tcp with the port number and protocol you need (a range such as 8000-8080/tcp also works). --permanent writes only the saved configuration; the running firewall does not change until --reload loads that configuration. Be aware that --reload also discards any runtime-only rule that was never made permanent. To apply a change immediately without a reload, run the same command once without --permanent and once with it, or apply it at runtime and then save everything with sudo firewall-cmd --runtime-to-permanent.
Close a port (e.g., TCP 443)
sudo firewall-cmd --remove-port=443/tcp --permanent
sudo firewall-cmd --reload
Closes TCP port 443 in the default zone permanently; the same runtime/permanent rule applies. Verify the result with sudo firewall-cmd --list-ports (runtime) and sudo firewall-cmd --permanent --list-ports (saved).
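The runtime/permanent split above is the usual source of "I opened the port but it is still closed" (or the reverse: a rule silently lost at the next reload). The helper below is an added example written for this page, not part of firewalld or firewall-cmd: it queries both configurations with --query-port, fixes whichever half is missing, and never calls --reload, so runtime-only rules added by someone else survive. The FIREWALL_CMD variable is an assumption of this example so the logic can be exercised against a stub without root or a running daemon.

```shell
#!/usr/bin/env bash
# fw_open_port: idempotent "open a port" helper. Added example for this page,
# not part of firewalld or firewall-cmd.
#
# The two-step recipe (--add-port ... --permanent, then --reload) has two traps:
# --permanent alone leaves the running firewall untouched, and --reload throws
# away any runtime-only rule that was never saved. This helper updates the
# runtime and the permanent configuration explicitly and never reloads.
set -u

# Command used to talk to firewalld. Assumption for this example: it may be
# pointed at a stub function (FIREWALL_CMD=my_stub) for testing without root.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_port_state ZONE PORT/PROTO
# Prints one of: both, runtime-only, permanent-only, closed.
fw_port_state() {
    local zone="$1" port="$2" rt=closed pm=closed
    "$FIREWALL_CMD" --zone="$zone" --query-port="$port" >/dev/null 2>&1 && rt=open
    "$FIREWALL_CMD" --permanent --zone="$zone" --query-port="$port" >/dev/null 2>&1 && pm=open
    case "$rt/$pm" in
        open/open)   echo both ;;
        open/closed) echo runtime-only ;;
        closed/open) echo permanent-only ;;
        *)           echo closed ;;
    esac
}

# fw_open_port ZONE PORT/PROTO
# Opens PORT in ZONE in whichever configuration still lacks it and prints the
# resulting state. Returns 2 on a malformed spec, 1 if firewall-cmd failed.
fw_open_port() {
    local zone="$1" port="$2"
    local num="${port%/*}" proto="${port#*/}"
    # Accept "443/tcp" or a range such as "8000-8080/udp"; reject anything else
    # before it reaches firewall-cmd.
    case "$num" in ''|*[!0-9-]*) echo "fw_open_port: bad port '$port'" >&2; return 2 ;; esac
    case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "fw_open_port: bad protocol in '$port'" >&2; return 2 ;; esac

    local state
    state=$(fw_port_state "$zone" "$port")
    case "$state" in
        both) ;;   # already open in both configurations, nothing to do
        permanent-only)
            "$FIREWALL_CMD" --zone="$zone" --add-port="$port" >/dev/null || return 1 ;;
        runtime-only)
            "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$port" >/dev/null || return 1 ;;
        closed)
            "$FIREWALL_CMD" --zone="$zone" --add-port="$port" >/dev/null || return 1
            "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$port" >/dev/null || return 1 ;;
    esac
    fw_port_state "$zone" "$port"
}

# Usage when run as a script: sudo ./fw_open_port.sh public 443/tcp
if [ $# -eq 2 ]; then
    fw_open_port "$1" "$2"
fi
```

The same pattern works for --add-service / --query-service; the point is that every change is made to both configurations rather than relying on a reload to sync them.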
Zone management
A zone in firewalld is a named set of rules that expresses how much you trust the traffic reaching it. Zones are bound to network interfaces and/or source address ranges, so different rules apply depending on where traffic comes from (e.g., public, home, internal).
Only the rules of the zone a packet is matched to are applied to it. firewalld does not merge the rules of all zones: a zone that is bound to no interface and no source is inactive and its rules affect nothing, which is why --get-active-zones is the first thing to check when a rule appears to have no effect.
Example:
• The public zone is for untrusted networks such as the internet. You might bind your external-facing interface (like eth0) to it.
• The home zone is for trusted networks such as your local WiFi (e.g., 192.168.x.x). You might bind your wireless interface (like wlan0 or wlp2s0) to it.
A packet is matched to a zone by its source address first (bound with --add-source), then by the interface it arrived on (bound with --add-interface); traffic matching neither falls into the default zone. Once the bindings are in place, you open ports and services per zone.
List all zones
sudo firewall-cmd --get-zones
Shows all zones defined in firewalld (the predefined ones such as public, home, internal, trusted, drop and block, plus any you created), whether or not they are currently bound to anything.
List all rules for a zone
sudo firewall-cmd --zone=public --list-all
Displays all rules, services, and ports configured for the public zone.
Show active zones
sudo firewall-cmd --get-active-zones
Displays the zones that are currently in use, with the interfaces and sources bound to each. A zone missing from this list applies to no traffic at all.
List services allowed in the default zone
sudo firewall-cmd --list-services
Lists the services currently allowed in the default zone (runtime configuration); add --zone=NAME for another zone.
Add a service (e.g., http)
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload
Adds the HTTP service to the default zone permanently. A service is a named bundle of ports and protocols defined in an XML file (defaults under /usr/lib/firewalld/services/, local overrides under /etc/firewalld/services/); sudo firewall-cmd --get-services lists the available names and sudo firewall-cmd --info-service=http shows what a given service opens. Use --permanent to make the change persistent and --reload to apply it, with the same runtime/permanent caveat as for ports.
Remove a service
sudo firewall-cmd --remove-service=http --permanent
sudo firewall-cmd --reload
Removes the HTTP service from the default zone permanently. Use --permanent to make the change persistent and --reload to apply it.
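Because only active zones matter, a useful review step is to dump every zone with sudo firewall-cmd --list-all-zones and check what the active ones actually expose. The script below is an added example for this page, not part of firewalld: it parses that dump format with awk (a zone header line, "(active)" appended when the zone is bound, then two-space-indented "field: value" lines) and reports services and raw ports enabled in active zones that are not on an allow-list. The dump it runs on is a constructed sample with a subset of the fields firewall-cmd prints, not output captured from a real host.

```shell
#!/usr/bin/env bash
# Zone audit helpers for the output of `firewall-cmd --list-all-zones`.
# Added example for this page, not part of firewalld; parsing is done with awk
# so it runs on a saved dump without firewalld installed.

# Constructed sample in the layout firewall-cmd prints (subset of fields):
# zone header line, " (active)" when an interface or source is bound to it,
# then two-space-indented "field: value" lines. Not captured from a real host.
SAMPLE_ZONES='public (active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 443/tcp 8080/tcp
  masquerade: no
  rich rules:

home (active)
  target: default
  interfaces: wlp2s0
  sources: 192.168.1.0/24
  services: dhcpv6-client mdns samba-client ssh
  ports:
  masquerade: no
  rich rules:

drop
  target: DROP
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  rich rules:
'

# fw_active_zones < dump
# Prints the names of zones bound to at least one interface or source.
# Rules in any other zone are not applied to any traffic.
fw_active_zones() {
    awk '/^[^ ].* \(active\)$/ { print $1 }'
}

# fw_zone_field ZONE FIELD < dump
# Prints the value of one field ("services", "ports", "sources", "rich rules", ...)
# for one zone; prints an empty line if the field is empty.
fw_zone_field() {
    awk -v zone="$1" -v field="$2" '
        /^[^ ]/ { cur = $1; next }                       # zone header line
        cur == zone && index($0, "  " field ":") == 1 {
            sub(/^[^:]*:[ ]*/, ""); print; exit
        }'
}

# fw_audit_services ALLOWED_SERVICE... < dump
# Prints "<zone> <service>" for every service enabled in an ACTIVE zone that is
# not on the allow-list. Inactive zones are skipped: their rules do nothing.
fw_audit_services() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[^ ]/ { cur = $1; active = ($0 ~ /\(active\)$/); next }
        active && $1 == "services:" { for (i = 2; i <= NF; i++) if (!($i in ok)) print cur, $i }'
}

# fw_audit_ports < dump
# Prints "<zone> <port>" for every raw port opened in an active zone. Ports
# opened this way bypass the named-service definitions, so review them too.
fw_audit_ports() {
    awk '
        /^[^ ]/ { cur = $1; active = ($0 ~ /\(active\)$/); next }
        active && $1 == "ports:" { for (i = 2; i <= NF; i++) print cur, $i }'
}

# Demo on the constructed sample. On a real host replace the printf with:
#   sudo firewall-cmd --list-all-zones | fw_audit_services ssh dhcpv6-client
printf '%s\n' "$SAMPLE_ZONES" | fw_audit_services ssh dhcpv6-client
printf '%s\n' "$SAMPLE_ZONES" | fw_audit_ports
```

On the sample this flags cockpit in public and mdns and samba-client in home, and lists 443/tcp and 8080/tcp as raw ports in public; the drop zone is ignored because nothing is bound to it. Run the same functions on sudo firewall-cmd --permanent --list-all-zones to audit the saved configuration as well.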