Firewalld
Firewalld is a higher-level management layer on top of the kernel's Netfilter framework (with nftables or iptables as its backend), offering a more user-friendly interface than writing iptables or nftables rules directly. Administrators manage Firewalld rules from the command line, and applications can interact with it through the D-Bus messaging system. This allows rules to be added or removed without direct administrator action, enabling applications to manage the firewall from user space.
By default, Firewalld applies rules only to incoming packets; outgoing packets are not filtered.
Firewalld Zones
Firewalld simplifies management through the use of zones. A zone is a set of rules applied to incoming packets based on their source address or the network interface they arrive on.
Zones are particularly useful on servers with multiple network interfaces, allowing different rules for each interface. On a single-interface machine, you typically work with the default zone.
Firewalld analyzes each incoming packet's source address to determine if it matches a specific zone. If not, the zone for the incoming interface is used. If no specific zone is found, the default zone rules apply.
Zone Name | Description |
---|---|
block | Incoming connections are rejected with an "ICMP-host-prohibited" message. Outgoing connections are allowed. |
dmz | For use in a demilitarized zone. Selected incoming connections are accepted, with limited internal network access. |
drop | All incoming packets are dropped without a reply. |
external | For external networks with masquerading (NAT) enabled, typically used on routers. Selected incoming connections are accepted. |
home | Most networked computers are trusted; only selected incoming connections are accepted. |
internal | Most networked computers are trusted; only selected incoming connections are accepted. |
public | Other networked computers are not trusted; limited connections are accepted. This is the default zone for new interfaces. |
trusted | All network connections are accepted. |
work | Most networked computers are trusted; only selected incoming connections are accepted. |
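The zone-selection order described above (source binding first, then the arrival interface's binding, then the default zone) as an added example, not code from the original page or from the Firewalld project. The source and interface bindings below are constructed; on a live host they are what firewall-cmd --get-active-zones reports.

```shell
#!/bin/sh
# Added example (not part of the original page): reproduce firewalld's
# zone-selection order for an incoming packet. A matching source binding
# wins; otherwise the binding of the arrival interface is used; otherwise
# the default zone applies. The bindings here are constructed sample data.

SOURCE_BINDINGS='192.168.10.0/24=internal 10.0.0.5/32=trusted'
IFACE_BINDINGS='enp1s0=public enp2s0=dmz'
DEFAULT_ZONE='public'

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR (e.g. 192.168.10.0/24)
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# zone_for_packet SRC_IP IFACE -> prints the zone whose rules would apply
zone_for_packet() {
    # 1. source bindings take precedence over everything else
    for b in $SOURCE_BINDINGS; do
        if in_cidr "$1" "${b%=*}"; then
            echo "${b#*=}"
            return
        fi
    done
    # 2. then the zone the arrival interface is bound to
    for b in $IFACE_BINDINGS; do
        if [ "${b%=*}" = "$2" ]; then
            echo "${b#*=}"
            return
        fi
    done
    # 3. otherwise the default zone
    echo "$DEFAULT_ZONE"
}

# Sample lookups against the constructed bindings:
zone_for_packet 192.168.10.77 enp1s0   # internal (source binding wins over enp1s0=public)
zone_for_packet 10.0.0.6 enp2s0        # dmz (no source match, interface binding)
zone_for_packet 203.0.113.9 enp9s0     # public (no binding at all, default zone)
```

The first lookup is the case worth remembering when auditing a multi-homed server: a packet arriving on an interface bound to public can still be handled by a more permissive zone if its source address matches a source binding, so review both kinds of binding, not just the interface list.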
Working with Firewalld
Firewalld offers a command-line tool, firewall-cmd, which manages both the runtime (currently active) and permanent (on-disk) configurations. Without --permanent, a change takes effect immediately but is lost on the next reload or reboot; with --permanent, the change is written to disk but does not become active until the configuration is reloaded. Use the --permanent flag for changes that must survive a reboot, and run firewall-cmd --reload afterwards to apply them to the runtime environment.
[root@localhost ~]# firewall-cmd --get-default-zone
public
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal libvirt public trusted work
[root@localhost ~]# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: cockpit dhcpv6-client ftp http https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet
...
[root@localhost ~]# firewall-cmd --list-services
cockpit dhcpv6-client ftp http https ssh
[root@localhost ~]# firewall-cmd --add-service=vnc-server --permanent
success
[root@localhost ~]# firewall-cmd --list-services
cockpit dhcpv6-client ftp http https ssh
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-services
cockpit dhcpv6-client ftp http https ssh vnc-server
[root@localhost ~]# firewall-cmd --add-port=2022/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: cockpit dhcpv6-client ftp http https ssh vnc-server
ports: 2022/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
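The session above shows the runtime and permanent configurations drifting apart between --add-service --permanent and --reload. As an added example (not from the original page or the Firewalld project), the script below parses two --list-all listings, reports what is still waiting for a reload, and flags active services that are not on an expected baseline. Both listings are constructed copies of the session's output; on a live host they would come from firewall-cmd --list-all and firewall-cmd --permanent --list-all, and the baseline list is an assumed site policy.

```shell
#!/bin/sh
# Added example (not part of the original page): compare firewalld's runtime
# configuration with its permanent (on-disk) configuration and report
# changes that are still waiting for `firewall-cmd --reload`, plus any active
# service that is not on an expected baseline list.
#
# The two samples are constructed to mirror the page's session: vnc-server
# and 2022/tcp were added with --permanent but not yet reloaded.

RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ftp http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ftp http https ssh vnc-server
  ports: 2022/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# field_values OUTPUT KEY: print the values of one "key: ..." line of a
# --list-all listing (e.g. KEY=services), with indentation stripped.
field_values() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        { sub(/^[ \t]+/, "") }
        index($0, key) == 1 {
            v = substr($0, length(key) + 1)
            sub(/^[ \t]+/, "", v)
            print v
        }'
}

# missing_from HAVE WANT: print each space-separated item of WANT that does
# not appear in HAVE, one per line.
missing_from() {
    for item in $2; do
        case " $1 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# pending_changes RUNTIME PERMANENT: services and ports present on disk but
# not yet active, i.e. what the next --reload would open.
pending_changes() {
    for field in services ports; do
        for item in $(missing_from "$(field_values "$1" "$field")" \
                                   "$(field_values "$2" "$field")"); do
            printf '%s %s\n' "$field" "$item"
        done
    done
}

# unexpected_services RUNTIME BASELINE: active services that are not on the
# baseline, e.g. something added at runtime without --permanent or over D-Bus.
unexpected_services() {
    missing_from "$2" "$(field_values "$1" services)"
}

# Run against the constructed samples; the baseline is a hypothetical policy.
echo "pending until reload:"
pending_changes "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
echo "active but not in baseline:"
unexpected_services "$RUNTIME_SAMPLE" "cockpit dhcpv6-client http https ssh"
```

Run on a real host by replacing the two sample variables with the output of firewall-cmd --list-all --zone=ZONE and firewall-cmd --permanent --list-all --zone=ZONE. The two comparisons answer different questions: pending_changes tells you that an administrator's permanent edit has not been applied yet, while unexpected_services catches the opposite case, a runtime-only rule that will silently disappear at the next reload but is open right now.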
Essential Commands
firewall-cmd --list-all
firewall-cmd --list-all --zone=public
firewall-cmd --get-default-zone
firewall-cmd --get-zones
firewall-cmd --get-services
firewall-cmd --list-services
firewall-cmd --add-service ftp
firewall-cmd --add-service ftp --permanent
firewall-cmd --reload
firewall-cmd --add-port=2022/tcp --permanent
firewall-cmd --reload