
Firewalling with Firewalld

Firewalld

Firewalld is a higher-level front end to Netfilter that offers a more user-friendly interface than iptables or nftables. Administrators manage Firewalld rules with its own tools, and applications can also interact with it through the D-Bus messaging system. This lets rules be added or removed without direct administrator action, so applications can manage the firewall from user space.

By default, Firewalld applies rules only to incoming packets; outgoing packets are not filtered.


Firewalld Zones

Firewalld simplifies management through the use of zones. A zone is a set of rules applied to incoming packets based on their source address or the network interface they arrive on.

Zones are particularly useful on servers with multiple network interfaces, allowing different rules for each interface. On a single-interface machine, you typically work with the default zone.

For each incoming packet, Firewalld first checks whether the packet's source address is bound to a zone. If it is not, the zone bound to the interface the packet arrived on is used. If neither the source nor the interface is bound to a zone, the default zone's rules apply.

| Zone     | Description |
|----------|-------------|
| block    | Incoming connections are rejected with an "ICMP-host-prohibited" message. Outgoing connections are allowed. |
| dmz      | For use in a demilitarized zone. Selected incoming connections are accepted, with limited internal network access. |
| drop     | All incoming packets are dropped without a reply. |
| external | For external networks with masquerading (NAT) enabled, typically used on routers. Selected incoming connections are accepted. |
| home     | Most networked computers are trusted; only selected incoming connections are accepted. |
| internal | Most networked computers are trusted; only selected incoming connections are accepted. |
| public   | Other networked computers are not trusted; limited connections are accepted. This is the default zone for new interfaces. |
| trusted  | All network connections are accepted. |
| work     | Most networked computers are trusted; only selected incoming connections are accepted. |

Working with Firewalld

Firewalld provides a command-line tool, firewall-cmd, that manages both the runtime configuration and the permanent (on-disk) configuration. A change made without --permanent takes effect immediately but is lost on reload or reboot; a change made with --permanent is written to disk but does not affect the running firewall until you run firewall-cmd --reload. The session below shows this: the permanently added service only appears in --list-services after the reload.

[root@localhost ~]# firewall-cmd --get-default-zone
public

[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal libvirt public trusted work

[root@localhost ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client ftp http https ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet
...

[root@localhost ~]# firewall-cmd --list-services
cockpit dhcpv6-client ftp http https ssh

[root@localhost ~]# firewall-cmd --add-service=vnc-server --permanent
success

[root@localhost ~]# firewall-cmd --list-services
cockpit dhcpv6-client ftp http https ssh

[root@localhost ~]# firewall-cmd --reload
success

[root@localhost ~]# firewall-cmd --list-services
cockpit dhcpv6-client ftp http https ssh vnc-server

[root@localhost ~]# firewall-cmd --add-port=2022/tcp --permanent
success

[root@localhost ~]# firewall-cmd --reload
success

[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client ftp http https ssh vnc-server
  ports: 2022/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
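As an added example (not part of the original article), the following script parses the firewall-cmd --list-all output shown above and reports which services and ports the zone accepts beyond an expected baseline, which is the check an administrator would run after changes like the ones in this session. The SAMPLE text is copied from the session above; the EXPECTED allowlist is an assumed baseline for illustration only.

```python
"""Audit a `firewall-cmd --list-all` zone dump against an expected allowlist."""
import re

# Constructed sample: the `firewall-cmd --list-all` output from the session above.
SAMPLE = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client ftp http https ssh vnc-server
  ports: 2022/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
"""

# Assumed baseline for this host (hypothetical; adjust to what the host should expose).
EXPECTED = {"services": {"ssh", "http", "https", "dhcpv6-client"}, "ports": {"443/tcp"}}


def parse_list_all(text):
    """Parse one zone dump into a dict: 'zone', 'active', plus every field as a set of tokens."""
    lines = text.strip().splitlines()
    header = re.match(r"(\S+)(?: \((active)\))?$", lines[0])
    if not header:
        raise ValueError("unexpected zone header: %r" % lines[0])
    zone = {"zone": header.group(1), "active": header.group(2) == "active"}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        zone[key.strip()] = set(value.split())  # empty field -> empty set
    return zone


def unexpected_exposure(zone, expected):
    """Return the services and ports the zone accepts that are not in the baseline."""
    return {
        "services": sorted(zone.get("services", set()) - expected["services"]),
        "ports": sorted(zone.get("ports", set()) - expected["ports"]),
    }


if __name__ == "__main__":
    parsed = parse_list_all(SAMPLE)
    print(parsed["zone"], "active" if parsed["active"] else "inactive")
    print(unexpected_exposure(parsed, EXPECTED))
```

Running it against the sample flags cockpit, ftp and vnc-server plus port 2022/tcp as exposures not in the baseline, which is exactly what the session above opened up.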

Essential Commands

firewall-cmd --list-all
firewall-cmd --list-all --zone=public

firewall-cmd --get-default-zone
firewall-cmd --get-zones

firewall-cmd --get-services
firewall-cmd --list-services

firewall-cmd --add-service ftp
firewall-cmd --add-service ftp --permanent
firewall-cmd --reload

firewall-cmd --add-port=2022/tcp --permanent
firewall-cmd --reload
