firewall-cmd

Manage the system firewall (firewalld)

TLDR

View all available firewall zones and rules in their runtime configuration state

$ firewall-cmd --list-all-zones

Permanently move the interface into the block zone, effectively blocking all communication

$ firewall-cmd --permanent --zone=[block] --change-interface=[enp1s0]

Permanently open the port for a service in the specified zone (like port 443 when in the public zone)

$ firewall-cmd --permanent --zone=[public] --add-service=[https]

Permanently close the port for a service in the specified zone (like port 80 when in the public zone)

$ firewall-cmd --permanent --zone=[public] --remove-service=[http]

Permanently forward a port for incoming packets in the specified zone (like port 443 to 8443 when entering the public zone)

$ firewall-cmd --permanent --zone=[public] --add-rich-rule='rule family="[ipv4|ipv6]" forward-port port="[443]" protocol="[udp|tcp]" to-port="[8443]"'

Reload firewalld to lose any runtime changes and force the permanent configuration to take effect immediately

$ firewall-cmd --reload

Save the runtime configuration state to the permanent configuration

$ firewall-cmd --runtime-to-permanent

Enable panic mode in case of Emergency. All traffic is dropped, any active connection will be terminated

$ firewall-cmd --panic-on

--state
    Check if firewalld is running.

--reload
    Reload firewalld configuration. This removes all runtime configuration options.

--complete-reload
    Complete reload of firewalld. This also removes and recreates all firewall objects.

--runtime-to-permanent
    Make runtime configuration permanent.

--get-default-zone
    Get the default zone.

--set-default-zone=
    Set the default zone.

--get-active-zones
    List active zones.

--get-zones
    List all available zones.

--get-services
    List all available services.

--get-ports
    List all ports currently open.

--list-all
    List all settings for default zone.

--list-all-zones
    List all settings for all zones.

--zone= --list-all
    List all settings for the given zone.

--zone= --add-service=
    Add a service to a zone.

--zone= --remove-service=
    Remove a service from a zone.

--zone= --add-port=[-]/
    Add a port to a zone. protocol is either tcp or udp.

--zone= --remove-port=[-]/
    Remove a port from a zone. protocol is either tcp or udp.

--panic-on
    Enable panic mode (blocks all traffic).

--panic-off
    Disable panic mode.

--query-panic
    Check if panic mode is enabled.

--permanent
    Make changes persistent (applied on reboot). Without this option, changes are runtime only.

--direct --add-rule ipv4|ipv6

Add a direct iptables rule.

--direct --remove-rule ipv4|ipv6

    Remove a direct iptables rule.

--get-log-denied
    Get the log denied option. This option defines if log denied rules are added.

--set-log-denied={all|unicast|broadcast|multicast|off}
    Set the log denied option.

--add-forward-port port=[-]:proto=:toaddr=

[:toport=[-]]
Forward a port.

DESCRIPTION

firewall-cmd is a command-line client interface to firewalld, the dynamic firewall manager. It's used to configure and manage the firewall rules. It allows you to add, remove, and modify rules, services, ports, and other firewall settings without requiring a restart of the firewall service. This makes it ideal for dynamic environments where the firewall configuration needs to adapt quickly to changing network conditions. firewall-cmd interacts with firewalld through the D-Bus interface.

The primary goal of firewalld is to provide a dynamic firewall solution that separates the configuration of the firewall from the actual firewall rules. This makes it easier to manage and maintain the firewall configuration. Key features include support for network zones (e.g., public, private, home), services, ports, and rich language rules. The command can be used to manage permanent configurations (which are applied on reboot) and runtime configurations (which are lost on reboot).

Using firewall-cmd simplifies complex iptables rules by providing a higher-level abstraction.

CAVEATS

Changes made without the --permanent flag are temporary and will be lost upon reboot. Direct rules require a good understanding of iptables.

ZONES

Zones are predefined sets of rules that determine what traffic is allowed or denied. Common zones include 'public', 'private', 'home', 'trusted', 'drop', and 'block'. You can assign network interfaces to zones to apply specific firewall rules to those interfaces.

SERVICES

Services are predefined sets of ports and protocols that are commonly used by applications. Using services simplifies firewall configuration by allowing you to enable or disable access to a service by name rather than specifying individual ports and protocols.

RICH LANGUAGE

firewalld supports a rich language that allows you to create more complex firewall rules based on source/destination addresses, ports, services, and other criteria. This provides a flexible way to create customized firewall configurations to meet specific security requirements.

EXIT CODES

firewall-cmd usually returns 0 for success and non-zero for failure. However, parsing the standard output is the best way to confirm correct execution.

HISTORY

firewall-cmd was developed as part of the firewalld project to provide a user-friendly interface for managing the Linux firewall. Prior to firewalld, system administrators often relied directly on iptables or nftables, which could be complex to configure and manage. firewalld and firewall-cmd abstract away much of this complexity, offering a more intuitive and dynamic way to manage firewall rules. The development focused on creating a dynamic firewall solution that could adapt to changing network conditions without requiring a full restart of the firewall service.