firewalld
Manage Linux firewall rules
SYNOPSIS
firewalld [OPTIONS]
PARAMETERS
--debug[=level]
Sets the debug level for the daemon. The default level is 1. Higher levels provide more verbose output for troubleshooting.
--nofork
Disables forking the daemon into the background. This is useful when running firewalld in the foreground for debugging purposes or as part of a non-systemd service.
--debug-gc
Enables garbage collection debugging for internal Python objects. This option is primarily intended for developers and advanced troubleshooting of firewalld's internal workings.
--version
Displays the version information of the firewalld daemon and then exits immediately.
--help
Shows a help message summarizing the available command-line options for the firewalld daemon and then exits immediately.
DESCRIPTION
firewalld is a firewall service that provides a dynamically managed firewall with support for network zones to define the trust level for network connections or interfaces. It offers a user-friendly way to manage netfilter rules without directly interacting with iptables or nftables.
The service runs as a daemon, allowing firewall rules to be updated without dropping existing network connections. This dynamic nature is particularly useful in environments where network configurations change frequently, such as laptops connecting to various Wi-Fi networks or virtual machines in cloud environments.
Key features include pre-defined zones (e.g., public, home, trusted) to easily assign trust levels, support for services, ports, port forwarding, masquerading, ICMP blocking, and flexible 'rich rules' for advanced configurations. It abstracts the complexities of the underlying netfilter system, providing a high-level, D-Bus driven interface.
CAVEATS
Manipulating netfilter directly with low-level tools like iptables or nft while firewalld is running can lead to conflicts and unexpected firewall behavior, as firewalld manages the underlying netfilter rules itself.
Configuration changes made without the --permanent option (typically through firewall-cmd) affect only the runtime configuration and are lost upon a service reload or system reboot.
Understanding the concept of zones is crucial for effective management; misassigning an interface to an incorrect zone can expose services or inadvertently block legitimate traffic.
The syntax for 'rich rules,' while powerful for advanced configurations, can be complex and requires careful crafting and testing to avoid security loopholes or connectivity issues.
MANAGEMENT WITH FIREWALL-CMD
While firewalld is the daemon service, its primary configuration tool for end-users and administrators is the command-line client firewall-cmd. This utility offers extensive options to interact with the running firewalld instance, allowing users to add or remove services, ports and rich rules, activate or deactivate zones, and manage the permanent configuration. Most practical firewall management is performed with firewall-cmd; the firewalld command itself only starts the daemon with the options listed above and is not used for configuration.
ZONES: THE CORE CONCEPT
firewalld organizes firewall rules into 'zones,' which are essentially predefined sets of rules for different trust levels. Examples include public (untrusted networks), home (trusted home network), trusted (all network connections accepted), internal, external, dmz, block, and drop. Each network interface or connection can be assigned to a zone, automatically applying the associated rules, thereby simplifying policy management significantly. Services and ports are then enabled or disabled within these zones.
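The zone definitions that firewalld stores for its permanent configuration are plain XML files, one per zone, so the assignments described above can be reviewed offline. The following audit script is an added example, not part of firewalld; it parses the zone XML format firewalld writes (service, port, forward-port, masquerade, interface, source and rule elements, plus the optional target attribute), summarizes what each zone exposes and what is bound to it, and flags the combinations the caveats above warn about, such as an ACCEPT-target zone with interfaces bound to it. The sample zone files embedded in it are constructed, and the /etc/firewalld/zones path is the conventional location of the permanent zone files.

```python
"""Audit firewalld permanent zone definitions (/etc/firewalld/zones/*.xml).

Added example, not part of firewalld itself. It parses the XML that firewalld
stores for permanent zone configuration and reports what each zone exposes
(services, ports, forward-ports, masquerade), what is bound to it (interfaces,
sources), and flags combinations that are worth confirming were intentional.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample zone files standing in for /etc/firewalld/zones/*.xml.
SAMPLE_ZONES = {
    "public": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<zone><short>Public</short>'
        '<service name="ssh"/><service name="dhcpv6-client"/>'
        '<port port="8080" protocol="tcp"/><interface name="eth0"/></zone>'
    ),
    "trusted": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<zone target="ACCEPT"><short>Trusted</short>'
        '<interface name="eth1"/></zone>'
    ),
    "internal": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<zone><short>Internal</short>'
        '<service name="ssh"/><service name="samba-client"/>'
        '<source address="10.0.0.0/8"/>'
        '<rule family="ipv4"><source address="10.1.2.0/24"/>'
        '<service name="http"/><accept/></rule></zone>'
    ),
    "dmz": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<zone><short>DMZ</short><service name="http"/></zone>'
    ),
}


def parse_zone(name, xml_text):
    """Return a flat summary of one zone definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"{name}: not a firewalld zone definition")
    return {
        "name": name,
        # No target attribute means the zone uses firewalld's default target.
        "target": root.get("target", "default"),
        "services": sorted(e.get("name") for e in root.findall("service")),
        "ports": sorted(f"{e.get('port')}/{e.get('protocol')}"
                        for e in root.findall("port")),
        "forward_ports": len(root.findall("forward-port")),
        "masquerade": root.find("masquerade") is not None,
        "interfaces": sorted(e.get("name") for e in root.findall("interface")),
        # Only direct children: a <source> inside a rich <rule> belongs to the rule.
        "sources": sorted(e.get("address") for e in root.findall("source")
                          if e.get("address")),
        "rich_rules": len(root.findall("rule")),
    }


def audit_zone(zone):
    """Findings a reviewer would want to confirm were intentional."""
    findings = []
    name = zone["name"]
    bound = zone["interfaces"] + zone["sources"]
    exposed = zone["services"] + zone["ports"]
    if zone["target"] == "ACCEPT" and bound:
        findings.append(f"{name}: target=ACCEPT with bindings {bound}; "
                        "all traffic arriving on them is accepted")
    if zone["ports"] and name == "public":
        findings.append(f"{name}: raw ports {zone['ports']} opened in the "
                        "untrusted public zone")
    if exposed and not bound:
        findings.append(f"{name}: exposes {exposed} but has no interface or "
                        "source bound; check whether it is the default zone")
    if zone["rich_rules"]:
        findings.append(f"{name}: {zone['rich_rules']} rich rule(s) present; "
                        "review each by hand")
    return findings


def audit_zones(zone_texts):
    """Map zone name -> findings for a dict of {name: xml_text}."""
    return {name: audit_zone(parse_zone(name, text))
            for name, text in zone_texts.items()}


def load_zone_dir(path="/etc/firewalld/zones"):
    """Read the permanent zone definitions from disk (needs read access)."""
    return {p.stem: p.read_text() for p in sorted(Path(path).glob("*.xml"))}


if __name__ == "__main__":
    # Replace SAMPLE_ZONES with load_zone_dir() to audit a real host.
    for findings in audit_zones(SAMPLE_ZONES).values():
        for line in findings:
            print(line)
```

Only the permanent configuration is visible this way; runtime-only changes live in the daemon and have to be queried through firewall-cmd.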
RUNTIME VS. PERMANENT CONFIGURATION
firewalld distinguishes between runtime and permanent configurations. Runtime changes are applied immediately to the active firewall but are ephemeral: they are lost upon a service reload or system reboot. Permanent changes, in contrast, are written to configuration files and take effect only after a service reload or system reboot, so they persist across sessions. To make permanent changes take effect immediately, run firewall-cmd --reload after making them; note that a reload also discards any runtime-only changes.
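The two sections above describe managing firewalld through firewall-cmd and the split between runtime and permanent state. The following script is an added example, not part of firewalld or firewall-cmd: it builds the firewall-cmd invocations needed to make a change both live and persistent, and compares a zone's runtime listing with its permanent listing so that runtime-only changes (which the text notes disappear on reload or reboot) are reported before that happens. It assumes firewall-cmd's documented options --permanent, --reload, --runtime-to-permanent, --zone, --add-service, --list-services and --list-ports; the listings fed to the comparison in the usage section are constructed.

```python
"""Keep firewalld runtime and permanent configuration in step.

Added example, not part of firewalld or firewall-cmd. It builds the
firewall-cmd invocations needed to make a change both live and persistent,
and compares runtime with permanent listings so that runtime-only changes
(which vanish on the next reload or reboot) are reported before that happens.
"""
import shlex
import subprocess

FIREWALL_CMD = "firewall-cmd"


def plan_add_service(zone, service, strategy="both"):
    """Return the argv lists to run, in order, for the chosen strategy.

    both:                 add to runtime and to permanent separately; live now,
                          persists, and no reload is needed.
    permanent-reload:     write permanent, then reload so it becomes live; the
                          reload also discards every runtime-only change.
    runtime-to-permanent: add to runtime, then copy the whole runtime state into
                          the permanent config (persists everything, intended or not).
    """
    runtime = [FIREWALL_CMD, f"--zone={zone}", f"--add-service={service}"]
    permanent = [FIREWALL_CMD, "--permanent", f"--zone={zone}",
                 f"--add-service={service}"]
    plans = {
        "both": [runtime, permanent],
        "permanent-reload": [permanent, [FIREWALL_CMD, "--reload"]],
        "runtime-to-permanent": [runtime, [FIREWALL_CMD, "--runtime-to-permanent"]],
    }
    if strategy not in plans:
        raise ValueError(f"unknown strategy {strategy!r}")
    return plans[strategy]


def parse_listing(text):
    """--list-services / --list-ports print space-separated items on one line."""
    return set(text.split())


def drift_report(zone, runtime_services, permanent_services,
                 runtime_ports, permanent_ports):
    """Compare runtime and permanent listings of one zone.

    *_lost_on_reload: live now, absent from permanent config, gone after reload.
    *_pending_reload: in permanent config but not live until a reload.
    """
    rs, ps = parse_listing(runtime_services), parse_listing(permanent_services)
    rp, pp = parse_listing(runtime_ports), parse_listing(permanent_ports)
    return {
        "zone": zone,
        "services_lost_on_reload": sorted(rs - ps),
        "services_pending_reload": sorted(ps - rs),
        "ports_lost_on_reload": sorted(rp - pp),
        "ports_pending_reload": sorted(pp - rp),
    }


def query(zone, what, permanent=False):
    """Run firewall-cmd --list-<what> for a zone; needs a running daemon and privileges."""
    argv = [FIREWALL_CMD] + (["--permanent"] if permanent else []) + \
        [f"--zone={zone}", f"--list-{what}"]
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def live_drift_report(zone):
    """drift_report() fed from the running daemon."""
    return drift_report(
        zone,
        query(zone, "services"), query(zone, "services", permanent=True),
        query(zone, "ports"), query(zone, "ports", permanent=True),
    )


if __name__ == "__main__":
    for argv in plan_add_service("public", "http"):
        print(shlex.join(argv))
    # Constructed listings, in the format firewall-cmd prints them.
    print(drift_report("public", "ssh dhcpv6-client http", "ssh dhcpv6-client",
                       "8080/tcp", "8080/tcp 443/tcp"))
```

Run live_drift_report("public") on a host before a planned reload: anything listed under a lost_on_reload key is a change someone made at runtime and never persisted, which is exactly the case the CAVEATS section describes.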
HISTORY
firewalld was initially introduced with Fedora 18 (around 2012-2013) as a modern, dynamic alternative to the traditional iptables service scripts. Developed primarily by Red Hat, its inception aimed to address the limitations of static firewall configurations in increasingly dynamic network environments, such as those found in cloud computing, containerization, and mobile devices.
It brought the concept of network zones to simplify firewall policy management, allowing administrators to define trust levels for network interfaces and connections rather than managing individual low-level rules. Over time, it has become the default firewall solution in Red Hat Enterprise Linux (RHEL) and its derivatives, as well as many other Linux distributions, leveraging netfilter as its backend while providing a higher-level abstraction.
SEE ALSO
firewall-cmd(1), firewall-config(1), iptables(8), nft(8), systemctl(1)