firewalld

Table of Contents

1. Description

firewalld is a firewall service daemon that provides a dynamic, customizable host-based firewall with a D-Bus interface. Being dynamic, it allows rules to be created, changed and deleted without restarting the daemon each time. [2]

Firewalld is enabled and running by default on Fedora Workstation.

1.1. Zones

Zones are predefined sets of rules. Network interfaces and sources (source IP addresses or ranges) are assigned to a zone, and traffic arriving through them is handled by that zone's rules. [2]

1.2. Services

Services are similar to ufw application profiles.

A service bundles one or more ports, protocols or destination addresses under a name, so a service can be allowed instead of its individual ports. For example, to allow the SSH service for 15 minutes (the rule is removed automatically when the timeout expires) [2]:

firewall-cmd --add-service=ssh --timeout=15m

List which port(s) a service uses:

firewall-cmd --info-service=ssh

1.3. Runtime and Permanent Configuration

firewalld maintains separate runtime and permanent configurations. Changes made without --permanent affect only the running firewall and are lost when firewalld is restarted or reloaded; this is what makes runtime-only (for example time-limited) changes possible. Changes made with --permanent are written to disk but do not take effect until the next reload or restart. [1] [2]

  • --permanent to make changes permanent (can be added to most other options, but cannot be combined with --timeout).
  • --runtime-to-permanent to save the active runtime configuration as the permanent one.

Permanent changes are applied only after a service restart or firewall-cmd --reload. A reload also discards runtime-only changes, so save them with --runtime-to-permanent first if they are meant to survive.
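Because the two views can silently disagree, a practitioner usually wants a quick way to spot the gap: a rule that exists only at runtime will vanish at the next reload, and a rule that exists only on disk is not being enforced yet. The following POSIX shell script is an added example (not code from the firewalld project or from these notes). It compares the "services:" and "ports:" fields of firewall-cmd --list-all (runtime) with those of firewall-cmd --permanent --list-all (permanent) for the default zone and prints every entry present on one side only. It assumes the text layout of firewall-cmd's --list-all output as shown in the constructed sample; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the firewalld project or of the original notes.
# Compares the "services:" and "ports:" fields of `firewall-cmd --list-all`
# (runtime) with `firewall-cmd --permanent --list-all` (permanent) and reports
# every entry that is present on one side only. Assumes firewall-cmd's text
# output layout ("  services: a b", "  ports: 443/tcp ...") and POSIX awk/sort.

# firewalld_drift RUNTIME_FILE PERMANENT_FILE
# Prints one sorted line per difference:
#   "<field> <value> is runtime-only"    active now, lost on reload/restart
#   "<field> <value> is permanent-only"  saved on disk, inactive until --reload
# Prints nothing when the two views agree.
firewalld_drift() {
    awk '
        # first file on the command line is the runtime view, second the permanent view
        { side = (FILENAME == ARGV[1]) ? "runtime" : "permanent" }
        $1 == "services:" || $1 == "ports:" {
            field = substr($1, 1, length($1) - 1)   # drop the trailing colon
            for (i = 2; i <= NF; i++) {
                key = field " " $i
                seen[key, side] = 1
                keys[key] = 1
            }
        }
        END {
            for (key in keys) {
                if ((key, "runtime") in seen && !((key, "permanent") in seen))
                    print key " is runtime-only"
                if ((key, "permanent") in seen && !((key, "runtime") in seen))
                    print key " is permanent-only"
            }
        }
    ' "$1" "$2" | sort
}

# live_drift: run the comparison against this host's firewalld (needs root or
# polkit rights for --permanent). Not called below so the demo runs offline.
live_drift() {
    dir=$(mktemp -d) || return 1
    firewall-cmd --list-all > "$dir/runtime.txt" &&
    firewall-cmd --permanent --list-all > "$dir/permanent.txt" &&
    firewalld_drift "$dir/runtime.txt" "$dir/permanent.txt"
    status=$?
    rm -rf "$dir"
    return $status
}

# Constructed sample output (not captured from a real host). The runtime view
# has 8080/tcp opened without --permanent; the permanent view has the https
# service saved but not yet reloaded.
sample_runtime() {
cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 443/tcp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

sample_permanent() {
cat <<'EOF'
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports: 443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Offline demo on the constructed samples; on a real host call live_drift.
demo_dir=$(mktemp -d)
sample_runtime > "$demo_dir/runtime.txt"
sample_permanent > "$demo_dir/permanent.txt"
firewalld_drift "$demo_dir/runtime.txt" "$demo_dir/permanent.txt"
rm -rf "$demo_dir"
```

On the sample the script reports "ports 8080/tcp is runtime-only" and "services https is permanent-only". An empty result means the two views agree; a non-empty one is the cue to either --runtime-to-permanent or --reload, depending on which side is the intended state.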

2. Check status

systemctl status firewalld

We can also use firewall-cmd(1) to check whether the firewalld daemon is running (it prints running or not running):

firewall-cmd --state

3. List allowed ports

Omit --zone= to list the allowed ports of the default zone:

firewall-cmd [--permanent] --list-ports [--zone=zone]

This command only lists ports that were opened as ports; ports opened through a service (such as 22/tcp via ssh) are not shown. Use --list-all to see both.

4. Print default zone

Interfaces and sources that are not explicitly assigned to a zone, including any newly connected interface, are placed in the default zone:

firewall-cmd --get-default-zone

5. Allow incoming connections to port 443/tcp in default zone

firewall-cmd [--permanent] --add-port=443/tcp

6. Stop allowing incoming connections to port 443/tcp in default zone

firewall-cmd [--permanent] --remove-port=443/tcp

This removes the allow rule rather than adding a deny rule; what happens to the traffic afterwards depends on the zone's target (the default target rejects it).

7. Print predefined zones

firewall-cmd [--permanent] --get-zones

8. Print currently active zones

firewall-cmd --get-active-zones

9. List everything added or enabled in the default zone (services, ports, sources, rich rules, ...)

firewall-cmd [--permanent] --list-all [--zone=zone]

To see every zone at once use --list-all-zones instead.

10. Check if port 80/tcp is open in default zone

firewall-cmd [--permanent] --query-port=80/tcp

The query options print yes or no and exit with status 0 or 1 respectively, so they can be used directly in scripts.

11. Containers

Docker inserts its own iptables rules for published container ports, which bypass the firewalld zones configured above. Prefer rootless podman, which needs no such rules, to avoid these conflicts with the system firewall.

12. References

Mon. 11 May 2026

Generated with Emacs 30.1 (Org mode 9.7.11)