firewalld

1. Description

firewalld is a firewall service daemon that provides a dynamic, customizable host-based firewall with a D-Bus interface. Being dynamic, it allows rules to be created, changed and deleted without restarting the firewall daemon each time the rules change. [2]

Firewalld is enabled and running by default on Fedora Workstation.

1.1. Zones

Zones are predefined sets of rules; network interfaces and sources can be assigned to a zone. [2]

1.2. Services

Services are similar to ufw application profiles.

A service groups one or more ports or addresses used for network communication. For example, to add the SSH service for 15 minutes [2]:

firewall-cmd --add-service=ssh --timeout 15m

List which port(s) are used by a service:

firewall-cmd --info-service=ssh

1.3. Runtime and Permanent Configuration

firewalld maintains separate runtime and permanent configurations, which allows runtime-only changes. Changes made without --permanent apply only to the runtime configuration and are lost when firewalld is restarted. [1] [2]

  • --permanent to make changes permanent (can be optionally added to other options).
  • --runtime-to-permanent to save active runtime configuration and make it permanent.

Permanent changes take effect only after a service restart/reload or firewall-cmd --reload.
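The runtime/permanent split above (and the --add-port / --query-port commands in sections 5 and 10) is easy to get wrong by forgetting one of the two configurations. The following helper is an added example, not from the original page or the firewalld project: it validates a port spec, adds the port to the runtime set if --query-port says it is not open yet, and then adds it to the permanent set as well. FWCMD is an assumed override of the firewall-cmd binary so the helper can be exercised with a stub.

```shell
#!/bin/sh
# Added example, not from the original page: open a single port in both the
# runtime configuration (takes effect immediately) and the permanent one
# (survives a firewalld restart), since firewalld keeps the two separate.
# FWCMD is an assumed override of the firewall-cmd binary so the helper can be
# exercised with a stub; by default the real firewall-cmd is used.
FWCMD="${FWCMD:-firewall-cmd}"

# valid_port_spec PORT/PROTO: succeed only for a single port 1-65535 with a
# protocol firewalld accepts (port ranges such as 8000-8010/tcp are not handled).
valid_port_spec() {
    case "$1" in */*/*) return 1 ;; esac   # more than one slash
    port="${1%%/*}"
    proto="${1#*/}"
    [ "$proto" = "$1" ] && return 1         # no slash at all
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# allow_port PORT/PROTO [ZONE]: --query-port checks the runtime config only, so
# the port is added to the runtime set if missing and then always to the
# permanent set; omitting ZONE applies the change to the default zone.
allow_port() {
    spec="$1"
    zone="${2:-}"
    valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
    zopt=""
    [ -n "$zone" ] && zopt="--zone=$zone"   # single token, safe unquoted below
    if "$FWCMD" $zopt --query-port="$spec" >/dev/null 2>&1; then
        echo "$spec already open at runtime${zone:+ in zone $zone}"
    else
        "$FWCMD" $zopt --add-port="$spec" || return 1
    fi
    # Without --permanent the rule above would vanish on the next restart.
    "$FWCMD" --permanent $zopt --add-port="$spec"
}

# Usage: sh allow_port.sh 443/tcp [public]
if [ $# -gt 0 ]; then
    allow_port "$@"
fi
```

Run it as root (firewall-cmd needs privileges); afterwards firewall-cmd --list-ports and firewall-cmd --permanent --list-ports should both show the port.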

2. Check status

systemctl status firewalld

We can also use firewall-cmd(1) to check the status of the firewalld daemon:

firewall-cmd --state

3. List allowed ports

Omit --zone= to list the allowed ports of the default zone:

firewall-cmd [--permanent] --list-ports [--zone=zone]

This command lists only ports that were opened explicitly as ports; ports opened through a service are not shown. Use --list-all to see both.

4. Print default zone

When a new interface is connected, the default zone is applied to it:

firewall-cmd --get-default-zone

5. Allow connections on port 443/tcp in the default zone

firewall-cmd [--permanent] --add-port=443/tcp

6. Deny connections on port 443/tcp in the default zone

firewall-cmd [--permanent] --remove-port=443/tcp

7. Print predefined zones

firewall-cmd [--permanent] --get-zones

8. Print currently active zones

firewall-cmd --get-active-zones

9. List everything added or enabled in all zones

firewall-cmd [--permanent] --list-all

10. Check if port 80/tcp is open in default zone

firewall-cmd [--permanent] --query-port=80/tcp

11. Containers

Use rootless podman instead of docker to avoid issues between docker and the system firewall.

12. References