How to set up a firewall using firewalld

This note was created on 1/16/2021
This note was last edited on 1/31/2023

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.
"firewall-cmd" is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.
Source code available at GitHub: https://github.com/firewalld/firewalld
Read more: https://firewalld.org

=== Common options ===
- "--permanent" - make changes permanent. If you don't use this option, all changes will be dropped upon reboot.
- "--quiet" - do not print status message.

=== Maintenance ===
- Check Firewalld status:
  > sudo firewall-cmd --state

- Run checks on the permanent configuration (includes XML validity and semantics):
  > sudo firewall-cmd --check-config

- Reload Firewalld:
  > sudo firewall-cmd --reload

- Enable panic mode (block everything):
  > sudo firewall-cmd --panic-on

- Check panic mode status:
  > sudo firewall-cmd --query-panic 

- Disable panic mode:
  > sudo firewall-cmd --panic-off

=== Configure zones ===
- Get default zone:
  > sudo firewall-cmd --get-default-zone

- Get active zone:
  > sudo firewall-cmd --get-active-zone

- View rules for default zone:
  > sudo firewall-cmd --list-all

- View existing zones:
  > sudo firewall-cmd --get-zones

- View rules for specific zone:
  > sudo firewall-cmd --zone=public --list-all

- Change zone for network interface:
  > sudo firewall-cmd --zone=public --change-interface=eth0

- Change default zone:
  > sudo firewall-cmd --set-default-zone=home

- Create new zone:
  > sudo firewall-cmd --permanent --new-zone=devel

=== Configure services ===
- View available services:
  > sudo firewall-cmd --get-services

- View information about specific service:
  > sudo firewall-cmd --info-service=ssh

- View description of specific service:
  > sudo firewall-cmd --permanent --service=ssh --get-description

- View permanently enabled services:
  > sudo firewall-cmd --zone=public --permanent --list-services

- Enable service:
  > sudo firewall-cmd --zone=public --add-service=ssh

- Disable service:
  > sudo firewall-cmd --zone=public --remove-service=ssh

- Create new service (reload required):
  > sudo firewall-cmd --permanent --new-service=devel

=== Configure ports ===
- Open a TCP port:
  > sudo firewall-cmd --zone=public --add-port=8080/tcp

- Close a TCP port:
  > sudo firewall-cmd --zone=public --remove-port=8080/tcp

- Open a range of UDP ports:
  > sudo firewall-cmd --zone=public --add-port=12000-12500/udp

- View open ports on specific zone:
  > sudo firewall-cmd --zone=public --list-ports

=== Configure ICMP ===
- Get a list of available ICMP types:
  > sudo firewall-cmd --get-icmptypes

- Block ping:
  > sudo firewall-cmd --zone=public --add-icmp-block=echo-request

- Allow ping:
  > sudo firewall-cmd --zone=public --remove-icmp-block=echo-request