How to set up a firewall using firewalld

This note was created on 1/16/2021
This note was last edited on 1/31/2023

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4 and IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.

"firewall-cmd" is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configuration.

Source code available at GitHub: https://github.com/firewalld/firewalld
Read more: https://firewalld.org

=== Common options ===

- "--permanent" - make changes permanent. If you don't use this option, all changes are runtime-only and will be dropped upon reboot (or on "--reload"). Permanent changes, in turn, only take effect after a reload, so to change both the running firewall and the saved configuration either run the command twice (with and without "--permanent") or reload afterwards.
- "--quiet" - do not print status message.

=== Maintenance ===

- Check Firewalld status:
> sudo firewall-cmd --state
- Run checks on the permanent configuration (includes XML validity and semantics):
> sudo firewall-cmd --check-config
- Reload Firewalld:
> sudo firewall-cmd --reload
- Enable panic mode (block everything, including established connections such as your own SSH session):
> sudo firewall-cmd --panic-on
- Check panic mode status:
> sudo firewall-cmd --query-panic
- Disable panic mode:
> sudo firewall-cmd --panic-off

=== Configure zones ===

- Get default zone:
> sudo firewall-cmd --get-default-zone
- Get active zones (zones that have an interface or source assigned):
> sudo firewall-cmd --get-active-zones
- View rules for default zone:
> sudo firewall-cmd --list-all
- View existing zones:
> sudo firewall-cmd --get-zones
- View rules for specific zone:
> sudo firewall-cmd --zone=public --list-all
- Change zone for network interface:
> sudo firewall-cmd --zone=public --change-interface=eth0
- Change default zone:
> sudo firewall-cmd --set-default-zone=home
- Create new zone:
> sudo firewall-cmd --permanent --new-zone=devel

=== Configure services ===

- View available services:
> sudo firewall-cmd --get-services
- View information about specific service:
> sudo firewall-cmd --info-service=ssh
- View description of specific service:
> sudo firewall-cmd --permanent --service=ssh --get-description
- View permanently enabled services:
> sudo firewall-cmd --zone=public --permanent --list-services
- Enable service:
> sudo firewall-cmd --zone=public --add-service=ssh
- Disable service:
> sudo firewall-cmd --zone=public --remove-service=ssh
- Create new service (reload required):
> sudo firewall-cmd --permanent --new-service=devel

=== Configure ports ===

- Open a TCP port:
> sudo firewall-cmd --zone=public --add-port=8080/tcp
- Close a TCP port:
> sudo firewall-cmd --zone=public --remove-port=8080/tcp
- Open a range of UDP ports:
> sudo firewall-cmd --zone=public --add-port=12000-12500/udp
- View open ports on specific zone:
> sudo firewall-cmd --zone=public --list-ports

=== Configure ICMP ===

- Get a list of available ICMP types:
> sudo firewall-cmd --get-icmptypes
- Block ping:
> sudo firewall-cmd --zone=public --add-icmp-block=echo-request
- Allow ping:
> sudo firewall-cmd --zone=public --remove-icmp-block=echo-request
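Putting the zone, service and ICMP commands above together, here is an added example (not part of the original note) of a lockdown script that applies an allow-list of services at runtime first, verifies it, and only then saves it as the permanent configuration, so a mistake can be undone with a reload instead of locking you out. The zone "public", interface "eth0" and the service names are placeholders; "--query-service" and "--runtime-to-permanent" are real firewall-cmd options that the note does not list.

```shell
#!/bin/sh
# Added example: runtime-first zone lockdown with firewall-cmd.
# Zone, interface and service names below are placeholders (assumptions).

# Print the firewall-cmd commands for a zone, one per line, without running them,
# so the plan can be reviewed (or diffed) before anything changes.
# $1 = zone, $2 = interface, remaining args = services to allow.
plan_zone_lockdown() {
    zone=$1; iface=$2; shift 2
    echo "firewall-cmd --zone=$zone --change-interface=$iface"
    for svc in "$@"; do
        echo "firewall-cmd --zone=$zone --add-service=$svc"
    done
    # Drop ping responses, as in the ICMP section of the note.
    echo "firewall-cmd --zone=$zone --add-icmp-block=echo-request"
}

# Verify the running (not permanent) state: every listed service must be
# allowed in the zone. Returns non-zero on the first mismatch.
# $1 = zone, remaining args = services.
verify_zone_services() {
    zone=$1; shift
    for svc in "$@"; do
        firewall-cmd --quiet --zone="$zone" --query-service="$svc" || {
            echo "service $svc is NOT allowed in zone $zone" >&2
            return 1
        }
    done
}

# Apply the plan at runtime only (no --permanent), verify it, then copy the
# runtime configuration to the permanent one in a single step.
apply_zone_lockdown() {
    zone=$1; iface=$2; shift 2
    plan_zone_lockdown "$zone" "$iface" "$@" | while read -r cmd; do
        sudo $cmd || exit 1
    done || return 1
    verify_zone_services "$zone" "$@" || return 1
    sudo firewall-cmd --runtime-to-permanent
}

# Example usage (needs root and a running firewalld):
#   plan_zone_lockdown public eth0 ssh https   # review the plan
#   apply_zone_lockdown public eth0 ssh https  # apply, verify, persist
```

If the verification step fails, nothing has been written to the permanent configuration, and a plain "firewall-cmd --reload" restores the previous rules.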