How to set up a firewall using firewalld

This note was created on 2021-01-16
This note was last edited on 2023-01-31

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, ethernet bridges and IP sets. Runtime and permanent configuration options are kept separate. It also provides an interface for services or applications to add firewall rules directly.

"firewall-cmd" is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configuration.

Source code available at GitHub: https://github.com/firewalld/firewalld
Read more: https://firewalld.org

=== Common options ===

- "--permanent" - make changes permanent. If you don't use this option, all changes will be dropped upon reboot.
- "--quiet" - do not print status messages.

=== Maintenance ===

Check Firewalld status:
# firewall-cmd --state

Run checks on the permanent configuration (includes XML validity and semantics):
# firewall-cmd --check-config

Reload Firewalld:
# firewall-cmd --reload

Enable panic mode (block everything):
# firewall-cmd --panic-on

Check panic mode status:
# firewall-cmd --query-panic

Disable panic mode:
# firewall-cmd --panic-off

=== Configure zones ===

Get default zone:
# firewall-cmd --get-default-zone

Get active zone:
# firewall-cmd --get-active-zone

View rules for default zone:
# firewall-cmd --list-all

View existing zones:
# firewall-cmd --get-zones

View rules for specific zone:
# firewall-cmd --zone=public --list-all

Change zone for network interface:
# firewall-cmd --zone=public --change-interface=eth0

Change default zone:
# firewall-cmd --set-default-zone=home

Create new zone:
# firewall-cmd --permanent --new-zone=devel

=== Configure services ===

View available services:
# firewall-cmd --get-services

View information about specific service:
# firewall-cmd --info-service=ssh

View description of specific service:
# firewall-cmd --permanent --service=ssh --get-description

View permanently enabled services:
# firewall-cmd --zone=public --permanent --list-services

Enable service:
# firewall-cmd --zone=public --add-service=ssh

Disable service:
# firewall-cmd --zone=public --remove-service=ssh

Create new service (reload required):
# firewall-cmd --permanent --new-service=devel

=== Configure ports ===

Open a TCP port:
# firewall-cmd --zone=public --add-port=8080/tcp

Close a TCP port:
# firewall-cmd --zone=public --remove-port=8080/tcp

Open a range of UDP ports:
# firewall-cmd --zone=public --add-port=12000-12500/udp

View open ports on specific zone:
# firewall-cmd --zone=public --list-ports

=== Configure ICMP ===

Get a list of available ICMP types:
# firewall-cmd --get-icmptypes

Block ping:
# firewall-cmd --zone=public --add-icmp-block=echo-request

Allow ping:
# firewall-cmd --zone=public --remove-icmp-block=echo-request
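A defensive follow-up to the zone, service, port and ICMP commands above, added here as an example (not part of the original note): a small POSIX sh audit that parses the output of "firewall-cmd --zone=public --list-all" and reports any service or port the zone exposes beyond an allowlist. It runs on a constructed sample listing (the "public" zone after the ssh, 8080/tcp and echo-request commands in this note) so it works without firewalld installed; on a real host feed it "$(firewall-cmd --zone=public --list-all)" instead.

```shell
#!/bin/sh
# Constructed sample: what `firewall-cmd --zone=public --list-all` prints on a
# host configured with the commands in this note. Embedded so the audit runs
# offline; replace with "$(firewall-cmd --zone=public --list-all)" on a real box.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-request
  rich rules: '

# zone_field LISTING FIELD -> prints the space-separated values of one
# "  field: value value" line of the listing (empty if the field is unset).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# unexpected_entries LISTING FIELD ALLOWED -> prints every value of FIELD that
# is not in the space-separated ALLOWED list; returns 0 if none, 1 otherwise.
unexpected_entries() {
    listing=$1; field=$2; allowed=$3
    rc=0
    for entry in $(zone_field "$listing" "$field"); do
        case " $allowed " in
            *" $entry "*) ;;                       # on the allowlist
            *) printf '%s\n' "$entry"; rc=1 ;;     # exposed but not allowed
        esac
    done
    return $rc
}

# audit_zone LISTING ALLOWED_SERVICES ALLOWED_PORTS -> 0 when the runtime zone
# exposes only allowlisted services and ports, 1 (and the offenders printed)
# otherwise. Note this audits the runtime state; a zone that looks right here
# can still lose its non-permanent rules on reboot.
audit_zone() {
    ok=0
    unexpected_entries "$1" services "$2" || ok=1
    unexpected_entries "$1" ports "$3" || ok=1
    return $ok
}

# Example run: the sample zone passes with the full allowlist and fails once
# dhcpv6-client is no longer expected.
audit_zone "$SAMPLE_LISTING" "ssh dhcpv6-client" "8080/tcp" && echo "public: OK"
audit_zone "$SAMPLE_LISTING" "ssh" "8080/tcp" || echo "public: unexpected entries above"
```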