The purpose of firewalld is to replace direct use of iptables and to improve security management by allowing configuration changes without dropping existing connections. Firewalld runs as a daemon, so rules can be added and changed instantly, and it uses network zones to define a level of trust for the network connections assigned to them. This gives the troubleshooter a range of flexible options, but the key point to understand is that a network connection can belong to only one zone at a time, while a single zone can be applied to many network connections.
The command-line tool firewall-cmd is part of the firewalld application, which is installed by default on most distributions. It can be used to make permanent and non-permanent runtime changes.
If running firewall-cmd produces the following error:
firewall-cmd: command not found
install the firewalld package with the command for your distribution:
| Distribution | Command |
|---|---|
| Debian | apt-get install firewalld |
| Ubuntu | apt-get install firewalld |
| Arch Linux | pacman -S firewalld |
| Kali Linux | apt-get install firewalld |
| CentOS | yum install firewalld |
| Fedora | dnf install firewalld |
| Raspbian | apt-get install firewalld |
firewall-cmd Command Examples
1. Discover what the default zone is:
# firewall-cmd --get-default-zone
2. The default zone can be changed with the following syntax:
# firewall-cmd --set-default-zone=[new-zone-name]
3. Taking this one step further, the following command lists not only the zones that are in use, but also the network interfaces assigned to each of them:
# firewall-cmd --get-active-zones
4. Network interfaces can be added to a zone, moved to a different zone, or removed from a zone with the following syntax:
# firewall-cmd --zone=[zone-name] --add-interface=[device-name]
# firewall-cmd --zone=[zone-name] --change-interface=[device-name]
# firewall-cmd --zone=[zone-name] --remove-interface=[device-name]
5. List all the allowed services using the following command:
# firewall-cmd --list-services
6. Show the tcp/udp ports that are allowed by your firewall using the following command:
# firewall-cmd --list-ports
7. Perform the following steps to allow NFSv4 traffic on your system:
First, allow nfs traffic with this command (the --permanent flag writes the rule to the saved configuration only, so it does not take effect at runtime until the configuration is reloaded):
# firewall-cmd --add-service nfs --permanent
success
Then, reload the configuration so the saved rule becomes active:
# firewall-cmd --reload
success
Now, check that the new rule is in effect by listing the allowed services:
# firewall-cmd --list-services
nfs
8. Perform the following steps to allow incoming traffic on port 1234 over both tcp and udp:
First, allow traffic on port 1234 over tcp and udp by running the following:
# firewall-cmd --add-port 1234/tcp --permanent
success
# firewall-cmd --add-port 1234/udp --permanent
success
Reload the configuration so the saved rules become active:
# firewall-cmd --reload
success
Check that the new rules are in effect by listing the allowed ports:
# firewall-cmd --list-ports
1234/tcp 1234/udp
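Steps 7 and 8 both end with a manual look at the `--list-services` or `--list-ports` output. The following added example (not code from the original page or from the firewalld project) turns that check into a small POSIX sh audit: it compares the runtime list against a baseline of what should be open and reports entries that are missing (a rule that never became active, for example because `--reload` was skipped) as well as entries that are open but not in the baseline (unexpected exposure). The function names, the baseline and the sample `1234/tcp 1234/udp 8080/tcp` string are constructed for illustration; the only assumption about firewall-cmd is the space-separated output format shown above, which is the same for ports and services, so the functions work for either list.

```shell
#!/bin/sh
# Added example: audit firewall-cmd runtime output against a baseline.
# Assumes the space-separated list format shown by --list-ports / --list-services.

# Print the entries of $1 (expected, space-separated) that are absent from $2 (actual).
missing_entries() {
    expected="$1"; actual="$2"; out=""
    for want in $expected; do
        found=0
        for have in $actual; do
            [ "$want" = "$have" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && out="$out $want"
    done
    printf '%s' "${out# }"
}

# Entries that are open but not in the baseline: same comparison with arguments swapped.
unexpected_entries() {
    missing_entries "$2" "$1"
}

# Compare baseline ($1) with the runtime list ($2); print a report and return
# 0 when they match, 1 on any drift in either direction.
audit_ports() {
    baseline="$1"; live="$2"; status=0
    gone=$(missing_entries "$baseline" "$live")
    extra=$(unexpected_entries "$baseline" "$live")
    [ -n "$gone" ] && { echo "MISSING (expected but not active): $gone"; status=1; }
    [ -n "$extra" ] && { echo "UNEXPECTED (active but not in baseline): $extra"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: runtime rules match baseline"
    return "$status"
}

# Baseline for this host (constructed): only port 1234 over tcp and udp should be open.
BASELINE="1234/tcp 1234/udp"

# Use the live runtime list when firewall-cmd is available; otherwise fall back to a
# constructed sample that contains one extra port so the drift report is exercised.
if command -v firewall-cmd >/dev/null 2>&1; then
    LIVE_PORTS=$(firewall-cmd --list-ports)
else
    LIVE_PORTS="1234/tcp 1234/udp 8080/tcp"
fi

audit_ports "$BASELINE" "$LIVE_PORTS" || true
```

Run the script after the `--reload` in step 8 (as root, since `firewall-cmd --list-ports` queries the daemon); a non-zero exit status from `audit_ports` is the signal to investigate. The same functions can be pointed at `firewall-cmd --list-services` with a baseline such as `ssh nfs`, because that command prints its list in the same format.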