15 basic useful firewall-cmd commands in Linux

In computing, a good firewall prevents unauthorized access to networked systems. Businesses and organizations invest a good amount of money in their cybersecurity infrastructure, depending on how critical their business is.

In this article, we will cover the fundamentals of FirewallD, the firewall service introduced in CentOS 7. It drives Netfilter, the packet-filtering framework built into the Linux kernel, which sees every packet that enters, leaves or is forwarded through the system. This means the firewall can inspect, modify, reject or drop incoming, outgoing or forwarded packets before they reach their destination. From CentOS 7 onwards, firewalld is the default tool for managing the host-based firewall. The daemon is provided by the firewalld package, which is included in the base installation of the OS but not in a minimal installation.

Advantages of using FirewallD over iptables:

i. Configuration changes made at runtime take effect immediately; the firewalld service does not need to be reloaded or restarted.

ii. It simplifies firewall management by grouping all network traffic into zones.

iii. More than one firewall configuration can be kept on a system and switched as the network environment changes, which is very useful on mobile devices such as laptops.

iv. It uses the D-Bus messaging system, so applications and tools can query and change firewall settings.

In CentOS 7 or higher, we can still use the classic iptables. To do so, the firewalld service has to be stopped and disabled first: running firewalld and a hand-managed iptables ruleset side by side will corrupt the ruleset, as the two are incompatible. It is always recommended to manage the firewall with firewalld unless there is a specific reason to stay with classic iptables.

As mentioned, firewalld was designed with a powerful filtering system and is more flexible in handling firewall management. To take advantage of this design, firewalld assigns incoming traffic to zones, based either on the interface it arrives on or on its source address. Each zone handles traffic according to its own rules. The default zone is public, and any network interface that has not been explicitly assigned elsewhere is attached to the default zone. The pre-defined zone definitions live in two locations: system-provided zone files under /usr/lib/firewalld/zones/ and user-defined zone files under /etc/firewalld/zones/. When a system zone is modified, the modified copy is written automatically to /etc/firewalld/zones/, and that copy takes precedence over the original.

This guide will help you strengthen your basic knowledge of the firewalld service and of the firewall-cmd command on RHEL/CentOS 7.

Prerequisites:

Operating System : CentOS 7 or higher
Package          : firewalld
User account     : root, or a user account with sudo privileges

It is recommended to run all administrative commands with sudo rather than as root.


You can configure your firewall settings in three ways:

a. Editing the configuration files under '/etc/firewalld' directly

b. The graphical 'firewall-config' tool

c. The command-line 'firewall-cmd' tool in a terminal

Note:

In this demo, we will focus only on the 'firewall-cmd' command. All the examples below were tested on RHEL/CentOS 7.6.

Step 1: Install and enable the firewalld service

First, let's update the installed packages to their latest versions.

$ sudo yum update -y

Note:

Firewalld is included in the base installation of CentOS 7 but not in a minimal installation; in that case, install it with the following command:

$ sudo yum install firewalld -y

Use the following commands to start the service and enable it at boot:

$ sudo systemctl start firewalld.service

$ sudo systemctl enable firewalld.service

You can verify the status of the firewall service by using the following commands:

$ sudo firewall-cmd --state

Output:

running

$ sudo systemctl status firewalld

Detailed output:

firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sat 2020-04-18 22:39:56 IST; 2h 52min ago
Main PID: 759 (firewalld)
CGroup: /system.slice/firewalld.service
└─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 18 22:39:56 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.

Step 2: Zones

Firewalld ships with several predefined zones and services, mainly to make firewall management easier. With zones and services in place, all incoming traffic to the system is blocked unless a rule in the zone explicitly permits it.

1. How to check all the available zones in firewalld?

$ sudo firewall-cmd --get-zones

Output:

block dmz drop external home internal public trusted work

Note:

These are the pre-defined zones that ship with firewalld. Each is intended for a different level of trust and can be used for various purposes.

Please see the following pre-defined zones sorted based on the trust level:

drop     : incoming packets are dropped without any reply; only outgoing connections are possible (least trusted)
block    : incoming connections are rejected with an ICMP host-prohibited message; only connections initiated from the system are possible
public   : for use in public areas; only selected incoming connections are accepted (the default zone)
external : for use on external networks with masquerading enabled; only selected incoming connections are accepted
dmz      : for computers in a demilitarized zone; only selected incoming connections are accepted
work     : for use in work areas; only selected incoming connections are accepted
home     : for use in home areas; only selected incoming connections are accepted
internal : for use on internal networks; only selected incoming connections are accepted
trusted  : all network connections are accepted (most trusted)

Note:

The list above gives all the available zones and their intended uses. For more information, check the firewalld.zone(5) manual page.

2. How to find out which is the default zone?

$ firewall-cmd --get-default-zone

Output:

public

Note:

The output above shows that the public zone is the default zone. We can change it to suit our requirements; this is covered in a later example.

3. How to find a list of active zones and associated network interfaces?

$ firewall-cmd --get-active-zones

Output:

public
interfaces: enp1s0

Note:

In the output above, the public zone is active and associated with the "enp1s0" network interface. Any interface that is not explicitly assigned to a zone is attached automatically to the default zone.

4. How to find out if there are any rules listed in the active public zone?

$ sudo firewall-cmd --list-all --zone="public"

Output:

(The original article shows this output as a screenshot; its contents are summarized in the note below.)

Note:

The output above shows that the public zone is active and set as the default, and that the network interface "enp1s0" is associated with it. In this zone the dhcpv6-client and ssh services are permitted through the firewall.

5. How to check the list of all available zones?

$ sudo firewall-cmd --list-all-zones

Note:

Similar to the previous example, this lists the detailed configuration of every available zone, one after another. The output is lengthy, so try it yourself.

6. How to change the default zone to specific ones?

Before changing to a new zone, let's check the current default zone.

$ sudo firewall-cmd --get-default-zone

Output:

public

Note:

In the output you can see that the public zone is set as the default. Now let's change the default zone from public to work:

$ sudo firewall-cmd --set-default-zone=work

Output:

success

Note:

As you can see, the command reported success. Let us verify:

$ sudo firewall-cmd --get-default-zone

Output:

work

7. How to change the network interface from one zone to another?

Note:

Suppose your system has two network interfaces, say enp1s0 and enp1s1. By default both are assigned to the default zone; the following command moves enp1s1 into the internal zone:

$ sudo firewall-cmd --zone=internal --change-interface=enp1s1

Note:

You can verify the same using the following command:

$ sudo firewall-cmd --get-active-zones

8. How to build a customized firewalld zone?

Note:

As noted earlier, the system-provided zone files are located in "/usr/lib/firewalld/zones" and the user-defined ones in "/etc/firewalld/zones". Use the following command to create a custom zone file that permits both ssh and Apache web traffic (firewalld's http service) as well as ports 80 and 22. The new file must be saved in .xml format under the user-defined location; its name, without the .xml extension, becomes the zone name, and zone names are currently limited to 17 characters.

$ sudo vi /etc/firewalld/zones/linuxtecksecure.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>linuxtecksecure</short>
  <description>For use in Corporate areas.</description>
  <!-- Apache web traffic is covered by firewalld's http service; there is no
       service named "apache" in the --get-services list, and firewalld rejects
       a zone that references an unknown service. -->
  <service name="http"/>
  <service name="ssh"/>
  <!-- The explicit ports duplicate what the two services already open; they are
       harmless but redundant. -->
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
</zone>

Save and exit.

Note:

Reload the firewall service:

$ sudo firewall-cmd --reload

Output:

success

Now, re-check the available zones in firewalld:

$ sudo firewall-cmd --get-zones

Output:

block dmz drop external home internal linuxtecksecure public trusted work

Note:

With the file above we created a new zone (linuxtecksecure) that enables only the Apache (http) and ssh services by default. After creating the file, the firewalld service must be reloaded in order to activate the zone. (Remember: always reload firewalld after any change to a zone file; until you do, the change has no effect on the running firewall.)
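Before copying a hand-written zone file into /etc/firewalld/zones/ and reloading, it is worth checking it for the mistakes that make firewalld reject it. The script below is an added example, not code from the original article or from the firewalld project. It assumes the 17-character zone-name limit mentioned above and uses a constructed subset of the service names from the --get-services output shown later in this article; the check_zone_file function and the sample files it writes are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article): lint a custom firewalld zone
# file before it goes into /etc/firewalld/zones/. A zone that names a service
# firewalld does not know is rejected at reload time, so catch the typo first.
# KNOWN_SERVICES is a constructed subset of the --get-services output in this
# article; on a live host use:  KNOWN_SERVICES=$(firewall-cmd --get-services)
KNOWN_SERVICES="dhcpv6-client dns ftp http https samba ssh"

# check_zone_file FILE
# Prints one line per problem found and returns the number of problems (0 = clean).
check_zone_file() {
    file=$1
    problems=0

    # The zone name is the file name without .xml and is limited to 17 characters.
    name=$(basename "$file" .xml)
    if [ "${#name}" -gt 17 ]; then
        echo "zone name '$name' is ${#name} characters; the limit is 17"
        problems=$((problems + 1))
    fi

    # Every <service name="..."/> must be a service firewalld knows about.
    for svc in $(sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$file"); do
        case " $KNOWN_SERVICES " in
            *" $svc "*) ;;
            *) echo "unknown service '$svc' (compare with firewall-cmd --get-services)"
               problems=$((problems + 1)) ;;
        esac
    done

    # Every <port protocol="..." port="..."/> (attribute order as in the article's
    # file) must carry a tcp/udp protocol and a port number in 1..65535.
    for spec in $(sed -n 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\2\/\1/p' "$file"); do
        port=${spec%%/*}
        proto=${spec#*/}
        ok=1
        case $proto in tcp|udp) ;; *) ok=0 ;; esac
        case $port in ''|*[!0-9]*) ok=0 ;; *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || ok=0 ;; esac
        if [ "$ok" -eq 0 ]; then
            echo "bad port entry '$spec' (expected <number>/tcp or <number>/udp)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample zone files in a scratch directory: one that references a
# service named "apache" (which is not in the service list), the same zone using
# the http service, and a copy whose zone name exceeds 17 characters.
demo_dir=$(mktemp -d)
demo_bad=$demo_dir/linuxtecksecure.xml
demo_good=$demo_dir/corp-web.xml
demo_long=$demo_dir/this-zone-name-is-too-long.xml

cat > "$demo_bad" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>linuxtecksecure</short>
  <description>For use in Corporate areas.</description>
  <service name="apache"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
</zone>
EOF
sed 's/name="apache"/name="http"/' "$demo_bad" > "$demo_good"
cp "$demo_good" "$demo_long"

for f in "$demo_bad" "$demo_good" "$demo_long"; do
    echo "== $(basename "$f")"
    if check_zone_file "$f"; then
        echo "clean: safe to copy into /etc/firewalld/zones/ and run firewall-cmd --reload"
    fi
done
```

Run it as a normal user; nothing here touches the live firewall. Only a file that comes back clean should be copied into /etc/firewalld/zones/ and followed by a reload.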

Step 3: Services

Firewalld has another component called "services". A service definition bundles the ports (and related settings) that an application needs, and services are referenced from zone files to manage the traffic rules. The list that follows shows the pre-defined services, some of which are used in the default zone configurations.


9. How to list all the available services in firewalld?

$ sudo firewall-cmd --get-services

Output:

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Note:

Firewalld ships with a number of services for various purposes. In the above output, you can see the complete list of all the available services.

10. How to list all the available services in a particular zone?

$ sudo firewall-cmd --zone=work --list-services

Output:

dhcpv6-client ssh

Note:

The output shows only two services are enabled in the "work" zone.

11. How to add an existing service to the default zone?

$ sudo firewall-cmd --add-service=samba

Output:

success

Note:

In this example, I have added the existing service named samba to the default zone. You can verify it with the following command:

$ sudo firewall-cmd --zone=public --list-services

Output:

dhcpv6-client samba ssh

Note:

Similarly, we can add a service to a zone other than the default one. Use the following command:

$ sudo firewall-cmd --zone=internal --add-service=ftp

Step 4: Firewalld Runtime and Permanent

Firewalld keeps two separate configurations: permanent and runtime (immediate). When the firewall starts, it loads the permanent configuration files into the runtime configuration. Any change you make, whether an addition or an update, is applied to the runtime configuration only and is not carried over automatically to the permanent configuration.

To make a rule permanent, add the '--permanent' flag. Permanent changes take effect in the running firewall only after the firewall service is reloaded or restarted.

12. How to add a service permanently?

$ sudo firewall-cmd --permanent --add-service=ftp

Output:

success

$ sudo firewall-cmd --reload

Output:

success

Note:

Remember, whenever you use the '--permanent' flag, don't forget to reload the firewall service.

Some further real-world examples of rules added permanently are covered in separate articles:

(a) Allowing the http and https services in firewalld

(b) Allowing the DNS port in firewalld

13. How do I migrate my runtime settings to permanent?

$ sudo firewall-cmd --runtime-to-permanent

Output:

success

Note:

Usually we test rules in the runtime configuration first and, once they work as intended, make them permanent. Instead of repeating every command with '--permanent', the command above copies the entire runtime configuration into the permanent configuration in one shot. If the permanent rules do not appear to be in effect, reload or restart the firewall service.
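The gap between the runtime and permanent configurations is a common source of surprises after a reboot: a rule added without '--permanent' disappears, and a rule added with '--permanent' but never reloaded is not active yet. The script below is an added example, not code from the original article or from the firewalld project. It compares two zone listings that are constructed here to resemble 'firewall-cmd --list-all' output (real output on a host may differ slightly in layout); the zone_drift function name is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original article): report rules that exist only
# in the runtime configuration (they vanish on the next reload or reboot) or
# only in the permanent one (they appear on reload). The listings below are
# constructed samples shaped like `firewall-cmd --list-all` output; on a live
# host pass the real output instead:
#   zone_drift "$(firewall-cmd --zone=public --list-all)" \
#              "$(firewall-cmd --permanent --zone=public --list-all)"

# zone_drift RUNTIME_LISTING PERMANENT_LISTING
# Prints one line per drifting entry and returns how many it found (0 = in sync).
zone_drift() {
    runtime=$1
    permanent=$2
    drift=0
    # Keys whose values are space-separated tokens. "rich rules" is left out
    # because each rule is itself a phrase containing spaces.
    for key in target interfaces sources services ports protocols masquerade \
               forward-ports source-ports icmp-blocks; do
        rt=$(printf '%s\n' "$runtime"   | sed -n "s/^ *$key: *//p")
        pm=$(printf '%s\n' "$permanent" | sed -n "s/^ *$key: *//p")
        for v in $rt; do
            case " $pm " in *" $v "*) ;;
                *) echo "$key: '$v' is runtime-only (lost on reload)"
                   drift=$((drift + 1)) ;;
            esac
        done
        for v in $pm; do
            case " $rt " in *" $v "*) ;;
                *) echo "$key: '$v' is permanent-only (takes effect on reload)"
                   drift=$((drift + 1)) ;;
            esac
        done
    done
    return "$drift"
}

# Constructed sample: the public zone after the runtime changes made in this
# article (samba service and the samba ports) plus one permanent-only ftp rule.
RUNTIME_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client samba ssh
  ports: 137/udp 138/udp 139/tcp 445/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_PUBLIC='public
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client ftp ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

if zone_drift "$RUNTIME_PUBLIC" "$PERMANENT_PUBLIC"; then
    echo "runtime and permanent configuration of the zone are in sync"
else
    echo "resolve with: firewall-cmd --runtime-to-permanent (keep what is running)"
    echo "          or: firewall-cmd --reload (discard runtime-only rules)"
fi
```

Running this periodically (or before a planned reboot) shows exactly which rules would be lost and which would newly appear, so the choice between '--runtime-to-permanent' and '--reload' is made deliberately rather than discovered afterwards.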

Step 5: Ports

Firewalld also lets us manage network ports directly. The advantage is that a port can be opened or closed in the firewall even when no service definition for the application exists on the system.

14. How to open a port for samba service in the public zone?

$ sudo firewall-cmd --zone=public --add-port=137/udp

$ sudo firewall-cmd --zone=public --add-port=138/udp

$ sudo firewall-cmd --zone=public --add-port=139/tcp

$ sudo firewall-cmd --zone=public --add-port=445/tcp

Output:

success

Note:

Using the commands above, we have opened the ports used by the samba service. To verify:

$ sudo firewall-cmd --list-ports

Output:

137/udp 138/udp 139/tcp 445/tcp

Note:

After testing successfully, if you wish to keep these rules permanently, repeat the commands above with the '--permanent' flag, or use '--runtime-to-permanent', and don't forget to reload the service.

Step 6: Timeout

Firewalld has another interesting feature called timeout. It lets system administrators add a quick, temporary rule to the runtime configuration. For example, suppose a user wants to download a file from the server via FTP. Since this is a one-time action, a permanent rule is not required, and the download may take only 2-5 minutes (depending on the file size). In our case, we can allow the FTP service for 5 minutes; the rule is removed automatically when the time is up.

15. How to add a rule that expires automatically?

$ sudo firewall-cmd --zone=public --add-service=ftp --timeout=5m

Note:

The timeout can be given in seconds (s), minutes (m) or hours (h). Timed rules exist only in the runtime configuration; '--timeout' cannot be combined with '--permanent'.

That's it! In the next session, we will see how to configure the firewalld service step by step using advanced features with examples.

Thank you for taking your valuable time to read! I hope this article will help you to understand the basic usage of the 'firewall-cmd' command with examples. Drop me your feedback/comments. If you like this article, kindly share it and it may help others as well.

A few firewalld references are collected from this site

Thank you!
