15 basic useful firewall-cmd commands in Linux

firewalld in linux

A good firewall can prevent unauthorized access to the systems on a network. Businesses and organizations invest a good amount of money in their cybersecurity infrastructure, depending on how critical their business is.

In this article, we will cover the fundamentals of FirewallD, the firewall service introduced in CentOS 7. It is a front end to Netfilter, the extremely powerful packet filtering framework built into the kernel, which sees every packet travelling through the system. This means incoming, outgoing and forwarded packets can be inspected, modified, rejected or dropped programmatically before they reach their destination. From CentOS 7 onwards, firewalld is the default tool for managing the host-based firewall. The daemon is provided by the firewalld package, which is present in the base installation of the OS but not in the minimal installation.

Advantages of using FirewallD over iptables:

i. Configuration changes made at runtime do not require reloading or restarting the firewalld service.

ii. It simplifies firewall management by arranging all network traffic into zones.

iii. More than one firewall configuration can be kept per system and switched as the network environment changes. This is very useful for mobile devices such as laptops.

iv. It uses the D-Bus messaging system to interact with and maintain the firewall settings.

In CentOS 7 or higher, the classic iptables can still be used, but the firewalld service must be stopped and disabled first. Running both (firewalld and iptables) together will mess up the system, as they are incompatible with each other. It is always recommended to use firewalld to manage the firewall unless you have specific reasons to continue using classic iptables.

Firewalld is designed around this powerful filtering system and is also more flexible for firewall management. To take advantage of this design, firewalld categorizes incoming traffic into zones, either by the interface it arrives on or by its source address. Each zone is designed to handle traffic according to specified criteria. The default zone is public, and network interfaces are attached to public unless configured otherwise. All the pre-defined zone rules are stored in two locations: the system-supplied zone files under /usr/lib/firewalld/zones/ and the user-defined zone files under /etc/firewalld/zones/. If a system-supplied zone is modified, the modified copy is written automatically to /etc/firewalld/zones/, and that copy takes precedence over the system one.

This guide will help you strengthen your basic knowledge of the firewalld service and of how to use the firewall-cmd command on RHEL/CentOS 7.

Prerequisites:

Operating System : CentOS 7 or higher
Package          : firewalld
User account     : root, or a user account with sudo privileges

It is recommended to run all administrative commands with sudo rather than as root.

We can configure the firewall settings in three ways:

a. Direct editing in the '/etc/firewalld' configuration files

b. Graphical interface 'firewall-config' tool

c. Command-line 'firewall-cmd' in Terminal

Note:

In this demo we focus only on the firewall-cmd command. All the examples below were tested on RHEL/CentOS 7.6.

Step 1: Install and enable the firewalld service

First, update the package to the latest available version.

$ sudo yum update -y

Note:

Firewalld is present in the base installation of CentOS 7 but not in the minimal installation; in that case, install it with the following command:

$ sudo yum install firewalld -y

Use the following commands to start and enable the service:

$ sudo systemctl start firewalld.service

$ sudo systemctl enable firewalld.service

You can verify the status of the firewall service with the following commands:

$ sudo firewall-cmd --state

Output:

running

$ sudo systemctl status firewalld

Detailed output:

firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sat 2020-04-18 22:39:56 IST; 2h 52min ago
Main PID: 759 (firewalld)
CGroup: /system.slice/firewalld.service
└─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 18 22:39:56 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.

Step 2: Zones

Firewalld provides several predefined zones and services for different purposes; one of their main purposes is to make firewall management easier. Based on these zones and services, every form of incoming traffic to the system can be blocked unless it is explicitly permitted by rules added to the zone.

1. How to check all the available zones in firewalld?

$ sudo firewall-cmd --get-zones

[image: predefined zones in firewalld]

Note:

These are the default pre-defined zones in firewalld (block, dmz, drop, external, home, internal, public, trusted and work, as the later --get-zones output also shows). Each can be used for a different purpose.

Let's look at the pre-defined zones sorted by trust level:

[image: zones in firewalld, sorted from least to most trusted]

Note:

The image above lists all the available zones and their intended uses. For more information, check the firewalld.zone(5) manual page.

2. How to find out which is the default zone?

$ firewall-cmd --get-default-zone

Output:

public

Note:

From the above output, you can see the public zone is marked as a default zone. We can change it based on our requirements. We will discuss that further in the coming examples.

3. How to find the list of active zones and the associated network interfaces?

$ firewall-cmd --get-active-zones

Output:

public
interfaces: enp1s0

Note:

In the above output, you can see that the public zone is active and associated with the "enp1s0" network interface. If an interface is not assigned to a particular zone, it is automatically attached to the default zone.

4. How to find out if there are any rules listed in the active public zone?

$ sudo firewall-cmd --list-all --zone="public"

[image: active public zone in firewalld]

Note:

The above output shows that the public zone is active and set as default, and that the network interface "enp1s0" is associated with it. In this zone only the dhcpv6-client and ssh services are permitted through the firewall.

5. How to check the list of all the available zones?

$ sudo firewall-cmd --list-all-zones

Note:

Similar to the previous example, this lists the detailed configuration of each available zone separately. Try it yourself, as the output is pretty lengthy.

6. How to change the default zone to a specific one?

Before changing to a new zone, let's check the current default zone.

$ sudo firewall-cmd --get-default-zone

Output:

public

Note:

The output shows that the public zone is the default. Now let's change the default zone from public to work:

$ sudo firewall-cmd --set-default-zone=work

Output:

success

Note:

The output of the above command was "success". Let's verify it:

$ sudo firewall-cmd --get-default-zone

Output:

work

7. How to move a network interface from one zone to another?

Note:

Suppose your system has two network interfaces, say enp1s0 and enp1s1. By default, all interfaces are assigned to the default zone; use the following command to move an interface into another zone:
$ sudo firewall-cmd --zone=internal --change-interface=enp1s1

Note:

You can verify the same using the following command.
$ sudo firewall-cmd --get-active-zones
8. How to build a custom firewalld zone?

Note:

As we know, the system-supplied configuration files are located at "/usr/lib/firewalld/zones" and the user-defined files at "/etc/firewalld/zones". Use the following command to create a custom zone file that permits both the ssh and apache services using port numbers 80 and 22. The new file must be saved in .xml format under the user-defined location. Currently, the zone name is limited to 17 characters.

$ sudo vi /etc/firewalld/zones/linuxtecksecure.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>linuxtecksecure</short>
  <description>For use in Corporate areas.</description>
  <service name="apache"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
</zone>

Save and exit.

Note:

Reload the firewall service:

$ sudo firewall-cmd --reload

Output:

success

Now, re-check the available zones in firewalld:

$ sudo firewall-cmd --get-zones

Output:

block dmz drop external home internal "linuxtecksecure" public trusted work

Note:

With the file above we created a new zone (linuxtecksecure) that enables only the apache and ssh services by default. After creating the file, we need to reload the firewalld service to activate the zone (remember: always reload firewalld after any change to your zone files, otherwise the changes will not take effect). One caveat: every <service name="..."/> entry in a zone file must name a service firewalld knows, i.e. one of the names printed by firewall-cmd --get-services in example 9, and that list contains http but no apache; the explicit <port> entries still open 80/tcp and 22/tcp on their own.
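As an added example (not part of the original article), the following POSIX shell script renders a zone file like the one above, but first checks the two things firewalld itself would reject: a zone name longer than 17 characters and a service name that is not in the list printed by firewall-cmd --get-services. The known-service list is a constructed string here; on a real host pass $(sudo firewall-cmd --get-services) instead. The helper names (valid_zone_name, service_known, render_zone) are this example's own, not firewalld's.

```shell
#!/bin/sh
# Added example, not from the original article: build a firewalld zone file
# after validating the zone name and the service names it references.
# The helper names below are assumptions of this example, not firewalld's own.

# Zone names: 1..17 characters from [A-Za-z0-9_-] (the length limit quoted above).
valid_zone_name() {
    name=$1
    case $name in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#name}" -le 17 ]
}

# Is service $1 one of the whitespace-separated names in $2?
service_known() {
    for s in $2; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Print zone XML to stdout.
#   $1 zone name   $2 description   $3 services ("http ssh")
#   $4 ports ("80/tcp 22/tcp")      $5 known service names
# Returns 1 without printing anything if the name or a service is invalid.
render_zone() {
    name=$1; desc=$2; services=$3; ports=$4; known=$5
    valid_zone_name "$name" || { echo "invalid zone name: $name" >&2; return 1; }
    for svc in $services; do
        service_known "$svc" "$known" ||
            { echo "unknown service '$svc' (see firewall-cmd --get-services)" >&2; return 1; }
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for svc in $services; do
        printf '  <service name="%s"/>\n' "$svc"
    done
    for p in $ports; do
        # "80/tcp" -> port="80" protocol="tcp"
        printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
    done
    printf '</zone>\n'
}

# Constructed service list for offline use; on a real host use:
#   KNOWN_SERVICES=$(sudo firewall-cmd --get-services)
KNOWN_SERVICES="dhcpv6-client ftp http https samba ssh"

# Usage on a real host: write the file into the user zone directory, then reload:
#   render_zone ... > /tmp/linuxtecksecure.xml &&
#   sudo cp /tmp/linuxtecksecure.xml /etc/firewalld/zones/ && sudo firewall-cmd --reload
render_zone linuxtecksecure "For use in Corporate areas." "http ssh" "80/tcp 22/tcp" "$KNOWN_SERVICES"
```

The script prints the XML only when every check passes, so a typo such as "apache" is caught before the file reaches /etc/firewalld/zones/ and before a reload would fail to load the zone.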
Step 3: Services

Similarly, firewalld has another component named "services". These services can be referenced in zone files to manage the traffic rules in the firewall settings. The following list shows the pre-defined services used in the default zone configuration files.

[image: available services in firewalld]

9. How to list all the available services in firewalld?

$ sudo firewall-cmd --get-services

Output:

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Note:

Firewalld ships with a number of services for various purposes. The above output shows the complete list of all the available services.

10. How to list all the available services in a particular zone?

$ sudo firewall-cmd --zone=work --list-services

Output:

dhcpv6-client ssh

Note:

The output shows only two services are enabled in the "work" zone.

11. How to add an existing service to the default zone?

$ sudo firewall-cmd --add-service=samba

Output:

success

Note:

In this example, I have added the existing service named samba to the default zone. You can verify it with the following command:

$ sudo firewall-cmd --zone=public --list-services

Output:

dhcpv6-client samba ssh

Note:

Similarly, we can add a service to a different zone other than the default one. Use the following command:
$ sudo firewall-cmd --zone=internal --add-service=ftp
Step 4: Firewalld runtime and permanent configuration

Firewalld keeps two separate configurations: permanent and runtime (immediate). When the firewall starts, it loads the permanent configuration into the runtime. Any change you make, whether adding or updating a rule, is applied to the runtime configuration and is not automatically saved to the permanent configuration.

To make a rule permanent, we need to use the '--permanent' parameter. Changes made this way take effect only after the firewall service is reloaded or restarted.

12. How to add a service permanently?

$ sudo firewall-cmd --permanent --add-service=ftp

Output:

success

$ sudo firewall-cmd --reload

Output:

success

Note:

Remember, whenever you use the '--permanent' flag, don't forget to reload the firewall service.

You can check the following real-world examples of how firewall rules are added permanently:

(a) Allow the http and https services in firewalld

(b) Allow the DNS port in firewalld

13. How to migrate runtime settings to permanent?

$ sudo firewall-cmd --runtime-to-permanent

Output:

success

Note:

Usually, we test all the rules in the runtime configuration first; once they work, we use the '--permanent' option to make them permanent. The above command migrates all runtime settings into the permanent configuration in one shot. If the change does not seem to take effect in the firewall setup, reload or restart the firewall service so the rules apply from the permanent configuration.
Step 5: Ports

Firewalld lets us manage network ports directly. The beauty is that we can open and close a port in the firewall without even installing the corresponding service on the system.

14. How to open a port for samba service in the public zone?

$ sudo firewall-cmd --zone=public --add-port=137/udp

$ sudo firewall-cmd --zone=public --add-port=138/udp

$ sudo firewall-cmd --zone=public --add-port=139/tcp

$ sudo firewall-cmd --zone=public --add-port=445/tcp

Output:

success

Note:

Using the above commands, we have opened the ports used by the samba service. To verify:

$ sudo firewall-cmd --list-ports

Output:

137/udp 138/udp 139/tcp 445/tcp

Note:

After testing successfully, if you wish to keep these rules permanently, use the '--permanent' flag along with the above commands or use the runtime-to-permanent command, and don't forget to reload the service.
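Because runtime rules silently disappear on the next reload (step 4), a useful check before reloading is to diff the runtime and permanent views of a zone. The following POSIX shell script is an added example, not from the original article: it parses the key: value lines of firewall-cmd --list-all output and reports the services and ports that exist only at runtime, using the samba service and port additions from examples 11 and 14 as constructed sample output. On a real host capture the two views with sudo firewall-cmd --zone=public --list-all and sudo firewall-cmd --permanent --zone=public --list-all; the helper names (list_all_field, words_missing_from, unsaved_items) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: find runtime rules that are
# not in the permanent configuration and would therefore vanish on the next
# `firewall-cmd --reload` (the runtime/permanent split described in step 4).
# Helper names are this example's own, not firewalld's.

# Read `firewall-cmd --list-all` output on stdin and print the value of one
# field, e.g. `list_all_field services` -> "dhcpv6-client samba ssh".
list_all_field() {
    awk -v key="$1:" '$1 == key {
        for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "")
        print ""
        exit
    }'
}

# Print each word of $1 that does not occur in $2, one per line.
words_missing_from() {
    for w in $1; do
        found=0
        for v in $2; do
            [ "$w" = "$v" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$w"
    done
    return 0
}

# Items of field $1 present in runtime output $2 but absent from permanent
# output $3, as one space-separated line (empty when nothing is unsaved).
unsaved_items() {
    rt=$(printf '%s\n' "$2" | list_all_field "$1")
    pm=$(printf '%s\n' "$3" | list_all_field "$1")
    words_missing_from "$rt" "$pm" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample output for offline use. On a real host capture it with:
#   RUNTIME=$(sudo firewall-cmd --zone=public --list-all)
#   PERMANENT=$(sudo firewall-cmd --permanent --zone=public --list-all)
RUNTIME='public (active)
  target: default
  interfaces: enp1s0
  services: dhcpv6-client samba ssh
  ports: 137/udp 138/udp 139/tcp 445/tcp
  rich rules: '
PERMANENT='public
  target: default
  interfaces: enp1s0
  services: dhcpv6-client ssh
  ports: 
  rich rules: '

# Report what a reload would drop; keep it with --permanent or --runtime-to-permanent.
for field in services ports; do
    missing=$(unsaved_items "$field" "$RUNTIME" "$PERMANENT")
    if [ -n "$missing" ]; then
        echo "runtime-only $field: $missing"
    fi
done
```

With the sample data the script reports samba under services and the four samba ports under ports, which is exactly what firewall-cmd --runtime-to-permanent would save, or what a reload would discard if you forgot.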
Step 6: Timeout

Firewalld has another interesting feature named timeout. It helps system administrators add a quick rule to their runtime setup that expires on its own. For example, suppose a user wants to download a file from the server via the FTP service. This is a one-time action, so a permanent rule is not required. Downloading a file may take hardly 2-5 minutes (it varies with the file size). In this case we can permit the FTP service for 5 minutes, and the rule is removed automatically after the given time.

15. How to add a service with a timeout?

$ sudo firewall-cmd --zone=public --add-service=ftp --timeout=5m

Note:

We can specify the timeout in seconds (s), minutes (m) or hours (h).

That's it! In the next session, we will see how to configure the firewalld service step by step using advanced features with examples.

Thank you for taking your valuable time to read! I hope this article will help you to understand the basic usage of 'firewall-cmd' command with examples. Drop me your feedback/comments. If you like this article, kindly share it and it may help others as well.

A few firewalld references were collected from this site.

Thank you!

Please share it, if you like this article and help us to grow! 🙂
