
Linux Firewalld Documentation

Documentation
Name: Linux Firewalld Documentation
Description: HOWTO manage firewalld on Linux machines
Modification date: 11/04/2018
Owner: dodger
Notify changes to: dodger or networking
Tags: firewalld
Escalate to: dodger or networking

PRE-Requirements

Some knowledge of iptables/firewalld.

Daemon Management

Status firewalld

systemctl status firewalld

Start firewalld

systemctl start firewalld

Enable firewalld

So it will start on boot:

systemctl enable firewalld

Stop firewalld

Stopping firewalld flushes its rules, so the server becomes fully accessible (iptables with no rules and a default policy of ACCEPT). Check the live ruleset afterwards:

systemctl stop firewalld
echo "## check"
iptables -vnL

Disable firewalld

It won't start at boot:

systemctl disable firewalld

Check status after that.

Rules Management

To make changes permanent, you must add --permanent to the firewall-cmd executions!!!

--permanent does NOT apply rules on the LIVE system!!! It only writes the saved configuration; the running firewall is unchanged until you reload (see below), and conversely a change made without --permanent is lost on the next reload or reboot.


To switch the commands below between permanent and live, set this variable (leave it empty for live-only changes):

export PERMANENT="--permanent"

Reload rules

For example after changing rules with --permanent, to load the saved configuration into the running firewall:

firewall-cmd --reload
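An added check, not part of the wiki page, for the situation just described: rules edited with --permanent but never reloaded, or edited live but never saved. It compares the services of one zone in the live and saved configuration by parsing `firewall-cmd --list-all` output. The `fake_firewall_cmd` stub and its output are constructed for offline use; on a real host call `zone_drift public` and the real firewall-cmd is used.

```shell
#!/bin/sh
# Added example (not from the wiki page): report drift between the live and
# --permanent service list of a firewalld zone.

# services_of: read "firewall-cmd --list-all" output on stdin and print the
# zone's services, sorted, space separated (one trailing space).
services_of() {
    sed -n 's/^ *services: *//p' | tr ' ' '\n' | grep -v '^$' | sort | tr '\n' ' '
}

# zone_drift ZONE [CMD]: compare live vs permanent services of ZONE.
# CMD defaults to firewall-cmd; returns 0 if both match, 1 if they differ.
zone_drift() {
    zone=$1
    cmd=${2:-firewall-cmd}
    live=$($cmd --zone="$zone" --list-all | services_of)
    perm=$($cmd --permanent --zone="$zone" --list-all | services_of)
    rc=0
    for s in $live; do                       # present live, missing in saved config
        case " $perm" in *" $s "*) ;; *) echo "live only (lost on reload): $s"; rc=1 ;; esac
    done
    for s in $perm; do                       # saved, but not active yet
        case " $live" in *" $s "*) ;; *) echo "permanent only (needs --reload): $s"; rc=1 ;; esac
    done
    [ $rc -eq 0 ] && echo "zone $zone: live and permanent services match"
    return $rc
}

# Constructed stand-in for firewall-cmd (offline demo only): dhcpv6-client was
# removed and snmp added on the live system, neither change with --permanent.
fake_firewall_cmd() {
    case "$*" in
        *--permanent*) services="dhcpv6-client ssh" ;;
        *)             services="snmp ssh" ;;
    esac
    printf 'public\n  target: default\n  services: %s\n  ports: \n' "$services"
}

# Demo against the stub; real use is simply: zone_drift public
zone_drift public fake_firewall_cmd || true
```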

View information

All zones

firewall-cmd --list-all-zones

List zone names

firewall-cmd --get-zones

Selected zone

firewall-cmd --zone=internal --list-all
firewall-cmd --zone=public --list-all

Sample:

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

Remove service

Replace THEZONE and THESERVICE in this command. With PERMANENT empty it changes only the live rules; with PERMANENT set to --permanent it changes only the saved configuration, so run it in both modes (as in the sample) or reload afterwards:

firewall-cmd ${PERMANENT} --zone=THEZONE --remove-service=THESERVICE

Sample:

ciberterminal.net /etc/sysconfig # firewall-cmd --zone=public --remove-service=dhcpv6-client
success
ciberterminal.net /etc/sysconfig # firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
Warning: NOT_ENABLED: dhcpv6-client
success

Basic Rules

Remove the dhcpv6-client service (IPv6 DHCP client):

firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client

Add snmp:

firewall-cmd ${PERMANENT} --zone=public --add-service=snmp

Rich Rules

Open a port for one source range only (TCP 8181 from 10.40.0.0/16):

firewall-cmd ${PERMANENT} --zone=public --add-rich-rule='rule family=ipv4 source address=10.40.0.0/16 port port=8181 protocol=tcp accept'

OpenVPN/WireGuard setup

As a VPN client, put the tunnel interfaces (OpenVPN tun, WireGuard wg, PPP) in the internal zone, then verify the zone:

firewall-cmd ${PERMANENT} --zone=internal --add-interface=tun+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=wg+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=ppp+
firewall-cmd ${PERMANENT} --list-all --zone=internal
linux/firewalld_documentation.txt · Last modified: 2023/08/28 10:34 by dodger