
How to set up a firewall using Firewalld


Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, ethernet bridges and IP sets, and it keeps the runtime configuration separate from the permanent configuration. It also provides a D-Bus interface through which services and applications can add firewall rules directly.
firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage both the runtime and the permanent configuration.
You can read more about Firewalld at firewalld.org.
The source code is available on GitHub.

Common options

  • --permanent - apply the change to the permanent configuration (the XML files under /etc/firewalld) instead of the running one. Without this option a change takes effect immediately but is lost on reload, on a firewalld restart and on reboot; with it the change is saved but does not take effect until the next reload. A safe workflow is to make the change at runtime, verify it works, then copy it into the permanent configuration with --runtime-to-permanent.
  • --quiet - do not print status messages.

Maintenance

  • Check Firewalld status:

    sudo firewall-cmd --state
    
  • Run checks on the permanent configuration (includes XML validity and semantics):

    sudo firewall-cmd --check-config
    
  • Reload Firewalld (the permanent configuration becomes the runtime configuration; any runtime-only change is lost):

    sudo firewall-cmd --reload
    
  • Enable panic mode (drop all incoming and outgoing packets, including the SSH session you are running this from, so only use it from a console):

    sudo firewall-cmd --panic-on
    
  • Check panic mode status (prints yes or no; the exit status is 0 when panic mode is on):

    sudo firewall-cmd --query-panic
    
  • Disable panic mode:

    sudo firewall-cmd --panic-off
    
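The runtime/permanent split above is the usual source of surprises: a rule added without --permanent works until the next reload, and a rule added with --permanent is saved but not enforced until one. The script below is an added example (not from the original page) that audits a zone for exactly that drift, by comparing the runtime and permanent lists of services and ports, and persists a verified runtime configuration with --runtime-to-permanent followed by --check-config. --runtime-to-permanent is a firewall-cmd option not shown on this page; the zone, service and port names in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): audit a firewalld zone for drift
# between its runtime and permanent configuration, and persist runtime changes
# safely. Zone, service and port names mentioned in comments are illustrative.

# Print every item of list A (space-separated) that is absent from list B.
# Pure text helper, so it can be exercised without firewalld.
missing_from() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) echo "$item" ;;
        esac
    done
}

# Compare the runtime and permanent lists of one KIND (services or ports) for
# ZONE and explain what each difference means. Returns 1 if anything differs.
report_drift() {
    zone=$1; kind=$2; runtime=$3; permanent=$4; rc=0
    for x in $(missing_from "$runtime" "$permanent"); do
        echo "$zone: $kind $x is runtime-only (will disappear on --reload)"; rc=1
    done
    for x in $(missing_from "$permanent" "$runtime"); do
        echo "$zone: $kind $x is permanent-only (not active until --reload)"; rc=1
    done
    return $rc
}

# Fetch both configurations of ZONE (the default zone if omitted) from firewalld
# and report drift for services and ports, e.g. "public: services http is
# runtime-only" after a forgotten --permanent.
zone_drift() {
    zone=${1:-$(sudo firewall-cmd --get-default-zone)}; drift=0
    for kind in services ports; do
        report_drift "$zone" "$kind" \
            "$(sudo firewall-cmd --zone="$zone" --list-"$kind")" \
            "$(sudo firewall-cmd --permanent --zone="$zone" --list-"$kind")" || drift=1
    done
    return $drift
}

# Copy the verified runtime configuration into the permanent one, then validate
# the resulting XML. Use this instead of retyping every rule with --permanent.
persist_runtime() {
    sudo firewall-cmd --runtime-to-permanent && sudo firewall-cmd --check-config
}

# Usage: ./fw-drift.sh check [zone]   or   ./fw-drift.sh persist
case "${1:-}" in
    check)   zone_drift "${2:-}" ;;
    persist) persist_runtime ;;
esac
```

Run `./fw-drift.sh check public` after every change; a non-zero exit means the running firewall and the one that will come back after a reload or reboot are not the same thing, which is the case you want to catch before the reboot, not after.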

Configure zones

  • Get default zone:

    sudo firewall-cmd --get-default-zone
    
  • Get active zones (zones that have an interface or source bound to them), with their interfaces:

    sudo firewall-cmd --get-active-zones
    
  • View rules for the default zone:

    sudo firewall-cmd --list-all
    
  • View existing zones:

    sudo firewall-cmd --get-zones
    
  • View rules for a specific zone:

    sudo firewall-cmd --zone=public --list-all
    
  • Bind a network interface to a zone (runtime only unless --permanent is added; if the interface is managed by NetworkManager, the zone is stored on the NetworkManager connection):

    sudo firewall-cmd --zone=public --change-interface=eth0
    
  • Change the default zone (this applies to both the runtime and the permanent configuration):

    sudo firewall-cmd --set-default-zone=home
    
  • Create a new zone (permanent configuration only; reload before it can be used at runtime):

    sudo firewall-cmd --permanent --new-zone=devel
    

Configure services

  • View available services:

    sudo firewall-cmd --get-services
    
  • View information about a specific service:

    sudo firewall-cmd --info-service=ssh
    
  • View the description of a specific service:

    sudo firewall-cmd --permanent --service=ssh --get-description
    
  • View permanently enabled services:

    sudo firewall-cmd --zone=public --permanent --list-services
    
  • Enable a service in a zone (runtime only; add --permanent to keep it across reloads):

    sudo firewall-cmd --zone=public --add-service=ssh
    
  • Disable a service in a zone:

    sudo firewall-cmd --zone=public --remove-service=ssh
    
  • Create a new service (permanent configuration only; assign its ports, then reload before it can be added to a zone at runtime):

    sudo firewall-cmd --permanent --new-service=devel
    

Configure ports

  • Open a TCP port (runtime only; add --permanent to persist it):

    sudo firewall-cmd --zone=public --add-port=8080/tcp
    
  • Close a TCP port:

    sudo firewall-cmd --zone=public --remove-port=8080/tcp
    
  • Open a range of UDP ports:

    sudo firewall-cmd --zone=public --add-port=12000-12500/udp
    
  • View open ports in a specific zone:

    sudo firewall-cmd --zone=public --list-ports
    

Configure ICMP

  • Get a list of available ICMP types:

    sudo firewall-cmd --get-icmptypes
    
  • Block ping (ICMP echo-request) in a zone:

    sudo firewall-cmd --zone=public --add-icmp-block=echo-request
    
  • Allow ping again:

    sudo firewall-cmd --zone=public --remove-icmp-block=echo-request
    
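The zone, service, port and ICMP commands above are the building blocks of one provisioning procedure. The script below is an added example (not from the original page) that strings them together idempotently: it defines a named service for an application, creates a zone whose target is DROP, allows only ssh and that service in it, blocks ping, binds an interface, validates the permanent configuration and reloads once. The zone name devel, the service name devel-web, the interface eth0, the ports and the description are assumptions; --set-target and --set-description are firewall-cmd options not listed on this page.

```shell
#!/bin/sh
# Added example (not from the original page): provision a locked-down firewalld
# zone for a development host in one idempotent script. The zone "devel", the
# service "devel-web", the interface "eth0", the ports and the description are
# assumptions for illustration; change them to match your host.
#
# Every change goes to the permanent configuration, is validated with
# --check-config and activated by a single --reload, so a half-applied runtime
# state never exists.

# Wrapper around firewall-cmd. With FW_DRY_RUN set, or when firewall-cmd is not
# installed, it prints the command instead of executing it so the plan can be
# reviewed (or tested) on a machine without firewalld. Dry-run output is
# unquoted and meant for reading, not for copy-paste.
fw() {
    if [ -n "${FW_DRY_RUN:-}" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd $*"
    else
        sudo firewall-cmd "$@"
    fi
}

# True if NAME appears in the space-separated list printed by the given query,
# e.g. have devel --permanent --get-zones. Keeps --new-zone/--new-service from
# failing on a second run.
have() {
    name=$1; shift
    case " $(fw "$@") " in *" $name "*) return 0 ;; esac
    return 1
}

# Define a named service from a description and one or more port/protocol
# specs (e.g. 8080/tcp 12000-12500/udp). A service keeps the port list in one
# documented place instead of scattering raw --add-port rules over zones.
define_service() {
    svc=$1; desc=$2; shift 2
    have "$svc" --permanent --get-services || fw --permanent --new-service="$svc"
    fw --permanent --service="$svc" --set-description="$desc"
    for spec in "$@"; do
        fw --permanent --service="$svc" --add-port="$spec"
    done
}

# Create ZONE with a DROP target (unmatched traffic is silently discarded rather
# than rejected with an ICMP error), allow only ssh and SVC, block ping, and
# bind IFACE to it. Nothing is active until --reload.
define_zone() {
    zone=$1; svc=$2; iface=$3
    have "$zone" --permanent --get-zones || fw --permanent --new-zone="$zone"
    fw --permanent --zone="$zone" --set-target=DROP
    fw --permanent --zone="$zone" --add-service=ssh
    fw --permanent --zone="$zone" --add-service="$svc"
    # Block echo-request only; other ICMP types (e.g. destination-unreachable)
    # are needed for path-MTU discovery and error reporting.
    fw --permanent --zone="$zone" --add-icmp-block=echo-request
    fw --permanent --zone="$zone" --change-interface="$iface"
}

# Reload only if the permanent configuration validates, then show the result.
apply_and_verify() {
    zone=$1
    fw --check-config && fw --reload
    fw --zone="$zone" --list-all
    fw --get-active-zones
}

provision() {
    define_service devel-web "Development web app" 8080/tcp 12000-12500/udp
    define_zone devel devel-web eth0
    apply_and_verify devel
}

# Run as: ./fw-devel.sh apply   (or FW_DRY_RUN=1 ./fw-devel.sh apply to review)
case "${1:-}" in
    apply) provision ;;
esac
```

`FW_DRY_RUN=1 ./fw-devel.sh apply` prints the exact command sequence for review; without the variable it applies it. Because the reload is gated on --check-config, a typo in a service or zone definition is caught before it replaces the running rules, and because ssh is added before the interface is bound, the zone never goes live without an administrative path in.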

Read more

Check out the manual page to read more about firewall-cmd:

man firewall-cmd