Advanced Cheat Sheet
Before we get to the firewalld cheat list, I’d like to briefly discuss firewalld in general.
The Case for Firewalld: A Modern Approach to Firewall Management
In the ever-changing domain of Linux system administration and security, one decision comes up again and again. On one hand, iptables is a dependable tool that has served many professionals faithfully for years. On the other, firewalld is a contemporary, dynamic option that promises to streamline your workflow. If you hesitate at the thought of switching, you are in good company: seasoned professionals often prefer the familiar, even when newer, more efficient alternatives are available.
First, let’s look at why firewalld deserves your attention. Unlike iptables, where complex commands are the norm, firewalld offers a more user-friendly interface. Imagine managing your firewall rules becoming an effortless task thanks to firewalld’s intuitive services and zones. The appeal of such convenience is hard to ignore, isn’t it?
The Dynamic Nature and Flexibility of Firewalld
Second, consider the dynamic capabilities of firewalld. Recall those moments when a simple rule change in iptables required a complete service restart. Firewalld, by contrast, applies adjustments instantly, so there is no need for constant service restarts. This saves you precious time and also minimizes system downtime.
Moreover, the zone-based configuration in firewalld offers another layer of simplicity. Rather than dealing with a cumbersome list of rules, you can categorize them into zones based on the level of trust you have for different networks. This approach results in a more organized, easily manageable rule set.
Additionally, if you’ve been juggling separate rule sets for IPv4 and IPv6, firewalld comes to the rescue by allowing unified management of both. Furthermore, the rich rules feature in firewalld simplifies complex tasks like port forwarding and rate limiting, which might have been challenging in iptables.
In summary, if you’ve been clinging to iptables out of familiarity, it might be time to broaden your horizons. Firewalld offers a harmonious mix of efficiency and user-friendliness, making it worth considering for your firewall management. So why not start with “Some Basic Firewalld Cheat List” to give firewalld a test run? After progressing to the “Advanced Firewalld Cheat List,” you may find that it’s not just a modern alternative but a more effective solution for your firewall management needs. Finally, to cement your expertise, you can explore the chapter on “How to Generate Firewalld Cheat List” and refer to the “Firewalld Cheat List for Quick Command References” for quick, on-the-go solutions.
Some basic firewalld cheat list
List Allowed Ports
To list all allowed ports, you can use:
firewall-cmd --list-ports
Outcome:
8080/tcp 22/tcp 443/tcp
List Allowed Services
To get a comprehensive list of all the services that are allowed through your firewall, use:
firewall-cmd --list-services
Outcome:
dhcpv6-client http https ssh
Add Port to Allow
To add a port to the allowed list (with --permanent the rule is written to the saved configuration only; run firewall-cmd --reload afterwards, or repeat the command without --permanent, to apply it to the running firewall):
firewall-cmd --add-port=8081/tcp --permanent
Outcome:
success
Add Service to Allow
To allow a service through your firewall, use:
firewall-cmd --add-service=http --permanent
Outcome:
success
List Port Redirections
To list all port redirections, use:
firewall-cmd --list-forward-ports
Outcome:
port=80:proto=tcp:toport=8080:toaddr=192.168.0.2
How to Allow Traffic on an Incoming Port
To allow traffic on an incoming port in a specific zone (here public), use:
firewall-cmd --zone=public --add-port=8082/tcp --permanent
Outcome:
success
Understanding Firewalld Zones
Firewalld zones are essentially partitions that define the trust level of network connections and interfaces. They are crucial for segmenting your network into different security levels.
To list all zones, use:
firewall-cmd --get-zones
Outcome:
block dmz drop external home internal public trusted work
Each zone has its own set of rules and policies. For example, the public zone is generally less trusted than the home or internal zones. You can switch between zones dynamically based on your security needs.
Understanding Firewalld Services
Firewalld services are predefined sets of rules that specify the kind of traffic that is allowed or disallowed. This is particularly useful for quickly configuring common services without having to manually specify each port and protocol.
To list all predefined services, use:
firewall-cmd --get-services
Outcome:
dhcp dhcpv6 dhcpv6-client dns ftp http https imap imaps pop3 pop3s smtp ssh telnet tftp
Enabling the http service automatically opens port 80/TCP, while enabling the https service opens port 443/TCP. This saves you the hassle of having to remember specific port numbers for common services.
Basic firewall-cmd Command Examples
Reload firewalld
When you’ve made multiple changes and want to apply them without disrupting the current connections, you can reload the configuration.
Command:
firewall-cmd --reload
Outcome:
success
List All Rules
If you’re troubleshooting or just want to review your current firewall settings, this command lists all the rules in the active zone.
Command:
firewall-cmd --list-all
Outcome:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: dhcpv6-client http https ssh
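The --permanent commands earlier in this sheet change only the saved configuration until firewall-cmd --reload, and runtime-only changes are lost on reload. The following bash script is an added example, not part of the original cheat sheet: it parses --list-all output like the listing above, flags the cleartext services (telnet, ftp, tftp) from this sheet’s --get-services list, and reports drift between the runtime and --permanent listings. The two sample listings are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: helpers that parse the
# text printed by `firewall-cmd --list-all`. Listings are passed in as strings
# so the checks can run on constructed samples without firewalld installed.

# Print the value of a single-line field ("services", "ports", ...) from a
# listing; prints an empty line if the field is absent.
list_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print }'
}

# Print allowed services that send credentials in cleartext (watch list taken
# from the telnet/ftp/tftp entries in this sheet's --get-services output).
flag_risky_services() {
  local svc
  for svc in $(list_field "$1" services); do   # unquoted: split on spaces
    case "$svc" in telnet|ftp|tftp) printf '%s\n' "$svc" ;; esac
  done
}

# Report single-line fields that differ between the runtime listing and the
# --permanent listing. --permanent edits only take effect after --reload, and
# runtime-only edits are lost on --reload, so any difference means drift.
config_drift() {
  local f rt pm
  for f in services ports; do
    rt=$(list_field "$1" "$f"); pm=$(list_field "$2" "$f")
    [ "$rt" = "$pm" ] || printf '%s: runtime=[%s] permanent=[%s]\n' "$f" "$rt" "$pm"
  done
}

# Constructed sample: the listing shown above, plus a permanent copy in which
# telnet was added with --permanent but --reload has not been run yet.
RUNTIME='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http https ssh
  ports: 8080/tcp'
PERMANENT='public
  target: default
  interfaces: eth0
  services: dhcpv6-client http https ssh telnet
  ports: 8080/tcp'

flag_risky_services "$PERMANENT" | sed 's/^/WARNING: cleartext service allowed: /'
config_drift "$RUNTIME" "$PERMANENT" | sed 's/^/WARNING: config drift: /'
```

On a live host, replace the two sample strings with $(firewall-cmd --list-all) and $(firewall-cmd --list-all --permanent) for the zone you are auditing.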
Set Default Zone
When setting up a new network interface, you might want to set a default zone for it. This command allows you to do that.
Command:
firewall-cmd --set-default-zone=home
Outcome:
success