Illustrative firewalld cheat sheet showcasing various commands and configurations

Command:

firewall-cmd --set-default-zone=home

Outcome:

success

Query Service

Before adding or removing a service, it’s good to check if it’s already allowed or not. This command helps you do just that.

Command:

firewall-cmd --query-service=http

Outcome:

yes

Remove Service

If you’ve stopped running a service like a web server, you can remove its access through the firewall using this command.

Command:

firewall-cmd --remove-service=http

Outcome:

success

Block an IP Address

If you notice suspicious activity from a specific IP, you can block it using this command.

Command:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.10" reject'

Outcome:

success

List Rich Rules

To review or troubleshoot the custom rules you’ve added, you can list all rich rules in the active zone.

Command:

firewall-cmd --list-rich-rules

Outcome:

rule family="ipv4" source address="192.168.1.10" reject

Get Active Zones

If you’re managing multiple network interfaces, this command helps you see which zones are currently active.

Command:

firewall-cmd --get-active-zones

Outcome:

public
  interfaces: eth0

Add Interface to Zone

When you add a new network interface to your system, you can assign it to a specific zone using this command.

Command:

firewall-cmd --zone=public --add-interface=eth1

Outcome:

success

List All Open Ports in a Specific Zone

If you’re setting up a new service and want to check which ports are already open in a specific zone, this command is useful.

Command:

firewall-cmd --zone=public --list-ports

Outcome:

8080/tcp 22/tcp 443/tcp
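The three query commands above (active zones, interface assignment, open ports) are usually read by eye. As an added example that is not part of the original cheat sheet, the script below turns them into checks a script can run: it parses the two-line format of firewall-cmd --get-active-zones to find which zone an interface is in, and compares the --list-ports output of a zone against an allow-list to flag ports that should not be open. The sample outputs are constructed to match the format shown on this page; the function names are mine. Only check_interface_zone without its third argument talks to a running firewalld.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): sanity checks over the
# output of `firewall-cmd --get-active-zones` and `firewall-cmd --list-ports`.

# Constructed sample of `firewall-cmd --get-active-zones` output: the zone name
# on its own line, followed by indented "interfaces:" / "sources:" lines.
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0 eth1
trusted
  interfaces: eth2
  sources: 10.0.0.0/8'

# Constructed sample of `firewall-cmd --zone=public --list-ports` output.
SAMPLE_PORTS='8080/tcp 22/tcp 443/tcp'

# zone_of_interface IFACE   (reads --get-active-zones output on stdin)
# Prints the zone IFACE is bound to, or nothing if no active zone lists it.
zone_of_interface() {
  awk -v want="$1" '
    /^[^ \t]/ { zone = $1; next }          # unindented line: a zone name
    $1 == "interfaces:" {                  # indented member list of that zone
      for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
    }'
}

# check_interface_zone IFACE EXPECTED_ZONE [ACTIVE_ZONES_TEXT]
# Returns 0 if IFACE is in EXPECTED_ZONE, 1 otherwise. Without the third
# argument it queries the running firewalld (needs firewall-cmd and root).
check_interface_zone() {
  text=${3:-$(firewall-cmd --get-active-zones)}
  actual=$(printf '%s\n' "$text" | zone_of_interface "$1")
  [ "$actual" = "$2" ]
}

# unexpected_ports "ACTUAL_LIST" "ALLOWED_LIST"
# Prints every port/proto in ACTUAL_LIST that is not in ALLOWED_LIST and
# returns 1 if there was at least one, 0 if the zone matches the allow-list.
unexpected_ports() {
  status=0
  for p in $1; do
    found=0
    for a in $2; do [ "$p" = "$a" ] && found=1; done
    if [ $found -eq 0 ]; then
      printf '%s\n' "$p"
      status=1
    fi
  done
  return $status
}

# Demo over the constructed samples (no firewalld needed):
check_interface_zone eth2 trusted "$SAMPLE_ACTIVE_ZONES" && echo "eth2 is in trusted"
unexpected_ports "$SAMPLE_PORTS" "22/tcp 443/tcp" || echo "unexpected open port(s) in public"
```

Run it periodically (or from a configuration-management check) with the real command output in place of the samples; a non-zero exit from either check is the signal that an interface landed in the wrong zone or that a port was opened outside the documented allow-list.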

Advanced firewalld usage – Advanced firewalld cheat list

Direct Interface Traffic to a Specific Zone

To assign an interface to a zone so that all traffic arriving on it is handled by that zone's rules. This example moves eth2 into the trusted zone, which accepts all incoming connections, so use it only for an interface you fully trust; because the change is made with --permanent it takes effect after a reload.

Command:

firewall-cmd --permanent --zone=trusted --change-interface=eth2

Outcome:

success

Add a Rich Rule for Port Forwarding

To redirect incoming TCP traffic on port 80 to port 8080 on the same host.

Command:

firewall-cmd --add-rich-rule='rule family="ipv4" forward-port port=80 protocol=tcp to-port=8080'

Outcome:

success

Limit Rate for a Specific Service

To rate-limit matches for a service: this rule accepts connections to the http service at no more than one per minute.

Command:

firewall-cmd --add-rich-rule='rule service name="http" limit value="1/m" accept'

Outcome:

success

Lockdown Firewalld

To lock down firewalld so that configuration changes are accepted only from the applications and users listed in the lockdown whitelist.

Command:

firewall-cmd --lockdown-on

Outcome:

success

Redirect Incoming Traffic to Port 4423 to Remote Server’s Port 22

If you want this server to act as an intermediary that forwards incoming connections to a specific port on another server, you can, for instance, redirect traffic arriving on port 4423 to port 22 of a remote server (replace REMOTE_SERVER_IP with that server's address). Forwarding to another host also requires masquerading to be enabled in the zone (firewall-cmd --add-masquerade).

Command:

firewall-cmd --add-rich-rule='rule family="ipv4" forward-port port=4423 protocol=tcp to-port=22 to-addr=REMOTE_SERVER_IP'

Outcome:

success
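Both the "Block an IP Address" rich rule earlier on this page and the forward-port rules in the last two sections are plain strings that firewalld parses, so an address or port taken from a variable should be validated before it is spliced into the rule. The following script is an added example, not part of the original cheat sheet: it builds the reject and forward-port rules from checked input, skips a rule that is already present (--query-rich-rule) so repeated runs stay idempotent, applies each rule to both the runtime and the permanent configuration, and enables masquerading before forwarding to another host. The function names are mine; REMOTE_SERVER_IP stays a placeholder, which is exactly why the builder rejects it.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): validated builders for the
# rich rules used on this page, plus idempotent helpers to apply them.

# is_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address, else 1.
is_ipv4() {
  case $1 in *[!0-9.]* | '' | .* | *. | *..*) return 1 ;; esac
  rest=$1. n=0
  while [ -n "$rest" ]; do
    o=${rest%%.*}; rest=${rest#*.}
    n=$((n + 1))
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  [ $n -eq 4 ]
}

# is_port N -> 0 if N is an integer in 1..65535, else 1.
is_port() {
  case $1 in '' | *[!0-9]*) return 1 ;; esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# reject_rule ADDR -> prints the rich rule that rejects all traffic from ADDR.
reject_rule() {
  is_ipv4 "$1" || { echo "reject_rule: invalid IPv4 address: $1" >&2; return 1; }
  printf 'rule family="ipv4" source address="%s" reject\n' "$1"
}

# forward_rule PORT TO_PORT [TO_ADDR] -> prints a TCP forward-port rich rule.
# Without TO_ADDR the redirect is local; with it the traffic goes to another host.
forward_rule() {
  is_port "$1" && is_port "$2" || { echo "forward_rule: bad port" >&2; return 1; }
  if [ -n "$3" ]; then
    is_ipv4 "$3" || { echo "forward_rule: bad to-addr: $3" >&2; return 1; }
    printf 'rule family="ipv4" forward-port port=%s protocol=tcp to-port=%s to-addr=%s\n' "$1" "$2" "$3"
  else
    printf 'rule family="ipv4" forward-port port=%s protocol=tcp to-port=%s\n' "$1" "$2"
  fi
}

# apply_rich_rule RULE [ZONE] -> adds RULE to runtime and permanent config
# unless it is already present. Needs firewall-cmd and root.
apply_rich_rule() {
  rule=$1
  zone_opt=${2:+--zone=$2}
  if firewall-cmd $zone_opt --query-rich-rule="$rule" >/dev/null 2>&1; then
    echo "already present: $rule"
    return 0
  fi
  firewall-cmd $zone_opt --add-rich-rule="$rule" &&
  firewall-cmd $zone_opt --permanent --add-rich-rule="$rule"
}

# forward_to_host PORT TO_PORT TO_ADDR [ZONE]: forwarding to another host needs
# masquerading enabled in the zone, so turn it on first if it is off.
forward_to_host() {
  rule=$(forward_rule "$1" "$2" "$3") || return 1
  zone_opt=${4:+--zone=$4}
  if ! firewall-cmd $zone_opt --query-masquerade >/dev/null 2>&1; then
    firewall-cmd $zone_opt --add-masquerade &&
    firewall-cmd $zone_opt --permanent --add-masquerade || return 1
  fi
  apply_rich_rule "$rule" "$4"
}

# Demo: print the rules this page uses (applying them needs root and firewalld).
reject_rule 192.168.1.10
forward_rule 80 8080
forward_rule 4423 22 REMOTE_SERVER_IP || echo "replace REMOTE_SERVER_IP with the real address first"
```

To actually apply a rule, call apply_rich_rule "$(reject_rule 192.168.1.10)" or forward_to_host 4423 22 <remote address> as root; the permanent copy means the rule survives a reload, and the query step means a second run reports "already present" instead of stacking duplicates.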

Create a Custom Service

If an application you're using listens on a custom port such as 8080 and you want to permit incoming TCP connections to it, you can define a custom firewalld service so the rule is easier to manage.

First, create a custom service XML file, for example, /etc/firewalld/services/custom-8080.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Custom 8080</short>
  <description>This service allows incoming TCP connections on port 8080.</description>
  <port protocol="tcp" port="8080"/>
</service>

Then, reload firewalld to recognize the new service:

Command:

firewall-cmd --reload

Finally, add the custom service we created to firewalld to allow incoming TCP connections on port 8080:

firewall-cmd --permanent --add-service=custom-8080

Don’t forget to reload firewalld one more time to apply the changes:

firewall-cmd --reload

By doing this, you encapsulate the port 8080 rule within a custom service, making it easier to manage.
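The steps above are easy to script once the service definition is generated rather than typed. As an added example that is not part of the original cheat sheet, the script below builds a service XML file like custom-8080.xml from a validated name, port and protocol (escaping the description so stray characters cannot break the XML), refuses to overwrite a service name firewalld already knows, and then runs the same reload / --permanent --add-service / reload sequence the text describes. SERVICE_DIR and the function names are mine; only install_service needs a running firewalld and root.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): generate and install a
# custom firewalld service definition.

# Directory for locally defined services (assumption: the standard location).
SERVICE_DIR=/etc/firewalld/services

# service_xml NAME DESCRIPTION PORT PROTO -> prints the service definition.
# NAME is also used as the <short> label; the file name is what firewalld
# uses as the service name.
service_xml() {
  name=$1 desc=$2 port=$3 proto=$4
  case $name in '' | *[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
  case $port in '' | *[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
    { echo "port out of range: $port" >&2; return 1; }
  case $proto in tcp | udp | sctp | dccp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  # Escape the characters XML treats specially in free text.
  desc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# install_service NAME PORT PROTO [ZONE]: write the file, reload so firewalld
# learns the service, add it permanently, then reload again so the permanent
# configuration becomes the runtime one. Needs firewall-cmd and root.
install_service() {
  name=$1
  file=$SERVICE_DIR/$name.xml
  if firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$name"; then
    echo "service $name already exists, not overwriting $file" >&2
    return 1
  fi
  xml=$(service_xml "$name" "Allows incoming $3 connections on port $2" "$2" "$3") || return 1
  printf '%s\n' "$xml" > "$file" || return 1
  firewall-cmd --reload &&
  firewall-cmd ${4:+--zone=$4} --permanent --add-service="$name" &&
  firewall-cmd --reload
}

# Demo: print the definition for the custom-8080 service from this page.
service_xml custom-8080 "This service allows incoming TCP connections on port 8080." 8080 tcp
```

Running install_service custom-8080 8080 tcp as root reproduces the page's three commands; keeping the generated file under /etc/firewalld/services (rather than /usr/lib/firewalld/services) means a package update will not overwrite it.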

Generate Firewalld cheat list

To list all configuration options, you can delve into the man pages:

man firewall-cmd

Handy Tips for Using Firewalld

  • Listing Services: To see all the services that firewalld knows about in an easy-to-read format, run this command: firewall-cmd --get-services | tr " " "\n".
  • Finding Service Files: You can find the default firewalld service XML files in the /usr/lib/firewalld/services directory.
  • Zone Options: When using commands that have the --zone= option, the default zone will be used if you don’t specify one.
  • Making Changes Stick: To ensure your changes are saved, add the --permanent option to your commands.
  • Applying Changes: Don’t forget to reload firewalld with firewall-cmd --reload after making any changes.

Firewalld cheat list for Quick Command References

  • Show Default Zone: firewall-cmd --get-default-zone
  • Set Default Zone: firewall-cmd --set-default-zone=zone
  • List Zones: firewall-cmd --get-zones
  • List Active Zones: firewall-cmd --get-active-zones
  • List Known Services: firewall-cmd --get-services
  • Add Source to Zone: firewall-cmd --add-source=CIDR [--zone=zone]
  • Remove Source from Zone: firewall-cmd --remove-source=CIDR [--zone=zone]
  • Add Interface to Zone: firewall-cmd --add-interface=interface [--zone=zone]
  • Change Interface Zone: firewall-cmd --change-interface=interface [--zone=zone]
  • List All Settings for a Zone: firewall-cmd --list-all [--zone=zone]
  • List All Settings for All Zones: firewall-cmd --list-all-zones
  • Allow a Service: firewall-cmd --add-service=service [--zone=zone]
  • Allow a Port: firewall-cmd --add-port=port/protocol [--zone=zone]
  • Remove a Service: firewall-cmd --remove-service=service [--zone=zone]
  • Remove a Port: firewall-cmd --remove-port=port/protocol [--zone=zone]
  • Reload Configuration: firewall-cmd --reload

Embracing Modernity with Firewalld

Firstly, the transition to firewalld from traditional iptables offers a plethora of benefits that cannot be ignored. Among these advantages, notably, is the dynamic nature of firewalld, which consequently allows for real-time changes. Additionally, the zone-based configuration model serves to simplify rule management significantly. Consequently, these features not only save valuable time but also enhance operational efficiency.

Overcoming Reluctance to Change

Secondly, the hesitation to adopt firewalld often arises from a comfort zone deeply rooted in familiarity with iptables. However, it’s imperative to understand that technological advancements, such as firewalld, are designed to simplify tasks and improve efficiency. Therefore, embracing these modern tools is essential for staying competitive in today’s fast-paced tech environment.

Firewalld: More Than Just a Frontend

Lastly, the misconception that firewalld is merely a frontend for iptables needs to be dispelled. In reality, while firewalld does operate on top of iptables, the added layer of abstraction provides significant value in terms of ease of use and functionality. Hence, the question isn’t about which tool is superior, but rather which tool better meets the demands of modern network management.

In conclusion, the shift to firewalld is not merely advisable but essential for anyone looking to modernize their approach to firewall management.

More reading

  1. Home | firewalld
    • Acting as the official hub for firewalld, this website provides a comprehensive look at the dynamically managed firewall system and its features: compatibility with IPv4 and IPv6, support for ethernet bridges and IP sets, and the benefits of using firewalld, such as immediate changes in the runtime environment without restarting the service.
  2. A beginner’s guide to firewalld in Linux | Enable Sysadmin
    • Offered by Red Hat's Enable Sysadmin, this guide is an introductory resource on firewalld that emphasizes its zone-based firewall architecture: it explains the security levels firewalld assigns to different connection zones, gives practical examples of commands for interacting with firewalld, and shows how to add and remove services from zones.
  3. Firewalld explained
    • Article that delves into the topic of firewalld as a management interface for iptables. The article covers various aspects of firewalld, including its history, advantages over iptables, and its functionality and commands. It provides a comprehensive guide that could be invaluable for both beginners and seasoned professionals in the Linux system administration and security fields.

© Linuxprofessional.ie
