Basics of firewall-cmd

Firewall-cmd is a front-end tool for managing the firewalld daemon, which interfaces with the Linux kernel’s netfilter framework.

To enable and start firewalld:

sudo systemctl enable --now firewalld

and check the state or status of firewalld with one of the following commands:

sudo firewall-cmd --state
# or
sudo systemctl status firewalld

Zones in a firewall

Firewall-cmd uses zones as templates, and by default it ships with several zones already defined. This saves you from building a firewall from scratch, and if your device has multiple network interfaces, you can apply a different zone to each interface.

To list all zones:

sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work

To see what is allowed in a specific zone:

sudo firewall-cmd --zone {zone_name} --list-all

It shows output like the following:

zone_name
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
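A zone listing like the one above is worth checking against what you expect to be exposed. As an added example (not part of the original page), the following POSIX shell function parses the `services:` and `ports:` lines of a `--list-all` listing and reports anything not on an allowlist; the listing here is a constructed sample that mirrors the output shown above.

```shell
#!/bin/sh
# Added example: audit a firewalld zone listing against an allowlist.
# Constructed sample, mirroring `firewall-cmd --zone public --list-all`
# (8080/tcp is added to the sample so the ports check has something to find).
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the space-separated values of one field ("services" or "ports")
# from a --list-all listing read on stdin.
zone_field() {
    sed -n "s/^  $1: *//p"
}

# audit_zone LISTING ALLOWED_SERVICES ALLOWED_PORTS
# Prints every service or port present in LISTING but absent from the
# allowlists; returns 1 if any were found, 0 if the zone matches.
audit_zone() {
    listing=$1 allowed_services=$2 allowed_ports=$3 rc=0
    for svc in $(printf '%s\n' "$listing" | zone_field services); do
        case " $allowed_services " in
            *" $svc "*) ;;
            *) echo "unexpected service: $svc"; rc=1 ;;
        esac
    done
    for prt in $(printf '%s\n' "$listing" | zone_field ports); do
        case " $allowed_ports " in
            *" $prt "*) ;;
            *) echo "unexpected port: $prt"; rc=1 ;;
        esac
    done
    return $rc
}

# On a real host the listing comes from: firewall-cmd --zone public --list-all
# Here only ssh and dhcpv6-client are expected, so cockpit and 8080/tcp are reported.
if audit_zone "$SAMPLE_LISTING" "ssh dhcpv6-client" ""; then
    echo "zone matches the allowlist"
else
    echo "zone deviates from the allowlist"
fi
```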

Create a new zone

You can create a new zone to suit your needs, with exactly the services and ports you want enabled or disabled. Without further options, firewall-cmd changes the runtime configuration only, which lasts until firewalld or the computer running it restarts. To make a change survive a reboot, use the --permanent flag.

sudo firewall-cmd --new-zone {zone_name} --permanent
# sudo firewall-cmd --new-zone k8s --permanent

and reload the firewall afterwards, since --permanent writes to the saved configuration and the change only becomes active after a reload:

sudo firewall-cmd --reload

To make a zone the default zone

By making a zone such as k8s the default zone, all later commands apply to it unless the --zone option names a different zone.

sudo firewall-cmd --set-default-zone {zone_name}
# sudo firewall-cmd --set-default-zone k8s

Add and remove a service

firewall-cmd ships with predefined services that permit the traffic a given application needs on its standard ports. List them with the following command:

sudo firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client
amanda-k5-client amqp amqps apcupsd audit bacula
bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet
bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine
cockpit collectd condor-collector ctdb dhcp dhcpv6
dhcpv6-client distcc dns dns-over-tls docker-registry
docker-swarm dropbox-lansync elasticsearch etcd-client
etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap
freeipa-ldaps freeipa-replication freeipa-trust ftp galera
ganglia-client ganglia-master git grafana gre high-availability
http http3 https imap imaps ipp ipp-client ipsec irc
ircs iscsi-target isns jellyfin jenkins kadmin kdeconnect
kerberos kibana klogin kpasswd kprop kshell kube-api
kube-apiserver kube-control-plane kube-controller-manager
kube-scheduler kubelet-worker ldap ldaps libvirt libvirt-tls
lightning-network llmnr llmnr-tcp llmnr-udp managesieve
matrix mdns memcache minidlna mongodb mosh mountd
mqtt mqtt-tls ms-wbt mssql murmur mysql nbd netbios-ns nfs
nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio
ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy
pmwebapi pmwebapis pop3 pop3s postgresql privoxy
prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel
radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd
rtsp salt-master samba samba-client samba-dc sane sip
sips slp smtp smtp-submission smtps snmp snmptrap
spideroak-lansync spotify-sync squid ssdp ssh steam-streaming
svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet
tentacle tftp tile38 tinc tor-socks transmission-client upnp-client
vdsm vnc-server wbem-http wbem-https wireguard ws-discovery
ws-discovery-client ws-discovery-tcp ws-discovery-udp
wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local
xmpp-server zabbix-agent zabbix-server zerotier

To see more information about a service (the ports and protocols it opens):

sudo firewall-cmd --info-service={service_name}
# sudo firewall-cmd --info-service=kube-apiserver

To add a service:

sudo firewall-cmd --add-service {service_name} --permanent

To remove a service:

sudo firewall-cmd --remove-service {service_name} --permanent

After adding or removing a service, reload the firewall so the change to the zone takes effect.

Add and remove port

Adding and removing a port works like adding a service, except that you use the --add-port or --remove-port flag and supply the port as `port_number/protocol`.

Add a port:

sudo firewall-cmd --add-port {port_number}/{port_protocol} --permanent
# sudo firewall-cmd --add-port 1234/tcp --permanent

Remove a port:

sudo firewall-cmd --remove-port {port_number}/{port_protocol} --permanent
# sudo firewall-cmd --remove-port 1234/tcp --permanent

Don't forget to reload the firewall after adding or removing ports.

Attach a zone to an interface

To make a zone active and bind it to the network interface you want to protect, use the --change-interface option:

sudo firewall-cmd --change-interface {interface_name} --zone {zone_name} --permanent
# sudo firewall-cmd --change-interface enp0s3 --zone k8s --permanent