10 Useful firewall-cmd Commands in Linux

Linux servers require robust security configurations, and a firewall is a crucial component of network security. One of the most powerful tools available for managing firewall rules in Linux is firewall-cmd, the command-line interface for firewalld. firewalld is a dynamic firewall that allows real-time rule modifications without disrupting existing connections.

This article explores 10 useful firewall-cmd commands in Linux to help you configure and manage firewall settings efficiently. These commands will assist system administrators in effectively handling zones, services, ports, and other security rules.

Let’s dive deeper to learn more.

Prerequisites

Before working with firewall-cmd, ensure you have the following:

  • A Linux system with firewalld installed (e.g., CentOS, Fedora, RHEL, Ubuntu, Debian)
  • Root or sudo privileges to execute firewall-related commands
  • Basic knowledge of command-line interface (CLI) operations
  • Internet connectivity for installing necessary packages (if not already installed)

What is Firewalld?

firewalld is a dynamic firewall management tool for Linux distributions. Unlike traditional firewall utilities like iptables, firewalld allows real-time rule updates without disconnecting current network connections. It uses zones to define trust levels for network interfaces, making security configurations more flexible and easier to manage.

Note: firewalld operates as a front-end for iptables and nftables, providing a more user-friendly way to manage firewall rules.

Steps to Install and Enable firewalld

Before using firewall-cmd, ensure that firewalld is installed and running on your system.

Installation

For RHEL-based systems (CentOS, Fedora, Rocky Linux):

sudo yum install firewalld -y

For Debian-based systems (Ubuntu, Debian):

sudo apt install firewalld -y

Note: If the command sudo apt install firewalld -y gives you an error, try running sudo apt-get update first to update your package lists and then attempt the installation again.

Enable and Start firewalld

To enable and start the firewall service:

sudo systemctl enable --now firewalld

Check if firewalld is running:

sudo firewall-cmd --state

If the output shows running, the firewall is active and ready for configuration.

Note: Changes made with --permanent are written to the saved configuration and take effect only after a reload; changes made without --permanent apply immediately but are lost on the next reload or restart. Reload after every batch of permanent changes to apply them.

10 Useful firewall-cmd Commands in Linux

Mastering firewall-cmd commands is essential for effectively managing Linux firewall rules. These commands allow administrators to configure zones, open or block ports, and secure network connections dynamically. By understanding these essential Linux commands, you can enhance your system’s security while maintaining seamless connectivity.

Let’s explore these critical commands in detail.

1. Checking Active Zones

Zones in firewalld define different levels of trust for network connections. Each network interface is assigned to a zone, determining its firewall rules. By running the following command, you can check which zones are currently active and which interfaces are assigned to them:

sudo firewall-cmd --get-active-zones

This command displays the zones assigned to network interfaces, such as public, home, or work.

2. Listing Services and Rules

Understanding which services and rules are currently active in your firewall is crucial for security management. The following command provides a detailed list of services, open ports, and other active rules:

sudo firewall-cmd --list-all

This command provides a comprehensive overview of the current firewall rules.
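Reading --list-all by eye does not scale, and a port or service that was opened "temporarily" tends to stay. The script below is an added example, not code from the original article: it parses the text that sudo firewall-cmd --list-all prints and reports anything not in an expected baseline, so drift in the running firewall is caught rather than assumed away. The sample dump, the baseline and the function names are this example's own constructions; the output layout is the one firewall-cmd uses (two-space indented key: value lines, rich rules continued on tab-indented lines).

```python
"""Audit a firewalld zone dump against an allowlist (added example)."""
import re
import sys

# Constructed sample of `firewall-cmd --list-all` output (not captured from a real host).
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.0/24
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp 3000-4000/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
\trule family="ipv4" source address="10.0.0.5" reject
"""

# What this zone is supposed to expose (constructed baseline for the example).
BASELINE = {
    "services": {"ssh", "http", "dhcpv6-client"},
    "ports": {"8080/tcp"},
    "sources": set(),
}


def parse_list_all(text):
    """Return (zone_name, is_active, {field: [values]}) from --list-all output."""
    lines = text.splitlines()
    m = re.match(r'^(\S+)(?:\s+\((active)\))?$', lines[0].strip())
    if not m:
        raise ValueError("unexpected header line: %r" % lines[0])
    zone, active = m.group(1), m.group(2) == "active"
    fields = {}
    key = None
    for line in lines[1:]:
        if not line.strip():
            continue
        if line.startswith("\t") and key is not None:
            fields[key].append(line.strip())   # continuation line (rich rules)
            continue
        key, _, value = line.strip().partition(":")
        fields[key] = value.split()
    return zone, active, fields


def audit(fields, baseline=BASELINE):
    """Return {field: [unexpected values]}; an empty dict means the zone matches the baseline."""
    findings = {}
    for field, allowed in baseline.items():
        extra = sorted(set(fields.get(field, [])) - set(allowed))
        if extra:
            findings[field] = extra
    # A zone whose target is ACCEPT lets through everything not explicitly matched.
    if fields.get("target") == ["ACCEPT"]:
        findings["target"] = ["ACCEPT"]
    return findings


if __name__ == "__main__":
    # Pipe real output in: sudo firewall-cmd --list-all | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_ALL
    zone, active, fields = parse_list_all(text)
    for field, extra in audit(fields).items():
        print("zone %s: unexpected %s: %s" % (zone, field, " ".join(extra)))
```

On the sample dump this reports cockpit, the 3000-4000/tcp range and the 192.168.1.0/24 source as unexpected. Running it from cron against each zone (firewall-cmd --list-all --zone=NAME) gives a cheap configuration-drift check.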

3. Adding and Removing Services

Firewall rules often need modification to allow or block specific services. You can permit a service like HTTP using:

sudo firewall-cmd --add-service=http --permanent

To remove a service:

sudo firewall-cmd --remove-service=http --permanent

After making changes, reload the firewall to apply them:

sudo firewall-cmd --reload

4. Allowing Specific Ports

When a service is not predefined in firewalld, you can manually allow traffic on a specific port. For example, to open port 8080 for TCP traffic, run:

sudo firewall-cmd --add-port=8080/tcp --permanent

5. Blocking or Allowing Specific IPs

Restricting or allowing access from specific IPs enhances network security. Allowing trusted IPs while blocking untrusted ones minimizes security risks from unauthorized connections.

In firewalld, a source address or range is bound to a zone, and that zone's rules then apply to traffic from it. To bind an IP range to the default zone, allowing whatever that zone permits:

sudo firewall-cmd --add-source=192.168.1.100/24 --permanent

To detach the range from the zone again:

sudo firewall-cmd --remove-source=192.168.1.100/24 --permanent

Note that --remove-source only stops the zone's rules from applying to that source; it does not block it. To block an IP address or range, bind it to the drop zone instead (or add a rich rule with a reject action), then reload.
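Two things are easy to get wrong with sources: a prefix whose host bits are set (192.168.1.100/24 names the network 192.168.1.0/24), and confusing --remove-source with a block. The helper below is an added example, not code from the article: it canonicalizes the source with the standard-library ipaddress module before building the firewall-cmd command, and builds a different command for "allow", "detach" and "block". The drop zone and the options are real firewalld ones; the function names and the dry-run behaviour are this example's own.

```python
"""Validate a source and build the right firewall-cmd command (added example)."""
import ipaddress
import shutil
import subprocess


def canonical_source(spec):
    """Return (network_string, was_rewritten).

    strict=True rejects a prefix with host bits set, which is how we notice an
    address/mask mismatch; strict=False then gives the network firewalld will use.
    A string that is not an address or network at all still raises ValueError.
    """
    try:
        return str(ipaddress.ip_network(spec, strict=True)), False
    except ValueError:
        return str(ipaddress.ip_network(spec, strict=False)), True


def source_command(spec, action, zone=None, permanent=True):
    """Build the firewall-cmd argv for action in {'allow', 'detach', 'block'}.

    allow  : bind the source to zone (default zone if None) so that zone's rules apply
    detach : --remove-source, which only unbinds the source; it is NOT a block
    block  : bind the source to the built-in drop zone, which discards all its traffic
    """
    source, _ = canonical_source(spec)
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    if action == "allow":
        if zone:
            argv.append("--zone=%s" % zone)
        argv.append("--add-source=%s" % source)
    elif action == "detach":
        if zone:
            argv.append("--zone=%s" % zone)
        argv.append("--remove-source=%s" % source)
    elif action == "block":
        # A source can be bound to only one zone at a time; firewalld refuses the
        # bind with a zone conflict if it is still attached elsewhere, so detach first.
        argv.append("--zone=drop")
        argv.append("--add-source=%s" % source)
    else:
        raise ValueError("unknown action %r" % action)
    return argv


def apply_command(argv, dry_run=True):
    """Run argv under sudo when firewall-cmd exists and dry_run is off; always return argv."""
    if dry_run or shutil.which("firewall-cmd") is None:
        return argv
    subprocess.run(["sudo"] + argv, check=True)
    return argv


if __name__ == "__main__":
    for spec in ("192.168.1.100/24", "192.168.1.0/24", "192.168.1.100"):
        net, rewritten = canonical_source(spec)
        print("%-18s -> %-18s %s" % (spec, net, "(host bits cleared)" if rewritten else ""))
    print(" ".join(apply_command(source_command("192.168.1.100/24", "block"))))
```

Because --permanent changes only land after a reload, a full block is the "block" command followed by firewall-cmd --reload; after the reload, firewall-cmd --list-all --zone=drop should show the source.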

6. Allowing Port Ranges

Certain applications require multiple ports for communication. Instead of opening ports individually, defining a port range streamlines the process and ensures seamless connectivity. To allow a range of ports from 3000 to 4000 over TCP, use:

sudo firewall-cmd --add-port=3000-4000/tcp --permanent

As with single ports, the rule is written to the permanent configuration and takes effect after a reload.

7. Setting Default Zone

The default zone applies to all network interfaces unless explicitly assigned to another zone. Configuring a stricter default zone enhances security by limiting network exposure. To set the default zone to home, run:

sudo firewall-cmd --set-default-zone=home

Verify the new default zone:

sudo firewall-cmd --get-default-zone

Note that the home zone permits more than the usual default, public, so choose the zone that matches how much you trust the network the interface is connected to.

8. Enabling Logging for Dropped Packets

Logging denied packets helps troubleshoot firewall configurations and detect security threats. Enabling logging allows administrators to monitor dropped connections and adjust rules as needed. To enable logging:

sudo firewall-cmd --set-log-denied=all

This setting logs all blocked packets to the kernel log (the value can also be unicast, broadcast, multicast, or off), providing insight into blocked connections and helping administrators detect unauthorized access attempts.
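Once --set-log-denied is on, the denied packets show up in the kernel log (journalctl -k) as netfilter LOG lines prefixed with firewalld's FINAL_REJECT or STATE_INVALID_DROP. The script below is an added example, not code from the article: it parses those lines, counts denials per source, and flags sources that were refused on several distinct ports, which is the pattern a port scan leaves behind. The log lines are constructed for the example using documentation addresses (203.0.113.0/24, 198.51.100.0/24); the function names and the threshold are this example's own.

```python
"""Summarize firewalld denied-packet log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample kernel log lines in netfilter LOG format (not from a real host);
# MAC= and some other fields are omitted, the parser does not depend on them.
SAMPLE_KLOG = """\
Jun 12 10:15:01 srv kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:15:02 srv kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:15:03 srv kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=51236 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:15:04 srv kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=TCP SPT=443 DPT=40211 WINDOW=0 RES=0x00 RST URGP=0
Jun 12 10:15:05 srv kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=32 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=UDP SPT=5353 DPT=5353 LEN=12
Jun 12 10:15:06 srv sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50022 ssh2
"""

# "kernel: <PREFIX>: " followed by space-separated KEY=VALUE fields; bare flags such as
# DF, SYN and RST carry no '=' and are ignored by KV_RE.
LOG_RE = re.compile(r'kernel: (?P<prefix>[A-Z_]+): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_denied(text):
    """Return one dict per firewalld LOG line; non-kernel lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("rest")))
        fields["PREFIX"] = m.group("prefix")   # FINAL_REJECT, STATE_INVALID_DROP, ...
        events.append(fields)
    return events


def summarize(events, scan_threshold=3):
    """Count denials per source and flag sources refused on >= scan_threshold distinct ports."""
    by_source = Counter(e["SRC"] for e in events)
    ports_by_source = defaultdict(set)
    for e in events:
        ports_by_source[e["SRC"]].add((e.get("PROTO"), e.get("DPT")))
    suspected = sorted(src for src, ports in ports_by_source.items() if len(ports) >= scan_threshold)
    return {"by_source": dict(by_source), "suspected_scanners": suspected}


if __name__ == "__main__":
    # Real use: journalctl -k --since today | python3 denied.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLOG
    report = summarize(parse_denied(text))
    for src, n in sorted(report["by_source"].items(), key=lambda kv: -kv[1]):
        print("%-16s %d denied" % (src, n))
    if report["suspected_scanners"]:
        print("touched %d+ distinct ports:" % 3, ", ".join(report["suspected_scanners"]))
```

STATE_INVALID_DROP lines, like the stray RST from 198.51.100.20 above, are usually late packets of closed connections rather than hostile traffic; the FINAL_REJECT lines are the ones that reflect the zone's policy and are worth trending.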

9. Creating Custom Services

If a required service is not predefined in firewalld, a custom service can be created. This allows administrators to define rules tailored to specific applications. To define a new service called myapp:

sudo firewall-cmd --permanent --new-service=myapp

This creates an empty service definition. Then add the ports the application needs to that definition, reload so firewalld reads the new service, and add the service to a zone exactly as you would a predefined one.
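The article stops at "add the ports"; the complete sequence is new-service, add each port to the service definition, reload (so the new service file is known), add the service to a zone, reload again. The helper below is an added example, not code from the article: it validates each port specification before anything is run, so a typo fails up front rather than half-way through, and returns the ordered commands. myapp is the article's service name; the port list, the function names and the dry-run behaviour are this example's own. The --service=NAME --add-port form is firewall-cmd's own option for editing a service definition.

```python
"""Build and run the full command sequence for a custom firewalld service (added example)."""
import re
import shutil
import subprocess

# firewalld port syntax: port or port-range, then /tcp, /udp, /sctp or /dccp
PORT_RE = re.compile(r'^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp|sctp|dccp)$')
NAME_RE = re.compile(r'^[A-Za-z0-9_-]+$')


def check_port_spec(spec):
    """Return spec unchanged if it is a valid port[-port]/proto, else raise ValueError."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError("bad port spec %r (want e.g. 8080/tcp or 3000-4000/tcp)" % spec)
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("port range out of order or out of range: %r" % spec)
    return spec


def custom_service_commands(name, ports, zone=None):
    """Return the ordered firewall-cmd argv lists that define and enable service `name`."""
    if not NAME_RE.match(name):
        raise ValueError("service name should be a plain identifier: %r" % name)
    ports = [check_port_spec(p) for p in ports]
    zone_arg = ["--zone=%s" % zone] if zone else []   # default zone when None
    cmds = [["firewall-cmd", "--permanent", "--new-service=%s" % name]]
    for p in ports:
        cmds.append(["firewall-cmd", "--permanent", "--service=%s" % name, "--add-port=%s" % p])
    cmds.append(["firewall-cmd", "--reload"])          # load the new service definition
    cmds.append(["firewall-cmd", "--permanent"] + zone_arg + ["--add-service=%s" % name])
    cmds.append(["firewall-cmd", "--reload"])          # activate the zone change
    return cmds


def run_commands(cmds, dry_run=True):
    """Execute the commands under sudo, stopping at the first failure; dry_run only returns them."""
    if dry_run or shutil.which("firewall-cmd") is None:
        return cmds
    for argv in cmds:
        subprocess.run(["sudo"] + argv, check=True)
    return cmds


if __name__ == "__main__":
    # Constructed example: myapp listens on 8080/tcp and a 3000-4000/udp range.
    for argv in run_commands(custom_service_commands("myapp", ["8080/tcp", "3000-4000/udp"])):
        print("sudo " + " ".join(argv))
```

After the final reload, firewall-cmd --info-service=myapp shows the definition and --list-services should include myapp in the zone.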

10. Reloading and Restarting Firewall

Reloading applies configuration changes without disrupting active connections, while restarting resets the firewall service. Reloading is preferred in most cases for seamless updates. To apply firewall changes without disrupting network connections, use:

sudo firewall-cmd --reload

If needed, restart the entire firewall service:

sudo systemctl restart firewalld

Note: Reloading is preferred over restarting as it applies changes instantly without affecting active connections. Both reload and restart discard runtime-only changes, that is, anything added without --permanent.

Closing Comment

Configuring a firewall is a fundamental aspect of Linux server security. Using firewall-cmd commands, system administrators can efficiently manage firewall rules, ensuring security without disrupting operations. The ten commands covered in this article help monitor active zones, allow or block services and ports, and create custom rules for better security management.

By understanding and utilizing these commands, Linux users can enhance their system security and maintain a well-configured firewall. Always test new rules carefully and regularly audit firewall settings to keep your system secure. For detailed information, refer to the official firewalld documentation.


Authored by Roshan Ray