firewalld

(2016-12-06)

God help me, this is firewalld

After you make a change, reload the firewall to make it active:

# firewall-cmd --reload

To make the current running state of the firewall permanent (i.e. used at the next boot):

# firewall-cmd --runtime-to-permanent

Status:

# systemctl status firewalld

Active zones:

# firewall-cmd --get-active-zones

Defined services:

# firewall-cmd --list-services

Add a new service by service name (beware the active zone):

# firewall-cmd --zone=FedoraWorkstation --add-service=smtp --permanent

Add a port number:

# firewall-cmd --zone=FedoraWorkstation --add-port=80/tcp --permanent

Add a range of port numbers:

# firewall-cmd --zone=FedoraWorkstation --add-port=6000-6050/udp --permanent

List open services:

# firewall-cmd --zone=FedoraWorkstation --list-services

List open ports that are not defined as services:

# firewall-cmd --zone=FedoraWorkstation --list-ports
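The two listing commands above only tell you what is open if you read the output by hand. As an added example (not part of the original notes), the POSIX sh functions below parse the output of `firewall-cmd --zone=ZONE --list-all` and answer the questions an auditor actually asks: is this service allowed, is this port reachable (including through a range), and which port ranges are wide enough to deserve a second look. The sample output is constructed for this example and stands in for a default FedoraWorkstation zone; it was not captured from the page.

```shell
#!/bin/sh
# Constructed sample of what `firewall-cmd --zone=FedoraWorkstation --list-all`
# prints (assumed for this example, not taken from the page).
SAMPLE_LIST_ALL='FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# zone_field OUTPUT FIELD: print the value of one "  field: value" line.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# service_allowed OUTPUT NAME: succeed if NAME appears on the services: line.
service_allowed() {
    for svc in $(zone_field "$1" services); do
        [ "$svc" = "$2" ] && return 0
    done
    return 1
}

# port_is_open OUTPUT PORT PROTO: succeed if PORT/PROTO falls inside any
# entry of the ports: line, whether a single port (80/tcp) or a range
# (6000-6050/udp). Services are not expanded; check them with service_allowed.
port_is_open() {
    _port=$2; _proto=$3
    for entry in $(zone_field "$1" ports); do
        case "$entry" in
            */"$_proto") ;;
            *) continue ;;
        esac
        range=${entry%/*}
        low=${range%-*}
        high=${range#*-}
        if [ "$_port" -ge "$low" ] && [ "$_port" -le "$high" ]; then
            return 0
        fi
    done
    return 1
}

# wide_ranges OUTPUT MAX: print every ports: entry spanning more than MAX
# ports. The FedoraWorkstation default (1025-65535) is exactly the kind of
# range this is meant to surface.
wide_ranges() {
    _max=${2:-100}
    for entry in $(zone_field "$1" ports); do
        range=${entry%/*}
        low=${range%-*}
        high=${range#*-}
        [ $((high - low + 1)) -gt "$_max" ] && printf '%s\n' "$entry"
    done
    return 0
}

# Usage against the live firewall (requires root and firewalld):
#   out=$(firewall-cmd --zone=FedoraWorkstation --list-all)
#   port_is_open "$out" 8080 tcp && echo "8080/tcp is reachable"
#   wide_ranges "$out" 100
```

Run it against the real zone by replacing `SAMPLE_LIST_ALL` with the captured output; note that a port closed in the `ports:` line can still be reachable through a service definition, which is why both checks exist.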

Add masquerading:

# firewall-cmd --zone=external --add-masquerade --permanent

Port forwarding:

# firewall-cmd --zone=external --add-forward-port=port=2022:proto=tcp:toport=22:toaddr=192.168.0.2
  • The toport= and toaddr= parts default to the original destination port and address if not specified

Change interface zone membership:

# firewall-cmd --permanent --zone=home --change-interface=p2p1
# firewall-cmd --permanent --zone=public --change-interface=p1p1
# firewall-cmd --reload

...although that hasn't actually helped for me. I had to edit /etc/sysconfig/network-scripts/ifcfg-$INTERFACE and add a

ZONE=$zone

Intra-zone traffic:

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens256 -o ens192 -j ACCEPT

Blocking subnets:

# firewall-cmd --add-rich-rule="rule family='ipv4' source address='185.222.209.0/24' drop" --permanent
# firewall-cmd --add-rich-rule="rule family='ipv4' source address='185.222.209.0/24' drop"

To block a particular host, replace the subnet with a single IP address (no /32 suffix is required in that case).
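The address ends up inside a quoted rich-rule string, so anything that is not a plain IPv4 address or subnet should be rejected before it reaches `firewall-cmd`. As an added example (not part of the original notes), the sh functions below validate the source, build the same `drop` rich rule shown above, and apply it with the runtime + `--permanent` pair so the block takes effect now and survives a reload. `FIREWALL_CMD` is an assumption introduced here: it defaults to `echo firewall-cmd` for an offline dry run and is set to the real binary on a live host.

```shell
#!/bin/sh
# FIREWALL_CMD is assumed for this example: set FIREWALL_CMD=firewall-cmd on a
# real host; the default only prints the commands it would run.
: "${FIREWALL_CMD:=echo firewall-cmd}"

# valid_ipv4_source ARG: succeed if ARG is a dotted-quad IPv4 address with an
# optional /0-32 prefix, i.e. the only shapes we want inside address='...'.
valid_ipv4_source() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case "$prefix" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# drop_rule SOURCE: print the rich rule dropping all traffic from SOURCE,
# a subnet ('185.222.209.0/24') or a single host ('185.222.209.7', no /32).
drop_rule() {
    valid_ipv4_source "$1" || return 1
    printf "rule family='ipv4' source address='%s' drop\n" "$1"
}

# block_source SOURCE: add the rule to the permanent configuration and to the
# running firewall, the same pair of commands as in the notes above.
block_source() {
    rule=$(drop_rule "$1") || { echo "refusing invalid source: $1" >&2; return 1; }
    $FIREWALL_CMD --add-rich-rule="$rule" --permanent &&
    $FIREWALL_CMD --add-rich-rule="$rule"
}

# Usage: sh block_source.sh 185.222.209.0/24
if [ $# -gt 0 ]; then
    block_source "$1"
fi
```

The validation is deliberately strict (IPv4 only, no hostnames, no embedded spaces), so a value such as `185.222.209.0/24 drop` copied from a log line is refused rather than turned into a rule with an unexpected tail.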