A firewall is a network security system that monitors and controls incoming/outgoing network traffic based on predetermined security rules. Typically, firewalls establish a barrier between a trusted and an untrusted network (e.g., the Internet).
Note: If you are not familiar with the GNU/Linux command line interface, review the Conventions page before proceeding.
Basic Principles
The first principle of network security is to present the smallest possible attack surface. Make sure that your host does not run any Internet-facing services that you are unaware of.
This is most easily checked using a command like ss:
$ ss -lptu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:hostmon 0.0.0.0:*
udp UNCONN 0 0 192.168.122.1:domain 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0%virbr0:bootps 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:51567 0.0.0.0:*
udp UNCONN 0 0 [::]:33924 [::]:*
udp UNCONN 0 0 [::]:mdns [::]:*
udp UNCONN 0 0 [::]:hostmon [::]:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 32 192.168.122.1:domain 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:ipp 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:hostmon 0.0.0.0:*
tcp LISTEN 0 128 [::1]:ipp [::]:*
tcp LISTEN 0 4096 [::]:hostmon [::]:*
The above command presents you with a list of all open ports, i.e., the services that your computer provides, together with the IP addresses that it provides them on and the processes responsible for them. If you have access to a suitably equipped host outside of your local network, you can also use nmap to check how your computer presents itself to the Internet.
You should be able to justify every line that the ss and nmap programs output. If anything appears that means nothing to you, find out what it is and whether it is required. Deactivate all services that you do not need by removing the corresponding programs from the list of daemons to be started when the system is booted.
If you are using xinetd, add the following line to the configuration sections of any services that you do not want to run:
disable = yes
Services that are not obviously superfluous can often be limited to the local host or the local network. Make use of the option to provide a service only on the loopback interface (localhost, 127.0.0.1) whenever possible.
For example, it makes sense to allow local programs to submit email messages via the SMTP service of your host, but it is not necessary to allow the entire local area network (LAN), or even the entire Internet, to do so. All common Mail Transfer Agents (MTAs) can be configured such that they only accept connections on IP address 127.0.0.1, port 25.
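As an added illustration (not part of the original page), the following shell script applies the "justify every line" rule to ss -lptu output mechanically: it reports every listening socket that is not bound to the loopback interface, which is exactly the set of services that either need a justification or should be moved to 127.0.0.1 as recommended above. The sample listing embedded in the script is a constructed subset of the ss output shown earlier; on a live system you would pass it the real output with exposed_listeners "$(ss -lptu)".

```shell
#!/bin/sh
# Added example, not from the original page: find listeners reachable from
# beyond the loopback interface in `ss -lptu` output.

# Constructed sample: a subset of the `ss -lptu` listing shown above.
SAMPLE_SS_OUTPUT='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 32 192.168.122.1:domain 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:ipp 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:hostmon 0.0.0.0:*
tcp LISTEN 0 4096 [::]:hostmon [::]:*'

# exposed_listeners SS_OUTPUT
# Prints "<netid> <local address:port>" for each socket whose local address
# is not loopback: 127.0.0.0/8, ::1, or an address scoped to the lo interface
# (the "%lo" suffix, as in 127.0.0.53%lo). Everything else is reachable from
# at least one non-loopback interface and must be justified.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                 # skip the header line
        {
            addr = $5                    # Local Address:Port column
            if (addr ~ /^127\./) next
            if (addr ~ /^\[::1\]/) next
            if (addr ~ /%lo:/) next
            print $1, addr
        }'
}

# count_exposed SS_OUTPUT - number of non-loopback listeners
count_exposed() {
    exposed_listeners "$1" | awk 'END { print NR }'
}

echo "Listeners reachable beyond loopback:"
exposed_listeners "$SAMPLE_SS_OUTPUT"
```

Addresses such as 192.168.122.1:domain (a libvirt resolver bound to a bridge) are reported as well: they are not loopback, so they still need a justification even though they are not Internet-facing.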
Firewall Types
Firewalls can be implemented in a variety of ways. One of the most common types is a packet-filtering firewall, where all traffic moving between the private and public networks must go through the firewall. As it does, the firewall captures all incoming/outgoing packets and compares them against the rules that you have configured.
The firewall can filter traffic based on the:
- Origin address
- Destination address
- Origin port
- Destination port
- Protocol used
- Type of packet
If a packet abides by the rules, it is forwarded to the next network. If it does not, it is dropped.
Packet-filtering firewalls do not necessarily have to be implemented between your network and the Internet. They can also be implemented between a network segment and a backbone segment to increase your internal network security.
Packet-filtering firewalls are widely used. They cost less than other types of firewalls and require relatively little processing. Data quickly moves through them, making them much faster than other firewalls.
Also, stateful firewalls and application-level gateways can be implemented, which both operate higher up in the OSI model.
netfilter
The Linux kernel itself completes packet-filtering tasks on GNU/Linux. The netfilter infrastructure is what accomplishes this and is included, by default, with most GNU/Linux distributions.

Specifically, netfilter is a framework provided by the Linux kernel that allows various network-related operations to be implemented in the form of customized handlers. It offers various functions, including:
- Packet filtering
- Network address translation (NAT)
- Port translation

netfilter represents a series of hooks inside the Linux kernel that allow certain kernel modules to register callback functions with the kernel's networking stack. Those functions are called for every packet that traverses the respective hook inside of the network stack.
nftables
netfilter works in conjunction with a user-space utility. In the past, this was iptables. Now, it is nftables.
nftables serves as the packet-filtering portion of netfilter. Its nft command is the new user-space utility that replaces the iptables family of commands: iptables, arptables, and ebtables.
To determine if your system has the nf_tables kernel module, run the following command:
$ modinfo nf_tables | head
filename: /lib/modules/5.13.4-100.fc33.x86_64/kernel/net/netfilter/nf_tables.ko.xz
alias: nfnetlink-subsys-10
author: Patrick McHardy <kaber@trash.net>
license: GPL
depends: nfnetlink
retpoline: Y
intree: Y
name: nf_tables
vermagic: 5.13.4-100.fc33.x86_64 SMP mod_unload
sig_id: PKCS#7
To see if the nftables.service unit is running on your system, enter systemctl status nftables.service. On GNU/Linux distributions like Debian and Fedora, nftables is likely already installed, but the service is disabled (Fedora uses firewalld for firewall management):
$ systemctl status nftables.service
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)
If you are using a distribution that does not use firewalld for firewall management (e.g., Debian 11), enable/start the nftables service by running the following command:
# systemctl enable --now nftables.service
Confirm that both the nf_tables kernel module and the nftables.service unit are active:
$ lsmod | grep 'nf_tables'
nf_tables 143360 0
nfnetlink 16384 1 nf_tables
$ systemctl status nftables.service
● nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2021-08-02 07:30:21 PDT; 6s ago
Docs: man:nft(8)
http://wiki.nftables.org
Process: 2064 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
Main PID: 2064 (code=exited, status=0/SUCCESS)
Configuration
nftables has a specific syntax:
- The sharp (#) is used for comments.
- Several commands are combined with the semicolon (;).
- An instruction can be split into several lines using the backslash (\) at the end of the line.
Variables
nftables supports variables. These are helpful when you need to refer repeatedly to one or more interfaces:
define external_interface = eth0
define internal_interface = eth1
define all_interfaces = { $external_interface, $internal_interface }
Tables
In an nftables configuration, a table is at the apex of a ruleset and consists of chains, which are containers for rules (i.e., Tables > Chains > Rules). You can create (add), delete (delete), and empty (flush) a table.
Namespaces and Address Families
All objects in nftables have a namespace that includes the address family. The address family specifies what kinds of hooks will be applied for further analysis of the information stream.
For example, the ip address family is for IPv4 traffic. ARP traffic is filtered using arptables, which belongs to the arp address family.
The bridge address family is used to configure a bridged interface, and the netdev address family is used for early incoming traffic filtering (netdev filtering is done before OSI layer 3 filters are reached).
The available address families are:
- arp
- bridge
- inet (ip + ip6)
- ip
- ip6
- netdev
Chains
After a table is created, chains can be added to it. Chains hold firewall rules and are of one of two defined types:
- base: A base chain has a related hook in the kernel through which it can see the traffic.
- non-base: A non-base chain does not have a related hook in the kernel and cannot see the traffic on its own.
Type refers to the kind of chain that can be created. Possible types are:
- filter: Supported by the arp, bridge, ip, ip6, and inet families.
- route: Marks packets. Supported by ip and ip6.
- nat: Performs NAT. Supported by ip and ip6.
Hook refers to a specific stage of the packet while it is being processed through the kernel.
- Hooks for the ip, ip6, and inet families are prerouting, input, output, and postrouting.
- Hooks for arp are input and output.
- The bridge family handles Ethernet packets traversing bridge devices.
- The hook for netdev is ingress.
Priority refers to a number used to order the chains relative to each other and to other netfilter operations. Possible values include:
NF_IP_PRI_CONNTRACK_DEFRAG (-400)
NF_IP_PRI_RAW (-300)
NF_IP_PRI_SELINUX_FIRST (-225)
Policy is the default verdict statement to control the flow in the chain. Possible values are:
accept
drop
queue
continue
return
Rules
The building blocks of a nftables rule are:
- expression(s)
- operator
- action
Expressions are evaluated from left to right. When the first expression matches, it continues with the other parts (i.e., the operator and action). If the expression does not match, the next rule is evaluated.
A handle is an internal number that identifies a certain rule (i.e., a rule index). A position is an internal number that is used to insert a rule before a certain handle (i.e., a number used to specify an insertion point for a rule in a chain).
Matches are selectors used to access certain packet information and to build filters based on it.
A statement is the action performed when the packet matches a rule. A statement is either terminal or non-terminal. A single rule may contain several non-terminal statements, but only one terminal statement.
More information on matches and statements, as well as numerous rule examples, can be found in the nftables wiki.
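The sections above describe the pieces of an nftables ruleset one at a time. As an added example (not code from the original page or from the nftables project), the following shell script writes one complete ruleset file that puts them together: comments, semicolons, a backslash line continuation, define variables, an inet table, a non-base chain reached only by jump, base chains with a hook, a priority and a default policy, and rules that combine non-terminal (counter) and terminal (accept, drop) statements. It uses the forward hook in addition to the hooks listed above. The interface name eth0 and the administration networks are assumptions for the example. If nft is installed, the script also parses the file with nft -c -f, which checks the syntax without loading anything into the kernel.

```shell
#!/bin/sh
# Added example, not from the original page: write a complete nftables ruleset
# that uses the syntax elements described above, then syntax-check it with
# `nft -c` when nft is available. Interface and network names are assumptions.

# write_ruleset FILE - write the example ruleset to FILE
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# Comments start with a sharp. Start from an empty ruleset so this file
# fully describes the firewall.
flush ruleset

# Variables: assumed interface name and administration networks
define wan_if = eth0
define admin_net = { 192.0.2.0/24, 198.51.100.0/24 }

table inet filter {
    # Non-base chain: no hook, so it only sees packets sent to it by jump
    chain admin_access {
        ip saddr $admin_net tcp dport 22 counter accept
    }

    # Base chain: a kernel hook (input), a priority and a default policy,
    # separated by semicolons
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop
        ct state established,related accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        # One rule split across two lines with a trailing backslash;
        # "counter" is non-terminal, "accept" is the single terminal statement
        iifname $wan_if tcp dport { 80, 443 } \
            counter accept
        jump admin_access
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset FILE - parse FILE without loading it; succeeds (with a
# notice) when nft is not installed so the example still runs elsewhere
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipped kernel-side check of $1" >&2
    fi
}

# count_base_chains FILE - number of chains attached to a hook
count_base_chains() {
    grep -c 'hook [a-z]* priority' "$1"
}

RULESET_FILE="${TMPDIR:-/tmp}/nftables-example.conf"
write_ruleset "$RULESET_FILE"
if check_ruleset "$RULESET_FILE"; then
    echo "$RULESET_FILE: $(count_base_chains "$RULESET_FILE") base chains"
fi
```

The input chain defaults to drop and only opens what is listed, which is the smallest-attack-surface principle from the start of the page expressed as a ruleset; loading the file for real is done with nft -f, as the nftables.service unit shown earlier does with /etc/nftables.conf.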
nft
The nft utility parses the firewall rulesets and compiles them into a language that the kernel understands, ensuring that the kernel receives an optimized set of instructions. Using nft, you can manipulate the rules instead of having to flush the configuration every time there is a change.
nft Commands
Useful nft commands include:
# nft list tables
- List tables.
# nft list table ex_address_family ex_table
- List all chains and rules in the specified table (e.g., # nft list table inet filter).
- Add the -a (--handle) option to show the object handles in the output and -n (--numeric) to show fully numeric output.
# nft list chains
- List chains.
# nft list chain ex_address_family ex_table ex_chain
- List all rules of the specified chain from the specified table.
- Add the -a (--handle) option to show the object handles in the output and -n (--numeric) to show fully numeric output.
# nft add table ex_address_family ex_table
- Add a table.
# nft add chain ex_address_family ex_table ex_chain
- Add a new chain in the specified table.
- When a hook and priority value are specified, the chain is created as a base chain and hooked up to the networking stack.
# nft add rule ex_address_family ex_table ex_chain ex_rule
- Add a rule to a chain (e.g., # nft add rule ip ex_table EX_CHAIN tcp dport 22 reject).
# nft flush table ex_address_family ex_table
- Flush all rules from all chains of a table.
# nft flush chain ex_address_family ex_table ex_chain
- Flush all rules from the specified chain.
# nft delete table ex_address_family ex_table
- Delete a table.
# nft delete chain ex_address_family ex_table ex_chain
- Delete the specified chain.
- The chain must not contain any rules or be used as a jump target.
# nft delete rule ex_address_family ex_table ex_chain handle ex_handle
- Delete a rule from a chain.
# nft rename chain ex_address_family ex_table ex_old_name ex_new_name
- Rename the specified chain.
# nft -j list ruleset > ex_ruleset.json, # nft --json list ruleset > ex_ruleset.json
- Export nftables rules in JSON format. The export operation outputs all tables of all families.
Documentation
Run man 8 nft for more information on nft. Additional information can be found at the nftables wiki.
firewalld
Some GNU/Linux distributions (e.g., Fedora) are configured to use a firewall management tool called firewalld. firewalld acts as a front-end for the netfilter framework via the nftables user space utility.
Essentially, firewalld offers a higher-level, more approachable alternative to the nft command via its firewall-cmd command. If you prefer administering your firewalls via a graphical user interface (GUI), the firewall-config application is also available in many GNU/Linux distributions' repositories.
Concepts
firewalld uses the concepts of zones and services to control what traffic is allowed or blocked to and from a system.
Zones are predefined sets of rules that specify a level of trust for a network your system is connected to. Network interfaces and sources can be assigned to a zone.
The following are the zones that firewalld provides, ordered from lowest to highest trust level:
drop
- All incoming connections are dropped without notification. Only outgoing connections are allowed.
block
- All incoming connections are rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6. Only outgoing connections are allowed.
public
- For use in untrusted public areas. Other computers on the network are not trusted, but selected incoming connections are allowed.
external
- For use on external networks with NAT masquerading (i.e., source NAT) enabled where your system acts as a gateway or router. Only selected incoming connections are allowed.
internal
- For use on internal networks when your system acts as a gateway or router. Other network systems are generally not trusted. Only selected incoming connections are allowed.
dmz
- Used for computers located in your demilitarized zone (DMZ) that have limited access to the rest of your network. Only selected incoming connections are allowed.
work
- Used for work machines. Other network computers are generally trusted. Only selected incoming connections are allowed.
home
- Used for home machines. Other network computers are generally trusted. Only selected incoming connections are allowed.
trusted
- All network connections are accepted. All network computers are trusted.
Services are predefined rules that apply within a zone and define the required settings to allow incoming traffic for a specific service. Services allow you to easily perform several tasks in a single step.
Configuration Sets
firewalld uses two separate configuration sets:
- Runtime
- Permanent
The runtime configuration is the actual running configuration and does not persist after a system reboot. When the firewalld daemon starts, it loads the permanent configuration, which becomes the runtime configuration.
By default, when you make changes with the firewall-cmd command, the changes are applied immediately to the runtime configuration. To make your changes permanent, add the --permanent option to firewall-cmd and reload firewalld (# firewall-cmd --reload) to make the changes take effect immediately.
Also, at any time, you can make the runtime configuration permanent by running the # firewall-cmd --runtime-to-permanent command.
Enabling firewalld
On a GNU/Linux distribution like Fedora, your system is already configured to use firewalld. Other distributions may require manual configuration.
For example, to install, enable, and activate firewalld on Debian 11, run the following commands:
# apt install firewalld && systemctl disable --now nftables.service &&
systemctl enable --now firewalld.service
Confirm the status of the firewall by running # firewall-cmd --state. If the firewall is running, the output should be running:
# firewall-cmd --state
running
Zones
The default firewalld zone is public, and all network interfaces not explicitly assigned to a different zone are assigned to this zone. The default zone can be confirmed by running firewall-cmd --get-default-zone:
$ firewall-cmd --get-default-zone
public
A list of available zones can be output by running firewall-cmd --get-zones:
$ firewall-cmd --get-zones
block dmz drop external home internal public trusted work
To display the active zones and the network interfaces assigned to them, run firewall-cmd --get-active-zones:
$ firewall-cmd --get-active-zones
public
interfaces: enp1s0
Above, we can see that the enp1s0 interface is assigned to the public zone.
A zone's configuration settings can be viewed like so:
# firewall-cmd --zone=ex_zone --list-all
For example, this is the configuration for the public zone:
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
From the output above, we can confirm that the enp1s0 interface is using the public zone. The zone uses the default target, which is similar to REJECT. Also, we can see that the zone allows dhcpv6-client and SSH traffic.
The configuration settings of all available zone types can be viewed by running # firewall-cmd --list-all-zones.
The zone target determines the default behavior for unspecified incoming traffic. It can be set to one of the following options:
default
ACCEPT
REJECT
DROP
A zone's target can be specified using the --permanent, --zone, and --set-target options. For example, the following command drops all unspecified incoming traffic for the public zone:
# firewall-cmd --permanent --zone=public --set-target=DROP &&
firewall-cmd --reload
success
success
# firewall-cmd --permanent --zone=public --list-all
public
target: DROP
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
An interface can be assigned to a different zone with the --zone and --change-interface options. This example moves the enp1s0 interface to the work zone:
# firewall-cmd --zone=work --change-interface=enp1s0
success
# firewall-cmd --zone=work --list-all
work (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
The default zone can be set with the --set-default-zone option. The following sets the default zone to home:
# firewall-cmd --set-default-zone=home
success
$ firewall-cmd --get-default-zone
home
A new zone can be created using the --new-zone and --permanent options. This example creates a new zone called lab:
# firewall-cmd --permanent --new-zone=lab &&
firewall-cmd --reload
success
success
# firewall-cmd --permanent --zone=lab --list-all
lab
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
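The zone listings above are easy to read one at a time, but on a host with several zones it helps to reduce the output of firewall-cmd --list-all-zones to one line per active zone and to flag the zones that accept everything (target ACCEPT) or that masquerade. The following shell script does that over a constructed sample of firewall-cmd --list-all-zones output. It is an added example, not code from the original page or from the firewalld project; the trusted zone's interface and the lab zone's source, ports and masquerade setting are made up for the sample. On a live system, pass the real output with audit_active_zones "$(firewall-cmd --list-all-zones)".

```shell
#!/bin/sh
# Added example, not from the original page: summarize the active zones in
# `firewall-cmd --list-all-zones` output and flag the permissive ones.

# Constructed sample output of `firewall-cmd --list-all-zones` (abridged:
# real output also includes protocols, forward-ports, source-ports, etc.).
SAMPLE_ZONES='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: enp7s0
  sources:
  services:
  ports:
  masquerade: no
  rich rules:

lab (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.15
  services: smtp
  ports: 8080/tcp 53/udp
  masquerade: yes
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  rich rules:'

# audit_active_zones OUTPUT
# One line per active zone: name, target, services, ports, masquerade.
# Zone headers are unindented ("name (active)"); attributes are indented.
audit_active_zones() {
    printf '%s\n' "$1" | awk '
        function report() {
            if (zone != "" && active) {
                printf "%s target=%s services=%s ports=%s masquerade=%s\n", zone, target, services, ports, masq
            }
            zone = ""; active = 0; target = ""; services = "-"; ports = "-"; masq = ""
        }
        function rest_of_line(v) {       # values after "key:", comma-joined
            if (NF < 2) return "-"
            $1 = ""; sub(/^ +/, ""); v = $0; gsub(/ /, ",", v); return v
        }
        /^[^ ]/          { report(); zone = $1; active = ($2 == "(active)"); next }
        /^ +target:/     { target = $2; next }
        /^ +services:/   { services = rest_of_line(); next }
        /^ +ports:/      { ports = rest_of_line(); next }
        /^ +masquerade:/ { masq = $2; next }
        END              { report() }
    '
}

# permissive_active_zones OUTPUT
# Active zones whose target accepts everything or that masquerade (i.e., the
# host forwards and NATs traffic), both worth a second look on a host firewall.
permissive_active_zones() {
    audit_active_zones "$1" | awk '/target=ACCEPT|masquerade=yes/ { print $1 }'
}

echo "Active zones:"
audit_active_zones "$SAMPLE_ZONES"
echo "Permissive active zones:"
permissive_active_zones "$SAMPLE_ZONES"
```

Zones without an interface or source binding (work in the sample) are not active and are left out, matching what --get-active-zones reports.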
Services
Services are predefined firewalld rules that allow traffic for specific ports and/or sources. A list of all default available service types can be displayed by running firewall-cmd --get-services:
$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
More information about each service can be found by viewing the associated .xml file for a service in the /usr/lib/firewalld/services/ directory.
For example, to allow SMTP traffic (port 25) for interfaces in the lab zone for only the current session (i.e., the runtime configuration), run:
# firewall-cmd --zone=lab --add-service=smtp
success
To verify that the service was successfully added, use the --list-services option:
# firewall-cmd --zone=lab --list-services
smtp
To make this change permanent, run one of the following commands:
# firewall-cmd --permanent --zone=lab --add-service=smtp
# firewall-cmd --runtime-to-permanent
Verify that the service was successfully added to the permanent configuration:
# firewall-cmd --permanent --zone=lab --list-services
smtp
To remove the service, swap the --add-service option with the --remove-service option:
# firewall-cmd --permanent --zone=lab --remove-service=smtp
success
# firewall-cmd --permanent --zone=lab --list-services
#
Creating a New firewalld Service
The simplest way to create a new service is to copy an existing service file from the /usr/lib/firewalld/services/ directory into the /etc/firewalld/services/ directory. Afterwards, open the copied service file, update the <short> and <description> tags, and set the port tag, which defines the port number and protocol you want to open.
After you are done, save the file and reload the firewalld service:
# firewall-cmd --reload
Opening Source IP Addresses and Ports
firewalld allows you to enable all traffic from a trusted IP address or on a specific port without creating a service definition. To allow all incoming traffic from a specific IP address or range, specify the zone with the --zone option and the source IP address with the --add-source option.
For example, the following allows all incoming traffic from 192.168.1.15 in the work zone for the current session:
# firewall-cmd --zone=work --add-source=192.168.1.15
success
To verify that the new source is bound to the zone, use the --list-sources option:
# firewall-cmd --zone=work --list-sources
192.168.1.15
To remove the source, replace the --add-source option with the --remove-source option:
# firewall-cmd --zone=work --remove-source=192.168.1.15
success
# firewall-cmd --zone=work --list-sources
#
To allow all incoming traffic on a given port, specify the zone with the --zone option and the port/protocol with the --add-port option. This example opens port 22 in the lab zone for the current session:
# firewall-cmd --zone=lab --add-port=22/tcp
success
Supported protocols include:
tcp
udp
sctp
dccp
To verify that the port was added to the zone, use the --list-ports option:
# firewall-cmd --zone=lab --list-ports
22/tcp
To remove a port, swap the --add-port option with the --remove-port option:
# firewall-cmd --zone=lab --remove-port=22/tcp
success
# firewall-cmd --zone=lab --list-ports
#
To forward traffic from one port to another, enable masquerading for the desired zone using the --add-masquerade option:
# firewall-cmd --zone=ex_zone --add-masquerade
The following are port forwarding examples:
# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
- Forward traffic from port 80 to port 8080 on the same system for the external zone.
# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=10.10.10.5
- Forward traffic from port 80 to another system with an IP address of 10.10.10.5 for the external zone.
# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.10.10.5
- Forward traffic from port 80 to port 8080 on another system with an IP address of 10.10.10.5 for the external zone.
firewalld Commands
Unless otherwise specified, querying commands display the firewalld runtime configuration. Add the --permanent option to display information for firewalld's permanent configuration.
# firewall-cmd --reload
- Reload firewall rules and keep state information.
- The current permanent configuration will become the new runtime configuration (i.e., all runtime only changes done until the reload are lost if they have not been added to the permanent configuration).
# firewall-cmd --runtime-to-permanent
- Save active runtime configuration and overwrite permanent configuration with it.
# firewall-cmd --state
- Check whether firewalld is active (i.e., running).
- Returns an exit code 0 if it is active, RUNNING BUT FAILED if a failure occurred on startup, and NOT RUNNING otherwise.
firewall-cmd --get-default-zone
- Print the default zone for connections and interfaces.
firewall-cmd --get-zones, # firewall-cmd --permanent --get-zones
- Print predefined zones as a space separated list.
firewall-cmd --get-active-zones
- Print currently active zones, together with interfaces and sources used in these zones.
- Active zones are zones that have a binding to an interface or source. If there are no interfaces or sources bound to the zone, the corresponding line will be omitted.
# firewall-cmd --list-all
- List everything added or enabled for the default zone.
- A specific zone can be specified using the --zone option (e.g., # firewall-cmd --zone=ex_zone --list-all).
# firewall-cmd --list-all-zones
- List everything added for or enabled in all zones.
# firewall-cmd --permanent --set-target=ex_target
- Set the target of the default zone. ex_target can be:
  - default (similar to REJECT)
  - ACCEPT
  - DROP
  - REJECT
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --permanent --zone=ex_zone --set-target=ex_target).
# firewall-cmd --change-interface=ex_interface
- Change the zone ex_interface is bound to. By default, ex_interface is re-bound to the default zone.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --change-interface=ex_interface).
# firewall-cmd --set-default-zone=ex_zone
- Set the default zone for connections and interfaces where no zone has been selected. Setting the default zone changes the zone for the connections or interfaces that are using the default zone.
- This is a runtime and permanent change.
# firewall-cmd --permanent --new-zone=ex_zone
- Add a new permanent and empty zone. Zone names must be alphanumeric and may include the _ and - characters.
- After rules are added to the zone, reload the firewalld service by running # firewall-cmd --reload.
firewall-cmd --get-services, # firewall-cmd --permanent --get-services
- Print predefined services as a space separated list.
# firewall-cmd --add-service=ex_service
- Add a service for the default zone.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --add-service=ex_service).
# firewall-cmd --list-services
- List services added for the default zone as a space separated list.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --list-services).
# firewall-cmd --remove-service=ex_service
- Remove a service from the default zone.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --remove-service=ex_service).
# firewall-cmd --add-source=ex_source
- Bind the source to the default zone. Allows all incoming traffic from the source IP address/range.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --add-source=ex_source).
# firewall-cmd --list-sources
- List sources that are bound to the default zone as a space separated list.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --list-sources).
# firewall-cmd --remove-source=ex_source
- Remove the binding of the source from the zone that it was added to.
# firewall-cmd --add-port=ex_port/ex_protocol
- Add the port for the default zone. ex_port can be a single port number or a port range. ex_protocol can be:
  - tcp
  - udp
  - sctp
  - dccp
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --add-port=ex_port/ex_protocol).
# firewall-cmd --list-ports
- List ports added for the default zone as a space separated list.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --list-ports).
# firewall-cmd --remove-port=ex_port/ex_protocol
- Remove the port from the default zone. This option can be specified multiple times.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --remove-port=ex_port/ex_protocol).
# firewall-cmd --add-masquerade
- Enable IPv4 masquerade for the default zone. IP forwarding will be implicitly enabled.
- Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --add-masquerade).
# firewall-cmd --add-forward-port=port=ex_port:proto=ex_protocol:toport=ex_to_port
- Add an IPv4 forward port for the default zone. Forwards traffic from one port to another port on the same system.
- Add the --zone option to specify a specific zone.
# firewall-cmd --add-forward-port=port=ex_port:proto=ex_protocol:toaddr=ex_ip_address
- Add an IPv4 forward port for the default zone. Forwards traffic from one port to another system with a specific IP address.
- Add the --zone option to specify a specific zone.
# firewall-cmd --add-forward-port=port=ex_port:proto=ex_protocol:toport=ex_to_port:toaddr=ex_ip_address
- Add an IPv4 forward port for the default zone. Forwards traffic from one port to another port on another system with a specific IP address.
- Add the --zone option to specify a specific zone.
Documentation
Run the following commands for more information on firewalld:
man 1 firewalld
man 1 firewall-config
man 5 firewalld.conf
man 5 firewalld.service
man 5 firewalld.zone
man 5 firewalld.zones
man 1 firewall-cmd
Also, firewalld.org is a good resource for additional firewalld documentation.