
GNU/Linux Firewalls

A firewall is a network security system that monitors and controls incoming/outgoing network traffic based on predetermined security rules. Typically, firewalls establish a barrier between a trusted and an untrusted network (e.g., the Internet).

Note: If you are not familiar with the GNU/Linux command line interface, review the Conventions page before proceeding.

Basic Principles

The first principle of network security is to present the smallest possible attack surface. Make sure that your host does not run any Internet-reachable services that you are unaware of.

This is most easily checked using a command like ss:

$ ss -lptu
Netid      State       Recv-Q       Send-Q              Local Address:Port                Peer Address:Port      Process      
udp        UNCONN      0            0                         0.0.0.0:mdns                     0.0.0.0:*                      
udp        UNCONN      0            0                         0.0.0.0:hostmon                  0.0.0.0:*                      
udp        UNCONN      0            0                   192.168.122.1:domain                   0.0.0.0:*                      
udp        UNCONN      0            0                   127.0.0.53%lo:domain                   0.0.0.0:*                      
udp        UNCONN      0            0                  0.0.0.0%virbr0:bootps                   0.0.0.0:*                      
udp        UNCONN      0            0                       127.0.0.1:323                      0.0.0.0:*                      
udp        UNCONN      0            0                         0.0.0.0:51567                    0.0.0.0:*                      
udp        UNCONN      0            0                            [::]:33924                       [::]:*                      
udp        UNCONN      0            0                            [::]:mdns                        [::]:*                      
udp        UNCONN      0            0                            [::]:hostmon                     [::]:*                      
udp        UNCONN      0            0                           [::1]:323                         [::]:*                      
tcp        LISTEN      0            32                  192.168.122.1:domain                   0.0.0.0:*                      
tcp        LISTEN      0            4096                127.0.0.53%lo:domain                   0.0.0.0:*                      
tcp        LISTEN      0            128                     127.0.0.1:ipp                      0.0.0.0:*                      
tcp        LISTEN      0            4096                      0.0.0.0:hostmon                  0.0.0.0:*                      
tcp        LISTEN      0            128                         [::1]:ipp                         [::]:*                      
tcp        LISTEN      0            4096                         [::]:hostmon                     [::]:*

The above command presents you with a list of all open ports, i.e., the services that your computer provides, together with the IP addresses that it provides them on and the processes responsible for them. If you have access to a suitably equipped host outside of your local network, you can also use nmap to check how your computer presents itself to the Internet.

You should be able to justify every line that the ss and nmap programs output. If anything appears that means nothing to you, find out what it is and if it is required. Deactivate all services that you do not need by removing the corresponding programs from the list of daemons to be started when the system is booted.

If you are using xinetd, add the following line to the configuration sections of any services that you do not want to run:

disable = yes

Services that are not obviously superfluous can often be limited to the local host or the local network. Make use of the option to provide a service only on the loopback interface (localhost, 127.0.0.1) whenever possible.

For example, it makes sense to allow local programs to submit email messages via the SMTP service of your host, but it is not necessary to allow the entire local area network (LAN), or even the entire Internet, to do so. All common Mail Transfer Agents (MTAs) can be configured such that they only accept connections on IP address 127.0.0.1, port 25.
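The check described above, worked through in code: the following Python script is an added example (not part of the original page) that parses ss -lptu output like the listing shown earlier and sorts each listener into loopback-only, bound to one specific address, or listening on every interface. The embedded sample output is a trimmed, constructed copy of that listing; the function and field names are my own.

```python
"""Classify listening sockets from `ss -lptu` output by exposure.

Added example, not from the original page. It parses output like the
listing shown in the text and reports which services are reachable only
on the loopback interface, which are bound to one specific address, and
which listen on every interface (0.0.0.0 or [::]) and so need to be
justified before the host faces an untrusted network.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the `ss -lptu` output shown in the text.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:mdns       0.0.0.0:*
udp   UNCONN 0      0      192.168.122.1:domain     0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:domain     0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0      0               [::]:mdns          [::]:*
udp   UNCONN 0      0              [::1]:323           [::]:*
tcp   LISTEN 0      128        127.0.0.1:ipp        0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:hostmon    0.0.0.0:*
tcp   LISTEN 0      128            [::1]:ipp           [::]:*
tcp   LISTEN 0      4096            [::]:hostmon       [::]:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str  # bare IP: IPv6 brackets and an interface suffix (%lo) removed
    port: str     # numeric port or service name, exactly as ss printed it
    scope: str    # "loopback", "specific" or "all-interfaces"


def split_local(local: str) -> tuple[str, str]:
    """Split ss's Local Address:Port field into (address, port).

    Handles the three shapes ss prints: 0.0.0.0:51567, 127.0.0.53%lo:domain
    and [::]:mdns.
    """
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, port


def classify(addr: str) -> str:
    """Map a bound address to the exposure class used in the report."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    return "specific"


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -lptu` text into Listener records, skipping the header row."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = split_local(local)
        listeners.append(Listener(proto, addr, port, classify(addr)))
    return listeners


def exposed(listeners: list[Listener]) -> list[tuple[str, str]]:
    """(protocol, port) pairs that listen on every interface; each one should
    be justified, restricted to loopback or the LAN, or covered by a rule."""
    return sorted({(l.proto, l.port) for l in listeners if l.scope == "all-interfaces"})


if __name__ == "__main__":
    records = parse_ss(SAMPLE_SS_OUTPUT)
    for rec in records:
        print(f"{rec.proto:4} {rec.address:>15} {rec.port:<8} {rec.scope}")
    print("needs justification:", exposed(records))
```

Run it against live output with ss -lptu | python3 classify_ss.py after swapping the sample for sys.stdin.read(); anything the script lists as all-interfaces is what nmap from outside would see, so it is the list to work through first.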

Firewall Types

Firewalls can be implemented in a variety of ways. One of the most common types is a packet-filtering firewall, where all traffic moving between the private and public networks must go through the firewall. As it does, the firewall captures all incoming/outgoing packets and compares them against the rules that you have configured.

The firewall can filter traffic based on the:

  • Origin address
  • Destination address
  • Origin port
  • Destination port
  • Protocol used
  • Type of packet

If a packet abides by the rules, it is forwarded to the next network. If it does not, it is dropped.

Packet-filtering firewalls do not necessarily have to be implemented between your network and the Internet. They can also be implemented between a network segment and a backbone segment to increase your internal network security.

Packet-filtering firewalls are widely used. They cost less than other types of firewalls and require relatively little processing. Data quickly moves through them, making them much faster than other firewalls.

Also, stateful firewalls and application-level gateways can be implemented, which both operate higher up in the OSI model.

netfilter

On GNU/Linux, packet filtering is performed by the Linux kernel itself. The netfilter infrastructure accomplishes this and is included by default with most GNU/Linux distributions.

netfilter Components
"Netfilter-components.svg" by Jan Engelhardt is licensed under a CC BY-SA 3.0 license

Specifically, netfilter is a framework provided by the Linux kernel that allows various network-related operations to be implemented in the form of customized handlers. It offers various functions, including:

  • Packet filtering
  • Network address translation (NAT)
  • Port translation

Simplified Structure of the Linux Kernel
"Simplified Structure of the Linux Kernel.svg" by ScotXW is licensed under a CC BY-SA 4.0 license

netfilter represents a series of hooks inside the Linux kernel that allow certain kernel modules to register callback functions with the kernel's networking stack. Those functions are called for every packet that traverses the respective hook inside of the network stack.

nftables

netfilter works in conjunction with a user-space utility. In the past, this was iptables. Now, it is nftables.

nftables serves as the packet-filtering portion of netfilter. nftables' nft command is the new userspace utility that replaces iptables commands like iptables, arptables, and ebtables.

To determine if your system has the nf_tables kernel module, run the following command:

# modinfo nf_tables | head
filename:       /lib/modules/5.13.4-100.fc33.x86_64/kernel/net/netfilter/nf_tables.ko.xz
alias:          nfnetlink-subsys-10
author:         Patrick McHardy <kaber@trash.net>
license:        GPL
depends:        nfnetlink
retpoline:      Y
intree:         Y
name:           nf_tables
vermagic:       5.13.4-100.fc33.x86_64 SMP mod_unload
sig_id:         PKCS#7

To see if the nftables.service unit is running on your system, enter systemctl status nftables.service. For GNU/Linux distributions like Debian and Fedora, nf_tables is likely already loaded, but disabled (Fedora uses firewalld for firewall management):

$ systemctl status nftables.service
● nftables.service - Netfilter Tables
     Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:nft(8)

If you are using a distribution that does not use firewalld for firewall management (e.g., Debian 11), enable/start the nftables service by running the following command:

# systemctl enable --now nftables.service

Confirm that both the nf_tables kernel module and nftables.service unit are active:

$ lsmod | grep 'nf_tables'
nf_tables             143360  0
nfnetlink              16384  1 nf_tables
$ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2021-08-02 07:30:21 PDT; 6s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 2064 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 2064 (code=exited, status=0/SUCCESS)

Configuration

nftables has a specific syntax:

  • The sharp (#) is used for comments.
  • Several commands are combined with the semicolon (;).
  • An instruction can be split into several lines using the backslash (\) at the end of the line.

Variables

nftables supports variables. These can be helpful when you need to repeatedly refer to an interface(s):

define external_interface = eth0
define internal_interface = eth1
define all_interfaces = { $external_interface, $internal_interface }

Tables

In a nftables configuration, a table is at the apex of a ruleset and it consists of chains, which are containers for rules (i.e., Tables > Chains > Rules). You can create (add), delete (delete), and empty (flush) a table.

Namespaces and Address Families

All objects in nftables have a namespace that includes the address family. The address family specifies what kinds of hooks will be applied for further analysis of the information stream.

For example, the ip address family is for IPv4 traffic. arp traffic is filtered using arptables, which belong to the arp address family.

The bridge address family is used to configure a bridged interface, and the netdev address family is used for early filtering of incoming traffic (netdev filtering happens before OSI layer 3 filters are reached).

The available address families are:

  • arp
  • bridge
  • inet (ip + ip6)
  • ip
  • ip6
  • netdev

Chains

After a table is created, chains can be added to it. Chains hold firewall rules and are of one of two defined types:

  1. base: A base chain has a related hook in the kernel through which it sees traffic.
  2. non-base: A non-base chain has no related hook in the kernel and does not see traffic on its own; it is only reached when a rule in another chain jumps to it.

Type refers to the kind of chain that can be created. Possible types are:

  • filter: Filters packets. Supported by the arp, bridge, ip, ip6, and inet families.
  • route: Marks packets. Supported by ip and ip6.
  • nat: Performs network address translation. Supported by ip and ip6.

Hook refers to a specific stage of the packet while it is being processed through the kernel.

  • Hooks for ip, ip6, and inet families are prerouting, input, output, and postrouting.
  • Hooks for arp are input and output.
  • The bridge family handles Ethernet packets traversing bridge devices.
  • The hook for netdev is ingress.

Priority refers to a number used to order the chains or to set them between some netfilter operations. Possible values include:

  • NF_IP_PRI_CONNTRACK_DEFRAG (-400)
  • NF_IP_PRI_RAW (-300)
  • NF_IP_PRI_SELINUX_FIRST (-225)

Policy is the default verdict statement to control the flow in the chain. Possible values are:

  • accept
  • drop
  • queue
  • continue
  • return

Rules

The building blocks of a nftables rule are:

  • expression(s)
  • operator
  • action

Expressions are evaluated from left to right. If an expression matches, evaluation continues with the next expression and then with the remaining parts of the rule (the operator and action). If an expression does not match, the rule is skipped and the next rule is evaluated.

A handle is an internal number that identifies a certain rule (i.e., a rule index). A position is an internal number that is used to insert a rule before a certain handle (i.e., a number used to specify an insertion point for a rule in a chain).

Matches are selectors used to access specific packet information and to build filters from it.

A statement is the action performed when a packet matches a rule. A statement is either terminal or non-terminal: a single rule may contain several non-terminal statements, but only one terminal statement.

More information on matches and statements, as well as numerous rule examples, can be found in the nftables wiki.

nft

The nft utility parses the firewall rulesets and compiles them into a language that the kernel understands, ensuring that the kernel receives an optimized set of instructions. Using nft, you can manipulate the rules, instead of having to flush the configuration every time there is a change.

nft Commands

Useful nft commands include:

# nft list tables
List tables.
# nft list table ex_address_family ex_table
List all chains and rules in the specified table (e.g., # nft list table inet filter).
Add the -a (--handle) option to show the object handles in the output and -n (--numeric) to show fully numeric output.
# nft list chains
List chains.
# nft list chain ex_address_family ex_table ex_chain
List all rules of the specified chain from the specified table.
Add the -a (--handle) option to show the object handles in the output and -n (--numeric) to show fully numeric output.
# nft add table ex_address_family ex_table
Add a table.
# nft add chain ex_address_family ex_table ex_chain
Add a new chain in the specified table.
When a hook and priority value are specified, the chain is created as a base chain and hooked up to the networking stack.
# nft add rule ex_address_family ex_table ex_chain ex_rule
Add a rule to a chain (e.g., # nft add rule ip ex_table EX_CHAIN tcp dport 22 reject).
# nft flush table ex_address_family ex_table
Flush all rules from all chains of a table.
# nft flush chain ex_address_family ex_table ex_chain
Flush all rules from the specified chain.
# nft delete table ex_address_family ex_table
Delete a table.
# nft delete chain ex_address_family ex_table ex_chain
Delete the specified chain.
The chain must not contain any rules or be used as a jump target.
# nft delete rule ex_address_family ex_table ex_chain handle ex_handle
Delete a rule from a chain.
# nft rename chain ex_address_family ex_table ex_old_name ex_new_name
Rename the specified chain.
# nft -j list ruleset > ex_ruleset.json
# nft --json list ruleset > ex_ruleset.json
Export nftables rules in json format. The export operation outputs all tables of all families.
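The following Python audit is an added example, not code from the page or from the nftables project. It works over the JSON that nft -j list ruleset produces and applies two points from the Chains section: a base chain (one with a hook) whose policy is not drop accepts whatever no rule matched, and a non-base chain that no rule jumps to never sees a packet. The embedded export is a constructed sample in the shape I understand libnftables to emit (table, chain and rule objects under an nftables key); the function names are mine, and the sample's field names should be compared against an export from your own system.

```python
"""Audit an nftables ruleset exported with `nft -j list ruleset`.

Added example, not part of the original page. Given the JSON export, it
reports base chains that still have a default-accept policy and non-base
chains that nothing jumps to. The export below is a constructed sample in
the layout I understand libnftables to use; verify against a real export.
"""
import json
from collections import Counter

# Constructed sample export: one inet table with two base chains, a helper
# chain reached via jump, and an orphaned helper chain nothing refers to.
SAMPLE_EXPORT = json.dumps({
    "nftables": [
        {"metainfo": {"version": "0.9.8", "json_schema_version": 1}},
        {"table": {"family": "inet", "name": "filter", "handle": 1}},
        {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
                   "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
        {"chain": {"family": "inet", "table": "filter", "name": "forward", "handle": 2,
                   "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
        {"chain": {"family": "inet", "table": "filter", "name": "services", "handle": 3}},
        {"chain": {"family": "inet", "table": "filter", "name": "unused", "handle": 8}},
        {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 4,
                  "expr": [{"match": {"op": "==", "left": {"ct": {"key": "state"}},
                                      "right": ["established", "related"]}},
                           {"accept": None}]}},
        {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 5,
                  "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                                      "right": "lo"}},
                           {"accept": None}]}},
        {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 6,
                  "expr": [{"jump": {"target": "services"}}]}},
        {"rule": {"family": "inet", "table": "filter", "chain": "services", "handle": 7,
                  "expr": [{"match": {"op": "==",
                                      "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                      "right": 22}},
                           {"accept": None}]}},
    ]
})


def load_objects(text):
    """Return the exported objects, skipping the leading metainfo entry."""
    return [o for o in json.loads(text)["nftables"] if "metainfo" not in o]


def chains(objects):
    return [o["chain"] for o in objects if "chain" in o]


def rules(objects):
    return [o["rule"] for o in objects if "rule" in o]


def base_chains(objects):
    """Base chains are the ones hooked into the stack; non-base chains lack "hook"."""
    return [c for c in chains(objects) if "hook" in c]


def accept_policy_base_chains(objects):
    """Base chains whose default verdict is not drop: a packet that matches no
    rule falls off the end of the chain and is accepted."""
    return sorted((c["family"], c["table"], c["name"], c["hook"])
                  for c in base_chains(objects)
                  if c.get("policy", "accept") != "drop")


def jump_targets(objects):
    """(family, table, chain) triples that some rule jumps or goes to."""
    targets = set()
    for r in rules(objects):
        for e in r["expr"]:
            for verdict in ("jump", "goto"):
                if verdict in e:
                    targets.add((r["family"], r["table"], e[verdict]["target"]))
    return targets


def orphan_chains(objects):
    """Non-base chains that no rule reaches; their rules never see a packet."""
    reachable = jump_targets(objects)
    return sorted((c["family"], c["table"], c["name"])
                  for c in chains(objects)
                  if "hook" not in c
                  and (c["family"], c["table"], c["name"]) not in reachable)


def rules_per_chain(objects):
    """Rule count per chain, useful for spotting empty base chains."""
    return Counter((r["family"], r["table"], r["chain"]) for r in rules(objects))


if __name__ == "__main__":
    objs = load_objects(SAMPLE_EXPORT)
    print("base chains with accept policy:", accept_policy_base_chains(objs))
    print("orphan non-base chains:", orphan_chains(objs))
    print("rules per chain:", dict(rules_per_chain(objs)))
```

Feed it a real export with nft -j list ruleset > ex_ruleset.json and load that file instead of the sample; a forward chain with policy accept on a host that is not meant to route is the kind of finding it is written to surface.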

Documentation

Run man 8 nft for more information on nft. Also, additional information can be found at the nftables wiki.

firewalld

Some GNU/Linux distributions (e.g., Fedora) are configured to use a firewall management tool called firewalld. firewalld acts as a front-end for the netfilter framework via the nftables user space utility.

Essentially, firewalld offers a higher-level, more approachable alternative to the nft command via its firewall-cmd command. If you prefer administering your firewalls via a graphical user interface (GUI), the firewall-config application is also available in many GNU/Linux distributions' repositories.

Concepts

firewalld uses the concepts of zones and services to control what traffic is allowed or blocked to and from a system.

Zones are predefined sets of rules that specify a level of trust for a network your system is connected to. Network interfaces and sources can be assigned to a zone.

The following are the zones that firewalld provides, ordered from lowest to highest trust level:

drop
All incoming connections are dropped without notification. Only outgoing connections are allowed.
block
All incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited message for IPv6. Only outgoing connections are allowed.
public
For use in untrusted public areas. Other computers on the network are not trusted, but selected incoming connections are allowed.
external
For use on external networks with NAT masquerading (i.e., source NAT) enabled where your system acts as a gateway or router. Only selected incoming connections are allowed.
internal
For use on internal networks when your system acts as a gateway or router. Other network systems are generally not trusted. Only selected incoming connections are allowed.
dmz
Used for computers located in your demilitarized zone (DMZ) that have limited access to the rest of your network. Only selected incoming connections are allowed.
work
Used for work machines. Other network computers are generally trusted. Only selected incoming connections are allowed.
home
Used for home machines. Other network computers are generally trusted. Only selected incoming connections are allowed.
trusted
All network connections are accepted. All network computers are trusted.

Services are predefined rules that apply within a zone and define the required settings to allow incoming traffic for a specific service. Services allow you to easily perform several tasks in a single step.

Configuration Sets

firewalld uses two separate configuration sets:

  1. Runtime
  2. Permanent

The runtime configuration is the actual running configuration and does not persist after a system reboot. When the firewalld daemon starts, it loads the permanent configuration, which becomes the runtime configuration.

By default, when you make changes with the firewall-cmd command, they are applied immediately to the runtime configuration only. A command run with the --permanent option changes only the permanent configuration; reload firewalld (# firewall-cmd --reload) to make those changes effective immediately.

Also, at any time, you can make the runtime configuration permanent by running the # firewall-cmd --runtime-to-permanent command.

Enabling firewalld

On a GNU/Linux distribution like Fedora, your system is already configured to use firewalld. Other distributions may require manual configuration.

For example, to install, enable, and activate firewalld on Debian 11, run the following commands:

# apt install firewalld && systemctl disable --now nftables.service &&
    systemctl enable --now firewalld.service

Confirm the status of the firewall by running # firewall-cmd --state. If the firewall is running, the output should be running:

# firewall-cmd --state
running

Zones

The default firewalld zone is public and all network interfaces not explicitly assigned to a different zone are assigned to this zone. The default zone can be confirmed by running firewall-cmd --get-default-zone:

$ firewall-cmd --get-default-zone
public

A list of available zones can be output by running firewall-cmd --get-zones:

$ firewall-cmd --get-zones
block dmz drop external home internal public trusted work

To display the active zones and network interfaces assigned to them, run firewall-cmd --get-active-zones:

$ firewall-cmd --get-active-zones
public
  interfaces: enp1s0

Above, we can see that the enp1s0 interface is assigned to the public zone.

A zone's configuration settings can be viewed like so:

# firewall-cmd --zone=ex_zone --list-all

For example, this is the configuration for the public zone:

# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

From the output above, we can confirm that the enp1s0 interface is using the public zone. The zone uses the default target, which is similar to REJECT. Also, we can see that the zone allows DHCPv6 client and SSH traffic.

The configuration settings of all available zone types can be viewed by running # firewall-cmd --list-all-zones.

The zone target determines the default behavior for unspecified incoming traffic. It can be set to one of the following options:

  • default
  • ACCEPT
  • REJECT
  • DROP

A zone's target can be specified using the --permanent, --zone, and --set-target options. For example, the following command drops all unspecified incoming traffic for the public zone:

# firewall-cmd --permanent --zone=public --set-target=DROP &&
    firewall-cmd --reload
success
success
# firewall-cmd --permanent --zone=public --list-all
public
  target: DROP
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

An interface can be assigned to a different zone with the --zone and --change-interface options. This example moves the enp1s0 interface to the work zone:

# firewall-cmd --zone=work --change-interface=enp1s0
success
# firewall-cmd --zone=work --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The default zone can be set with the --set-default-zone option. The following sets the default zone to home:

# firewall-cmd --set-default-zone=home
success
$ firewall-cmd --get-default-zone
home

A new zone can be created using the --new-zone and --permanent options. This example creates a new zone called lab:

# firewall-cmd --permanent --new-zone=lab &&
    firewall-cmd --reload
success
success
# firewall-cmd --permanent --zone=lab --list-all
lab
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Services

Services are predefined firewalld rules that allow traffic for specific ports and/or sources. A list of all default available service types can be displayed by running firewall-cmd --get-services:

$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

More information about each service can be found by viewing the associated .xml file for a service in the /usr/lib/firewalld/services/ directory.

For example, to allow SMTP traffic (port 25) for interfaces in the lab zone for only the current session (i.e., the runtime configuration), run:

# firewall-cmd --zone=lab --add-service=smtp
success

To verify that the service was successfully added, use the --list-services option:

# firewall-cmd --zone=lab --list-services
smtp

To make this change permanent, run one of the following commands:

# firewall-cmd --permanent --zone=lab --add-service=smtp

# firewall-cmd --runtime-to-permanent

Verify that the service was successfully added to the permanent configuration:

# firewall-cmd --permanent --zone=lab --list-services
smtp

To remove the service, swap the --add-service option with the --remove-service option:

# firewall-cmd --permanent --zone=lab --remove-service=smtp
success
# firewall-cmd --permanent --zone=lab --list-services

#

Creating a New firewalld Service

The simplest way to create a new service is to copy an existing service file from the /usr/lib/firewalld/services/ directory into the /etc/firewalld/services/ directory. Afterwards, open the copied file, update the <short> and <description> tags, and set the port tag, which defines the port number and protocol you want to open.

After you are done, save the file and reload the firewalld service:

# firewall-cmd --reload
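The procedure above, carried out in code: the following Python script is an added example (not from the original page or the firewalld project) that writes a service definition in the same XML layout firewalld ships in /usr/lib/firewalld/services/ (a <service> root with <short>, <description> and one <port> element per port and protocol) and reads a definition back to list what it opens. The service name lab-web and its port 8443/tcp are constructed for the example, as are the function names; the target directory is a temporary one standing in for /etc/firewalld/services/.

```python
"""Generate and read firewalld service definitions.

Added example, not part of the original page. build_service_xml() produces
the <service> document firewalld expects under /etc/firewalld/services/,
parse_service_xml() reads one back, and roundtrip() writes a constructed
"lab-web" service (8443/tcp) into a temporary directory that stands in for
/etc/firewalld/services/ and parses it again.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Protocols firewall-cmd --add-port accepts, as listed in the text.
ALLOWED_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def build_service_xml(short, description, ports):
    """Return a firewalld service definition as text.

    ports is an iterable of (port, protocol) pairs; port may be a single
    number ("8443") or a range ("8000-8010"), both as firewalld writes them.
    """
    service = ET.Element("service")
    ET.SubElement(service, "short").text = short
    ET.SubElement(service, "description").text = description
    for port, proto in ports:
        if proto not in ALLOWED_PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        ET.SubElement(service, "port", protocol=proto, port=str(port))
    ET.indent(service)  # pretty-print like the shipped definitions
    body = ET.tostring(service, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def write_service(directory, name, xml_text):
    """Write <name>.xml into directory (normally /etc/firewalld/services/)."""
    path = os.path.join(directory, f"{name}.xml")
    with open(path, "w", encoding="utf-8") as f:
        f.write(xml_text)
    return path


def parse_service_xml(xml_text):
    """Return the short name, description and (port, protocol) list of a definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    return {
        "short": root.findtext("short"),
        "description": root.findtext("description"),
        "ports": [(p.get("port"), p.get("protocol")) for p in root.findall("port")],
    }


def roundtrip(directory=None):
    """Write the constructed lab-web service and read it back."""
    directory = directory or tempfile.mkdtemp()
    xml_text = build_service_xml(
        "Lab web UI",
        "HTTPS management interface for hosts in the lab zone.",
        [("8443", "tcp")],
    )
    path = write_service(directory, "lab-web", xml_text)
    with open(path, encoding="utf-8") as f:
        return parse_service_xml(f.read())


if __name__ == "__main__":
    print(build_service_xml("Lab web UI", "HTTPS management interface.", [("8443", "tcp")]))
    print(roundtrip())
```

Once the file is in /etc/firewalld/services/, run # firewall-cmd --reload as described above; the new name then appears in firewall-cmd --get-services and can be added to a zone with --add-service=lab-web like any shipped service.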

Opening Source IP Addresses and Ports

firewalld allows you to enable all traffic from a trusted IP address or on a specific port without creating a service definition. To allow all incoming traffic from a specific IP address or range, specify the zone with the --zone option and the source IP address with the --add-source option.

For example, the following allows all incoming traffic from 192.168.1.15 in the work zone for the current session:

# firewall-cmd --zone=work --add-source=192.168.1.15
success

To verify that the new source is bound to the zone, use the --list-sources option:

# firewall-cmd --zone=work --list-sources
192.168.1.15

To remove the source, replace the --add-source option with the --remove-source option:

# firewall-cmd --zone=work --remove-source=192.168.1.15
success
# firewall-cmd --zone=work --list-sources

#

To allow all incoming traffic on a given port, specify the zone with the --zone option and the port/protocol with the --add-port option. This example opens port 22 in the lab zone for the current session:

# firewall-cmd --zone=lab --add-port=22/tcp
success

Supported protocols include:

  • tcp
  • udp
  • sctp
  • dccp

To verify that the port was added to the zone, use the --list-ports option:

# firewall-cmd --zone=lab --list-ports
22/tcp

To remove a port, swap the --add-port option with the --remove-port option:

# firewall-cmd --zone=lab --remove-port=22/tcp
success
# firewall-cmd --zone=lab --list-ports

#

To forward traffic from one port to another, enable masquerading for the desired zone using the --add-masquerade option:

# firewall-cmd --zone=ex_zone --add-masquerade

The following are port forwarding examples:

# firewall-cmd \
    --zone=external \
    --add-forward-port=port=80:proto=tcp:toport=8080

Forward traffic from port 80 to port 8080 on the same system for the external zone.

# firewall-cmd \
    --zone=external \
    --add-forward-port=port=80:proto=tcp:toaddr=10.10.10.5

Forward traffic from port 80 to another system with an IP address of 10.10.10.5 for the external zone.

# firewall-cmd \
    --zone=external \
    --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.10.10.5

Forward traffic from port 80 to port 8080 on another system with an IP address of 10.10.10.5 for the external zone.

firewalld Commands

Unless otherwise specified, querying commands display the firewalld runtime configuration. Add the --permanent option to display information for firewalld's permanent configuration.

# firewall-cmd --reload
Reload firewall rules and keep state information.
The current permanent configuration will become the new runtime configuration (i.e., all runtime only changes done until the reload are lost if they have not been added to the permanent configuration).
# firewall-cmd --runtime-to-permanent
Save active runtime configuration and overwrite permanent configuration with it.
# firewall-cmd --state
Check whether firewalld is active (i.e., running).
Returns exit code 0 if it is active, RUNNING_BUT_FAILED if a failure occurred on startup, and NOT_RUNNING otherwise.
firewall-cmd --get-default-zone
Print the default zone for connections and interfaces.
firewall-cmd --get-zones
Print predefined zones as a space separated list.
firewall-cmd --get-active-zones
Print currently active zones, together with interfaces and sources used in these zones.
Active zones are zones that have a binding to an interface or source. If there are no interfaces or sources bound to the zone, the corresponding line will be omitted.
# firewall-cmd --list-all
List everything added or enabled for the default zone.
A specific zone can be specified using the --zone option (e.g., # firewall-cmd --zone=ex_zone --list-all).
# firewall-cmd --list-all-zones
List everything added for or enabled in all zones.
# firewall-cmd --permanent --set-target=ex_target
Set the target of the default zone. ex_target can be:
  • default (similar to REJECT)
  • ACCEPT
  • DROP
  • REJECT

Add the --zone option to specify a specific zone (e.g., # firewall-cmd --permanent --zone=ex_zone --set-target=ex_target).

# firewall-cmd --change-interface=ex_interface
Change the zone ex_interface is bound to. By default, ex_interface is re-bound to the default zone.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --change-interface=ex_interface).
# firewall-cmd --set-default-zone=ex_zone
Set the default zone for connections and interfaces where no zone has been selected. Setting the default zone changes the zone for the connections or interfaces that are using the default zone.
This is a runtime and permanent change.
# firewall-cmd --permanent --new-zone=ex_zone
Add a new permanent and empty zone. Zone names must be alphanumeric and may include the _ and - characters.
After rules are added to the zone, reload the firewalld service by running # firewall-cmd --reload.
firewall-cmd --get-services
Print predefined services as a space separated list.
# firewall-cmd --add-service=ex_service
Add a service for the default zone.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --add-service=ex_service).
# firewall-cmd --list-services
List services added for the default zone as a space separated list.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --list-services).
# firewall-cmd --remove-service=ex_service
Remove a service from the default zone.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --remove-service=ex_service).
# firewall-cmd --add-source=ex_source
Bind the source to the default zone. Allows all incoming traffic from the source IP address/range.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --add-source=ex_source).
# firewall-cmd --list-sources
List sources that are bound to the default zone as a space separated list.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --list-sources).
# firewall-cmd --remove-source=ex_source
Remove binding of source from the zone that it was added to.
# firewall-cmd --add-port=ex_port/ex_protocol
Add the port for the default zone.
ex_port can be a single port number or a port range. ex_protocol can be:
  • tcp
  • udp
  • sctp
  • dccp

Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --add-port=ex_port/ex_protocol).

# firewall-cmd --list-ports
List ports added for the default zone as a space separated list.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --list-ports).
# firewall-cmd --remove-port=ex_port/ex_protocol
Remove the port from the default zone. This option can be specified multiple times.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --remove-port=ex_port/ex_protocol).
# firewall-cmd --add-masquerade
Enable IPv4 masquerade to the default zone. IP forwarding will be implicitly enabled.
Add the --zone option to specify a specific zone (e.g., # firewall-cmd --zone=ex_zone --add-masquerade).
# firewall-cmd \
    --add-forward-port=port=ex_port:proto=ex_protocol:toport=ex_to_port

Add an IPv4 forward port for the default zone. Forwards traffic from one port to another port on the same system.

Add the --zone option to specify a specific zone.

# firewall-cmd \
    --add-forward-port=port=ex_port:proto=ex_protocol:toaddr=ex_ip_address

Add an IPv4 forward port for the default zone. Forwards traffic from one port to another system with a specific IP address.

Add the --zone option to specify a specific zone.

# firewall-cmd \
    --add-forward-port=port=ex_port:proto=ex_protocol:toport=ex_to_port:toaddr=ex_ip_address

Add an IPv4 forward port for the default zone. Forwards traffic from one port to another port on another system with a specific IP address.

Add the --zone option to specify a specific zone.

Documentation

Run the following commands for more information on firewalld:

  • man 1 firewalld
  • man 1 firewall-config
  • man 5 firewalld.conf
  • man 5 firewalld.service
  • man 5 firewalld.zone
  • man 5 firewalld.zones
  • man 1 firewall-cmd

Also, firewalld.org is a good resource for additional firewalld documentation.
