This tutorial explains how to configure Firewalld service in Linux with firewall-cmd command step by step. Learn how to manage (create, list, add, remove, change and delete) zones, services and ports in detail with practical example including how to add and remove interface and IP address in zone for data filter.
For this tutorial I assume that :-
- You are familiar with basic concepts of firewalld service such as Zone, Services, Ports and Rich Language
- iptables service is disabled and masked
- firewalld service is enabled and running. You can verify the running status of firewalld service with following commands
#firewall-cmd --state #systemctl status firewalld
This tutorial is the second part of our article "How to configure Firewall in Linux Step by Step". You can read other parts of this tutorial here.
Firewalld Basic concepts Explained with Examples
This is the first part of article. This part explains basic concepts of firewalld service such as zones, services, ports and rich language including how to disable iptables service in detail with examples.
Firewalld Rich Rules Explained with Examples
This is the last part of article. This part explains Firewalld Rich Rules in detail with examples including how rich rules are used to configure the firewall in Linux.
Managing Firewalld Service with firewall-cmd command
We have three options to manage the firewalld service :-
- Direct editing in configuration files
- Using graphical tool firewall-config
- Using command line tool firewall-cmd
Unless we have expert level of knowledge, first option is not recommended. Administrators rarely use this option for management purpose.
Second option will be available only if graphic environment (X-Window) is installed. This option is easy to use and if available, you should always use it. On downside it depends on graphic environment which is very rare on Linux servers in production environment. Due to security reason administrators rarely enable the graphic environment.
Third option will be available on all platforms unless RHEL is installed with minimum installation. Virtually we can perform all management tasks with this option. In this tutorial we will also use this option.
Running configuration Vs Startup configuration
Firewalld service uses two types of configuration; running configuration and startup configuration. Startup configuration is stored in configuration files. Running configuration is stored in memory. When firewalld service starts, it reads startup configuration from configuration files and load it in memory where it is known as running configuration. Unless you make any change in running configuration it is same as the startup configuration.
Any change made in running configuration will not be available at next time when the service is reloaded. Any change made in startup configuration will not be available in current configuration, it will be available at next time when the service is reloaded. By default firewalld service works with running configuration.
Let’s understand it with a simple example. Firewalld service starts and reads the startup configuration which blocks SSH service for network 192.168.1.0/24. Firewalld service loads this configuration in memory as running configuration. At this point no host from network 192.168.1.0/24 is allowed to access the SSH service. Now suppose we want to allow single host 192.168.1.10 from this network. Based on requirement we can allow temporary or permanently.
To allow temporary we will update only running configuration with allow permission. Since we did not change the startup configuration, this temporary access will be automatically removed at next reload.
To allow permanently we will update only startup configuration with allow permission. Since we did not change the running configuration, host will not be able to access the SSH service until next reload.
To allow both temporary and permanently we have to update both configurations. Running configuration will allow the access until service is reloaded. Startup configuration will allow access after the service is reloaded and so on.
To reload the configuration and restart the service following commands are used receptively
#firewall-cmd --reload #systemctl restart firewalld
First command will reload the permanent rules without interrupting existing persistent connections. Second command will restart the service.
Zone management with firewall-cmd command
Zone is the first key element in firewalld service. The firewall-cmd command provides several options to manage the zone. Following table lists some important options
| Option | Description |
| --get-zones | Display all available zones |
| --get-default-zone | Display the zone which is currently set as default zone |
| --get-active-zones | Display all active zones |
| -- list-all | Display all configuration from default zone |
| -- list-all-zones | Display configuration from all zones |
| --set-default-zone=<ZONE> | Set specified zone as default zone |
| --new-zone | Add a new zone [zone name need to be specified] |
| --delete-zone | Delete a zone [Zone name need to be specified] |
| --zone | Used to work with other zone. [Zone name need to be specified] |
| -- add-source=<CIDR> [ -- zone=<ZONE> ] | Specified zone [Zone] will filter all incoming traffic from the specified network [CIDR]. |
| -- remove-source=<CIDR> [ -- zone=<ZONE> ] | Remove specified zone [Zone] from filtering all incoming traffic from specified network [CIDR]. |
| -- add-interface=<INTERFACE> [ -- zone=<ZONE> ] | Specified zone [Zone] will filter all incoming traffic from the specified interface [NIC]. |
| -- change- interface=<INTERFACE> [--zone=<ZONE> ] | Specified zone [Zone] will filter all incoming traffic from the specified (updated) interface [NIC]. |
| --permanent | To save change in startup configuration. By default change will save in running configuration. |
Let’s take some practical examples of how zones are managed with firewall-cmd command. Login from root account and access the shell prompt.
To view the current available zones we can use --get-zones option. To figure out which zone is set to default we can use --get-default-zone option.
As output indicates current default zone is set to public which is also system default zone.
To view the current configuration from all zones we can use --list-all-zone option. To view the configuration only from default zone we can use --list-all option.
To create a new zone we can use --new-zone option. For example following command will create a new zone (named rhcelab).
firewall-cmd --new-zone rhcelab --permanent
Since we used --permanent option, new zone will be available only after the reload. To test it, access the rhcelab zone without reloading the firewall. You will get INVALID_ZONE error.
Reload the firewall with following command
firewall-cmd --reload
Now set the new zone (rhcelab) as default zone with following command
firewall-cmd --set-default-zone rhcelab
To verify the change we can list default zone again with following command
firewall-cmd --get-default-zone
Following figure illustrates above process step by step
Let’s add an interface in this zone. In order to do this we need the name of interface. We can view the name of all detected interfaces with ip addr show command.
As following output indicates the name of interface is eno16777736. If system has multiple interfaces, they will be listed subsequently.
If system has only one interface (as above output indicates), firewalld will associate that with default zone automatically. We can verify it with --list-all option. Since (single) interface is already associated with default zone, we will get warning message if try to do the same again. Firewalld associates default interface with default zone at startup. If we multiple interfaces, only the default interface will be associated with default zone. To associate an interface with zone following command is used.
firewall-cmd --add-interface [InterfaceName] --zone [ZoneName] --permanent
As we know default interface is selected and associated with default zone only at startup for running configuration. If we have single interface then same interface will be selected as default interface. But if we have multiple interfaces, other interface may get selected as default interface. So it’s always a better idea to fix the interface with zone instead of relying on default selection process.
To fix an interface with zone we have to use the --permanent option. With permanent option, interface will get associated with defined zone permanently. Following command will associate interface eno16777736 with rhcelab zone.
firewall-cmd --add-interface eno16777736 --zone rhcelab --permanent
Following figure illustrates above process step by step
Just like interface we can also associate network address with zone. Following command will add network 192.168.1.0/24 with zone rhcelab in running configuration.
firewall-cmd --add-source 192.168.1.0/24 --zone rhcelab
To add permanently use --permanent option.
(Remember --permanent option require a configuration reload).
At this point we have successfully created a new zone (named-rhcelab) and set it as default zone. We have also added our default interface and lab network in this zone. We will use this zone to practice the remaining topics of this tutorial.
Service management with firewall-cmd command
Services are the secondary key element in firewalld. The firewall-cmd command supports several options to manage the services. Following table lists some important options.
| Option | Description |
| --get-services | Display all available services |
| --list-services | Display all services from default zone |
| --list-services --zone [ZoneName] | Display all services from specified zone [ZoneName] |
| --new-service [NewServiceName] --permanent | Create a new service with specified name. |
| --delete-service [ServiceName] --permanent | Delete the specified [existing] service |
| --add-service [ServiceName] | Add service in default zone. To add service in particular zone specify its name as argument with --zone option. To add service permanently use --permanent option. |
| --query-service [ServiceName] | Figure out whether the specified service is added in zone or not. If zone is not specified with --zone option, default zone will be used for query. |
| --remove-service [ServiceName] | Remove service from default zone. To remove service from particular zone, provide its name as argument with --zone option. To remove service permanently use --permanent option. |
Let’s understand above options in detail with some examples.
To list all pre-defined services we can use --get-services option. To list all services form particular zone we can use --list-services option. If we don’t specify the name of zone with --list-services option, it will list all services from default zone. Following figure explains both options.
Sometime pre-defined services are not sufficient. For example we may have custom applications which run their own services. To limit these applications we have to add their associated services in firewalld. To add new service we can use --new-service option. For example following command will add a new service named testservice.
firewall-cmd --new-service --permanent
Once service is added we can associate it with any existing zone temporary or permanently. To add service only in running configuration (temporary) we can use following command
firewall-cmd --add-service [ServiceName] --zone [ZoneName]
Here ServiceName is name of the service which we want to add and ZoneName is the name of the zone in which we want add the specified service.
To add the service permanently we will use following command
firewall-cmd --add-service [ServiceName] --zone [ZoneName] --permanent
We may skip zone name, if adding service in default zone. For example following command will add testservice in default zone
firewall-cmd --add-service testservice
Since above command will add service only in running configuration, it will not preserve after the reload. To add service permanently we have to use --permanent option
firewall-cmd --add-service testservice --permanent
As we know any update made with --permanent needs configuration reload.
firewall-cmd --reload
After reload service will be added in default zone.
To add service in other zone we need to specify the zone name with --zone option. For example following command will add testservice in public zone.
firewall-cmd --add-service testservice --zone public
Following figure illustrates above process step by step
To remove a service from zone we can use --remove-service option. Just like add operation we can remove service temporary or permanently. For example following command will remove testservice from default zone temporary
firewall-cmd --remove-service testservice
To remove service permanently we have to add --permanent option with above command
firewall-cmd --remove-service testservice --permanent
Following command is used to delete a service from firewalld
firewall-cmd --delete-service [ServerName] --permanent
For example to delete testservice we will use following command
firewall-cmd --delete-service testservice --permanent
Following figure illustrates above process step by step
Port management with firewall-cmd command
As we saw in previous section firewalld allows us to create and manage custom services. Custom services need custom ports. Like services we can also add or remove ports from firewall. The firewall-cmd command includes several options to manage the ports. Following table lists some important options.
| Option | Description |
| --list-ports | Display all ports from default zone. To view ports from other zone, specify its name as argument with --zone option. |
| --add-port [PortNumer/ProtocolType] | Add specified port in default zone. To add port in other zone, provide its name as argument with --zone option. To add port permanently use --permanent option. |
| --query-port [PortNumer/ProtocolType] | Find out whether the specified port is added or not. To query in particular zone, use its name as argument with --zone option. |
| --remove-port [PortNumer/ProtocolType] | Remove specified port from default zone. To remove port from other zone, provide its name as argument with --zone option. To remove port permanently use --permanent option. |
Let’s understand above options in details with some examples:-
To list all available ports from default zone we will use following command
firewall-cmd --list-ports
We can also list ports from particular zone with --zone option. For example to list all available ports from dmz zone we will use following command
firewall-cmd --list-ports --zone dmz
To add port in default zone following command is used
firewall-cmd --add-port [PortNumber]/[Protocol]
Here PortNumber is the number of port which we want to add and Protocol is the protocol [TCP or UDP] of the port.
To add the port in other zone besides default zone, specify the zone name with --zone option as following command shows
firewall-cmd --add-port [PortNumber]/[Protocol] --zone [ZoneName]
Here ZoneName is the name of the zone in which we want to add the port.
To find out whether the port is successfully added in zone or not we can use --query-port option. For example following command will query in default zone for TCP port 23
firewall-cmd --query-port 23/tcp
To remove a port from zone use following command
firewall-cmd --remove-port [PortNumber]/[Protocol] --zone [ZoneName]
Just like other operation, remove operation also work with default zone unless we specify a zone name with --zone option.
Following figure illustrates above operations step by step
To add or remove port in other zone we need to specify the zone name with --zone option. If require we can also make the change permanent with --permanent option. Following figure illustrates above operation with other zone and permanent option
In this tutorial we have worked with Zones, Services and Ports. These convenient options are limited in nature. Administrators need more control over firewall configuration. Firewalld supports rich rules which allow administrator to define custom rules. In next part of this tutorial we will understand rich rules in details with examples.