
Complete Guide to firewalld Commands

Detailed guide to configuring firewalld, the standard firewall management tool for CentOS/RHEL 7 and later.

Key Points

  • Zone-Based Management: classify network interfaces by zones for flexible control
  • Dynamic Configuration Changes: real-time configuration changes without service interruption
  • Service Definitions: easy port management with predefined services
  • Rich Rules: fine-grained control with advanced conditional specifications

Basic Concepts of firewalld

How Network Communication Works

graph TB
    subgraph "External Network"
        A[Client<br/>192.168.1.100]
    end

    subgraph "Server (192.168.1.10)"
        B[firewalld<br/>Firewall]
        C[Apache<br/>Port 80]
        D[SSH<br/>Port 22]
        E[MySQL<br/>Port 3306]
    end

    A -->|Inbound<br/>Connection Request| B
    B -->|Allowed Traffic| C
    B -->|Allowed Traffic| D
    B -.->|Denied| E

    C -->|Outbound<br/>Response| B
    D -->|Outbound<br/>Response| B
    B -->|Send Response| A

    style B fill:#ff6b6b
    style C fill:#4ecdc4
    style D fill:#4ecdc4
    style E fill:#ffeaa7

Inbound vs Outbound

| Direction | Description                         | Example                             | Control Method                   |
|-----------|-------------------------------------|-------------------------------------|----------------------------------|
| Inbound   | Connections from external to server | SSH connection, Web access          | --add-service, --add-port        |
| Outbound  | Connections from server to external | Package updates, External API calls | --add-rich-rule (specify source) |

Zone Concept

Zone Hierarchy and Roles

graph TD
    A[Network Interface] --> B[Zone Assignment]
    B --> C{Zone Type}

    C --> D[trusted<br/>Allow All]
    C --> E[public<br/>Basic Services Only]
    C --> F[internal<br/>For Internal Network]
    C --> G[dmz<br/>For DMZ]
    C --> H[work<br/>For Work Environment]
    C --> I[home<br/>For Home Environment]
    C --> J[external<br/>For External Connection]
    C --> K[drop<br/>Deny All]
    C --> L[block<br/>Deny and Respond]

    style D fill:#4ecdc4
    style E fill:#ffeaa7
    style K fill:#ff6b6b
    style L fill:#ff6b6b

Default Zone Characteristics

| Zone     | Trust Level | Purpose                  | Default Services                         |
|----------|-------------|--------------------------|------------------------------------------|
| trusted  | Highest     | Fully trusted networks   | All allowed                              |
| public   | Low         | Public networks (default)| ssh, dhcpv6-client                       |
| internal | High        | Internal networks        | ssh, mdns, samba-client, dhcpv6-client   |
| dmz      | Medium      | DMZ (demilitarized zone) | ssh                                      |
| drop     | None        | Drop all                 | None                                     |

Basic Operation Commands

Service Status Check

# Check firewalld service status
systemctl status firewalld

# Start firewalld
sudo systemctl start firewalld

# Enable auto-start
sudo systemctl enable firewalld

# Display current configuration summary
sudo firewall-cmd --list-all

# Display all zone configurations
sudo firewall-cmd --list-all-zones

Zone Management

# Check default zone
sudo firewall-cmd --get-default-zone

# List available zones
sudo firewall-cmd --get-zones

# Check active zones
sudo firewall-cmd --get-active-zones

# Change default zone
sudo firewall-cmd --set-default-zone=internal

# Check zone of interface
sudo firewall-cmd --get-zone-of-interface=eth0

# Assign interface to zone (for an interface managed by NetworkManager, set the zone on the
# connection profile instead so the binding survives reconnects:
#   nmcli connection modify eth0 connection.zone internal)
sudo firewall-cmd --zone=internal --change-interface=eth0 --permanent

Service Configuration

Predefined Service Management

# List available services
sudo firewall-cmd --get-services

# Check service details
sudo firewall-cmd --info-service=ssh

# Add service (temporary)
sudo firewall-cmd --add-service=http

# Add service (permanent)
sudo firewall-cmd --add-service=http --permanent

# Add multiple services simultaneously
sudo firewall-cmd --add-service={http,https,ssh} --permanent

# Remove service
sudo firewall-cmd --remove-service=http --permanent

# Check currently active services
sudo firewall-cmd --list-services

Commonly Used Service Examples

| Service Name | Port             | Purpose             |
|--------------|------------------|---------------------|
| ssh          | 22/tcp           | SSH connection      |
| http         | 80/tcp           | Web server          |
| https        | 443/tcp          | SSL Web server      |
| ftp          | 21/tcp           | FTP server          |
| mysql        | 3306/tcp         | MySQL database      |
| postgresql   | 5432/tcp         | PostgreSQL database |
| smtp         | 25/tcp           | Mail sending        |
| dns          | 53/tcp, 53/udp   | DNS server          |
| nfs          | 2049/tcp         | NFS file sharing    |
| samba        | 445/tcp, 139/tcp | Samba file sharing  |

Port Configuration

Direct Port Specification

# Add port (temporary)
sudo firewall-cmd --add-port=8080/tcp

# Add port (permanent)
sudo firewall-cmd --add-port=8080/tcp --permanent

# Specify port range
sudo firewall-cmd --add-port=8000-8100/tcp --permanent

# Add multiple ports simultaneously
sudo firewall-cmd --add-port={80/tcp,443/tcp,8080/tcp} --permanent

# Add UDP port
sudo firewall-cmd --add-port=1194/udp --permanent

# Remove port
sudo firewall-cmd --remove-port=8080/tcp --permanent

# Check open ports
sudo firewall-cmd --list-ports

Port Forwarding

# Configure port forwarding
sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

# Forward to a different host (masquerading must be enabled in the zone so that
# replies from 192.168.1.100 are routed back through this host)
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.100:toport=80 --permanent

# Check forwarding rules
sudo firewall-cmd --list-forward-ports

Rich Rules (Advanced Rules)

Rich Rules Syntax

# Basic syntax
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="IP/mask" service name="service_name" accept'
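The rule string above is usually assembled from variables in scripts (this guide itself uses placeholders such as admin_IP later on). The following is an added example, not code from the original guide: it validates the source address and service name before composing the rule, so an out-of-range octet, a stray quote or a typo is rejected before anything reaches firewall-cmd. The function names and the IPv4-only scope are my own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): compose a firewalld rich rule
# only from validated pieces. Assumes the rule grammar shown on this page
# (rule family="ipv4" source address=... service name=... accept|reject|drop).

# valid_ipv4 ADDR[/PREFIX]: succeed only for a well-formed IPv4 host or network
valid_ipv4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32              # no "/" given: single host
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    # Split on dots with globbing off so "*" in the input cannot expand to filenames
    old_ifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_service NAME: letters, digits, '-' and '_' only (e.g. ssh, RH-Satellite-6)
valid_service() {
    case $1 in ''|*[!A-Za-z0-9_-]*) return 1;; esac
    return 0
}

# rich_rule SOURCE SERVICE [ACTION]: print the rule string, or fail with a message
rich_rule() {
    src=$1; svc=$2; action=${3:-accept}
    valid_ipv4 "$src"    || { echo "rich_rule: bad source '$src'" >&2; return 1; }
    valid_service "$svc" || { echo "rich_rule: bad service '$svc'" >&2; return 1; }
    case $action in
        accept|reject|drop) ;;
        *) echo "rich_rule: bad action '$action'" >&2; return 1;;
    esac
    printf 'rule family="ipv4" source address="%s" service name="%s" %s\n' "$src" "$svc" "$action"
}

# rich_rule_cmd SOURCE SERVICE [ACTION]: print the firewall-cmd line for review;
# run it as root once it looks right (followed by firewall-cmd --reload)
rich_rule_cmd() {
    rule=$(rich_rule "$@") || return 1
    printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$rule"
}

# Stand-alone demonstration
rich_rule_cmd 192.168.1.0/24 http
rich_rule_cmd 192.168.1.50 ssh reject
rich_rule '192.168.1.1" service name="ftp' ssh   # rejected: quote inside the address
```

Only the composed command is printed; applying it is a separate, reviewed step, which matches the runtime-then-permanent workflow described later in the guide.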

Practical Rich Rules Examples

# Allow SSH connection from specific IP only
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent

# Allow HTTP connection from specific network
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept' --permanent

# Reject connection from specific IP
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.50" reject' --permanent

# Time-limited rule (removed after 1 hour)
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ftp" accept' --timeout=3600

# Rule with logging
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" service name="ssh" log prefix="SSH-LOG" level="info" limit value="3/m" accept' --permanent

# List Rich Rules
sudo firewall-cmd --list-rich-rules
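The rule with log prefix="SSH-LOG" above writes one kernel log line per matching packet (rate-limited by limit value="3/m"). The following is an added example, not part of the original guide: it summarises such lines per source address so that a host hammering port 22 stands out. The log lines are a constructed sample in the standard netfilter LOG format; on a real host the input would come from journalctl -k. The function name and the FLAG threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): per-source summary of the
# kernel log lines emitted by a rich rule with log prefix="SSH-LOG".
# SAMPLE_LOG is constructed for this example; hostnames, MACs and addresses are made up.

SAMPLE_LOG='Mar 10 12:00:01 web01 kernel: SSH-LOG IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 web01 kernel: SSH-LOG IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:03 web01 kernel: SSH-LOG IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:04 web01 kernel: SSH-LOG IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.168.1.100 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10004 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:05 web01 kernel: eth0: link becomes ready
Mar 10 12:00:06 web01 kernel: SSH-LOG IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=10.0.0.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10005 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# ssh_log_summary [THRESHOLD]: read log lines on stdin and print
# "COUNT SRC dpt=PORT [FLAG]" per source, most active first.
# Lines without the SSH-LOG prefix (other kernel messages) are ignored.
ssh_log_summary() {
    awk -v thr="${1:-3}" '
        /SSH-LOG/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)   # value after "SRC="
                if ($i ~ /^DPT=/) dpt = substr($i, 5)   # value after "DPT="
            }
            if (src != "") { n[src]++; port[src] = dpt }
        }
        END {
            for (s in n)
                printf "%d %s dpt=%s%s\n", n[s], s, port[s], (n[s] >= thr ? " FLAG" : "")
        }' | sort -rn
}

# Stand-alone demonstration on the constructed sample. On a real host:
#   journalctl -k --since "1 hour ago" | ssh_log_summary 3
printf '%s\n' "$SAMPLE_LOG" | ssh_log_summary 3
```

Because the rich rule rate-limits logging, the counts are a lower bound on the actual connection attempts; a source that reaches the limit is already worth a look, and the rule's source can then be narrowed as shown in the examples above.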

Outbound Control Examples

# Allow outbound connections to a specific port (direct rule in the OUTPUT chain;
# zone rich rules only filter traffic arriving at the host, not traffic leaving it)
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 443 -j ACCEPT --permanent

# Allow outbound connections to a specific IP
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 8.8.8.8 -j ACCEPT --permanent

# Note: ACCEPT rules alone restrict nothing; they only take effect together with a later
# deny rule, which must also allow established connections or inbound SSH replies are cut off

Persistence and Applying Configuration

Configuration Change Flow

sequenceDiagram
    participant U as User
    participant R as Runtime Config
    participant P as Permanent Config
    participant S as System

    U->>R: firewall-cmd (temporary setting)
    Note over R: Applied immediately<br/>Lost on restart

    U->>P: firewall-cmd --permanent
    Note over P: Saved to file<br/>Waiting for reload

    U->>S: firewall-cmd --reload
    P->>R: Apply settings to runtime
    Note over R,P: Permanent settings become active
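The runtime/permanent split in the diagram is also a safety net: a runtime change with --timeout disappears by itself if it turns out to cut you off. The following is an added example, not code from the original guide: it applies a change at runtime with a timeout, runs a connectivity check, and only on success writes the same change permanently and reloads. The FIREWALL_CMD variable exists so the logic can be exercised without firewalld; the function name and argument order are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): guarded apply of a firewalld change.
# Run as root on a real host. Assumes only the firewall-cmd options shown on this
# page: --zone, --timeout, --permanent and --reload.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# safe_apply ZONE SECONDS CHECK_COMMAND FIREWALL_ARGS...
#   1. apply FIREWALL_ARGS to ZONE at runtime only, expiring after SECONDS
#   2. run CHECK_COMMAND (for example "nc -zv 192.168.1.10 22")
#   3. on success add the same args with --permanent and --reload;
#      on failure do nothing, so the runtime rule expires on its own
safe_apply() {
    zone=$1; seconds=$2; check=$3; shift 3
    "$FIREWALL_CMD" --zone="$zone" --timeout="$seconds" "$@" || return 2
    if sh -c "$check" >/dev/null 2>&1; then
        "$FIREWALL_CMD" --zone="$zone" --permanent "$@" &&
        "$FIREWALL_CMD" --reload &&
        echo "committed to zone $zone: $*"
    else
        echo "check failed; '$*' expires from zone $zone in ${seconds}s" >&2
        return 1
    fi
}

# Stand-alone demonstration: with FIREWALL_CMD=echo the firewall-cmd arguments
# are printed instead of executed (dry run). On a real host:
#   safe_apply public 120 'nc -zv 192.168.1.10 22' --add-service=http
( FIREWALL_CMD=echo; safe_apply public 120 true --add-service=http )
```

The permanent write plus --reload is used rather than --runtime-to-permanent so that only the verified change is persisted, not whatever else happens to be in the runtime configuration at that moment. --reload keeps established connections, unlike --complete-reload.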

Configuration Management Commands

# Reload configuration (permanent → runtime)
sudo firewall-cmd --reload

# Complete restart (disconnects all connections)
sudo firewall-cmd --complete-reload

# Save current configuration to permanent
sudo firewall-cmd --runtime-to-permanent

# Check configuration files
ls /etc/firewalld/zones/

# View configuration content
sudo cat /etc/firewalld/zones/public.xml

Troubleshooting

Configuration Check and Diagnostics

# Detailed status check
sudo firewall-cmd --state
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all

# Check logs
sudo journalctl -f -u firewalld
sudo journalctl -u firewalld --since "1 hour ago"

# Connection test
telnet server_IP port_number
nc -zv server_IP port_number

# Check iptables rules (for reference)
sudo iptables -L -n
sudo iptables -t nat -L -n

Common Problems and Solutions

1. Configured but Cannot Connect

# Check if set to permanent
sudo firewall-cmd --list-services --permanent

# Reload so that permanent settings become active at runtime
sudo firewall-cmd --reload

# Check if set to correct zone
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all --zone=appropriate_zone

2. SSH Connection Lost

# Emergency response via console access
sudo firewall-cmd --add-service=ssh
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

# Stop firewall temporarily (last resort)
sudo systemctl stop firewalld

3. Want to Reset Complex Configuration

# Restore to default settings: remove the custom zone files so the built-in
# defaults in /usr/lib/firewalld/zones/ apply again, then reload.
# (The glob is expanded with root privileges because the directory is not
# readable by unprivileged users.)
sudo sh -c 'rm /etc/firewalld/zones/*.xml'
sudo firewall-cmd --complete-reload

Security Best Practices

Basic Principles

  1. Principle of Least Privilege: Open only the minimum necessary services
  2. Source Restriction: Restrict source IPs whenever possible
  3. Regular Audits: Periodic review of configurations
  4. Log Monitoring: Detection of suspicious access

# Set default zone to public
sudo firewall-cmd --set-default-zone=public

# Restrict SSH connection to specific IP
sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="admin_IP" service name="ssh" accept' --permanent

# Web server configuration
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent

# Remove unnecessary services
sudo firewall-cmd --remove-service=dhcpv6-client --permanent

# Apply configuration
sudo firewall-cmd --reload
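The "Regular Audits" principle above is easiest to keep when the review is a script. The following is an added example, not code from the original guide: it checks a permanent zone file (the /etc/firewalld/zones/*.xml files shown earlier) against an allowlist of services and ports and flags rich rules whose source is the whole IPv4 space. The zone file is a constructed sample embedded in the script; the function name and allowlist format are my own. Assumption: firewalld writes one element per line with the attribute order shown (service name=..., port port=... protocol=...), which matches the zone files it generates.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a permanent firewalld zone
# file against an allowlist. SAMPLE_ZONE is constructed for this example and
# deliberately contains three things an audit should catch.

SAMPLE_ZONE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="ftp"/>
  <port port="8080" protocol="tcp"/>
  <rule family="ipv4">
    <source address="0.0.0.0/0"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>'

# audit_zone ZONE_FILE "ALLOWED SERVICES" "ALLOWED PORTS"
# Prints one finding per line; returns 1 if there is any finding, 0 if clean.
# Services referenced inside rich rules are checked the same way as zone-level ones.
audit_zone() {
    file=$1; allowed_svc=" $2 "; allowed_port=" $3 "; rc=0
    for svc in $(grep -o '<service name="[^"]*"' "$file" \
                 | sed 's/.*name="\([^"]*\)"/\1/' | sort -u); do
        case $allowed_svc in
            *" $svc "*) ;;
            *) echo "service not in allowlist: $svc"; rc=1;;
        esac
    done
    for p in $(grep -o '<port port="[^"]*" protocol="[^"]*"' "$file" \
               | sed 's/<port port="\([^"]*\)" protocol="\([^"]*\)"/\1\/\2/'); do
        case $allowed_port in
            *" $p "*) ;;
            *) echo "port not in allowlist: $p"; rc=1;;
        esac
    done
    # A rich rule whose source is 0.0.0.0/0 restricts nothing; it is just an open service
    if grep -q 'source address="0.0.0.0/0"' "$file"; then
        echo "rich rule with unrestricted source 0.0.0.0/0"; rc=1
    fi
    return $rc
}

# Stand-alone demonstration on the constructed zone file. On a real host:
#   audit_zone /etc/firewalld/zones/public.xml "ssh http https" "" (as root)
zone_file=$(mktemp)
printf '%s\n' "$SAMPLE_ZONE" > "$zone_file"
audit_zone "$zone_file" "ssh http https" "" || echo "findings above need review"
rm -f "$zone_file"
```

Run it from cron or a configuration-management check with the allowlist that the server is supposed to have; a non-zero exit is the signal that the permanent configuration has drifted from the baseline.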

Performance Considerations

Optimization for Large Rule Sets

# Rough size of the zone configuration (line count of the --list-all output)
sudo firewall-cmd --list-all | wc -l

# Use IP sets (for controlling many IPs); a permanent ipset and the rule that
# references it become active after a reload
sudo firewall-cmd --new-ipset=allowed_ips --type=hash:ip --permanent
sudo firewall-cmd --ipset=allowed_ips --add-entry=192.168.1.100 --permanent
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source ipset="allowed_ips" accept' --permanent
sudo firewall-cmd --reload

Summary

firewalld is characterized by flexible zone-based configuration and ease of use through service definitions.

Key Points for Configuration:

  - ✅ Understand the zone concept and use it appropriately
  - ✅ Persist configuration with the permanent option
  - ✅ Implement advanced control with Rich Rules
  - ✅ Maintain security through regular configuration reviews