FirewallD Commands in Linux With Examples

FirewallD is a dynamic daemon and front-end firewall management tool written in Python. It is built around the concept of zones and supports both IPv4 and IPv6. Connections to the server can be restricted with firewalld. This article walks through the various commands for adding firewalld rules.


Environment for Testing


Operating System : CentOS Linux release 7.0.1406 (Core)
IP Address : 192.168.7.56
Hostname : linuxhelp

To Install Firewalld Package

Run the following 'yum' command to install the firewalld package on CentOS 7/RHEL and Fedora 21.

[root@linuxhelp ~]# yum install firewalld -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.webwerks.com
* extras: centos.webwerks.com
* updates: centos.webwerks.com
Resolving Dependencies
-->  Running transaction check
--->  Package firewalld-0.3.9-14.el7 will be installed
.
.
.
Installed:
firewalld-0.3.9-14.el7
Complete!


Firewalld is now installed.
Next, check the status of the iptables service. If it is still running, stop and mask it so that it does not conflict with firewalld.

[root@linuxhelp ~]# systemctl stop iptables
[root@linuxhelp ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service)
   Active: inactive (dead)

Firewalld Components

Various zones of firewalld:

Zone       Description
block      Allows established connections inside the server and rejects other incoming connections
dmz        Allows public access to a few selected services
drop       Incoming packets are dropped
external   Used when the machine acts as a router for external networks
home       Allows only selected connections; mainly used in home networks
public     Defines rules for public networks, allowing only selected connections
internal   Permits only selected connections
trusted    All traffic is accepted
work       Provides access to private (work) networks


Execute the following command to list the zones of firewalld.

[root@linuxhelp ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work


Run the following command to list the default zone of your system.

[root@linuxhelp ~]# firewall-cmd --get-default-zone
public


Use the following command to list all the zones.

[root@linuxhelp ~]# firewall-cmd --list-all-zones
block
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
dmz
  interfaces: 
  sources: 
  services: ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
.
.
.
work
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

To set a Default Zone

Run the following command for setting the default zone.

[root@linuxhelp ~]# firewall-cmd --set-default-zone=internal
success


Now verify the default zone.

[root@linuxhelp ~]# firewall-cmd --get-default-zone
internal


Run the following command with an interface name to see which zone that interface is bound to.

[root@linuxhelp ~]# firewall-cmd --get-zone-of-interface=eno16777736
internal


Another feature of firewalld is ICMP type filtering ('icmptype'). Execute the following command to list the supported ICMP types.



[root@linuxhelp ~]# firewall-cmd --get-icmptypes

To Create Your Own Service in Firewalld

Service definitions are loaded automatically when firewalld starts. Use the following command to list all the available services.

[root@linuxhelp ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap
freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec
iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs
ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd
samba samba-client smtp squid ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https


Go to the directory '/usr/lib/firewalld/services/' and list the default service definitions.



[root@linuxhelp ~]# cd /usr/lib/firewalld/services/
[root@linuxhelp services]# ls



To create a new service, copy an existing definition into '/etc/firewalld/services/' (definitions placed there take precedence over the stock ones) and edit it. Here we add a service for the RTMP port '1935'.



[root@linuxhelp ~]# cd /etc/firewalld/services/
[root@linuxhelp services]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/



Rename the 'ssh.xml' copy to 'rtmp.xml'.



Open the file and edit the short name, description, port number and protocol as follows.

[root@linuxhelp services]# vim rtmp.xml
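As an added example (not part of the original article), here is a small POSIX shell function that writes a service definition in the same XML layout as the stock files under /usr/lib/firewalld/services/. It escapes XML metacharacters in the short name and description, refuses names that could escape the target directory, and rejects out-of-range ports or unsupported protocols before anything is written. The function name write_fw_service and its argument layout are this example's own; the rtmp name and port 1935/tcp come from the article.

```shell
#!/bin/sh
# Added example, not from the original article: generate a firewalld service
# definition in the same XML layout as the stock files in
# /usr/lib/firewalld/services/. Function and argument names are this example's own.
set -u

# Escape the three characters that would break the XML if they appeared in the
# short name or description.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# write_fw_service NAME SHORT DESCRIPTION PORT PROTOCOL DIR
# Writes DIR/NAME.xml. Returns 2 on an invalid name, port or protocol (and
# writes nothing), 0 on success.
write_fw_service() {
    name=$1; short=$2; desc=$3; port=$4; proto=$5; dir=$6

    # The name becomes a file name under DIR: allow only a plain token.
    case "$name" in ''|*[!A-Za-z0-9_-]*) return 2 ;; esac
    # firewalld also knows sctp and dccp; this example only accepts the two the
    # article's services use.
    case "$proto" in tcp|udp) ;; *) return 2 ;; esac
    # Port must be an integer in 1..65535.
    case "$port" in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2

    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$(xml_escape "$short")</short>
  <description>$(xml_escape "$desc")</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Usage (as root), matching the article's rtmp service on 1935/tcp:
#   write_fw_service rtmp RTMP "Real-Time Messaging Protocol" 1935 tcp /etc/firewalld/services
```

Point it at /etc/firewalld/services/ (as root) and then run firewall-cmd --reload; the new name shows up in firewall-cmd --get-services and can be used with --add-service, exactly as in the steps that follow.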



Reload firewalld so that it picks up the new service definition.

[root@linuxhelp ~]# firewall-cmd --reload
success


To confirm that the service was added, run the command below.

[root@linuxhelp ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap
freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec
iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs
ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind
rsyncd rtmp samba samba-client smtp squid ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

To assign Services to Zones

Use the following command, to check the current state of the firewall and the other active zones.

[root@linuxhelp ~]# firewall-cmd --state
running
[root@linuxhelp ~]# firewall-cmd --get-active-zones
internal
  interfaces: eno16777736


An interface that is not explicitly bound to a zone falls into the zone named by DefaultZone= in the /etc/firewalld/firewalld.conf file (public on a fresh install). eno16777736 now shows up under internal because we changed the default zone above.

To Add Services to Zones

Use the following command to add the rtmp service to the default zone (pass --zone=NAME to target another zone).

[root@linuxhelp ~]# firewall-cmd --add-service=rtmp
success


Type the following to remove the service from the zone again.

[root@linuxhelp ~]# firewall-cmd --zone=internal --remove-service=rtmp
success


The commands above change only the runtime configuration, which is lost on the next reload. To add the service permanently, execute the following commands and reload.

[root@linuxhelp ~]# firewall-cmd --add-service=rtmp --permanent
success
[root@linuxhelp ~]# firewall-cmd --reload
success


Run the following commands to add the network range '192.168.0.0/24' as a source of the zone and to open port '1935'.

[root@linuxhelp ~]# firewall-cmd --permanent --add-source=192.168.0.0/24
success
[root@linuxhelp ~]# firewall-cmd --permanent --add-port=1935/tcp
success


Reload the firewall rules and list the rules using the below command.

[root@linuxhelp ~]# firewall-cmd --reload
success
[root@linuxhelp ~]# firewall-cmd --list-all
internal (default,active)
  interfaces: eno16777736 
  sources: 192.168.0.0/24
  services: dhcpv6-client ssh samba-client rtmp mdns ipp-client
  ports: 1935/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:  

To add a Rich Rules for Network Range

Add rich rules (runtime and permanent) that allow the http, https, vnc-server and postgresql services from the 192.168.0.0/24 range, as follows.

[root@linuxhelp ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
success
[root@linuxhelp ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent
success
[root@linuxhelp ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
success
[root@linuxhelp ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent
success
[root@linuxhelp ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
success
[root@linuxhelp ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent
success
[root@linuxhelp ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
success
[root@linuxhelp ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent
success
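As an added example (not code from the article), the function below bundles the runtime-plus-permanent pattern used for the rich rules above, and earlier for adding the service permanently, into one POSIX shell function. It validates the address range and the service name before they are spliced into the rule string, uses --query-rich-rule so that running it twice neither fails nor duplicates work, and reads the firewall-cmd binary from $FWCMD (an assumption of this example, so the function can be exercised against a stub). The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: one function that adds a
# "service from range" rich rule both at runtime and permanently. The FWCMD
# indirection is this example's own; it defaults to the real firewall-cmd.
set -u
FWCMD=${FWCMD:-firewall-cmd}

# allow_service_from_range ZONE CIDR SERVICE
# Accepts traffic for SERVICE from the IPv4 range CIDR in ZONE, in both the
# running and the permanent configuration. Returns 2 on malformed input,
# 1 if firewall-cmd fails, 0 when both rules are present afterwards.
allow_service_from_range() {
    zone=$1; cidr=$2; service=$3

    # Only dotted-quad/prefix reaches firewall-cmd; everything else is refused.
    printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 2
    [ "${cidr#*/}" -le 32 ] || return 2
    # firewalld service names are plain tokens: no quotes, spaces or separators.
    case "$service" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    case "$zone" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac

    rule="rule family=\"ipv4\" source address=\"$cidr\" service name=\"$service\" accept"

    # Runtime rule: --query-rich-rule exits 0 when the rule already exists.
    if ! "$FWCMD" --zone="$zone" --query-rich-rule "$rule" >/dev/null 2>&1; then
        "$FWCMD" --zone="$zone" --add-rich-rule "$rule" >/dev/null || return 1
    fi
    # Permanent rule: the one that survives 'firewall-cmd --reload' and a reboot.
    if ! "$FWCMD" --permanent --zone="$zone" --query-rich-rule "$rule" >/dev/null 2>&1; then
        "$FWCMD" --permanent --zone="$zone" --add-rich-rule "$rule" >/dev/null || return 1
    fi
    return 0
}

# Usage (as root), equivalent to the article's two http commands:
#   allow_service_from_range internal 192.168.0.0/24 http
```

Because the permanent rule is written separately from the runtime one, a reload after calling the function yields the same rule set that firewall-cmd --list-all shows in the article; an input such as a range with an embedded quote is rejected with status 2 rather than being passed on to firewall-cmd.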


After making the rules permanent, verify access from a client in the range.
Reload the firewall rules and list them using the commands below.

[root@linuxhelp ~]# firewall-cmd --reload
success
[root@linuxhelp ~]# firewall-cmd --list-all
internal (default,active)
  interfaces: eno16777736 
  sources: 192.168.0.0/24
  services: dhcpv6-client ssh samba-client rtmp mdns ipp-client
  ports: 1935/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
      rule family="ipv4" source address="192.168.0.0/24" service name="https" accept
      rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept
      rule family="ipv4" source address="192.168.0.0/24" service name="http" accept
      rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept


See the man page to learn more about firewalld commands.

[root@linuxhelp ~]# man firewalld
FAQ

Q: How do I remove a service that was added to a zone?
A: Type the following command:

# firewall-cmd --zone=internal --remove-service=rtmp

Q: How do I add a service to a zone?
A: Use this command:

# firewall-cmd --add-service=rtmp

Q: How do I install the firewalld package in Linux?
A: Run the following 'yum' command on CentOS 7/RHEL and Fedora 21:

# yum install firewalld -y

Q: How do I list the default zone of firewalld in Linux?
A: The following command lists the default zone of your system:

# firewall-cmd --get-default-zone

Q: How do I set a default zone in Linux?
A: Use this command to set the default zone:

# firewall-cmd --set-default-zone=internal