How to Control and Configure Your Firewall with `firewall-cmd` (with examples)

firewall-cmd is the command-line client for firewalld, the dynamic firewall daemon used on many Linux distributions. It lets users view and change both the runtime and the permanent state of the firewall's zones and rules. With firewall-cmd, administrators manage their system's network exposure by allowing, configuring, or denying specific network traffic as their requirements dictate.

Use case 1: Viewing All Available Firewall Zones and Rules in Their Runtime Configuration State

Code:

firewall-cmd --list-all-zones

Motivation:

The primary motivation for using this command is to gain insight into the current status of all firewall zones and their respective rules. It’s crucial for system administrators to have an overview of how traffic is being managed to ensure that the firewall is configured correctly and securely to meet specific network security policies. This insight helps prevent potential security loopholes and informs necessary configuration adjustments.

Explanation:

  • firewall-cmd: The base command used to interact with the firewalld service.
  • --list-all-zones: Requests a detailed listing of every configured zone and its active rules. It shows the current runtime state of the firewall, including which network services are permitted or denied in each zone.

Example output:

block
  target: %%REJECT%%
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

public
  target: default
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client https
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
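The listing above is what a practitioner audits for unintended exposure. As an added example (not part of the original page), the following POSIX shell script parses `--list-all-zones` output with awk and prints one line per zone that is actually in use, meaning a zone with an interface or a source bound to it, together with the services and ports it exposes and a note when the zone's target is ACCEPT. The input is a constructed sample: the page's two zones plus a hypothetical `trusted` zone bound by source address, so that the source-bound case is exercised as well. Real output marks active zones as `public (active)`; the parser keeps only the first word of the header line, so that is handled.

```shell
#!/bin/sh
# Added example, not from the original page: audit `firewall-cmd --list-all-zones`
# output and report what each bound zone exposes. Run it against live output with:
#   firewall-cmd --list-all-zones | audit_zones

# Constructed sample: the page's "block" and "public" zones plus a hypothetical
# "trusted" zone bound to a source network (labelled as constructed).
SAMPLE_ZONES='block
  target: %%REJECT%%
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

public
  target: default
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client https
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  interfaces: 
  sources: 10.0.0.0/24
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
'

# Read zone listing on stdin; print "zone target=... bound=... services=... ports=... note=..."
# only for zones that have at least one interface or source bound to them.
audit_zones() {
  awk '
    # Join fields 2..NF with commas; an attribute with no value yields "".
    function rest(   i, s) { s = ""; for (i = 2; i <= NF; i++) s = s (s == "" ? "" : ",") $i; return s }
    # Emit the summary line for the zone collected so far, if it is bound to anything.
    function flush(   bound, note) {
      if (zone == "" || (ifaces == "" && sources == "")) return
      bound = ifaces
      if (sources != "") bound = (bound == "" ? sources : bound "," sources)
      note = (target == "ACCEPT") ? "accept-all" : "-"
      printf "%s target=%s bound=%s services=%s ports=%s note=%s\n", zone, target, bound,
             (services == "" ? "-" : services), (ports == "" ? "-" : ports), note
    }
    # A line that does not start with whitespace is a zone header ("public" or "public (active)").
    /^[^ \t]/            { flush(); zone = $1; target = ""; ifaces = ""; sources = ""; services = ""; ports = ""; next }
    /^[ \t]+target:/     { target = $2; next }
    /^[ \t]+interfaces:/ { ifaces = rest(); next }
    /^[ \t]+sources:/    { sources = rest(); next }
    /^[ \t]+services:/   { services = rest(); next }
    /^[ \t]+ports:/      { ports = rest(); next }
    END { flush() }
  '
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_ZONES" | audit_zones
```

The `block` zone is omitted from the report because nothing is bound to it; `public` shows the two services reachable through enp0s3, and the ACCEPT target on the source-bound `trusted` zone is flagged, since such a zone allows every port for matching sources regardless of its service list.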

Use case 2: Permanently Move the Interface into the Block Zone

Code:

firewall-cmd --permanent --zone=block --change-interface=enp1s0

Motivation:

Moving an interface into the block zone effectively isolates it by blocking all incoming and outgoing traffic through that interface. This is particularly useful in scenarios where administrators need to secure compromised systems or temporarily isolate certain parts of a network from external communication while they are being audited or secured.

Explanation:

  • firewall-cmd: The command interacting with firewalld.
  • --permanent: Specifies that the change will be made to the permanent firewall configuration, which means the changes will persist after a system reboot or service restart.
  • --zone=block: Indicates the zone to which the interface will be assigned. In this case, it’s the block zone, which denies all traffic.
  • --change-interface=enp1s0: Modifies the configuration to associate the network interface enp1s0 with the specified zone.

Example output:

It produces no output on successful execution; the change is confirmed with another command, such as listing the zone configuration.

Use case 3: Permanently Open the Port for a Service in the Specified Zone

Code:

firewall-cmd --permanent --zone=public --add-service=https

Motivation:

Administrators often need to allow specific services to communicate over the network. Opening the port for HTTPS in the public zone ensures that secure web traffic can reach the server, thereby enabling secure communication with clients.

Explanation:

  • firewall-cmd: The command for configuring firewalld.
  • --permanent: Applies the changes to the permanent configuration.
  • --zone=public: Specifies the zone where the service should be enabled, typically used for general external communication.
  • --add-service=https: Indicates that the HTTPS service (port 443) should be opened in the specified zone.

Example output:

A success message confirms execution; the result can be verified by listing the services in the specified zone.

Use case 4: Permanently Close the Port for a Service in the Specified Zone

Code:

firewall-cmd --permanent --zone=public --remove-service=http

Motivation:

Removing a service helps secure the server by closing unnecessary or deprecated ports. For instance, if HTTP (unencrypted web traffic) is no longer used in favor of HTTPS, closing port 80 reduces the exposed attack surface.

Explanation:

  • firewall-cmd: Utilized to modify firewalld settings.
  • --permanent: Ensures the changes are saved persistently.
  • --zone=public: Targets the public zone for configuration changes.
  • --remove-service=http: Indicates that HTTP service (port 80) should be closed in the specified zone.

Example output:

As with the previous command, there is typically no direct output, but the operation’s success can be confirmed through zone service listings.

Use case 5: Permanently Forward a Port for Incoming Packets in the Specified Zone

Code:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" forward-port port="443" protocol="tcp" to-port="8443"'

Motivation:

Port forwarding is often required to redirect traffic from one port to another, especially if services have been reconfigured to listen on non-standard ports for security reasons, or if the application architecture demands it.

Explanation:

  • firewall-cmd: Common interface to control firewalld.
  • --permanent: Ensures the port-forwarding rule is persistent.
  • --zone=public: Designates the zone where the rule applies.
  • --add-rich-rule: Used to add more advanced rules.
  • rule family="ipv4": Specifies the IP family the rule applies to; use ipv4 or ipv6 (one rule per family, since the rich-rule syntax accepts a single value).
  • forward-port port="443": The port on which incoming packets arrive and from which they are forwarded.
  • protocol="tcp": Determines which protocol the forwarding applies to; use tcp or udp, one per rule.
  • to-port="8443": The destination port to which the packets are forwarded.

Example output:

The command prints only a success message; after a reload, the effect is visible when listing the zone's rich rules.

Use case 6: Reload Firewalld to Apply Permanent Configuration

Code:

firewall-cmd --reload

Motivation:

Reloading the firewall is necessary to apply changes made to the permanent configuration immediately. This action discards any runtime changes and implements the saved permanent settings, ensuring the firewall’s actual behavior aligns with its saved state.

Explanation:

  • firewall-cmd: Engages the firewalld service.
  • --reload: Command to refresh the running configuration using the permanent settings.

Example output:

Upon successful reloading, the command usually returns without an error.

Use case 7: Save the Runtime Configuration State to the Permanent Configuration

Code:

firewall-cmd --runtime-to-permanent

Motivation:

This command is useful when the runtime state of the firewall has been operating smoothly and aligns with security policies, allowing administrators to save this state as the official configuration to persist through reboots or service restarts.

Explanation:

  • firewall-cmd: Command-line tool for managing firewall settings.
  • --runtime-to-permanent: Transfers the currently active configurations to the permanent setting.

Example output:

The command executes silently, but the currently running configuration is now saved as the permanent configuration.
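Use cases 2 to 7 are steps of one workflow: stage permanent changes, reload so they take effect, and verify the result. As an added example (not from the original page), the script below wraps that workflow so it can be reviewed before it is applied. It assumes the page's interface and zone names (enp1s0, public) and a hypothetical DRY_RUN switch: with DRY_RUN=1, the default here, every firewall-cmd invocation is printed instead of executed, so the plan can be inspected offline; running it as root with DRY_RUN=0 applies it. The `forward_rule` helper builds the rich rule from use case 5 with a concrete family and protocol, because the `ipv4|ipv6` and `udp|tcp` notation lists the available choices and is rejected by firewall-cmd when passed literally. One caveat on use case 2: firewalld's block zone rejects incoming connections with an ICMP prohibited message and still permits connections initiated from the host itself, so a host in the block zone is not fully cut off from the network the way panic mode (use case 8) cuts it off.

```shell
#!/bin/sh
# Added example, not from the original page: stage permanent firewalld changes,
# reload, and verify. DRY_RUN is a hypothetical switch for this script only.
: "${DRY_RUN:=1}"

# Run a firewall-cmd invocation, or print it when DRY_RUN=1 (arguments that
# contain spaces or quotes are single-quoted so the printed line is copy-safe).
fw() {
  if [ "$DRY_RUN" = "1" ]; then
    out="firewall-cmd"
    for a in "$@"; do
      case $a in
        *" "*|*\"*) out="$out '$a'" ;;
        *)          out="$out $a" ;;
      esac
    done
    printf '%s\n' "$out"
  else
    firewall-cmd "$@"
  fi
}

# True when $1 is a decimal port number in 1..65535.
is_port() {
  case $1 in ""|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build a forward-port rich rule: forward_rule FAMILY PROTO FROM_PORT TO_PORT.
# Only one family and one protocol per rule; add a second rule for the other.
forward_rule() {
  family=$1 proto=$2 from=$3 to=$4
  case $family in ipv4|ipv6) ;; *) echo "forward_rule: family must be ipv4 or ipv6" >&2; return 1 ;; esac
  case $proto in tcp|udp) ;; *) echo "forward_rule: protocol must be tcp or udp" >&2; return 1 ;; esac
  is_port "$from" && is_port "$to" || { echo "forward_rule: ports must be 1..65535" >&2; return 1; }
  printf 'rule family="%s" forward-port port="%s" protocol="%s" to-port="%s"' "$family" "$from" "$proto" "$to"
}

# The page's permanent changes, applied in order, then a reload and a check.
# --reload discards runtime-only changes, so anything worth keeping that was
# made without --permanent must be saved first with --runtime-to-permanent.
apply_plan() {
  rule=$(forward_rule ipv4 tcp 443 8443) || return 1
  fw --permanent --zone=block --change-interface=enp1s0 &&
  fw --permanent --zone=public --add-service=https &&
  fw --permanent --zone=public --remove-service=http &&
  fw --permanent --zone=public --add-rich-rule="$rule" &&
  fw --reload &&
  fw --zone=public --list-services
}

apply_plan
```

After a real run, also confirm the interface binding with `firewall-cmd --get-zone-of-interface=enp1s0`: on hosts where NetworkManager manages the interface, the zone is taken from the connection profile (`nmcli connection modify <name> connection.zone block`), and a binding made only through firewall-cmd may not survive the next reconnect.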

Use case 8: Enable Panic Mode in Case of Emergency

Code:

firewall-cmd --panic-on

Motivation:

Panic mode provides a drastic measure to immediately isolate the system during an emergency, such as detecting a substantial security breach. It drops all network traffic and terminates active connections instantly, providing a protective barricade.

Explanation:

  • firewall-cmd: Executes the firewall command.
  • --panic-on: Activates a mode where all traffic is halted to protect against emergencies.

Example output:

There is no typical output; a connectivity check from another host shows that all traffic is halted.

Conclusion

firewall-cmd provides extensive control over a Linux system's firewall settings and is central to maintaining sound network security. Whether viewing configurations, adjusting service accessibility, forwarding ports, or invoking panic mode during emergencies, knowing how to use these commands makes firewall administration effective. With these commands, system administrators can manage the firewall to match their organization's security policies and network requirements.
