# How to Configure Firewalld (Basic Commands)

Updated on March 21, 2024 by InMotion Hosting Contributor

Installing Firewalld grants a long list of commands for configuring iptables rules, but there are a few tasks you should understand to get started with securing your server. Below we cover:

- Basic Firewalld CLI commands
- Changing Firewalld status
- Runtime vs. permanent configuration
- Reloading Firewalld
- Firewalld zones
- Firewalld services
- Firewalld ports
- Panic mode
- Firewalld raw files
- The firewall-config desktop app

Firewalld is pre-installed with our Cloud Server Hosting.

## Basic Firewalld Commands

### Firewalld Status

These systemd and Firewalld commands affect whether or how Firewalld is running on your system.

Start Firewalld for the current session:

    sudo systemctl start firewalld

Enable Firewalld to always start at server boot:

    sudo systemctl enable firewalld

Stop Firewalld for the current session:

    sudo systemctl stop firewalld

Disable Firewalld from starting at boot:

    sudo systemctl disable firewalld

Check whether Firewalld is running:

    sudo systemctl status firewalld

Check the Firewalld state (similar to `systemctl status`):

    sudo firewall-cmd --state

The output will be `running` or `not running`.

### Runtime Firewalld Configuration to Permanent

Runtime changes are temporary and are removed when the firewall restarts. Permanent changes are stored in configuration files.

Save runtime changes to your permanent configuration:

    sudo firewall-cmd --runtime-to-permanent

### Reload Firewalld

Reload Firewalld to merge the `--permanent` rules into the runtime configuration (this doesn't close current connections). Reloading discards runtime-only changes and applies the permanent configuration:

    sudo firewall-cmd --reload

## Firewalld Zones

Firewalld zones are predefined whitelist combinations that you can apply to your system.
Default Firewalld zones: block, dmz, drop, external, home, internal, public, trusted, work.

View all available Firewalld zones:

    sudo firewall-cmd --get-zones

You can also view the raw zone files:

    ls /etc/firewalld/zones/

See the currently used zones:

    sudo firewall-cmd --get-active-zones

Change the default Firewalld zone (e.g. to public):

    sudo firewall-cmd --set-default-zone=public

To apply a change to a specific zone rather than the default one, add the following to the command (e.g. public):

    --zone=public

### Manage Services

Predefined Firewalld services use a name in lieu of a port number and protocol (TCP or UDP) for easier management.

List available services to whitelist:

    sudo firewall-cmd --get-services

List currently whitelisted services:

    sudo firewall-cmd --list-services

Whitelist a service for runtime only in the current zone (e.g. http):

    sudo firewall-cmd --add-service=http

Whitelist a service permanently in the current zone:

    sudo firewall-cmd --add-service=http --permanent

Whitelist a service permanently in a specific zone:

    sudo firewall-cmd --zone=public --add-service=http --permanent

Remove a service permanently from a specific zone (e.g. dhcpv6-client):

    sudo firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent

### Manage Ports

Any port not covered by a predefined service can be managed as port/protocol (e.g. 80/tcp).

List currently open ports:

    sudo firewall-cmd --list-ports

List whitelisted ports in a specific zone:

    sudo firewall-cmd --zone=public --list-ports

Open a port with a specified protocol in runtime only (e.g. Mattermost):

    sudo firewall-cmd --add-port=8065/tcp

Open a port permanently:

    sudo firewall-cmd --add-port=8065/tcp --permanent

Remove a port in runtime only:

    sudo firewall-cmd --zone=public --remove-port=8065/tcp

Remove a port permanently:

    sudo firewall-cmd --zone=public --remove-port=8065/tcp --permanent

## Panic Mode

Panic mode closes and blocks all incoming and outgoing connections on the machine. If you run this while remotely connected to a machine (e.g. over SSH), your session will drop and you'll have to restart the server to regain access and reset panic mode.

    sudo firewall-cmd --panic-on

Check panic mode status:

    sudo firewall-cmd --query-panic

It should simply state `no`.

## Firewalld Files

View the system configuration files, which override the default configurations:

    ls /etc/firewalld

View the default ICMP type, service, and zone configurations. Changes to these files are overwritten during Firewalld updates:

    ls /usr/lib/firewalld

## Firewall-config Desktop Application

Users running Firewalld on a Linux desktop environment can install the firewall-config GUI application to configure firewall zones on that machine.
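The runtime-versus-permanent distinction above is easy to lose track of: a service or port added without `--permanent` works until the next `--reload`, and a rule added only with `--permanent` is not active until then. The following script (an added example, not part of the original article) compares the output of `firewall-cmd --zone=public --list-all` with its `--permanent` counterpart and reports the services and ports that exist in only one of them; the two listings embedded here are constructed samples, so it runs without firewall-cmd.

```shell
# Added example: items only at runtime disappear on `firewall-cmd --reload`;
# items only in the permanent config appear on reload. Both listings are
# CONSTRUCTED samples in the format of `firewall-cmd --zone=public --list-all`.
RUNTIME_LISTING='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http https ssh
  ports: 8065/tcp'

PERMANENT_LISTING='public
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 8065/tcp 9000/tcp'

# field_items KEY LISTING: print each value of the "KEY:" line, one per line.
field_items() {
  printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { for (i = 2; i <= NF; i++) print $i }'
}

# only_in LIST_A LIST_B: items (one per line) of LIST_A that are absent from LIST_B.
only_in() {
  printf '%s\n' "$1" | while IFS= read -r item; do
    [ -n "$item" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$item" || printf '%s\n' "$item"
  done
}

# runtime_only KEY RUNTIME PERMANENT: space-separated KEY items that --reload would drop.
runtime_only() {
  only_in "$(field_items "$1" "$2")" "$(field_items "$1" "$3")" | tr '\n' ' ' | sed 's/ *$//'
}
# permanent_only KEY RUNTIME PERMANENT: space-separated KEY items that --reload would add.
permanent_only() {
  only_in "$(field_items "$1" "$3")" "$(field_items "$1" "$2")" | tr '\n' ' ' | sed 's/ *$//'
}

for key in services ports; do
  lost=$(runtime_only "$key" "$RUNTIME_LISTING" "$PERMANENT_LISTING")
  gained=$(permanent_only "$key" "$RUNTIME_LISTING" "$PERMANENT_LISTING")
  if [ -n "$lost" ]; then
    echo "$key only at runtime (dropped by --reload; keep with --runtime-to-permanent): $lost"
  fi
  if [ -n "$gained" ]; then
    echo "$key only in permanent config (applied by --reload): $gained"
  fi
done
```

On a real host, replace the two constructed listings with `$(sudo firewall-cmd --zone=public --list-all)` and `$(sudo firewall-cmd --zone=public --list-all --permanent)`.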