What is Firewalld?
It is a front-end management tool for the Linux kernel’s Netfilter/iptables system. It provides a more user-friendly interface for managing firewall rules, simplifying the complexity of directly using iptables. Firewalld supports dynamic updates, allowing modifications to rules without restarting the service, and introduces the concepts of “zones” and “services” for quickly switching between different policy scenarios and setting service rules.
What is NetFilter?
It is a subsystem in the Linux kernel, first introduced in version 2.4.x. It is the packet filtering functionality framework located in the Linux kernel, providing a complete set of hook function management mechanisms, including packet filtering, network address translation (NAT), and protocol-based connection tracking, making it the “kernel space” of the Linux firewall.
Relationship between Firewalld and Iptables
Both Firewalld and Iptables are tools used to manage firewalls. Iptables primarily sets rules based on interfaces, while Firewalld sets different rules based on zones. Firewalld stores configurations in various XML files located in/etc/firewalld/ and /usr/lib/firewalld/.
Using firewall-cmd
Check running status
firewall-cmd --state
Getting “running” indicates normal operation.
Query all rules
firewall-cmd --list-all
You will see the following output:
public (default, active) # Current default zone: public, and has been activated (bound to the network card) target: default # Zone action: default means "process according to built-in rules" icmp-block-inversion: no # ICMP block inversion not enabled (normal response to ping) interfaces: ens160 # List of network cards bound to this zone sources: # List of source IPs/subnets (empty = no restriction on source address) services: cockpit dhcpv6-client ssh # A set of system services that are permanently allowed ports: # Additional raw ports (empty = no manually added ports) protocols: # Additional protocols (empty = no manually added protocols) forward: yes # IPv4 forwarding not enabled masquerade: no # IP masquerading not enabled (SNAT) forward-ports: # Port forwarding entries (empty = no forwarding) source-ports: # Source port restrictions (empty = no restrictions) icmp-blocks: # Explicitly blocked ICMP types (empty = no additional blocks) rich rules: # Advanced rich rules (empty = no custom ACL)
Additional:
Firewalld divides all network traffic into multiple zones (zone), each of which defines its own list of open or closed ports and services.
Predefined zones include trusted, public, external, home, internal, work, dmz, block, and drop.
Query service ports
<span>Rocky 10 defaults to adding three Service rules. When we are unsure which ports are open under this rule, we can use the following command to query:</span>
firewall-cmd --service=<service_name> --get-ports --permanent
Example:
firewall-cmd --service=cockpit --get-ports --permanent# 9090/tcpfirewall-cmd --service=dhcpv6-client --get-ports --permanent# 546/udpfirewall-cmd --service=ssh --get-ports --permanent# 22/tcp
Note: To query a Service, you must add the –permanent parameter, which can be abbreviated as –per.
Open specified port
Temporarily add
# Takes effect immediately but will not persist after restartfirewall-cmd --add-port=8080/tcp
Permanent addition
# Add --permanent, takes effect after reloadfirewall-cmd --permanent --add-port=8080/tcp# successfirewall-cmd --reload# success
Query port
# You can continue to use the --list-all command to query, no need to remember too many commandsfirewall-cmd --list-allpublic (default, active) target: default ingress-priority: 0 egress-priority: 0 icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client ssh ports: 8080/tcp # Port has been opened protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
# Only query ports--list-portsfirewall-cmd --list-ports# 8080/tcp
Close specified port
Similar to opening, but with different parameters
Temporarily close
# Takes effect immediately but will not persist after restart, suitable for temporarily disabling a portfirewall-cmd --remove-port=8080/tcp
Permanent closure
# Add --permanent, takes effect after reloadfirewall-cmd --permanent --remove-port=8080/tcp# successfirewall-cmd --reload# success
Advanced usage (Rich Rules)
Rich rules are a set of advanced syntax with finer granularity than service/port, supporting conditional combinations, capable of doing far more than “opening a single port”.
Only allow 192.168.1.1 to access port 8080 on this machine
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port port=8080 protocol=tcp accept'firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port port=8080 protocol=tcp accept'# firewall-cmd --reload
Only deny 192.168.1.1 access to port 8080 on this machine
# First set all to allowfirewall-cmd --permanent --add-port=8080/tcpfirewall-cmd --reload
Set rule
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port port=8080 protocol=tcp reject'firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port port=8080 protocol=tcp reject'# firewall-cmd --reload
Only deny 192.168.1.1 access to all ports
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" drop'firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" drop'# firewall-cmd --reload
Only allow 192.168.1.1 access to all ports
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" accept'firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" accept'# firewall-cmd --reload
Additional:
In the operation of denying ports, rich rules have two types of deny actions: reject and drop.
Reject notifies the source address after receiving the request, denying the request.
Drop discards the request directly after receiving it, without notifying the rejection.Common Technique 1: Disable ping
Ping uses the ICMP protocol.
The first method disables all ICMP protocols to block ping requests.
The second method blocks the ICMP protocol’s echo-request to block ping requests.
The first method
Reverse select icmp block policy
firewall-cmd --permanent --add-icmp-block-inversionfirewall-cmd --reload# When deleting# firewall-cmd --permanent --remove-icmp-block-inversion# firewall-cmd --reload
Explanation:
# When firewall-cmd --list-all is executed, public (default, active) ... icmp-block-inversion: yes # When it is no, the contents of icmp-blocks are disabled (no content means all allowed), and vice versa ... icmp-blocks: # Here fill icmptype, which can be queried through firewall-cmd --get-icmptype ...
The second method
# Query all icmptypes, choose the icmp type to disablefirewall-cmd --get-icmptype
You will see the following output (very many):
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad mld-listener-done mld-listener-query mld-listener-report mld2-listener-report neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
To block ping, you only need to disablethe echo-request type (to block echo requests).
firewall-cmd --permanent --add-icmp-block=echo-requestfirewall-cmd --reload# When deleting# firewall-cmd --permanent --remove-icmp-block=echo-request# firewall-cmd --reload
Common Technique 2: Port Forwarding
There are two types: local port forwarding and cross-host port forwarding.
Local port forwarding
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080firewall-cmd --reload
Delete forwarding rule
firewall-cmd --permanent --remove-forward-port=port=80:proto=tcp:toport=8080firewall-cmd --reload
Cross-host port forwarding
# Need to enable IP masquerading in advancefirewall-cmd --permanent --add-masqueradefirewall-cmd --reload# When deleting# firewall-cmd --permanent --remove-masquerade# firewall-cmd --reload
Add rule
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.3firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.1.3# firewall-cmd --reload
Explanation:
192.168.1.3:8080 is the remote address, ensure that 1.3’s 8080 allows access from this machine.
80 is the port on this machine after forwarding.
Common Issues
1. Why can I still access a port or ICMP even though it is disabled?
When the configuration is correct and the rules are effective, new connections will start executing the rules. If a connection has already been established or has not yet expired, access to the port may still be possible.
At this point, you either have to wait for the connection to expire or forcibly close the connection.
Solution:
# Install connection tracking toolyum install -y conntrack-tools# View established connections, confirm if your connection is among them, the third column is the expiration timeconntrack -L | grep icmp# ICMP expiration time querysysctl net.netfilter.nf_conntrack_icmp_timeout or cat /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
Force close connection
# Immediately discard all recorded network connection states (regardless of whether the connection is established).conntrack -F