A Beginner’s Guide to Using Firewalld in Linux Systems

What is Firewalld?

It is a front-end management tool for the Linux kernel’s Netfilter/iptables system. It provides a more user-friendly interface for managing firewall rules, simplifying the complexity of directly using iptables. Firewalld supports dynamic updates, allowing modifications to rules without restarting the service, and introduces the concepts of “zones” and “services” for quickly switching between different policy scenarios and setting service rules.

What is NetFilter?

It is a subsystem in the Linux kernel, first introduced in version 2.4.x. It is the packet filtering functionality framework located in the Linux kernel, providing a complete set of hook function management mechanisms, including packet filtering, network address translation (NAT), and protocol-based connection tracking, making it the “kernel space” of the Linux firewall.

Relationship between Firewalld and Iptables

Both Firewalld and Iptables are tools used to manage firewalls. Iptables primarily sets rules based on interfaces, while Firewalld sets different rules based on zones. Firewalld stores configurations in various XML files located in/etc/firewalld/ and /usr/lib/firewalld/.

Using firewall-cmd

Check running status

firewall-cmd --state

Getting “running” indicates normal operation.

Query all rules

firewall-cmd --list-all

You will see the following output:

public (default, active)              # Current default zone: public, and has been activated (bound to the network card)  target: default                     # Zone action: default means "process according to built-in rules"  icmp-block-inversion: no            # ICMP block inversion not enabled (normal response to ping)  interfaces: ens160                  # List of network cards bound to this zone  sources:                            # List of source IPs/subnets (empty = no restriction on source address)  services: cockpit dhcpv6-client ssh # A set of system services that are permanently allowed  ports:                              # Additional raw ports (empty = no manually added ports)  protocols:                          # Additional protocols (empty = no manually added protocols)  forward: yes                        # IPv4 forwarding not enabled  masquerade: no                      # IP masquerading not enabled (SNAT)  forward-ports:                      # Port forwarding entries (empty = no forwarding)  source-ports:                       # Source port restrictions (empty = no restrictions)  icmp-blocks:                        # Explicitly blocked ICMP types (empty = no additional blocks)  rich rules:                         # Advanced rich rules (empty = no custom ACL)

Additional:

Firewalld divides all network traffic into multiple zones (zone), each of which defines its own list of open or closed ports and services.

Predefined zones include trusted, public, external, home, internal, work, dmz, block, and drop.

Query service ports

<span>Rocky 10 defaults to adding three Service rules. When we are unsure which ports are open under this rule, we can use the following command to query:</span>

firewall-cmd --service=&lt;service_name&gt; --get-ports --permanent

Example:

firewall-cmd --service=cockpit --get-ports --permanent# 9090/tcpfirewall-cmd --service=dhcpv6-client --get-ports --permanent# 546/udpfirewall-cmd --service=ssh --get-ports --permanent# 22/tcp

Note: To query a Service, you must add the –permanent parameter, which can be abbreviated as –per.

Open specified port

Temporarily add

# Takes effect immediately but will not persist after restartfirewall-cmd --add-port=8080/tcp

Permanent addition

# Add --permanent, takes effect after reloadfirewall-cmd --permanent --add-port=8080/tcp# successfirewall-cmd --reload# success

Query port

# You can continue to use the --list-all command to query, no need to remember too many commandsfirewall-cmd --list-allpublic (default, active)  target: default  ingress-priority: 0  egress-priority: 0  icmp-block-inversion: no  interfaces: ens160  sources:   services: cockpit dhcpv6-client ssh  ports: 8080/tcp  # Port has been opened  protocols:   forward: yes  masquerade: no  forward-ports:   source-ports:   icmp-blocks:   rich rules: 
# Only query ports--list-portsfirewall-cmd --list-ports# 8080/tcp

Close specified port

Similar to opening, but with different parameters

Temporarily close

# Takes effect immediately but will not persist after restart, suitable for temporarily disabling a portfirewall-cmd --remove-port=8080/tcp

Permanent closure

# Add --permanent, takes effect after reloadfirewall-cmd --permanent --remove-port=8080/tcp# successfirewall-cmd --reload# success

Advanced usage (Rich Rules)

Rich rules are a set of advanced syntax with finer granularity than service/port, supporting conditional combinations, capable of doing far more than “opening a single port”.

Only allow 192.168.1.1 to access port 8080 on this machine

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port port=8080 protocol=tcp accept'firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port port=8080 protocol=tcp accept'# firewall-cmd --reload

Only deny 192.168.1.1 access to port 8080 on this machine

# First set all to allowfirewall-cmd --permanent --add-port=8080/tcpfirewall-cmd --reload

Set rule

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port port=8080 protocol=tcp reject'firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port port=8080 protocol=tcp reject'# firewall-cmd --reload

Only deny 192.168.1.1 access to all ports

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" drop'firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" drop'# firewall-cmd --reload

Only allow 192.168.1.1 access to all ports

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" accept'firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" accept'# firewall-cmd --reload

Additional:

In the operation of denying ports, rich rules have two types of deny actions: reject and drop.

Reject notifies the source address after receiving the request, denying the request.

Drop discards the request directly after receiving it, without notifying the rejection.Common Technique 1: Disable ping

Ping uses the ICMP protocol.

The first method disables all ICMP protocols to block ping requests.

The second method blocks the ICMP protocol’s echo-request to block ping requests.

The first method

Reverse select icmp block policy

firewall-cmd --permanent --add-icmp-block-inversionfirewall-cmd --reload# When deleting# firewall-cmd --permanent --remove-icmp-block-inversion# firewall-cmd --reload

Explanation:

# When firewall-cmd --list-all is executed, public (default, active)  ...  icmp-block-inversion: yes  # When it is no, the contents of icmp-blocks are disabled (no content means all allowed), and vice versa  ...  icmp-blocks: # Here fill icmptype, which can be queried through firewall-cmd --get-icmptype  ...

The second method

# Query all icmptypes, choose the icmp type to disablefirewall-cmd --get-icmptype

You will see the following output (very many):

address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad mld-listener-done mld-listener-query mld-listener-report mld2-listener-report neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

To block ping, you only need to disablethe echo-request type (to block echo requests).

firewall-cmd --permanent --add-icmp-block=echo-requestfirewall-cmd --reload# When deleting# firewall-cmd --permanent --remove-icmp-block=echo-request# firewall-cmd --reload

Common Technique 2: Port Forwarding

There are two types: local port forwarding and cross-host port forwarding.

Local port forwarding

firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080firewall-cmd --reload

Delete forwarding rule

firewall-cmd --permanent --remove-forward-port=port=80:proto=tcp:toport=8080firewall-cmd --reload

Cross-host port forwarding

# Need to enable IP masquerading in advancefirewall-cmd --permanent --add-masqueradefirewall-cmd --reload# When deleting# firewall-cmd --permanent --remove-masquerade# firewall-cmd --reload

Add rule

firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.3firewall-cmd --reload# Delete rule# firewall-cmd --permanent --remove-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.1.3# firewall-cmd --reload

Explanation:

192.168.1.3:8080 is the remote address, ensure that 1.3’s 8080 allows access from this machine.

80 is the port on this machine after forwarding.

Common Issues

1. Why can I still access a port or ICMP even though it is disabled?

When the configuration is correct and the rules are effective, new connections will start executing the rules. If a connection has already been established or has not yet expired, access to the port may still be possible.

At this point, you either have to wait for the connection to expire or forcibly close the connection.

Solution:

# Install connection tracking toolyum install -y conntrack-tools# View established connections, confirm if your connection is among them, the third column is the expiration timeconntrack -L | grep icmp# ICMP expiration time querysysctl net.netfilter.nf_conntrack_icmp_timeout or cat /proc/sys/net/netfilter/nf_conntrack_icmp_timeout 

Force close connection

# Immediately discard all recorded network connection states (regardless of whether the connection is established).conntrack -F

Leave a Comment