This article describes firewalld and the basic firewall-cmd operations: installing it, adding and removing rules, listing them, and overriding a service definition.
1 Install Firewalld
Install the firewalld package, then enable and start the service:
$ sudo dnf install firewalld
$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld
2 Add rule
The --add-port option or the --add-service option adds a rule. Without the --permanent option the rule is applied to the runtime configuration only, so it does not survive a reload or restart of firewalld.
$ sudo firewall-cmd --add-port=80/tcp
$ sudo firewall-cmd --add-service=http
The argument of the --add-service option is the name of a service file in /usr/lib/firewalld/services/ (the file name without the .xml extension).
$ sudo cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
With the --permanent option the rule is written to the permanent configuration. A rule added with --permanent is not active until firewall-cmd --reload is run.
$ sudo firewall-cmd --add-port=80/tcp --permanent
$ sudo firewall-cmd --add-service=https --permanent
$ sudo firewall-cmd --reload
3 Show rule list
The --list-all option shows all rules of the active zone.
$ sudo firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: dhcpv6-client ssh mdns samba-client http
  ports: 1025-65535/udp 1025-65535/tcp 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
The --list-ports option shows only the rules added with the --add-port option.
$ sudo firewall-cmd --list-ports
1025-65535/udp 1025-65535/tcp 80/tcp
The --list-services option shows only the rules added with the --add-service option.
$ sudo firewall-cmd --list-services
dhcpv6-client ssh mdns samba-client http
4 Delete rule
The --remove-port option or the --remove-service option deletes a rule. As with adding, without the --permanent option the removal affects the runtime configuration only.
$ sudo firewall-cmd --remove-port=80/tcp
$ sudo firewall-cmd --remove-service=http
With the --permanent option the removal is written to the permanent configuration, and firewall-cmd --reload must be run before it takes effect.
$ sudo firewall-cmd --remove-port=80/tcp --permanent
$ sudo firewall-cmd --remove-service=https --permanent
$ sudo firewall-cmd --reload
5 Customize service at /etc/firewalld/services
If you need to customize an existing service or add a new one, save the service definition under /etc/firewalld/services.
If a service with the same name exists in both /usr/lib/firewalld/services and /etc/firewalld/services, the one in /etc/firewalld/services is used.
For example, create a service named test under /usr/lib/firewalld/services:
$ cat <<EOF | sudo tee /usr/lib/firewalld/services/test.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>test</short>
  <description>Test for firewalld</description>
  <port protocol="tcp" port="100"/>
</service>
EOF
$ sudo firewall-cmd --reload > /dev/null
Adding a rule with this service enables access to 100/tcp.
$ sudo firewall-cmd --add-service=test --permanent > /dev/null
$ sudo firewall-cmd --reload > /dev/null
When /etc/firewalld/services/test.xml, a definition with the same service name test, is added and firewalld is reloaded, access to 100/tcp is disabled and access to 101/tcp is enabled instead.
$ cat <<EOF | sudo tee /etc/firewalld/services/test.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>test</short>
  <description>Another test for firewalld</description>
  <port protocol="tcp" port="101"/>
</service>
EOF
$ sudo firewall-cmd --reload > /dev/null
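The following POSIX sh helper is an added example and not code from the original article or from the firewalld project. It reproduces the lookup described in sections 2 and 5 offline: a service name maps to NAME.xml, /etc/firewalld/services overrides /usr/lib/firewalld/services, and the effective definition's <port/> elements are printed as PORT/PROTOCOL so they can be compared with what firewall-cmd --list-ports shows. The FIREWALLD_ETC and FIREWALLD_LIB variables, the helper names and the sample service files built by setup_demo are all assumptions of this example; run it with the argument demo to see the override from section 5 take effect.

```shell
#!/bin/sh
# Added example (not from the original article): resolve a firewalld service
# name the way the article describes and print the ports it opens.
# The two directory variables are an assumption of this example so the helper
# can be pointed at constructed sample files instead of the live system.
FIREWALLD_ETC="${FIREWALLD_ETC:-/etc/firewalld/services}"
FIREWALLD_LIB="${FIREWALLD_LIB:-/usr/lib/firewalld/services}"

# service_file NAME: print the path of the definition firewalld would load,
# checking the override directory first; fail if the service does not exist.
service_file() {
    if [ -f "$FIREWALLD_ETC/$1.xml" ]; then
        printf '%s\n' "$FIREWALLD_ETC/$1.xml"
    elif [ -f "$FIREWALLD_LIB/$1.xml" ]; then
        printf '%s\n' "$FIREWALLD_LIB/$1.xml"
    else
        printf 'service %s not found\n' "$1" >&2
        return 1
    fi
}

# service_ports NAME: print every <port .../> element of the effective
# definition as PORT/PROTOCOL, one per line (the --list-ports form).
service_ports() {
    file="$(service_file "$1")" || return 1
    grep -o '<port [^>]*/>' "$file" | while read -r element; do
        proto="$(printf '%s' "$element" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')"
        port="$(printf '%s' "$element" | sed -n 's/.* port="\([^"]*\)".*/\1/p')"
        if [ -n "$port" ]; then
            printf '%s/%s\n' "$port" "$proto"
        else
            printf '%s\n' "$proto"   # <port protocol="udp"/> means every port
        fi
    done
}

# write_service FILE SHORT PORT: write a minimal service definition in the
# format shown in the article (constructed sample data for the demo).
write_service() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$2</short>
  <description>Constructed sample service</description>
  <port protocol="tcp" port="$3"/>
</service>
EOF
}

# setup_demo: build the article's scenario in a temporary directory:
# http and test shipped under the lib path, nothing yet under the etc path.
setup_demo() {
    DEMO_DIR="$(mktemp -d)"
    mkdir -p "$DEMO_DIR/lib" "$DEMO_DIR/etc"
    write_service "$DEMO_DIR/lib/http.xml" "WWW (HTTP)" 80
    write_service "$DEMO_DIR/lib/test.xml" "test" 100
    FIREWALLD_LIB="$DEMO_DIR/lib"
    FIREWALLD_ETC="$DEMO_DIR/etc"
}

# override_test: drop a same-named test.xml into the etc path, as in section 5.
override_test() {
    write_service "$DEMO_DIR/etc/test.xml" "test" 101
}

if [ "${1:-}" = "demo" ]; then
    setup_demo
    echo "test before override: $(service_ports test)"   # 100/tcp
    override_test
    echo "test after override:  $(service_ports test)"   # 101/tcp
    rm -rf "$DEMO_DIR"
fi
```

Pointed at the real directories (the defaults), service_ports http prints 80/tcp from the stock http.xml, and comparing its output for each name in firewall-cmd --list-services against firewall-cmd --list-ports is a quick way to confirm which ports a zone actually exposes after an override in /etc/firewalld/services.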