RHEL based Linux Systems use
firewalld as firewall-service. You can configure it with the
firewall-cmd-command. In this article I will guide you through the basic concepts of configuring
firewalld is a wrapper-program and uses
nftables under the hood. But if you want to you can switch to
iptables instead. But this is not in the scope of the article.
If you want to display your current ruleset, use the
[tux@server]$ firewall-cmd --list-all
This will display all rules in the default zone, normally
public. If you want to display the ruleset for another zone, add
--zone=<zone> to the command.
[tux@server]$ firewall-cmd --list-all --zone=docker
Zones will be discussed later in the article.
Add new Rules
Allow single Port
Normally you would allow single ports in your configuration. It is important that you specify if the connection is tcp or udp.
[tux@server]$ firewall-cmd --add-port=80/tcp # Add to a specific zone [tux@server]$ firewall-cmd --add-port=80/tcp --zone=docker # Add udp and tcp [tux@server]$ firewall-cmd --add-port=1024/tcp [tux@server]$ firewall-cmd --add-port=1024/udp
There are predefined services for many common use-cases like
ssh. Service are a collection of ports, used by the protocol or program. That can make your configuration easier to read of you have a service, that requires a lot of open ports.
[tux@server]$ firewall-cmd --add-service=ssh
Define a custom Service
If you want to create a service-configuration for your own service, you can do so by creating an XML-File under
Save current Ruleset
If you add a new rules, like opening a port, this is only in memory. In case you screwed up a rule, just restart your system and the old configuration is loaded. If you are sure your ruleset is working as intended, you can write the current configuration to disk.
[tux@server]$ firewall-cmd --runtime-to-permanent
This will write your configured rules to a XML-File under
If you want to revert the changes you made you can reload the configuration from disk.
[tux@server]$ firewall-cmd --reload
Delete a Rule
If you want to delete a rule you can do it like so.
[tux@server]$ firewall-cmd --remove-port=80/tcp [tux@server]$ firewall-cmd --remove-service=http
Zones are a way to configure profiles for different kinds of networks. If you are connected to a public network you most certainly don't want to open as many ports as in your home-network. You can utilize zones to quickly switch between these configurations. There are a few predefined zones, but you may define new ones as well.
Usually only the rules in the active zone are considered by
firewalld. The only exception is, if the incoming source IP matches a source-range of another zone. Than the matching source-range will override the active zone and the zone with the matching source will be used to process the request.
# All zones [tux@server]$ firewall-cmd --list-all-zones # Only active zone [tux@server]$ firewall-cmd --get-active-zone
You can assign an interface to a zone. That way all connections on this interface use the ruleset of the particular zone. A good example is to assign you WiFi Interface to the public zones, to open a minimal number of ports in public networks.
# Add a new interface [tux@server]$ firewall-cmd --zone=work --add-interface=eth0 # change an existing interface [tux@server]$ firewall-cmd --zone=work --change-interface=eth0
trusted zone is a special one. If you specify an IP or IP-Range in the source, all connections from this source will be accepted. That might be useful in a cluster, because the firewall will never block inter-cluster-communication, but you may define strict rules for access from the outside.
[tux@server]$ firewall-cmd --zone=trusted --add-source=cluster-server-01.local [tux@server]$ firewall-cmd --zone=trusted --add-source=10.0.0.0/22
Bonus Tipp for Remote Environments
If you are working on a remote server and don't have physical access to a console, firewall-configuration can be somewhat risky. If you do something wrong you locked your self out.
A little trick is to create rules with a timer.
[tux@server]$ firewall-cmd --remove-port=22/tcp && sleep 60 && firewall-cmd --reload
That way your configuration will be changed, then the shell sleeps for a minute, which gives you time to test the changes, before they get reverted. If you should do something wrong, you only have to wait for a minute before you get access again. If you know that it works, make the changes permanent.