Firewalld

Commands

  • Changes made with firewall-cmd are runtime-only unless --permanent is given: they take effect immediately but do not survive --reload or a reboot. Either add --permanent (and then --reload), or test at runtime and save with --runtime-to-permanent.

  • sudo firewall-cmd --list-all: list everything enabled in the default zone (add --zone=ZONE for another zone)

  • sudo firewall-cmd --add-port=PORT/tcp: Add a port

  • sudo firewall-cmd --remove-port=PORT/tcp: Remove a port

  • sudo firewall-cmd --add-service=SERVICE: Add a service

  • sudo firewall-cmd --add-source=IP: Add a source (bind an address or CIDR to the zone)

  • sudo firewall-cmd --remove-source=IP: Remove a source

  • sudo firewall-cmd --remove-service=SERVICE: Remove a service

  • sudo firewall-cmd --set-default-zone=ZONE: Set the default zone (changes both the runtime and the permanent configuration)

  • sudo firewall-cmd --reload: Reload the permanent configuration into the runtime; runtime-only changes that were not saved are lost

  • sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="IPAddress" reject': block traffic from a specific IP (reject answers the sender; use drop instead to discard silently)

  • sudo firewall-cmd --remove-rich-rule='rule family="ipv4" source address="IPAddress" reject': remove a rich rule; rich rules have no index number, so the rule is restated to remove it (copy it from --list-rich-rules)

  • sudo firewall-cmd --list-rich-rules: list the rich rules of the default zone

  • sudo firewall-cmd --get-zones: list all zones; --get-active-zones lists only zones with interfaces or sources bound to them

  • sudo firewall-cmd --runtime-to-permanent: Save running config to permanent

  • dmesg or journalctl -k: view the kernel log, where packets matched by a rich rule with log are recorded
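A worked example of the add, verify, then persist workflow above, added here as illustration; it is not part of the original cheat sheet. FIREWALL_CMD is an assumed environment override (set FIREWALL_CMD=echo to dry-run on a host without firewalld), and the address-validation helper is this example's own check, not a firewalld feature.

```shell
#!/bin/sh
# Added example, not from the original page: block a source with a rich rule,
# confirm it is active, then persist it. FIREWALL_CMD is an assumed override
# so the script can be dry-run (FIREWALL_CMD=echo) on a host without firewalld.
FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"

# Returns 0 if $1 is a well-formed IPv4 address or CIDR with no host bits set
# (10.1.111.0/24 passes, 10.1.111.21/24 fails). A bare address is treated as /32.
valid_ipv4_cidr() {
    addr="${1%/*}"
    case "$1" in */*) prefix="${1#*/}" ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty octets, non-digits, leading zeros (octal ambiguity), values > 255
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( ip & ~mask & 0xFFFFFFFF )) -eq 0 ]
}

# Print the rich rule that blocks $1. reject answers the sender (ICMP
# unreachable / TCP RST); pass drop as $2 to discard silently instead.
block_source_rule() {
    case "$1" in */*) src="$1" ;; *) src="$1/32" ;; esac
    printf 'rule family="ipv4" source address="%s" %s\n' "$src" "${2:-reject}"
}

# Add at runtime first, so a mistake does not survive a reload; persist only
# once --query-rich-rule confirms firewalld accepted and activated the rule.
block_source() {
    valid_ipv4_cidr "$1" || { echo "invalid IPv4 address/CIDR: $1" >&2; return 2; }
    case "${2:-reject}" in reject|drop) ;; *) echo "action must be reject or drop" >&2; return 2 ;; esac
    rule=$(block_source_rule "$1" "${2:-reject}")
    $FIREWALL_CMD --add-rich-rule="$rule" || return 1
    $FIREWALL_CMD --query-rich-rule="$rule" || { echo "rule not active: $rule" >&2; return 1; }
    $FIREWALL_CMD --runtime-to-permanent
}

# Usage: sh block_source.sh 203.0.113.7 [reject|drop]
if [ $# -gt 0 ]; then
    block_source "$@"
fi
```

The runtime-first order is deliberate: if the rule locks you out, a `--reload` (or a reboot) brings back the last saved configuration, which is why nothing is persisted until the query confirms the rule is in place.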

Rich Rules

  • The rules or parts of them are placed in separate chains according to the priority and action of the rule:

    • zone_pre

    • zone_log

    • zone_deny

    • zone_allow

    • zone_post

  • When priority < 0, the rich rule will be placed in the zone_pre chain.

  • When priority == 0, the parts of the rule are split by action:

    • all log parts go to the zone_log chain

    • all reject and drop parts go to the zone_deny chain, which is walked after the log chain

    • all accept parts go to the zone_allow chain, which is walked after the deny chain

    A rule that contains log and also a deny or allow action has each part placed in the matching chain. Because the deny chain is walked before the allow chain, a priority-0 accept cannot override a priority-0 reject or drop that matches the same traffic; give the accept a negative priority so it is evaluated first.

  • When priority > 0, the rich rule will be placed in the zone_post chain.

  • firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.1.111.0/24 service name=ssh log prefix="SSH Logs" level="notice" limit value="3/m" accept': accept SSH from the subnet and log it (the source must be a network address, not a host address with a prefix; the limit keeps a scan from flooding the kernel log)

  • firewall-cmd --add-rich-rule='rule protocol value=icmp reject': reject all ICMP, including ping and path-MTU discovery messages

  • firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.92.10.90/32 port port=21 protocol=tcp reject': reject FTP control connections (tcp/21) from one host
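An added example, not from the original page, that applies the chain-placement rules above to rule text: it reads rich rules, decides which of zone_pre / zone_log / zone_deny / zone_allow / zone_post each part lands in, and prints them in the order the chains are walked. The token matching is this example's own simplification (only log, accept, reject and drop are recognised; firewalld's real parser is stricter), and the sample rules are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: classify rich rules into the
# zone_pre / zone_log / zone_deny / zone_allow / zone_post chains by priority
# and action, and print a set of rules in the order those chains are walked.
# Pure string handling; nothing is applied to a firewall.
set -f   # rule text is word-split below; keep the shell from globbing it

# Priority of a rule string; 0 when none is given. Quotes around the value are optional.
richrule_priority() {
    for tok in $1; do
        case "$tok" in
            priority=*)
                p="${tok#priority=}"; p="${p#\"}"; p="${p%\"}"
                printf '%s\n' "$p"; return 0 ;;
        esac
    done
    printf '0\n'
}

# Chains the rule's parts land in, one per line, in walk order.
richrule_chains() {
    p=$(richrule_priority "$1")
    if [ "$p" -lt 0 ]; then printf 'zone_pre\n'; return 0; fi
    if [ "$p" -gt 0 ]; then printf 'zone_post\n'; return 0; fi
    has_log=0; has_deny=0; has_allow=0
    for tok in $1; do
        case "$tok" in
            log) has_log=1 ;;
            reject|drop) has_deny=1 ;;
            accept) has_allow=1 ;;
        esac
    done
    [ "$has_log" -eq 1 ] && printf 'zone_log\n'
    [ "$has_deny" -eq 1 ] && printf 'zone_deny\n'
    [ "$has_allow" -eq 1 ] && printf 'zone_allow\n'
    return 0
}

# Read one rule per line on stdin; print "chain priority rule" in walk order:
# zone_pre (ascending priority), zone_log, zone_deny, zone_allow, zone_post
# (ascending priority). Rules with equal keys keep their input order.
richrule_walk() {
    seq=0
    while IFS= read -r rule; do
        seq=$((seq + 1))
        p=$(richrule_priority "$rule")
        for chain in $(richrule_chains "$rule"); do
            case "$chain" in
                zone_pre) rank=1 ;; zone_log) rank=2 ;; zone_deny) rank=3 ;;
                zone_allow) rank=4 ;; zone_post) rank=5 ;;
            esac
            printf '%s %s %s %s %s %s\n' "$rank" "$p" "$seq" "$chain" "$p" "$rule"
        done
    done | sort -k1,1n -k2,2n -k3,3n | cut -d' ' -f4-
}

# Constructed sample: a subnet-wide reject plus two attempts to allow one host
# from it. Only the accept with a negative priority runs before the reject.
sample_rules() {
    printf '%s\n' \
        'rule family="ipv4" source address="10.1.111.0/24" service name="ssh" reject' \
        'rule family="ipv4" source address="10.1.111.21" service name="ssh" accept' \
        'rule priority="-10" family="ipv4" source address="10.1.111.21" service name="ssh" accept'
}

sample_rules | richrule_walk
```

Running it shows the priority-0 accept for 10.1.111.21 listed after the subnet reject, so SSH from that host is rejected before the accept is ever consulted; the same accept with priority="-10" is walked first in zone_pre and wins.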
