30+ firewalld command Examples [Rules Cheat Sheet]



firewalld is mainly available on RHEL/CentOS and similar distributions built from the same source code. But here's where things get a bit confusing. On RHEL/CentOS 7, firewalld is implemented differently from the way it is on RHEL/CentOS 8. That's because, on RHEL/CentOS 7, firewalld uses the iptables engine as its backend. On RHEL/CentOS 8, firewalld uses nftables as its backend. Either way, you can't create rules with normal iptables or nftables commands because firewalld stores the rules in an incompatible format.

NOTE:
Now, however, firewalld is also available in the Ubuntu repositories. So, if you want to run firewalld on Ubuntu, you finally have that choice.

A big advantage of firewalld is the fact that it's dynamically managed. That means that you can change the firewall configuration without restarting the firewall service, and without interrupting any existing connections to your server.

 

Installing firewalld

On RHEL variants such as CentOS, Rocky Linux, AlmaLinux and Fedora, firewalld is installed by default because it is the default firewall on the system.

You can verify the same using:

~]# rpm -qa | grep firewalld
firewalld-filesystem-1.0.0-4.el9.noarch
firewalld-1.0.0-4.el9.noarch

If it is not installed, you can search for this package in your available repository and install it:

~]# yum search firewalld
=========================== Name Exactly Matched: firewalld ============================
firewalld.noarch : A firewall daemon with D-Bus interface providing a dynamic firewall
========================== Name & Summary Matched: firewalld ===========================
firewalld-filesystem.noarch : Firewalld directory layout and rpm macros
============================== Summary Matched: firewalld ==============================
python3-firewall.noarch : Python3 bindings for firewalld

Now that you have the package name, go ahead and install it:

~]# yum install firewalld -y

OR

~]# dnf install firewalld -y

 

Check firewalld status

firewalld is managed via systemctl, so make sure the service is up and running:

systemctl status firewalld

If it is not in running state, then you can start the same using:

systemctl start firewalld

Make sure the service is in "enabled" state to auto start on reboot:

~]# systemctl is-enabled firewalld
enabled

If it is in disabled state, then you can enable it using

systemctl enable firewalld

While the firewalld program uses standard text configuration files, you can also use the firewall-cmd command-line command for most of the things you need to do. To check if firewalld is running:

~]# firewall-cmd --state
running

If firewalld was not active, the output would show as not running.

 

Different configuration items under firewalld

firewalld manages three concepts in its configuration:

  • Zones: A firewalld zone is a group of rules that can be activated all together and assigned to a network interface. It includes different services and rules but also settings that alter the behavior of network traffic filtering.
  • Services: A firewalld service is a port or group of ports that must be configured together for a specific system service (hence the name) to work properly.
  • Ports: A firewalld port includes a port number (for example, 80) and a type of traffic (for example, TCP) and can be used to manually enable network traffic to a custom system service.

 

Understanding Firewalld Zones

Firewalld makes firewall management easier by working with zones. A zone is a collection of rules that are applied to incoming packets matching a specific source address or network interface. Firewalld applies to incoming packets only by default, and no filtering happens on outgoing packets.

The use of zones is particularly important on servers that have multiple interfaces. On such servers, zones allow administrators to easily assign a specific set of rules. On servers that have just one network interface, you might very well do with just one zone, which is the default zone. Every packet that comes into a system is analyzed for its source address, and based on that source address, Firewalld analyzes whether or not the packet belongs to a specific zone. If not, the zone for the incoming network interface is used. If no specific zone is available, the packet is handled by the settings in the default zone.

Zone names and their default settings:

  • block: Incoming network connections are rejected with an "icmp-host-prohibited" message. Only network connections that were initiated on this system are allowed.
  • dmz: For use on computers in the demilitarized zone. Only selected incoming connections are accepted, and limited access to the internal network is allowed.
  • drop: Any incoming packets are dropped and there is no reply.
  • external: For use on external networks with masquerading (Network Address Translation [NAT]) enabled, used especially on routers. Only selected incoming connections are accepted.
  • home: For use with home networks. Most computers on the same network are trusted, and only selected incoming connections are accepted.
  • internal: For use in internal networks. Most computers on the same network are trusted, and only selected incoming connections are accepted.
  • public: For use in public areas. Other computers in the same network are not trusted, and limited connections are accepted. This is the default zone for all newly created network interfaces.
  • trusted: All network connections are accepted.
  • work: For use in work areas. Most computers on the same network are trusted, and only selected incoming connections are accepted.

 

Understanding Firewalld Services

The second key element while working with Firewalld is the service.

Note that a service in Firewalld is not the same as a service in Systemd; a Firewalld service specifies what exactly should be accepted as incoming and outgoing traffic in the firewall. It typically includes ports to be opened, as well as supporting kernel modules that should be loaded. In Firewalld, some default services are defined, which allows administrators to easily allow or deny access to specific ports on a server.

Behind each service is a configuration file that explains which UDP or TCP ports are involved and, if so required, which kernel modules must be loaded. To get a list of all services available on your computer, you can use the command firewall-cmd --get-services:

~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-controller-manager kube-scheduler kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd netbios-ns nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wireguard wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Behind each service is an XML configuration file. Changes are easily made to these XML files. Default (RPM installed) XML files are stored in /usr/lib/firewalld/services. Custom XML files can be added to the /etc/firewalld/services directory and will automatically be picked up after restarting the Firewalld service.

Here are the sample contents of the ftp.xml service file:

~]# cat /usr/lib/firewalld/services/ftp.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="21"/>
  <helper name="ftp"/>
</service>

 

Create a new firewalld service

Let's say we want to install an Oracle database in our server. We must have the 1521 port open, and it must be of the TCP type. Let's create the /etc/firewalld/services/oracledb.xml file with the following content:

~]# cat /etc/firewalld/services/oracledb.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OracleDB</short>
  <description>Oracle Database firewalld service. It allows connections to the Oracle Database service. You will need to deploy Oracle Database in this machine and enable it for this option to be useful.</description>
  <port protocol="tcp" port="1521"/>
</service>

We can enable it by using the following commands:

~]# firewall-cmd --reload
success

~]# firewall-cmd --add-service oracledb
success

~]# firewall-cmd --list-services
cockpit dhcpv6-client oracledb ssh vnc-server

Now, it's ready to be used in the running configuration. We can add it to the permanent configuration like so:

~]# firewall-cmd --add-service oracledb --permanent
success
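The oracledb.xml file above was written by hand; as an added example that is not part of the original article or of firewalld's own tooling, the hypothetical shell helper below (make_firewalld_service, valid_port_spec and xml_escape are all names chosen here) generates the same layout from a name, description and port list, validating each input before writing anything. The output directory is a parameter so the file can be produced in a scratch directory and inspected before being copied into /etc/firewalld/services.

```shell
#!/bin/sh
# Hypothetical helper (not part of firewalld): write a service definition file in the
# same layout as /usr/lib/firewalld/services/*.xml after validating the inputs.
# Usage: make_firewalld_service DIR NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
# On a real host DIR would be /etc/firewalld/services; it is a parameter here so the
# function can be tried against a temporary directory first.

xml_escape() {
    # Escape the characters that are special inside an XML text node ('&' first).
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

valid_port_spec() {
    # Accept N/PROTO or N-M/PROTO with 1 <= N <= M <= 65535 and a protocol firewalld
    # understands in a <port> element (tcp, udp, sctp, dccp).
    spec=$1
    port=${spec%/*}
    proto=${spec#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in
        *-*) lo=${port%-*}; hi=${port#*-} ;;
        *)   lo=$port; hi=$port ;;
    esac
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

make_firewalld_service() {
    [ $# -ge 4 ] || { echo "usage: make_firewalld_service DIR NAME DESCRIPTION PORT/PROTO..." >&2; return 1; }
    dir=$1; name=$2; desc=$3; shift 3
    # The file name doubles as the service name; keep it to letters, digits, '-' and '_'.
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "invalid service name: $name" >&2; return 1 ;; esac
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    done
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$name")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}
```

After the generated file is copied into /etc/firewalld/services, firewall-cmd --reload makes the service available, exactly as with oracledb above.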

 

Most used common firewall-cmd options

firewall-cmd options and their meaning:

  • --get-zones: Lists all available zones
  • --get-default-zone: Shows the zone currently set as the default zone
  • --set-default-zone=<ZONE>: Changes the default zone
  • --get-services: Shows all available services
  • --list-services: Shows services currently in use
  • --add-service=<service-name> [--zone=<ZONE>]: Adds a service to the current default zone or the zone that is specified
  • --remove-service=<service-name>: Removes a service from the configuration
  • --list-all-zones: Shows configuration for all zones
  • --add-port=<port/protocol> [--zone=<ZONE>]: Adds a port and protocol
  • --remove-port=<port/protocol> [--zone=<ZONE>]: Removes a port from the configuration
  • --add-interface=<INTERFACE> [--zone=<ZONE>]: Adds an interface to the default zone or a specific zone that is specified
  • --remove-interface=<INTERFACE> [--zone=<ZONE>]: Removes an interface from a specific zone
  • --add-source=<ipaddress/netmask> [--zone=<ZONE>]: Adds a specific IP address
  • --remove-source=<ipaddress/netmask> [--zone=<ZONE>]: Removes an IP address from the configuration
  • --permanent: Writes configuration to disk and not to runtime
  • --reload: Reloads the on-disk configuration

 

Basic firewall-cmd command examples

1. Difference between adding firewall rule with and without --permanent

You may have seen some people using the --permanent argument with each of their firewall rules, while others don't use this option. So what is the difference? Let's check an example.

We will add vnc server to the firewall configuration without --permanent:

~]# firewall-cmd --add-service=vnc-server
success

~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh vnc-server

Next, restart the firewall service using systemctl restart firewalld and repeat firewall-cmd --list-services to check whether vnc-server is still present in our default zone:

~]# systemctl restart firewalld

~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh

Notice that the vnc-server service is no longer listed; the reason is that the previous command has added the service to the runtime configuration but not to the persistent configuration.

Add the vnc-server service again, but make it permanent this time, using --permanent argument:

~]# firewall-cmd --add-service vnc-server --permanent
success

Verify if vnc-server is added in our default zone. You’ll see that VNC server service is not listed. Services that have been added to the on-disk configuration are not added automatically to the runtime configuration.

 ~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh

We have to reload the configuration using --reload to reload the on-disk configuration into the runtime configuration.

~]# firewall-cmd --reload
success

 ~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh vnc-server

So if you wish to make runtime changes to verify a certain application flow without making permanent changes, apply the rule without --permanent. Otherwise, it is recommended to use the --permanent flag for persistent changes, but make sure to reload the configuration after applying a firewall rule with --permanent.

 

2. Show firewall rules for all the available zones

Use the --list-all-zones argument to list all the available zones on the server along with the rules defined for each respective zone:

~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

...

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

 

3. Show firewall rules for specific zone

To show firewall rules for a specific zone we have to use --list-all --zone=<zone_name>. For example, to list all the rules of the public zone:

firewall-cmd --list-all --zone=public

The output shows the features and what items are allowed through the firewall for that zone. The target feature defines the action for the zone:

  • default: Rejects all packets not matching the zone rules, but sends an ICMP packet to the client indicating why.
  • ACCEPT: Accepts packets not matching the zone rules.
  • DROP: Drops packets not matching the zone rules, without any reply.
  • %%REJECT%%: Rejects all packets not matching the zone rules.

The sources, services, ports, and protocols features define the rule items that are either allowed or blocked, based on the target setting.

 

4. Get the list of available zones

To see which zones are available, use firewall-cmd --get-zones.

~]# firewall-cmd --get-zones
block dmz drop eth0 eth1 eth2 eth3 eth4 external home internal lo nm-shared public trusted work

 

5. Check your default zone

To check your default firewall zone, use the following command:

~]# firewall-cmd --get-default-zone
public

 

6. Change your default zone

If you need to utilize zones, you can choose the default zone and assign interfaces to specific zones as well. Firstly, assign a new default zone as follows:

firewall-cmd --set-default-zone=work

Here, we change the default zone to the work zone. In this way, all NICs that have not been explicitly assigned to a zone will participate in the work zone. The preceding command should report back with success.

 

7. Assign a zone to specific interface

We can also explicitly assign a zone to an interface. To add interface eth1 to the public zone:

firewall-cmd --zone=public --change-interface=eth1 --permanent
firewall-cmd --reload

 

8. Get the list of active zones

Use --get-active-zones to get the list of active zones along with the interfaces attached to each respective zone:

~]# firewall-cmd --get-active-zones
eth0
  interfaces: eth0
eth1
  interfaces: eth1
eth2
  interfaces: eth2
eth3
  interfaces: eth3
eth4
  interfaces: eth4
lo
  interfaces: lo

 

9. Create new zone and add an interface to this zone

Besides the default zones, you can create your own zones to help customize your server's network environment. The --new-zone option of the firewall-cmd command defines the zone name:

# firewall-cmd --permanent --new-zone=mytest 
success

Before you can use the zone, you must tell firewalld to reload the configuration file so it knows about the new zone:

# firewall-cmd --reload
success

Then you can list the zones to see if the new zone exists:

# firewall-cmd --get-zones
block dmz drop external home internal mytest nm-shared public trusted work

Once you've created the zone, you can move a network interface to the zone using the --add-interface option:

# firewall-cmd --zone=mytest --add-interface=enp0s8
success

 

10. Check which zone an interface is mapped to

You can check what zone a specific interface is currently in by using the --get-zone-of-interface option:

~]# firewall-cmd --get-zone-of-interface=enp0s8
public

 

11. Add a firewall rule to allow TCP port

Apply the following command to permanently allow TCP port 2020 on the system, followed by firewall-cmd --reload:

~]# firewall-cmd --add-port=2020/tcp --permanent   # Add a port to the default zone
success

~]# firewall-cmd --reload
success

~]# firewall-cmd --list-ports
22/tcp 80/tcp 443/tcp 2020/tcp 7878/tcp 162/udp

~]# firewall-cmd --remove-port=2020/tcp --permanent   # Remove a port from the default zone
success

 ~]# firewall-cmd --reload
success

 ~]# firewall-cmd --list-ports
22/tcp 80/tcp 443/tcp 7878/tcp 162/udp

 

12. Add or Remove a service from a specific zone

Let's try to add and remove a service from the public zone:

~]# firewall-cmd --add-service http --zone=public --permanent   # Add a service to the public zone
success

~]# firewall-cmd --reload
success

~]# firewall-cmd --list-services --zone=public
cockpit dhcpv6-client http ssh vnc-server

~]# firewall-cmd --remove-service http --zone=public --permanent   # Remove a service from the public zone
success

~]# firewall-cmd --reload
success

~]# firewall-cmd --list-services --zone=public
cockpit dhcpv6-client ssh vnc-server

 

13. Drop all INPUT and FORWARD packets only

We would like to specifically drop all input and forward packets only (unless explicitly permitted). On top of that, we want to permit all output packets by default.

firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ethX -j ACCEPT
firewall-cmd --set-default-zone=drop

The first command ensures that SSH is not blocked, so you will still be able to log in after everything else is dropped. The direct rule allows all outbound traffic on ethX (replace it with your interface name), and the last command sets the default zone to drop so that all other incoming and forwarded traffic is dropped. Note that the first two commands are written to the permanent configuration only, so run firewall-cmd --reload to activate them, and that the 22/tcp rule lives in the public zone, so it only covers interfaces explicitly assigned to public; an interface left in the default zone ends up in drop.

 

14. Log dropped packets to specified file location

In the firewalld configuration file, configure firewalld to log dropped packets.

vim /etc/firewalld/firewalld.conf 
# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied=all

Alternatively, you can set this by running the following command:

~]# firewall-cmd --set-log-denied=all
success

The supported values are: all, unicast, broadcast, multicast, or off.

The default behaviour of this firewalld logging option is to log the dropped packets to /var/log/messages. In order to change the logging location we need to configure rsyslog to capture the dropped packets messages.

Create /etc/rsyslog.d/firewalld.conf with the following:

# log DROP and REJECT firewalld messages to /var/log/firewalld.log
:msg,contains,"_DROP" /var/log/firewalld.log
& stop
:msg,contains,"_REJECT" /var/log/firewalld.log
& stop

You can replace /var/log/firewalld.log above with any file path and name you prefer.

Restart rsyslog:

systemctl restart rsyslog.service

To verify if the configuration worked, check /var/log/firewalld.log - the file should contain DROP and REJECT logs. Also verify that no new DROP and REJECT messages are put in the /var/log/messages file.
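The rsyslog filter above keys on the _DROP and _REJECT markers in the kernel messages. As an added example (not from the original article), the shell functions below run the same kind of matching over a constructed sample of such log lines, counting denied packets per source and port and flagging sources that were refused on many distinct ports. The sample lines, host name and addresses are constructed for this example and loosely follow the layout of firewalld's LogDenied kernel messages; the function names are chosen here.

```shell
#!/bin/sh
# Hypothetical helpers (not part of firewalld): summarise LogDenied kernel messages.
# Input lines are expected in syslog layout, "... kernel: <PREFIX>_DROP: ..." or
# "... kernel: <PREFIX>_REJECT: ...", followed by netfilter KEY=VALUE fields.

# Constructed sample log, modelled on firewalld's FINAL_REJECT / STATE_INVALID_DROP
# messages. Source addresses are from documentation ranges and do not refer to real hosts.
SAMPLE_LOG='Jun  1 10:00:01 web1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=08:00:27:05:a8:37:52:54:00:12:35:02:08:00 SRC=203.0.113.9 DST=192.168.0.171 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44001 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:02 web1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.171 LEN=60 PROTO=TCP SPT=44002 DPT=3389 SYN URGP=0
Jun  1 10:00:02 web1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.171 LEN=60 PROTO=TCP SPT=44003 DPT=445 SYN URGP=0
Jun  1 10:00:03 web1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.171 LEN=60 PROTO=TCP SPT=44004 DPT=23 SYN URGP=0
Jun  1 10:00:05 web1 kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.171 LEN=40 PROTO=TCP SPT=80 DPT=51000 ACK URGP=0
Jun  1 10:00:06 web1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.171 LEN=32 PROTO=UDP SPT=5000 DPT=161 LEN=12
Jun  1 10:00:07 web1 sshd[1234]: Accepted publickey for admin from 192.168.0.20 port 50022 ssh2
Jun  1 10:00:08 web1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.171 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# summarize_denied LOGFILE
# Prints "COUNT PREFIX SRC PROTO/DPT" for every denied (prefix, source, port) combination,
# most frequent first. Lines that are not firewall drops/rejects (e.g. sshd) are ignored.
summarize_denied() {
    awk '
        /kernel:/ && /_(DROP|REJECT): / {
            pfx = ""; src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /_(DROP|REJECT):$/) pfx = substr($i, 1, length($i) - 1)
                else if ($i ~ /^SRC=/)       src = substr($i, 5)
                else if ($i ~ /^PROTO=/)     proto = substr($i, 7)
                else if ($i ~ /^DPT=/)       dpt = substr($i, 5)
            }
            if (pfx != "" && src != "") count[pfx " " src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# flag_port_scanners LOGFILE [THRESHOLD]
# Prints "SRC N" for each source denied on at least THRESHOLD (default 3) distinct
# destination ports, a simple indicator of port probing against this host.
flag_port_scanners() {
    awk -v thr="${2:-3}" '
        /kernel:/ && /_(DROP|REJECT): / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # seen[] de-duplicates repeated hits on the same port from the same source.
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' "$1" | sort
}

# Stand-alone demo against the constructed sample (run the script with the argument "demo").
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "== denied packets by prefix, source and port =="
    summarize_denied "$tmp"
    echo "== sources denied on 3 or more distinct ports =="
    flag_port_scanners "$tmp" 3
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a host configured as in this section, the same functions can be pointed at /var/log/firewalld.log instead of the sample file.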

 

15. Enable debugging in firewalld

You can enable debugging and raise the debug level inside the firewalld configuration file:

# vim /etc/sysconfig/firewalld

FIREWALLD_ARGS=--debug=10

Then restart the firewalld service to enable debugging:

systemctl restart firewalld

 

Working with firewalld Rich Rules

1. Add comment to firewalld rule

There is no comment option for firewalld rich rules yet, but a direct rule can carry one via '-m comment --comment "description"':

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -m tcp -s 10.10.10.60 --dport=80 -j ACCEPT -m comment --comment "Accept ip 60"

It can be checked with the --direct --get-all-rules option, not with firewall-cmd --list-all:

# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m tcp -s 10.10.10.60 --dport=80 -m comment --comment 'Accept ip 60' -j ACCEPT

 

2. Allow the echo requests in the drop zone

Use the following firewall command:

# firewall-cmd --permanent --zone=drop --add-rich-rule='rule icmp-type name="echo-request" accept'
success

You can read more at How to disable ICMP and ICMPv6 redirects in Linux and How to stop ICMP ping flood attack (DOS) on Linux

 

3. Add rich rule with firewall-cmd

The program also uses what it calls rich rules, which allow you to customize a rule to specify a specific object, such as a single IP address and a port or service:

# firewall-cmd --zone=mytest --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.70 port port=22 protocol=tcp reject'
success 

# firewall-cmd --reload 
success

This rich rule example rejects SSH packets (port 22) coming from a specific source address, 192.168.1.70. The command applies this rich rule to the mytest zone. You can then check if the rule was applied:

# firewall-cmd --zone=mytest --list-all
mytest
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports: 631/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.70" port port="22" protocol="tcp" reject

 

4. Firewalld rich rule to allow all incoming traffic

Execute the following commands to allow all incoming traffic:

// For IPV4 traffic
# firewall-cmd --zone=home --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" accept'

// For IPV6 traffic
# firewall-cmd --zone=home --add-rich-rule='rule family="ipv6" source address="::/0" accept'

// Make changes permanent
# firewall-cmd --runtime-to-permanent

 

5. Create and use ipset with firewalld rich rule

First, create an ipset with the list of ip addresses:

# firewall-cmd --permanent --new-ipset=myipset --type=hash:ip
success

# firewall-cmd --permanent --ipset=myipset --add-entry=10.0.0.1
success

# firewall-cmd --permanent --ipset=myipset --add-entry=10.0.0.2
success

Then configure a firewalld rich rule to make use of the ipset for a particular tcp port:

# firewall-cmd --permanent --zone=work --add-rich-rule='rule source ipset=myipset port port=12345 protocol=tcp accept'
success

# firewall-cmd --reload
success

 

6. In firewalld, are rich rules or direct rules processed first?

You can see the order of rule processing with iptables -nvxL.

firewalld is just a state machine for managing iptables rules (or nftables rules on RHEL 8).

Direct rules appear in the chains whose names end in _direct, for example INPUT_direct and OUTPUT_direct.

By following the entry point of a default chain (e.g. INPUT or OUTPUT) you can follow the hierarchy like this:

 INPUT
   INPUT_direct  # direct rules in here
   INPUT_ZONES
     IN_public
       IN_public_log
       IN_public_deny
       IN_public_allow  # firewalld services and rich rules in here

 

Advanced firewalld rules

1. Add rule for port forwarding

To forward an incoming port to another listening port and make it permanent:

# firewall-cmd --zone=<desired_zone> --add-forward-port=port=<incoming_port>:proto=<protocol>:toport=<destination_port> --permanent
# firewall-cmd --reload

The destination port must also be open for this to work.

# firewall-cmd --zone=<desired_zone> --add-port=<port>/<protocol> --permanent
# firewall-cmd --reload

Example:

Incoming HTTP requests arrive on port 80, but Apache is configured to listen on port 8080. I need to forward the incoming requests to port 8080 in the public zone:

firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
firewall-cmd --reload

 

2. Add firewall rule to block icmp packet to the certain IP

To block only ICMP echo requests (ICMP type 8) to a certain host:

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type 8 -d xx.xx.xx.xx -j DROP

To block all the traffic destined to a certain host:

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 --dst xx.xx.xx.xx -j DROP

To get the list of direct rules:

 ~]# firewall-cmd --direct --get-all-rules 
ipv4 filter OUTPUT 0 -p icmp --icmp-type 8 -d xx.xx.xxx.xx -j DROP
ipv4 filter OUTPUT 0 --dst xx.xx.xx.xx -j DROP

To remove this rule, use --remove-rule with the same rule specification:

firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 --dst xx.xx.xx.xx -j DROP

Also Read: How to disable ICMP timestamp responses in Linux

 

3. Block ICMPv4 message type 17 (Address Mask Request) and 18 (Address Mask Reply)

Use the firewall direct rules to block the ICMPv4 message type 17 and 18:

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp --icmp-type address-mask-request -j DROP
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp --icmp-type address-mask-reply -j DROP

Reload the firewall rules:

# firewall-cmd --reload

Verify the configuration:

# firewall-cmd --permanent --direct --get-all-rules 
ipv4 filter INPUT 0 -p icmp --icmp-type address-mask-request -j DROP
ipv4 filter INPUT 0 -p icmp --icmp-type address-mask-reply -j DROP

 

4. Implement TCP Wrappers user/group match in firewall rules

User and group matching is implemented in iptables and firewalld direct rules with the owner extension, e.g.:

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -m owner --uid-owner USERNAME -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -m owner --gid-owner GROUPNAME -j ACCEPT

You can also use a numeric UID (e.g. 1000) or a range (e.g. 1000-9999).

 

5. Restrict access to a server from a specific sub-network

Users can set and control IP sets to restrict the access using firewalld. To add a new IP set:

# firewall-cmd --permanent --new-ipset=block_subnet --type=hash:net

To add an entry (192.168.122.0/24) to the block_subnet IP set:

# firewall-cmd --permanent --ipset=block_subnet --add-entry=192.168.122.0/24

To get the list of current entries in block_subnet IP set:

# firewall-cmd --permanent --ipset=block_subnet --get-entries

To add the block_subnet IP set as a source to the drop zone to drop all packets coming from all entries listed in the block_subnet IP set:

# firewall-cmd --permanent --zone=drop --add-source=ipset:block_subnet

To reload firewalld configuration to activate the changes:

# firewall-cmd --reload

To confirm that the ipset is attached to the drop zone as a source:

# firewall-cmd --info-zone=drop
...
sources: ipset:block_subnet
...

 

Using cockpit web interface to manage firewall

To use the RHEL 8 web administrative interface, we must install it. The package and service running it are both called cockpit. We can install it by running the following command:

dnf install cockpit -y

Next, enable and start the service:

~]# systemctl enable --now cockpit.socket
Created symlink /etc/systemd/system/sockets.target.wants/cockpit.socket → /usr/lib/systemd/system/cockpit.socket.

Cockpit uses a clever trick to save resources. The interface is stopped but a socket is enabled to listen on port 9090. When it receives a connection, cockpit is started. This way, it will only consume resources in your machine when it is in use.

Let's access cockpit by pointing a browser to the IP of the machine and port 9090:

 ~]# ip a
...
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:05:a8:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.171/24 brd 192.168.0.255 scope global dynamic noprefixroute enp0s8
       valid_lft 6248sec preferred_lft 6248sec
    inet6 fe80::a00:27ff:fe05:a837/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
...

in this case, https://192.168.0.171:9090. Let's log in as root with the password that was provided during installation:


Now, we can access the cockpit dashboard, which contains information about the system:


Now, let's go to Networking and then click on Firewall, as shown in the following screenshot:


At this point, we can click on Add Services in the public zone section to modify it and add one more service:


The steps to add the dns service to the public zone section of the firewall are simple:

  1. Click on Services.
  2. Filter the services by typing dns into it.
  3. Select the dns service with TCP:53 and UDP:53.
  4. Click on Add Services:

Once you've done this, the service will be added to the running and permanent configurations. It will be displayed on the public zone section of cockpit:


With this, we know how to make modifications to the firewall in RHEL8 using a web interface.

 

Manage firewall rule using firewall-config GUI

By default firewall-config may not be installed on your server so you can manually install it using:

dnf -y install firewall-config

OR

yum -y install firewall-config

To access firewall-config you must connect to the graphical desktop of your RHEL server and execute the following command as the root user from the terminal:

~]# firewall-config &

This will open the firewall configuration GUI.


If all you need to do is open some firewall ports to allow access to selected services, that's very easy to do from the Firewall Configuration window. With the public zone selected, just click the services you want to open. The port allowing access to that service is opened immediately (when you select the Runtime configuration) and opened permanently (when you select the Permanent configuration).


 

Further Reading

How to configure firewalld in RHEL?

 

Deepak Prasad
