How to disable firewall in Rocky Linux? [SOLVED]


Author: Omer Cakmak
Reviewer: Deepak Prasad

Introduction

firewalld is a free, open source (GPL-2.0 licensed) firewall management tool for Linux. It provides firewall capabilities by acting as a front end for the Linux kernel's netfilter framework. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges, and it separates runtime configuration from persistent configuration. firewalld itself is written in Python.

A firewall is a must for every server, but there are times, for example while debugging, when we want to stop and disable the firewalld service. In this article we will examine how to disable the firewall in Rocky Linux.

NOTE:
Although this article is written using Rocky Linux, the same steps can be used on Ubuntu, Debian, RHEL, CentOS or any other Linux distribution that ships firewalld.

Are you sure you want to disable firewalld service instead of adding the right rules?

Here we have written an extensive tutorial covering 30+ firewalld rules along with many other explanations.


Pre-requisites

The user trying to stop and disable firewall must have root or equivalent sudo access to manage firewalld service.

For our lab we will directly use the root user to perform the task.


Stop Firewalld Manually

Step-1: Stop firewalld service

Before starting we will check the status of the firewalld service with systemctl status firewalld:

[Screenshot: systemctl status firewalld output before the service is stopped]

Next we will stop the firewalld service using the systemctl command:

# systemctl stop firewalld


Step-2: Check firewalld service status

There are a couple of ways you can check the status of your firewalld service:

# firewall-cmd --state
not running

OR

# systemctl is-active firewalld
inactive

OR

# systemctl status firewalld

[Screenshot: systemctl status firewalld output showing the service inactive (dead)]

So as we can see in all the commands, our firewalld service is in inactive state.


Step-3: Disable firewalld to avoid restart post reboot

To avoid automated restart of the service, we must disable the service:

# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

Check the status

# systemctl is-enabled firewalld
disabled


Step-4: Mask the firewalld service

Any user with root-level access can still go ahead and start the service, so we can mask the service to prevent that. This step is optional and may not be required in many cases, but if you really want to be sure that no one starts the service, apply the following command:

~]# systemctl mask firewalld
Created symlink /etc/systemd/system/firewalld.service → /dev/null.

Verify the service status

~]# systemctl status firewalld
○ firewalld.service
     Loaded: masked (Reason: Unit firewalld.service is masked.)
     Active: inactive (dead) since Sat 2023-01-07 12:57:01 IST; 1h 39min ago
   Main PID: 871 (code=exited, status=0/SUCCESS)
        CPU: 1.537s

As you can see, the service is in the masked state, so even if we attempt to start the service, it fails:

~]# systemctl start firewalld
Failed to start firewalld.service: Unit firewalld.service is masked.

To unmask the service, execute the following command:

~]# systemctl unmask firewalld
Removed /etc/systemd/system/firewalld.service.
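As an added example (not part of the original article and not firewalld's own tooling), the check below ties Steps 1 to 4 together. It reads the three unit properties that matter from systemctl show, whose Key=Value output is intended for scripts, instead of grepping the human-readable systemctl status text, and reports whether firewalld is running, merely stopped (it will return at boot), disabled, or masked. The function names, the sample property lines and the live wrapper are assumptions made for this example. The active state is deliberately tested first: masking a unit does not stop an instance that is already running, so "masked" on its own does not mean the firewall is off.

```shell
#!/bin/sh
# Added example, not from the article: classify the firewalld unit from the
# machine-readable output of
#   systemctl show -p LoadState,ActiveState,UnitFileState firewalld
# The helper names below are assumptions made for this example.

# firewalld_unit_state: read Key=Value lines from stdin and print one word:
#   running  - the unit is active now (masking alone does not stop it)
#   enabled  - stopped now, but systemd will start it again at boot
#   disabled - stopped and not started at boot; root can still start it
#   masked   - unit file points at /dev/null; "systemctl start" fails
firewalld_unit_state() {
    load=""; active=""; unitfile=""
    while IFS= read -r line; do
        case "$line" in
            LoadState=*)     load="${line#LoadState=}" ;;
            ActiveState=*)   active="${line#ActiveState=}" ;;
            UnitFileState=*) unitfile="${line#UnitFileState=}" ;;
        esac
    done
    if [ "$active" = "active" ] || [ "$active" = "activating" ]; then
        echo running
    elif [ "$load" = "masked" ] || [ "$unitfile" = "masked" ]; then
        echo masked
    elif [ "$unitfile" = "enabled" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# firewall_off_for_good: succeed (exit 0) only when the unit is masked, i.e.
# stopped and unable to return either at reboot or via "systemctl start"
firewall_off_for_good() {
    [ "$(firewalld_unit_state)" = "masked" ]
}

# live_firewalld_state: the same check against the real unit (needs systemd)
live_firewalld_state() {
    systemctl show -p LoadState,ActiveState,UnitFileState firewalld | firewalld_unit_state
}

# Constructed samples of what "systemctl show" prints after each step of the article
SAMPLE_RUNNING='LoadState=loaded
ActiveState=active
UnitFileState=enabled'
SAMPLE_STOPPED_ENABLED='LoadState=loaded
ActiveState=inactive
UnitFileState=enabled'
SAMPLE_DISABLED='LoadState=loaded
ActiveState=inactive
UnitFileState=disabled'
SAMPLE_MASKED='LoadState=masked
ActiveState=inactive
UnitFileState=masked'

for sample in "$SAMPLE_RUNNING" "$SAMPLE_STOPPED_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_MASKED"; do
    printf '%s -> %s\n' "$(printf '%s' "$sample" | tr '\n' ' ')" \
                        "$(printf '%s\n' "$sample" | firewalld_unit_state)"
done
```

On a real host, live_firewalld_state prints the same one-word result; after Step 3 it prints disabled, after Step 4 it prints masked, and firewall_off_for_good can be used in a script's exit status to refuse to continue while the unit could still come back.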


One liner command to disable and stop firewalld service

Instead of executing multiple steps to stop and disable the firewalld service, we can achieve both with a single command:

~]# systemctl disable firewalld --now
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

Here the --now argument passed to systemctl disable also stops the unit immediately, so the change applies to the running system as well as to future boots.

Check the status

~]# systemctl is-active firewalld
inactive

~]# firewall-cmd --state
not running

Similarly, to enable and start the service again you can use:

~]# systemctl enable firewalld --now
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

Check the status

~]# firewall-cmd --state
running

~]# systemctl is-active firewalld
active


Disable and stop firewalld service using shell script

Here I have written a shell script which will start/stop/enable/disable/mask/unmask a service based on user input. The same can be used to manage any other systemctl service:

#!/bin/bash
# Usage: manage_service.sh <start|stop> <service>
# "start" unmasks, starts and (after confirmation) enables the unit;
# "stop" stops, (after confirmation) disables and masks it.

state=$1
service=$2

if [[ -z $state ]] || [[ -z $service ]]; then
   echo "one or more mandatory parameters missing"
   echo "Usage: $0 <start|stop> <service>"
   exit 1
fi

# Sets the global $status from the Loaded:/Active: lines of systemctl status
function check_service_status {

   status=$(systemctl status "$service" 2>/dev/null | grep 'Loaded:' | awk '{print $2}')
   if [[ $status == "loaded" ]]; then
      status=$(systemctl status "$service" 2>/dev/null | grep 'Active:' | awk '{print $2}')
   elif [[ $status == "masked" ]]; then
      status="masked"
   else
      status=""
   fi

}

# Runs "systemctl start|stop", whichever action was given on the command line
function start_stop_service {

    echo "Executing systemctl with $state option for $service service"
    systemctl "$state" "$service" >/dev/null 2>&1
    [[ $? -ne 0 ]] && echo "Failed to $state $service service" && exit 1

}

# Runs "systemctl enable|disable" after asking the user. The action is kept in
# a local variable so that the global $state (start/stop) is not overwritten.
function enable_disable_service {

    local action=$1

    read -r -p "Do you want to make permanent changes for reboot? (yes/no) " INPUT
    if [[ $INPUT == "yes" ]]; then
        systemctl "$action" "$service" >/dev/null 2>&1
        [[ $? -ne 0 ]] && echo "$action operation failed for $service service" && exit 1
    else
        echo "user entered $INPUT, skipping.."
    fi

}

# Runs "systemctl mask|unmask"
function mask_unmask_service {

    local action=$1

    systemctl "$action" "$service" >/dev/null 2>&1
    [[ $? -ne 0 ]] && echo "$action operation failed for $service service" && exit 1
}

# main
if [[ $state == "start" ]]; then
    mask_unmask_service "unmask"
    start_stop_service
    enable_disable_service "enable"

elif [[ $state == "stop" ]]; then
    start_stop_service
    enable_disable_service "disable"
    mask_unmask_service "mask"

else
    echo "Unknown action '$state': use start or stop"
    exit 1
fi

check_service_status
echo "current status of $service service: $status"
echo ""
echo "Have a Good Day!"

Output (starting a service):

~]# sh manage_service.sh start firewalld
Executing systemctl with start option for firewalld service
Do you want to make permanent changes for reboot? (yes/no) yes
current status of firewalld service: active

Have a Good Day!

Output (stopping a service):

~]# sh manage_service.sh stop firewalld
Executing systemctl with stop option for firewalld service
Do you want to make permanent changes for reboot? (yes/no) yes
current status of firewalld service: masked

Have a Good Day!


Summary

Attention should be paid to the firewall settings. Check which applications and services are running and add the firewall rules they need instead of disabling the firewall altogether; an incorrect operation may cut off access to the server.
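The summary's advice, to look at what is actually running before turning the firewall off, as an added example that is not part of the article: the first function reads the output of ss -Hltn (listening TCP sockets, numeric, no header) and prints the ports bound to a wildcard address, which is exactly what becomes reachable from the network once firewalld stops filtering; the second turns that list into the firewall-cmd --add-port commands you would run instead of disabling the firewall. The function names and the sample ss lines are constructed for this example; the live call in the last comment needs the ss utility and runs only on a real host.

```shell
#!/bin/sh
# Added example, not from the article: what becomes reachable if firewalld is
# stopped, derived from the sockets already listening on wildcard addresses.
# Function names and the sample lines are constructed for this example.

# exposed_ports: read "ss -Hltn" lines from stdin and print each TCP port
# bound to 0.0.0.0, [::] or * as "port/tcp", sorted numerically, no duplicates.
# Sockets bound to loopback (127.0.0.1, [::1]) are left out: they are not
# reachable from the network whether or not the firewall runs.
exposed_ports() {
    awk '{
        n = split($4, parts, ":")          # field 4 is Local Address:Port
        port = parts[n]                     # IPv6 has many colons; take the last piece
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print port "/tcp"
    }' | sort -n -u
}

# suggest_rules: turn "port/tcp" lines into the firewall-cmd commands that
# would allow exactly those ports instead of disabling the whole firewall
suggest_rules() {
    while IFS= read -r p; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$p"
    done
    echo 'firewall-cmd --reload'
}

# Constructed sample of "ss -Hltn" output on a small web/database host:
# ssh and the web server listen everywhere, CUPS and MariaDB only on loopback,
# cockpit on the "*" wildcard
SAMPLE_SS='LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      4096               *:9090             *:*'

echo "Ports reachable from the network once the firewall stops filtering:"
printf '%s\n' "$SAMPLE_SS" | exposed_ports
echo
echo "Rules to add instead of disabling firewalld:"
printf '%s\n' "$SAMPLE_SS" | exposed_ports | suggest_rules

# On a real host:  ss -Hltn | exposed_ports | suggest_rules
```

For the sample above the exposed list is 22/tcp, 80/tcp and 9090/tcp; the loopback-only services never appear, so the generated rules open nothing that was not already reachable, and you keep the firewall in place for everything else.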

Port and service-based firewalls seem simpler to manage, while zone-based firewalls seem to be for more complex systems.

You can also get local help with "--help" for firewall-cmd parameters:

[foc@rocky9 ~]$ firewall-cmd --help

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration
  --check-config       Check permanent configuration for errors
...


Omer Cakmak


He is highly skilled at managing Debian, Ubuntu, CentOS, Oracle Linux, and Red Hat servers. Proficient in bash scripting, Ansible, and AWX central server management, he handles server operations on OpenStack, KVM, Proxmox, and VMware. You can connect with him on his LinkedIn profile.
