Introduction
firewalld is an open source, free (GPL-2.0 licensed) firewall management tool for Linux. It provides firewall capabilities by acting as a front end for the Linux kernel's netfilter framework. It supports IPv4 and IPv6 firewall settings and Ethernet bridges, and it separates runtime configuration from persistent configuration. firewalld is written in Python.
A firewall is a must for every server system, but there are times, for example while debugging, when we want to stop and disable the firewalld service. In this article, we will examine how to disable the firewall in Rocky Linux.
Are you sure you want to disable firewalld service instead of adding the right rules?
Here we have written an extensive tutorial covering 30+ firewalld rules along with many other explanations.
Pre-requisites
The user trying to stop and disable the firewall must have root or equivalent sudo access to manage the firewalld service.
For our lab we will use the root user directly to perform the task.
Stop Firewalld Manually
Step-1: Stop firewalld service
Before starting, we check the status of the firewalld service.
Next, we stop the firewalld service using the systemctl command:
# systemctl stop firewalld
Step-2: Check firewalld service status
There are a couple of ways you can check the status of your firewalld service:
# firewall-cmd --state
not running
OR
# systemctl is-active firewalld
inactive
OR
# systemctl status firewalld
So as we can see from all the commands, our firewalld service is in the inactive state.
Step-3: Disable firewalld to avoid restart post reboot
To avoid automated restart of the service, we must disable the service:
# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Check the status
# systemctl is-enabled firewalld
disabled
Step-4: Mask the firewalld service
It is still possible for any user with root-level access to start the service, so we can mask the service to prevent it from being started at all. This is optional and may not be required in many cases, but if you really want to be sure that no one starts the service, apply the following command:
~]# systemctl mask firewalld
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
Verify the service status
~]# systemctl status firewalld
○ firewalld.service
Loaded: masked (Reason: Unit firewalld.service is masked.)
Active: inactive (dead) since Sat 2023-01-07 12:57:01 IST; 1h 39min ago
Main PID: 871 (code=exited, status=0/SUCCESS)
CPU: 1.537s
As you can see, the service is in the masked state, so even if we attempt to start it, the attempt fails:
~]# systemctl start firewalld
Failed to start firewalld.service: Unit firewalld.service is masked.
To unmask the service, execute the following command:
~]# systemctl unmask firewalld
Removed /etc/systemd/system/firewalld.service.
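The audit side of this procedure, as an added example that is not from the article: a bash helper that parses the Loaded: and Active: lines of the systemctl status output shown above and flags a host whose firewalld is stopped, disabled or masked. The sample outputs are constructed and the function names are my own.

```shell
#!/bin/bash
# Added audit helper (not from the article): classifies a unit from the text of
# "systemctl status <unit>" so a host whose firewall was stopped, disabled or
# masked can be flagged. All sample outputs below are constructed, not captured.
SAMPLE_RUNNING='● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
     Active: active (running) since Sat 2023-01-07 11:17:01 IST; 2h ago'
SAMPLE_DISABLED='○ firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; preset: enabled)
     Active: inactive (dead) since Sat 2023-01-07 12:57:01 IST; 1h 39min ago'
SAMPLE_MASKED='○ firewalld.service
     Loaded: masked (Reason: Unit firewalld.service is masked.)
     Active: inactive (dead) since Sat 2023-01-07 12:57:01 IST; 1h 39min ago'
SAMPLE_MISSING='Unit firewalld.service could not be found.'

# classify_unit_status <status-text>: prints masked, active, inactive or not-found
classify_unit_status() {
    local loaded
    loaded=$(printf '%s\n' "$1" | awk '/Loaded:/ {print $2; exit}')
    case $loaded in
        masked) echo masked ;;
        loaded) printf '%s\n' "$1" | awk '/Active:/ {print $2; exit}' ;;
        *)      echo not-found ;;
    esac
}

# boot_policy <status-text>: the enabled/disabled field of the Loaded: line, or
# "none" when the unit is masked or missing (nothing will start it at boot)
boot_policy() {
    local policy
    policy=$(printf '%s\n' "$1" | awk -F'; ' '/Loaded:/ {print $2; exit}')
    echo "${policy:-none}"
}

# firewall_audit <status-text>: returns 0 only when firewalld is running now and
# will come back after a reboot; any other combination is reported as a finding.
firewall_audit() {
    local state policy
    state=$(classify_unit_status "$1")
    policy=$(boot_policy "$1")
    if [ "$state" = active ] && [ "$policy" = enabled ]; then
        echo "OK: firewalld is active and enabled at boot"
        return 0
    fi
    echo "FINDING: firewalld is $state (boot policy: $policy)"
    return 1
}

# Demo on a constructed sample; on a real host pass "$(systemctl status firewalld 2>&1)"
firewall_audit "$SAMPLE_MASKED" || true
```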
One-liner command to disable and stop the firewalld service
Instead of executing multiple steps to stop and disable the firewalld service, we can achieve the same with a one-liner:
~]# systemctl disable firewalld --now
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Here we use the --now argument together with the systemctl disable command so that the change is also applied to the running system, i.e. the service is stopped immediately as well as disabled.
Check the status
~]# systemctl is-active firewalld
inactive
~]# firewall-cmd --state
not running
Similarly, to enable and start the service again you can use:
~]# systemctl enable firewalld --now
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
Check the status
~]# firewall-cmd --state
running
~]# systemctl is-active firewalld
active
Disable and stop firewalld service using shell script
Here I have written a shell script which will start/stop/enable/disable/mask/unmask a service based on user input. The same can be used to manage any other systemctl service:
#!/bin/bash
# Usage: manage_service.sh <start|stop> <service>
state=$1
service=$2
if [[ -z $state ]] || [[ -z $service ]]; then
    echo "one or more mandatory parameters missing"
    echo "usage: $0 <start|stop> <service>"
    exit 1
fi

# Sets the global $status from the Loaded:/Active: lines of "systemctl status"
function check_service_status {
    local loaded
    loaded=$(systemctl status "$service" 2>/dev/null | grep 'Loaded:' | awk '{print $2}')
    if [[ $loaded == "loaded" ]]; then
        status=$(systemctl status "$service" 2>/dev/null | grep 'Active:' | awk '{print $2}')
    elif [[ $loaded == "masked" ]]; then
        status="masked"
    else
        status=""
    fi
}

# Runs "systemctl start|stop" using the $state given on the command line
function start_stop_service {
    echo "Executing systemctl with $state option for $service service"
    if ! systemctl "$state" "$service" >/dev/null 2>&1; then
        echo "Failed to $state $service service"
        exit 1
    fi
}

# Enables or disables the unit for reboot; the action is kept in a local
# variable so it does not overwrite the global $state used by start_stop_service
function enable_disable_service {
    local action=$1
    read -r -p "Do you want to make permanent changes for reboot? (yes/no) " INPUT
    if [[ $INPUT == "yes" ]]; then
        if ! systemctl "$action" "$service" >/dev/null 2>&1; then
            echo "$action operation failed for $service service"
            exit 1
        fi
    else
        echo "user entered $INPUT, skipping.."
    fi
}

# Masks or unmasks the unit, again without touching the global $state
function mask_unmask_service {
    local action=$1
    if ! systemctl "$action" "$service" >/dev/null 2>&1; then
        echo "$action operation failed for $service service"
        exit 1
    fi
}

# main
if [[ $state == "start" ]]; then
    mask_unmask_service "unmask"
    start_stop_service
    enable_disable_service "enable"
elif [[ $state == "stop" ]]; then
    start_stop_service
    enable_disable_service "disable"
    mask_unmask_service "mask"
else
    echo "unknown state '$state': expected start or stop"
    exit 1
fi
check_service_status
echo "current status of $service service: $status"
echo ""
echo "Have a Good Day!"
Output (starting a service):
~]# sh manage_service.sh start firewalld
Executing systemctl with unmask option for firewalld service
Do you want to make permanent changes for reboot? (yes/no) yes
current status of firewalld service: inactive

Have a Good Day!
Output (stopping a service):
~]# sh manage_service.sh stop firewalld
Executing systemctl with stop option for firewalld service
Do you want to make permanent changes for reboot? (yes/no) yes
current status of firewalld service: masked

Have a Good Day!
Summary
Attention should be paid to the firewall settings. Review the running applications and services before adding a firewall rule or disabling the firewall; an incorrect operation may cost you access to the server.
Port and service-based firewalls seem simpler to manage, while zone-based firewalls seem to be for more complex systems.
You can also get local help on the firewall-cmd parameters with "--help":
[foc@rocky9 ~]$ firewall-cmd --help
Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help            Prints a short help text and exists
  -V, --version         Print the version string of firewalld
  -q, --quiet           Do not print status messages

Status Options
  --state               Return and print firewalld state
  --reload              Reload firewall and keep state information
  --complete-reload     Reload firewall and lose state information
  --runtime-to-permanent Create permanent from runtime configuration
  --check-config        Check permanent configuration for errors
...