In this manual, I just list the basic commands for setup and configure iptables firewall using firewalld agent.

IMPORTANT: The agent firewalld.service must be startet before you can use firewall-cmd command!

NOTE: To the most arguments, you can add –permanent option, to list the permanent settings (not dynamic ones!). You can eather use the –permanent option and then the firewall-cmd –reload command, or, do the command first with –permanent option and then do the same command without –permanent option.

• List all options for firewall-cmd

  firewall-cmd --help

• Get default firewall zone

  firewall-cmd --get-default-zone
  public

• To set the default zone

  --set-default-zone=myzone

• Get all active firewall zones

  firewall-cmd --get-active-zones
  public
    interfaces: enp0s31f6

To list everything from one zone, you can use the –list-all switch:

• List everything in a zone

  firewall-cmd --list-all --zone=public
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: enp0s31f6
    sources:
    services: ssh mdns dhcpv6-client http https
    ports: 8080/tcp 8443/tcp
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

• Get all firewall zones

  firewall-cmd --get-zones
  FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work

• Get all firewall (preconfigured) services

  firewall-cmd --get-services
  RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc 
  ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch 
  freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https 
  imap imaps ipp ipp-client ipsec iscsi-target kadmin kde-connect kerberos kibana klogin kpasswd kshell ldap ldaps libvirt 
  libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole 
  ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster 
  quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync 
  squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server 
  wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

• Get firewall zone for interface enp0s31f6

  firewall-cmd --get-zone-of-interface=enp0s31f6
  public

• Get firewall zone for interface virbr0

  firewall-cmd --get-zone-of-interface=virbr0
  no zone

NOTE: If you have given a wrong ethernet interface name, it will not complain about the name, but just list no zone!

To list the interfaces of all zones, use this command:

• Get intefaces of all zones

  for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-interfaces --zone=$z; done
  === FedoraServer:
   
  === FedoraWorkstation:
   
  === block:
   
  === dmz:
   
  === drop:
   
  === external:
   
  === home:
   
  === internal:
   
  === public:
  enp0s31f6
  === trusted:
   
  === work:

A lot of services are preconfigured (port(s) and protocol(s)). Each zone can have different services, to list all services of default zone, use following command:

• List all services for default zones

  firewall-cmd --list-all-services
  ssh mdns dhcpv6-client

• List all services for a defined zones

  firewall-cmd --list-services --zone=<zone name>
  ssh mdns dhcpv6-client

If you want to list all services, you can use this for loop:

• Get services of all zones (per zone)

  for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-services --zone=$z; done
  === FedoraServer:
  ssh dhcpv6-client
  === FedoraWorkstation:
  dhcpv6-client ssh samba-client
  === block:
   
  === dmz:
  ssh
  === drop:
   
  === external:
  ssh
  === home:
  ssh mdns samba-client dhcpv6-client
  === internal:
  ssh mdns samba-client dhcpv6-client
  === public:
  ssh mdns dhcpv6-client
  === trusted:
   
  === work:
  ssh mdns dhcpv6-client

Sometimes you want to have more information about a service configuration, which is pre-defined.

• Show service configuration

  firewall-cmd --info-service=vnc-server
  vnc-server
    ports: 5900-5903/tcp
    protocols:
    source-ports:
    modules:
    destination:

If the port is not defined in a pre-defined service, you also can add ports to the configuration of the firewall. Here, I show how-to list these ports in a zone.

• List active port in a zone

  firewall-cmd --list-ports --zone=public
  8080/tcp 8443/tcp

• Get default firewall zone

  firewall-cmd --get-default-zone
  public

IMPORTANT: Also for the configuration, you can add the –permanent switch, this will make the setting permanent. If you ommit this switch, the setting is set dynamically, it will not survife a reboot!

NOTE: To setup a new service or port, you always should test it in dynamic mode, when fine, use the permanent switch.

NOTE: If you work on only one zone, it makes sense to define this zone as the default zone:

• Get default firewall 'zone'

  firewall-cmd --set-default-zone=<zone name>

NOTE: Don't forget the command to list all services, see «Firewall services»

• Setup 'http' and 'https' services dynamically

  firewall-cmd --add-service=http --add-service=https --zone=public
  success

• Setup 'http' and 'https' services permanently

  firewall-cmd --permanent --add-service=http --add-service=https --zone=public
  success

• Get all available firewall icmp types

  firewall-cmd --get-icmptypes
  address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy 
  fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad 
  neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable 
  no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route 
  required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded 
  timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable 
  ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

• Get all 'ipset' types

  firewall-cmd --get-ipset-types
  hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net

• Show all available ipsets

  firewall-cmd --get-ipsets

NOTE: To list all services of the zone, check this out: «Firewall services»

• Remove 'http' and 'https' services dynamically

  firewall-cmd --remove-service=http --remove-service=https --zone=public
  success

• Remove 'http' and 'https' services permanently

  firewall-cmd --permanent --remove-service=http --remove-service=https --zone=public
  success

If the service you want to configure is not pre-defined, you can add the ports manually.

• Setup 8080 and 8443 port dynamically

  firewall-cmd --add-port=8080/tcp --add-port=8443/tcp --zone=public
  success

• Setup 8080 and 8443 ports permanently

  firewall-cmd --permanent --add-port=8080/tcp --add-port=8443/tcp --zone=public
  success

NOTE: To list all ports in a zone, refer to «Firewall ports» chapter.

• Setup 8080 and 8443 port dynamically

  firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
  success

• Setup 8080 and 8443 ports permanently

  firewall-cmd --permanent --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
  success

Sometimes, it's necesary to add an interface to a zone.

• Add a interface to a zone

firewall-cmd --add-interface=eth0 --zone=public

Sometimes it's very helpful to define source IP's or IP ranges. To do this, you have to add a rich rule using this switch –add-rich-rule:

In some cases, the whole subnet with enabling all ports is required. Next rule shows how-to.

• Add the whole subnet (192.168.11.0/24, TCP) to config:

  firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=tcp accept' --zone=public
  firewall-cmd --reload

• The same, but for UDP:

  firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=udp accept' --zone=public
  firewall-cmd --reload

In this example, I add a rule for NFS service, which allows connections from '192.168.122.0/24' subnet.

• Setup 'nfs' service to allow only from '192.168.122.0/24' network

  firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
  success
  firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
  success

It is also possible to add as specified port (in this case '389' for LDAP). This allows all connections from '192.168.122.0/24' subnet on this port:

• Setup port 389 to allow only from 192.168.122.0/24 network

  firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
  success
  firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
  success

NOTE: This could also be done using the service rule!

Sometimes, you also need some UDP port open. For example DNS:

• Setup UDP port 53 for DNS service:

  firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" port protocol=udp port=53 accept' --zone=public
  firewall-cmd --reload

Sometimes it's necessary to add/remove special rules. For example you want to allow access to MySQL port '3306', but only from a defined source (IP). This can be done by using rich rules, the next example shows the how-to:

• Add a rich rule

  firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public

• Remove a rich rule

  firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public

IMPORTANT: In this example the rule is not defined permanently!

In some cases, a role is not possible to implement using standard firewalld command (including rich rules). In such a case, you can add direct rules (syntax of the corresponding firewall: iptables or nftables syntax).

firewall-cmd --direct --get-all-rules

The syntax how-to add a direct rule is quite similar to the backend firewall (iptables, ebtables or nftables). Here an example:

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP 

Description (based on iptables backend):

firewall-cmd --direct --add-rule <protocol> <table (filter, mangle, nat, ...)> <chain> <priority> <arguments> -j <action (DROP, ACCEPT, ...)> 

To remove a rich rule, the syntax is the same, except –remove-rule:

firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
firewall-cmd --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP 

If you want to forward a port from extern to an internal network, you have to configure this on the external zone.

• Allow port 5665 to internal network IP 192.168.122.20

  firewall-cmd --permanent --zone=external --add-forward-port=port=5665:proto=tcp:toaddr=192.168.122.20

• Allow port 2222 to internal network IP 192.168.122.17 port 22

  firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.17

• List forwarded ports

  firewall-cmd --zone=external --list-forward-ports
  port=5665:proto=tcp:toport=:toaddr=192.168.122.20
  port=2222:proto=tcp:toport=22:toaddr=192.168.122.17

Very important: This procedure does not work with firewalld and nftables backend!

To setup a blacklist using ipset, you have to follow this example:

1. If you want to add first an old (active) ipset rule, do following:

   ipset save blockednets > ipsetsavelist.ipset
   sed -e 's/^add blockednets //' ipsetsavelist.ipset | grep -Ev '^create' > list

2. Create the 'hash:net' ipset hash:

   firewall-cmd --permanent --new-ipset=blockednets --type=hash:net

3. Add the network, you want to drop, from a file list. Each line must have only one IP:

   firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list

4. Optionally add additional networks:

   firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24

5. Shows the permanent entries in a ipset:

   firewall-cmd --permanent --ipset=blockednets --get-entries

6. Add the ipset to the firewalld 'drop' zone and List forwarded ports:

   firewall-cmd --permanent --zone=drop --add-source=ipset:blockednets

7. Reload firewalld after these changes:

   firewall-cmd --reload

• List all ipsets

  firewall-cmd --get-ipsets

• List ipset sources

  firewall-cmd --permanent --list-sources --zone=drop

• Example result for the drop zone

  ipset:blockednets ipset:blacklist

Here an example, how-to add an official blacklist into ipset:

• Example to install the chinese IP's in the blacklist ipset

  firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet \
   --option=hashsize=4096 --option=maxelem=200000
  wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
  mkdir -p zones
  cd zones
  tar -xzf ../all-zones.tar.gz cn.zone
  firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=cn.zone
  firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
  firewall-cmd --reload