
10 Useful firewall-cmd Commands in Linux

Last Updated : 08 Dec, 2023

firewall-cmd is the command-line tool used to manage firewalld, the dynamic firewall management service found in many Linux distributions, such as Fedora, Red Hat, and CentOS. For managing firewall rules, firewalld is more user-friendly and dynamic than the earlier iptables approach. Administrators use firewall-cmd to configure the firewall by adding or removing rules, services, and zones. Both beginner and experienced administrators will find it helpful, as it streamlines firewall rule management and offers a simple way to adapt to changing network conditions.

Uses of Firewall-cmd

Firewall-cmd is used for a wide range of tasks related to configuring and maintaining the firewall. Some of the common uses of firewall-cmd are given below:

Adding and Modifying Rules:

  • Establishing firewall rules to permit or prohibit traffic
  • Establishing regulations based on services or ports
  • Establishing unique rules to provide more precise control

Managing Services:

  • Configuring the firewall with additional services
  • Adjusting the service’s settings
  • Enabling or disabling services

Managing Zones:

  • Defining unique zones with particular firewall regulations
  • Altering a zone’s properties
  • Assigning zones to network interfaces

Configuring Ports:

  • Enabling particular network ports
  • Defining protocols and port ranges (TCP/UDP)
  • Blocking traffic by closing ports

Listing Information:

  • Viewing the active zones
  • Listing the available services
  • Displaying the allowed ports
  • Displaying the active rules and configuration

Advantages of Using firewall-cmd

firewall-cmd lets administrators configure and maintain firewall rules to secure their Linux systems and control network traffic effectively. Together with firewalld, the underlying firewall management service, it offers several advantages for managing firewall rules on Linux systems. Some of the key advantages are:

Dynamic Rule Management:

You can dynamically modify firewall rules with Firewalld without interfering with ongoing network connections. While the firewall is active, you can add, remove, or modify rules, which is particularly helpful for servers and environments where uptime is crucial.

Zones:

Firewalld introduces the concept of zones, which makes it simple to assign different security policies to different network interfaces. Attaching the rules you define for a particular zone to an interface gives granular control over network access.

Rich Rules and Services:

Rich rules are supported by Firewalld, allowing for more complex and expressive rule definitions. It also includes several predefined services (e.g., HTTP, SSH, FTP) that make configuring access to common network services easier.

User-Friendly:

Firewalld and firewall-cmd are intended to be more user-friendly and accessible to both beginner and experienced administrators. When compared to iptables, the traditional firewall management tool, the commands and options are easier to understand and remember.

Logging:

The ability of Firewalld to log firewall events facilitates network traffic monitoring and troubleshooting. Additionally, logging policies for particular zones can be modified.

Some Useful firewall-cmd Commands

Some of the useful firewall-cmd commands for managing the firewall are given below:

Note: Here we are using “Fedora Workstation 38” as “Firewall-cmd” comes pre-installed in this distribution of Linux.

1. Checking the Firewall Status:

This command checks whether the firewall is operational. If the firewall is active, it prints “running”; otherwise it prints “not running”. Type the command below to check the firewall status.

firewall-cmd --state

Output:

Checking the Firewall Status

2. Getting the Active Zones:

This command displays the firewall zones that are currently active and the network interfaces assigned to each of them. Zones establish the degree of trust for particular network segments. Type the command below to get the active zones.

firewall-cmd --get-active-zones

Output:


Getting the Active Zones

3. Listing All Available Services:

This command lists the available services. Services are predefined configurations that you can quickly add to your firewall rules for common network services such as SSH and HTTP. Type the command below to list the services.

firewall-cmd --list-services

Output:


Listing All Available Services

4. Listing All Ports:

This command displays the ports permitted in the active zone’s configuration, which is useful for confirming which ports are open. Type the command below to list the ports.

firewall-cmd --list-ports

Output:


Listing All Ports

5. Getting the Default Zone:

This command shows the default firewall zone. Network interfaces that are not explicitly assigned to a zone operate in the default zone. Type the command below to get the default zone.

firewall-cmd --get-default-zone

Output:


Getting the Default Zone

6. Changing the Default Zone:

This command changes the default zone, which applies to network interfaces without an explicitly assigned zone. Before changing it, check which zones are available. Type the command below to list the available zones.

firewall-cmd --get-zones

Output:


List of Zones Available

To set a zone as the new default, type the command below, replacing zone_name with the name of the desired zone from the list.

firewall-cmd --set-default-zone=zone_name

Output:


Changing the Default Zone

7. Adding a Service:

This command adds a predefined service (such as HTTP or SSH) to the zone currently in use. It permits incoming and outgoing traffic for the designated service. First, check which services are currently enabled in the zone we are working in. Type the command below to check the running services.

firewall-cmd --info-zone=zone_name

Output:


Services Currently Running in the Zone

Now type the command below to add a service to the zone we are working in.

firewall-cmd --add-service=service_name

Output:


Adding Services

Now we can check whether the service was added to the zone. Type the first command (zone info) again to confirm.

Output:


Services Added Successfully

8. Adding a Port:

Use this command to open a particular network port in the active zone. The previous screenshots show that no ports are assigned yet. We can check which ports are open in the current zone by typing the command below.

firewall-cmd --info-zone=zone_name

Output:


Ports not Assigned

Now type the command below, substituting the desired port number and protocol (for example 443/tcp) for port/protocol.

firewall-cmd --add-port=port/protocol

Output:


Adding Ports

Now we can check whether the port was added to the zone. Type the first command (zone info) again to confirm.

Output:


Ports Added

9. Reloading the Firewall:

Use the reload command to apply configuration changes to the firewall without breaking existing connections. This ensures that new rules take effect right away. Type the command below to reload the firewall.

firewall-cmd --reload

Output:


Firewall Reloaded

10. Add and Remove a Network Interface:

These commands add or remove network interfaces, such as network cards, from a designated zone. This is helpful when deciding which network segments to trust. The previous screenshots show that only one interface is available. We can check which network interfaces are assigned to the current zone by typing the command below.

firewall-cmd --info-zone=zone_name

Output: Only “enp0s5” available


Network Interfaces Available

Add: Now type the command below to add a network interface to the zone.

firewall-cmd --zone=zone_name --add-interface=interface_name

Output:


Adding Network Interface

Now we can check whether the network interface was added to the zone. Type the first command (zone info) again to confirm.

Output:


Network Interface Added

Remove: Similarly, we can remove the network interface. Type the command given below to remove an interface.

Output:


Removing Network Interface
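As an added example (not from the article), here is a POSIX shell audit that parses the --info-zone output used in steps 7, 8 and 10, reports anything open that is not on an expected allowlist, and compares the runtime zone with the saved zone: the add-service, add-port and add-interface commands above change only the runtime configuration unless --permanent is given, and the reload in step 9 restores the saved configuration, discarding them. The zone text below is constructed sample input; on a real host you would feed the functions the output of firewall-cmd --info-zone=public and firewall-cmd --permanent --info-zone=public.

```shell
# Added example, not code from the article: audit a firewalld zone from the text that
# `firewall-cmd --info-zone=<zone>` prints (the command used in steps 7, 8 and 10).
# Both samples are constructed, trimmed to the fields used here, in firewalld's
# --info-zone layout: the runtime view after steps 7 and 8 ran without --permanent,
# and the saved view from `firewall-cmd --permanent --info-zone=public`.
RUNTIME_ZONE_INFO='public (active)
  target: default
  interfaces: enp0s5
  sources:
  services: dhcpv6-client http ssh
  ports: 443/tcp
  masquerade: no
  rich rules:'
PERMANENT_ZONE_INFO='public
  target: default
  interfaces: enp0s5
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  rich rules:'

# zone_field INFO KEY: print the values on the "  KEY:" line (empty if none are set)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2:[[:space:]]*//p"
}

# zone_unexpected INFO KEY ALLOWED: items of KEY (services or ports) that are open
# in the zone but missing from the space-separated ALLOWED list, one per line
zone_unexpected() {
    for item in $(zone_field "$1" "$2"); do
        case " $3 " in
            *" $item "*) ;;
            *) echo "$item" ;;
        esac
    done
}

# zone_drift RUNTIME PERMANENT: fields whose runtime value differs from the saved
# configuration, i.e. changes that `firewall-cmd --reload` would throw away
zone_drift() {
    for key in target interfaces sources services ports masquerade "rich rules"; do
        [ "$(zone_field "$1" "$key")" = "$(zone_field "$2" "$key")" ] || echo "$key"
    done
}
echo "open at runtime but not on the allowlist:"
zone_unexpected "$RUNTIME_ZONE_INFO" services "ssh dhcpv6-client"
echo "runtime-only changes that a reload would discard:"
zone_drift "$RUNTIME_ZONE_INFO" "$PERMANENT_ZONE_INFO"
```

To keep a change across a reload, run the same add command twice, once with --permanent and once without, or run it with --permanent and then reload.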

Conclusion:

Linux users can improve system security and manage network traffic with the firewall-cmd and firewalld firewall management tools, which are robust and easy to use. firewall-cmd simplifies firewall management by offering predefined services, flexible zone assignments, simple syntax, and dynamic rule management. It is beneficial for anyone who needs flexibility and manageability in a constantly changing network environment.
