1 - About

firewalld is a dynamic firewall manager for Linux. It acts as a front end for the kernel's netfilter packet filtering: older releases drive iptables/ip6tables, newer ones (firewalld 0.6 and later) use nftables by default. Rules are grouped into zones and are changed at runtime through firewall-cmd without flushing the whole rule set.


3 - Service

3.1 - Start / Stop

# init (on a systemd host the script only redirects, as the output shows)
service firewalld start
Redirecting to /bin/systemctl start  firewalld.service
service firewalld stop
# systemd (the verb comes before the unit name)
systemctl start firewalld
systemctl stop firewalld

3.2 - Status

# init
service firewalld status
Redirecting to /bin/systemctl status  firewalld.service
# systemd
systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-02-09 09:41:17 UTC; 58s ago
     Docs: man:firewalld(1)
 Main PID: 3963 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─3963 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 09 09:41:17 HI-INFA-BDM-01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 09 09:41:17 HI-INFA-BDM-01 systemd[1]: Started firewalld - dynamic firewall daemon.

3.3 - Log

  • Show or change which denied packets are logged (a runtime and permanent setting)
firewall-cmd --get-log-denied
firewall-cmd --set-log-denied=<value>
  • value may be one of: all, unicast, broadcast, multicast, or off (the default)
  • The logging is done by the kernel's netfilter LOG target, so the entries appear in dmesg / journalctl -k, each tagged with a prefix such as FINAL_REJECT: or STATE_INVALID_DROP: (iptables backend) or filter_IN_<zone>_REJECT: (nftables backend)
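Once log-denied is on, the useful question is who is being denied and whether one source is walking through ports. The script below is an added example, not part of the original page or of firewalld itself: it parses kernel log lines of the netfilter LOG format, counts denied packets per source and flags sources that hit several distinct destination ports. The sample log is constructed here (addresses, host name and timestamps are made up); the prefixes FINAL_REJECT, STATE_INVALID_DROP and filter_IN_public_REJECT are the forms the iptables and nftables backends emit, but the exact prefix on a given host should be checked against its own journalctl -k output. Feed it the real log with `journalctl -k --no-pager | python3 denied_report.py` (file name assumed) by replacing SAMPLE_LOG with sys.stdin.read().

```python
import re
from collections import Counter

# Constructed sample of `journalctl -k` output, modelled on the netfilter LOG
# line format; the host, addresses and timestamps are made up, not captured.
SAMPLE_LOG = """\
Feb 09 09:45:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 09 09:45:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 09 09:45:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4244 DF PROTO=TCP SPT=51236 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 09 09:45:05 host kernel: filter_IN_public_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=28
Feb 09 09:45:06 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=0 RES=0x00 RST URGP=0
Feb 09 09:45:07 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Feb 09 09:45:08 host kernel: eth0: Link is Up - 1Gbps/Full
Feb 09 09:45:09 host systemd[1]: Started Session 5 of user root.
"""

# "kernel: <PREFIX>: KEY=VALUE ..." with an optional dmesg-style "[ 123.456]" timestamp
DENIED_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\]\s*)?(?P<prefix>[A-Za-z0-9_]+): (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_denied(log_text):
    """Return one dict per netfilter LOG entry found in the kernel log text.
    Kernel lines without SRC/DST (link state, driver messages) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("fields")))
        if "SRC" not in fields or "DST" not in fields:
            continue
        dpt = fields.get("DPT", "")
        events.append({
            "prefix": m.group("prefix"),
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields.get("PROTO", "?"),
            "dpt": int(dpt) if dpt.isdigit() else None,  # ICMP has no DPT
        })
    return events


def summarize(events, scan_threshold=3):
    """Count denied packets per source and per log prefix, and flag sources
    that touched at least scan_threshold distinct destination ports."""
    per_source = Counter(e["src"] for e in events)
    per_prefix = Counter(e["prefix"] for e in events)
    ports_by_source = {}
    for e in events:
        if e["dpt"] is not None:
            ports_by_source.setdefault(e["src"], set()).add(e["dpt"])
    scanners = sorted(src for src, ports in ports_by_source.items()
                      if len(ports) >= scan_threshold)
    return {"per_source": per_source, "per_prefix": per_prefix,
            "ports_by_source": ports_by_source, "scanners": scanners}


if __name__ == "__main__":
    summary = summarize(parse_denied(SAMPLE_LOG))
    for src, n in summary["per_source"].most_common():
        print(f"{src:16} denied={n} ports={sorted(summary['ports_by_source'].get(src, []))}")
    print("by prefix:", dict(summary["per_prefix"]))
    print("possible port scans:", summary["scanners"])
```

The threshold is deliberately low for the sample; on a busy host raise it and add a time window, otherwise an ordinary client retrying against a few closed ports over a day gets flagged.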

3.4 - Reload

  • Load the permanent configuration into the running firewall while keeping connection state; runtime-only changes that were not also made permanent are lost
firewall-cmd --reload
  • Reload completely, including the netfilter kernel modules; connection-tracking state is lost, so active connections will most likely be terminated
firewall-cmd --complete-reload

3.5 - State

  • Check whether the daemon is running: prints running or not running and exits with 0 or 252 (NOT_RUNNING), which makes it usable in scripts
firewall-cmd --state

4 - Zone

A zone is a named set of rules (services, ports, rich rules and a target) that says which traffic is allowed from the connections assigned to it.

Each network interface belongs to exactly one zone (the default zone when none was chosen). A source address or network can also be bound to a zone with --add-source; a source binding is matched before the interface binding.

Zones therefore sort interfaces and source networks into different levels of trust.

4.1 - Get

firewalld ships with predefined zones:

firewall-cmd --get-zones
block dmz drop external home internal public trusted work

from least trusted to most trusted, the predefined zones are:

  • drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
  • block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
  • public (default): Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
  • external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
  • internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
  • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
  • work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
  • trusted: Trust all of the machines in the network.

4.2 - Configuration

The predefined zones are stored as XML files in the /usr/lib/firewalld/zones/ directory and can be applied to any available network interface. A zone file appears in /etc/firewalld/zones/ only once it has been modified (by a --permanent change or by hand); a file there overrides the vendor file of the same name, so the vendor copy stays pristine and a diff between the two directories shows every local change.


cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

4.3 - Active

firewall-cmd --get-active-zones

4.4 - Default

  • Get (public unless it was changed)
firewall-cmd --get-default-zone
  • Set (a runtime and permanent change; every interface that is not explicitly bound to a zone moves with it)
sudo firewall-cmd --set-default-zone=home

4.5 - List Properties

  • List the properties of the default zone
firewall-cmd --list-all
  • List the properties of a specified zone
firewall-cmd --zone=public --list-all
  • List all zones (output abbreviated below; a zone is marked active only when an interface or source is bound to it)
firewall-cmd --list-all-zones
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: ssh dhcpv6-client
  ports: 80/tcp 9999/tcp
  masquerade: no
  rich rules:

  target: ACCEPT
  icmp-block-inversion: no

5 - Rule

5.1 - Services

Services are pre-configured, named bundles of firewall properties (ports, protocols, connection-tracking helpers) for well-known applications; opening a service opens everything its definition lists.

  • List all known services
firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
  • Get their properties (one XML file per service)
ll /usr/lib/firewalld/services/
# and for one specific
cat /usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
# services of the default zone
firewall-cmd --list-services
# services of a given zone
firewall-cmd --list-services --zone=public
dhcpv6-client ssh
  • Add or remove a service from the default zone. --permanent writes the zone file under /etc/firewalld/zones/ but leaves the running rules untouched until firewall-cmd --reload; run the command a second time without --permanent to change the runtime as well
firewall-cmd --add-service=kerberos --permanent
firewall-cmd --remove-service=kerberos --permanent
  • Add or remove a service from a given zone
firewall-cmd --add-service=ssh --zone=home --permanent
firewall-cmd --remove-service=kerberos --zone=public --permanent
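Zone files (section 4.2) reference services by name, and the service files above turn those names into ports, so the effective exposure of a host can be worked out from the XML alone, without a running daemon, for instance on a mounted disk image during an incident review. The script below is an added example, not part of the page or of firewalld (which is itself a Python daemon, as the process listing above shows): it merges vendor and local definitions with the /etc-overrides-/usr/lib precedence, resolves each zone's services to concrete ports, and flags two things a reviewer looks for: a zone with target ACCEPT that is actually bound to an interface or source, and service names with no definition behind them. The definitions are constructed in-line and the relative paths are an assumption standing in for the two real directories.

```python
import xml.etree.ElementTree as ET

# Constructed zone and service definitions in the layout firewalld uses:
# vendor defaults under /usr/lib/firewalld/ and local overrides under
# /etc/firewalld/ (paths below are relative to those directories). The
# contents are made up for this example, not copied from a host.
VENDOR = {
    "zones/public.xml": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>""",
    "zones/trusted.xml": """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
</zone>""",
    "services/ssh.xml": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "services/http.xml": '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
    "services/dhcpv6-client.xml": '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>',
}
LOCAL = {
    # written by --permanent changes; each file replaces the vendor file of the same name
    "zones/public.xml": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <interface name="eth0"/>
  <service name="ssh"/>
  <service name="http"/>
  <port protocol="tcp" port="9999"/>
</zone>""",
    "zones/trusted.xml": '<zone target="ACCEPT"><short>Trusted</short><interface name="docker0"/></zone>',
    "zones/internal.xml": '<zone><short>Internal</short><source address="10.0.0.0/8"/><service name="ssh"/><service name="mycorp-agent"/></zone>',
}


def load_effective(vendor, local):
    """Parse the definitions actually in force: a local file wins over the
    vendor file with the same relative path."""
    merged = dict(vendor)
    merged.update(local)
    return {path: ET.fromstring(text.encode("utf-8")) for path, text in merged.items()}


def service_ports(defs, name):
    """Ports a service definition opens, or None when no definition exists."""
    root = defs.get(f"services/{name}.xml")
    if root is None:
        return None
    return {(p.get("protocol"), p.get("port")) for p in root.findall("port")}


def zone_report(defs):
    """Per zone: target, what it is bound to, concrete ports opened, unresolved services."""
    report = {}
    for path, root in defs.items():
        if not path.startswith("zones/"):
            continue
        name = path[len("zones/"):-len(".xml")]
        ports = {(p.get("protocol"), p.get("port")) for p in root.findall("port")}
        unknown = []
        for svc in root.findall("service"):
            resolved = service_ports(defs, svc.get("name"))
            if resolved is None:
                unknown.append(svc.get("name"))
            else:
                ports |= resolved
        report[name] = {
            "target": root.get("target", "default"),
            "bound_to": [i.get("name") for i in root.findall("interface")]
                        + [s.get("address") for s in root.findall("source")],
            "ports": sorted(ports),
            "unknown_services": unknown,
        }
    return report


def findings(report):
    """Things a reviewer flags: a bound zone that accepts everything, and
    service references that no definition file backs."""
    out = []
    for name, zone in report.items():
        if zone["bound_to"] and zone["target"] == "ACCEPT":
            out.append(f"{name}: target ACCEPT is bound to {zone['bound_to']}, every inbound packet is accepted")
        for svc in zone["unknown_services"]:
            out.append(f"{name}: service '{svc}' has no definition under services/")
    return out


if __name__ == "__main__":
    report = zone_report(load_effective(VENDOR, LOCAL))
    for name, zone in report.items():
        print(f"{name:10} target={zone['target']:8} bound_to={zone['bound_to']} ports={zone['ports']}")
    for line in findings(report):
        print("FINDING:", line)
```

Note that the local public.xml drops dhcpv6-client: the override replaces the vendor file, it does not merge with it, which is exactly why the report has to be built from the effective set rather than from /usr/lib alone.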

5.2 - Port

Ports are normally opened through a service. If no service definition exists for the application, the port can be opened directly.

5.2.1 - Add a port

  • firewall-cmd (with --permanent alone the running firewall is unchanged until firewall-cmd --reload)
firewall-cmd --zone=public --add-port=5000/tcp --permanent
  • ansible, with the firewalld module; permanent: yes only writes the zone file, hence the reload handler (alternatively add immediate: yes to change the runtime as well)
- name: "Open the web console port"
  become: yes
  firewalld:
    port: 8443/tcp
    permanent: yes
    state: enabled
  notify: firewalld reload
  • Handler that restarts the daemon so the permanent configuration is applied (firewall-cmd --reload does the same without stopping the daemon)
- name: "firewalld reload"
  service:
    name: firewalld
    state: restarted

5.2.2 - List Port

firewall-cmd --zone=public --list-ports

5.2.3 - Remove Port

firewall-cmd --zone=public --remove-port=22/tcp --permanent

5.3 - Rich Rule

Rich rules extend the zone vocabulary with per-rule source and destination matching, logging, auditing, rate limiting and port forwarding; the syntax is documented in firewalld.richlanguage(5). Common uses:

  • IP and port filtering
  • Forward-port (redirect)

5.3.1 - IP + Port filtering

  • Accept tcp/8080 only from one source (an address or a CIDR block); family is mandatory as soon as a source or destination address is used
firewall-cmd --permanent \
  --zone=home \
  --add-rich-rule='rule family="ipv4" source address="<ip or cidr>" port port="8080" protocol="tcp" accept'

5.3.2 - Forward-port (Redirect)

  • Redirect incoming tcp/443 to local port 8443 (the same can be written as --add-forward-port=port=443:proto=tcp:toport=8443). Forwarding to another host with to-addr additionally requires masquerading to be enabled on the zone
firewall-cmd --permanent --zone=public \
  --add-rich-rule='rule family="ipv4" forward-port port="443" protocol="tcp" to-port="8443"'

5.3.3 - Other

  • Accept ftp and write an audit record, at most one per minute (needs the audit subsystem, i.e. auditd, on the host)
firewall-cmd --permanent --zone=public \
  --add-rich-rule='rule service name="ftp" audit limit value="1/m" accept'
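Rich rules are strings, and a string built from variables is where mistakes like the empty source address above come from. The following is an added example, not part of the page or of firewalld: a small builder for the two rule shapes shown in this section that validates the pieces before anything reaches firewall-cmd. It checks that the source really is an address or network of the stated family, that ports and ranges are in 1-65535, that the protocol is one firewalld accepts, and it tells the caller when a forward-port rule targets another host and therefore also needs masquerading on the zone. The function and parameter names are this example's own; the rule text it produces follows firewalld.richlanguage(5).

```python
import ipaddress

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
FAMILIES = {"ipv4": 4, "ipv6": 6}


def _port(port):
    """Validate a single port or an inclusive range 'lo-hi'; returns it as text."""
    lo, _, hi = str(port).partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit() and 1 <= int(lo) <= int(hi) <= 65535):
        raise ValueError(f"invalid port or port range: {port!r}")
    return str(port)


def _proto(protocol):
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    return protocol


def _family(family):
    if family not in FAMILIES:
        raise ValueError(f"family must be ipv4 or ipv6, not {family!r}")
    return family


def _source(source, family):
    """An empty source is a bug, not 'anyone'; the address must match the rule family."""
    if not source:
        raise ValueError("source address must not be empty")
    net = ipaddress.ip_network(source, strict=False)
    if net.version != FAMILIES[family]:
        raise ValueError(f"{source} is not an {family} address")
    # plain address for hosts, CIDR form for networks
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def allow_from(source, port, protocol="tcp", family="ipv4", log_prefix=None, log_limit="1/m"):
    """Build: rule family=... source address=... port port=... protocol=... [log ...] accept"""
    family = _family(family)
    parts = [f'rule family="{family}"',
             f'source address="{_source(source, family)}"',
             f'port port="{_port(port)}" protocol="{_proto(protocol)}"']
    if log_prefix:  # log sits between the element and the action in the grammar
        parts.append(f'log prefix="{log_prefix}" level="info" limit value="{log_limit}"')
    parts.append("accept")
    return " ".join(parts)


def forward_port(port, to_port=None, to_addr=None, protocol="tcp", family="ipv4"):
    """Build a forward-port rule. Returns (rule, needs_masquerade): forwarding to
    another host (to-addr) only works once masquerading is enabled on the zone."""
    family = _family(family)
    if to_port is None and to_addr is None:
        raise ValueError("forward-port needs to-port and/or to-addr")
    parts = [f'rule family="{family}"',
             f'forward-port port="{_port(port)}" protocol="{_proto(protocol)}"']
    if to_port is not None:
        parts.append(f'to-port="{_port(to_port)}"')
    if to_addr is not None:
        addr = ipaddress.ip_address(to_addr)
        if addr.version != FAMILIES[family]:
            raise ValueError(f"{to_addr} is not an {family} address")
        parts.append(f'to-addr="{addr}"')
    return " ".join(parts), to_addr is not None


def firewall_cmd(zone, rule, permanent=True):
    """The firewall-cmd invocation for a rule; rich rules contain double quotes,
    so the rule is wrapped in single quotes for the shell."""
    flags = "--permanent " if permanent else ""
    return f"firewall-cmd {flags}--zone={zone} --add-rich-rule='{rule}'"


def rejects(fn, *args, **kwargs):
    """Return the ValueError message if fn rejects its input, else None."""
    try:
        fn(*args, **kwargs)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(firewall_cmd("home", allow_from("10.0.0.0/8", 8080, log_prefix="home-8080")))
    rule, masq = forward_port(443, to_port=8443)
    print(firewall_cmd("public", rule))
    rule, masq = forward_port(443, to_addr="192.0.2.20", to_port=8443)
    print(firewall_cmd("public", rule))
    if masq:
        print("also needed: firewall-cmd --permanent --zone=public --add-masquerade")
    print("empty source rejected:", rejects(allow_from, "", 8080))
```

The builder only produces the permanent form; after applying its output the rules still need firewall-cmd --reload, and firewall-cmd --query-rich-rule with the same string confirms that the rule is in place.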

6 - Documentation / Reference