Introduction
Are you looking to fortify your system’s security by effectively managing your firewall settings? Look no further! In this comprehensive guide, we’ll delve into the powerful capabilities of the firewall-cmd command, equipping you with the knowledge to navigate your firewall configurations like a pro.
Understanding the firewall-cmd Command
Firewalls serve as crucial gatekeepers, regulating network traffic to protect your system from unauthorized access and potential threats. The firewall-cmd command, a part of the Firewalld firewall management tool in Linux systems, offers a user-friendly interface to configure and manage firewall rules.
Getting Started
Before diving into the intricacies of firewall-cmd, let’s ensure you have it installed on your system. Most modern Linux distributions come pre-installed with Firewalld. However, if you need to install it, you can do so using your package manager. For example, on CentOS/RHEL, you can install Firewalld with:
sudo yum install firewalld
sudo dnf install firewalld # For RHEL/CentOS version 8+
Once installed, start the Firewalld service and enable it to start on boot:
sudo systemctl enable --now firewalld
Basic Usage
The firewall-cmd command follows a straightforward syntax:
firewall-cmd [OPTIONS] [ARGUMENTS]
To view the current firewall configuration, simply execute:
firewall-cmd --list-all
public (active)
This command provides an overview of your firewall settings, including configured zones, services, ports, and source/destination addresses. In the output above, you can see that the firewall settings are configured to permit TCP traffic on ports 80, 443, and 7000. In addition, the cockpit, dhcp-client, and ssh services are also permitted.
Managing Zones
Zones define the level of trust assigned to a particular network interface. The firewall-cmd command allows you to add, remove, or modify zones effortlessly. For instance, to add a new zone named “myzone,” use:
firewall-cmd --permanent --new-zone=myzone
To assign an interface to the newly created zone, execute:
firewall-cmd --permanent --zone=myzone --add-interface=eth0
Configuring Services and Ports
firewall-cmd simplifies the process of permitting or blocking network services and ports. To allow SSH traffic, for example, use:
firewall-cmd --permanent --zone=public --add-service=ssh
Likewise, to open port 80 for HTTP traffic, execute:
firewall-cmd --permanent --zone=public --add-port=80/tcp
Rich Rules
Rich rules offer fine-grained control over firewall settings, allowing you to define complex filtering criteria. Let’s say you want to allow incoming traffic from a specific IP address range (192.168.1.0/24) to access your web server on port 443. You can achieve this with a rich rule:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="443" protocol="tcp" accept'
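The following script is an added example and is not code from the original post or from the Firewalld project. It wraps the workflow above in three helpers whose names are my own: build_rich_rule validates a source range, port and protocol before producing the rich-rule text (a malformed argument otherwise fails late, or opens something other than what was intended); audit_field compares one line of a zone's --list-all output (ports, services) against an allowlist and reports anything extra; apply_rule runs the real firewall-cmd only when it is installed, defaulting to the public zone. The --list-all output embedded below is constructed to resemble the configuration the post describes and is not real command output.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the firewall-cmd
# workflow. Function names, the default zone and the sample output are
# assumptions made for this illustration.

# build_rich_rule CIDR PORT PROTO
# Prints a rich rule that accepts traffic from CIDR to PORT/PROTO, or fails
# with a message if an argument is malformed.
build_rich_rule() {
  cidr=$1 port=$2 proto=$3
  case "$cidr" in
    */*) ;;                               # require CIDR notation, e.g. 192.168.1.0/24
    *) echo "source must be a CIDR range" >&2; return 1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range" >&2; return 1
  fi
  case "$proto" in
    tcp|udp) ;;
    *) echo "protocol must be tcp or udp" >&2; return 1 ;;
  esac
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
    "$cidr" "$port" "$proto"
}

# audit_field FIELD "EXPECTED ..."   (reads firewall-cmd --list-all output on stdin)
# Prints every entry on the FIELD line (e.g. ports, services) that is not in
# the expected allowlist; empty output means the zone matches expectations.
audit_field() {
  field=$1 expected=$2
  found=$(sed -n "s/^[[:space:]]*$field:[[:space:]]*//p")
  unexpected=""
  for item in $found; do
    case " $expected " in
      *" $item "*) ;;
      *) unexpected="$unexpected $item" ;;
    esac
  done
  echo "${unexpected# }"
}

# apply_rule CIDR PORT PROTO [ZONE]
# Adds the rule permanently and reloads so it takes effect; when firewall-cmd
# is absent it only shows the command it would run.
apply_rule() {
  zone=${4:-public}
  rule=$(build_rich_rule "$1" "$2" "$3") || return 1
  if ! command -v firewall-cmd >/dev/null 2>&1; then
    echo "firewall-cmd not found; would run: firewall-cmd --permanent --zone=$zone --add-rich-rule='$rule'" >&2
    return 0
  fi
  firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" && firewall-cmd --reload
}

# Constructed sample of --list-all output, shaped like the configuration the
# post describes (ports 80, 443 and 7000 open; cockpit, dhcp-client, ssh allowed).
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcp-client ssh
  ports: 80/tcp 443/tcp 7000/tcp
  rich rules:
'

# Demo: the rich rule from the post, then which open ports and services fall
# outside an allowlist of 80/tcp, 443/tcp and ssh.
build_rich_rule 192.168.1.0/24 443 tcp
printf '%s' "$SAMPLE_LIST_ALL" | audit_field ports "80/tcp 443/tcp"
printf '%s' "$SAMPLE_LIST_ALL" | audit_field services "ssh"
```

Two points the helpers encode: every command in the post uses --permanent, which writes the rule to disk but does not change the running firewall until firewall-cmd --reload is run (apply_rule does both), and a periodic audit_field pass over firewall-cmd --list-all is the simplest way to catch a port such as 7000/tcp that was opened for a test and never closed.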