Most Useful Examples of firewall-cmd Command

The “firewall-cmd” command is the command line client for the firewalld service on Linux. Firewalld provides a dynamically managed firewall: rules are grouped into zones of trust, and a change to one zone is applied without flushing the whole ruleset, so existing connections are not interrupted. It is a front end to the kernel packet filter (nftables on current releases, iptables on older ones) and replaces the static “iptables” service. The purpose of “firewall-cmd” is to let administrators query and change the firewalld configuration, both the running ruleset and the saved (permanent) one.

This article will illustrate the “firewall-cmd” command along with the most useful examples:

Prerequisite: Install “firewall-cmd” Utility

The “firewall-cmd” client ships in the “firewalld” package. To install it, execute the command for your distribution with “sudo” privileges:

$ sudo apt install firewalld    # Ubuntu, Debian and Linux Mint
$ sudo pacman -S firewalld      # Arch, Manjaro
$ sudo dnf install firewalld    # Fedora, CentOS, RHEL (yum on older releases)

The package manager installs “firewalld” together with its dependencies. After installation, make sure the firewalld service is enabled and running (it is managed by systemd, and some distributions do not start it automatically); the “state” option of “firewall-cmd” reports whether it is running. While the service is stopped, every other “firewall-cmd” invocation fails with an error that firewalld is not running, and no filtering is in place.

Example 1: List the firewall Rules

To list the rules currently in effect for the default zone, use the “firewall-cmd” command with the “list-all” option. Add the “zone” option to inspect another zone, “list-all-zones” to print every zone, and “permanent” to show the saved configuration instead of the running one:

$ sudo firewall-cmd --list-all

The output displays the zone name (with “(active)” if an interface or source is bound to it), its target, the interfaces and sources assigned to it, and the services, ports, protocols, forwarding settings and rich rules that are allowed. Comparing this listing with the “permanent” listing is the quickest way to spot changes that were saved but never reloaded.

Example 2: Allow a Service Through the Firewall

To allow a specific service through the firewall, use the “firewall-cmd” command with the “add-service” option and the service name. In our case the “ssh” service is allowed. The “permanent” option writes the change to the saved configuration only:

$ sudo firewall-cmd --permanent --add-service=ssh

The above command allows the ssh service in the saved configuration of the default zone. Because of “permanent”, the running firewall is not changed until a reload (Example 4); conversely, the same command without “permanent” takes effect immediately but is lost at the next reload or reboot. To make a change both immediate and persistent, run it once with and once without “permanent”.

Example 3: Close a Port Through the Firewall

To close a port that was previously opened, use the “firewall-cmd” command with the “remove-port” option and the port number. For instance, the below command removes the allow entry for “port 80” over the “tcp” protocol from the saved configuration:

$ sudo firewall-cmd --permanent --remove-port=80/tcp

Note that this does not add an explicit block rule: it only removes the allow entry, after which the zone’s target decides what happens to the traffic. For the “public” zone that target rejects anything not explicitly allowed, so port 80 is closed again once the configuration is reloaded. If the port was not open in the permanent configuration in the first place, the command prints a warning that the entry was not enabled.

Example 4: Reload the Firewall Configuration

To make saved (“permanent”) changes active without disrupting existing connections, execute the “firewall-cmd” command with the “reload” option:

$ sudo firewall-cmd --reload

The above command loads the permanent configuration as the new runtime configuration while keeping connection state, so established sessions (including the ssh session you are working from) survive. Any runtime-only change made without “permanent” is discarded by the reload; the “runtime-to-permanent” option saves the current runtime configuration first if you want to keep it. The “complete-reload” option also resets connection state and should only be used when the tracking table itself needs to be cleared.
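The following is an added example, not code from the original article: a small POSIX shell script that compares the runtime listing of a zone with its permanent listing (the two outputs of “list-all” with and without “permanent”) and reports services, ports and sources that were saved but are not yet active, that is, everything still waiting for a reload. The two listings embedded below are constructed sample outputs in the format that “firewall-cmd --list-all” prints; on a real host they would be replaced by the command output, as shown in the last comment.

```shell
#!/bin/sh
# Added example: detect firewalld changes that exist only in the permanent
# configuration and will not take effect until "firewall-cmd --reload".

# Print the value of a single-word field ("services", "ports", "sources", ...)
# from a zone listing in the format of "firewall-cmd --list-all".
# Prints an empty line if the field has no value.
zone_field() {
    # $1 = listing text, $2 = field name without the trailing colon
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Print the whitespace-separated items of $2 that do not occur in $1.
missing_items() {
    result=""
    for item in $2; do
        found=0
        for have in $1; do
            if [ "$item" = "$have" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then result="$result $item"; fi
    done
    printf '%s\n' "${result# }"
}

# Compare the runtime listing ($1) with the permanent listing ($2) of the same
# zone and report the entries that are saved but not yet active.
pending_changes() {
    for field in services ports sources; do
        diff=$(missing_items "$(zone_field "$1" "$field")" "$(zone_field "$2" "$field")")
        if [ -n "$diff" ]; then
            printf '%s pending reload: %s\n' "$field" "$diff"
        fi
    done
    return 0
}

# Constructed sample listings: the admin ran
# "firewall-cmd --permanent --add-port=80/tcp" but has not reloaded yet,
# so 80/tcp appears only in the permanent listing.
RUNTIME=$(cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)
PERMANENT=$(cat <<'EOF'
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

pending_changes "$RUNTIME" "$PERMANENT"
# On a live host (as root), feed the real listings instead:
#   pending_changes "$(firewall-cmd --list-all)" "$(firewall-cmd --permanent --list-all)"
```

The sample run prints “ports pending reload: 80/tcp”. The script only parses single-word fields; “rich rules” are deliberately left out because their values contain spaces and need a separate comparison.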

Example 5: Get the Default Firewall Zone

To display the default firewall zone, execute the “firewall-cmd” command with the “get-default-zone” option:

$ sudo firewall-cmd --get-default-zone

On most distributions the above command prints “public”. Network interfaces that are not explicitly assigned to a zone are handled by the default zone, and commands that omit the “zone” option act on it, so this is the zone the earlier examples modified.

Example 6: Allow Incoming Traffic on a Specific Port

To allow incoming traffic on a specific port, use the “add-port” option with the port number and protocol. Here the “zone” option names the “public” zone explicitly, and “permanent” saves the rule so it survives a reload. Specify “80/tcp” to allow web traffic:

$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent

It allows incoming traffic on port 80 (TCP) in the saved configuration of the public zone; the rule becomes active after a reload. Prefer “add-service” (Example 2) when a service definition exists for the daemon, since the definition already lists every port the service needs.

Example 7: Allow Incoming Traffic From a Specific IP Address

To handle incoming traffic from a specific IP address with the rules of a zone, bind the address to that zone with the “add-source” option. Here the IP address “192.168.157.132” is bound to the “public” zone:

$ sudo firewall-cmd --zone=public --add-source=192.168.157.132 --permanent

This command does not allow everything from that address: it makes firewalld evaluate packets from 192.168.157.132 against the “public” zone, so only the services and ports allowed in that zone are accepted. To accept all traffic from a trusted host or subnet, bind it to the built-in “trusted” zone instead, whose target accepts everything. A source can be bound to only one zone at a time; adding it to a second zone fails with a zone conflict until it is removed from the first. As with the other examples, “permanent” means the binding is active only after a reload.

Example 8: Block Incoming Traffic From a Specific IP Address

To block incoming traffic from a specific IP address, bind the address to the built-in “drop” zone, whose target silently discards every packet. Specify the IP address “192.168.157.132” to block:

$ sudo firewall-cmd --zone=drop --add-source=192.168.157.132 --permanent

Removing the address from the “public” zone with “remove-source” (the reverse of Example 7) is not sufficient to block it: that only detaches the address, after which its traffic falls back to whichever zone the receiving interface belongs to and is filtered by that zone’s rules. If the address is still bound to “public”, remove it from there first, otherwise the command above fails with a zone conflict. The built-in “block” zone is the alternative when the sender should receive an ICMP rejection instead of silence. Reload afterwards to activate the binding.

Example 9: Enable a Specific Service

To enable a specific service in a named zone, combine the “zone” option with “add-service” and the service name, here “ssh”. This is the same operation as Example 2 with the zone spelled out instead of defaulting to the default zone:

$ sudo firewall-cmd --zone=public --add-service=ssh --permanent

This command allows incoming traffic for the specified service in the saved configuration of the public zone; it takes effect after a reload. The available service names (each a definition of the ports and protocols a daemon uses) can be listed with the “get-services” option.

Example 10: Disable a Specific Service

To disable a specific service in a named zone, use the “remove-service” option with the service name, here “ssh”:

$ sudo firewall-cmd --zone=public --remove-service=ssh --permanent

This command removes the allow entry for the specified service from the saved configuration of the public zone, so after a reload the zone’s target (reject, for “public”) applies to that traffic again. Take care with “ssh” on a remote machine: once the change is reloaded, new ssh connections to the host are refused, and only the already established session remains.

Conclusion

Linux offers the “firewall-cmd” command to manage the firewalld service, which decides which incoming network traffic a host accepts. Through this command, users can list the firewall rules, allow a service or port, close a port, reload the firewall configuration, get the default firewall zone, bind source addresses to zones, and much more. The recurring caveat is the split between runtime and permanent configuration: a change made with “permanent” is inactive until a reload, and a change made without it is lost at the next reload.

This article has explained the most useful examples of the “firewall-cmd” command in Linux.