🗎 Refs:
https://blog.programster.org/ufw-cheatsheet
https://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/

Installation

# Install firewalld on a Fedora/RHEL-family host.
# The `dnf update` step has no -y and will prompt before upgrading packages.
sudo dnf update && sudo dnf install -y firewalld

Enable/Disable/Reload

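# Start the daemon now (runtime only; does not survive a reboot)
sudo systemctl start firewalld

# Enable at boot (`systemctl enable --now firewalld` also starts it immediately)
sudo systemctl enable firewalld

# Stop the daemon. Stopping firewalld removes its rules, so the host is
# left unfiltered unless another firewall is in place.
sudo systemctl stop firewalld

# Disable at boot
sudo systemctl disable firewalld

# Reload: re-reads the permanent configuration and keeps established
# connections, but DISCARDS any runtime-only changes (rules added without
# --permanent). Run `firewall-cmd --runtime-to-permanent` first if you
# want to keep them.
sudo firewall-cmd --reload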

Check status

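# Is the daemon running? (prints "running" / "not running")
# NOTE: the --list-* and --get-* queries below show the RUNTIME config;
# add --permanent to inspect the saved config instead.
sudo firewall-cmd --state

# All zones known to firewalld, then only the zones actually in use
# (bound to an interface or source) together with their interfaces
sudo firewall-cmd --get-zones
sudo firewall-cmd --get-active-zones

# Every zone with its full settings
sudo firewall-cmd --list-all-zones

# Settings of the DEFAULT zone only (not of every active zone);
# add --zone=... to inspect a specific zone
sudo firewall-cmd --list-all

# Settings of one specific zone
sudo firewall-cmd --zone=public --list-all

# Name of the default zone. The option is --get-default-zone;
# a bare --get-default is not a valid firewall-cmd option.
sudo firewall-cmd --get-default-zone

# Predefined service names usable with --add-service / --remove-service
sudo firewall-cmd --get-services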

Initial setup

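# Set the default zone to drop.
# In the drop zone every unsolicited incoming packet is silently dropped
# (no ICMP reply); outgoing traffic, and replies to it, are still allowed.
# --set-default-zone changes runtime AND permanent config at once, so on a
# remote host open SSH in that zone first (e.g. `--zone=drop --add-service=ssh`)
# or bind the management interface to a zone that allows it — otherwise you
# will lock yourself out.
sudo firewall-cmd --set-default-zone=drop

# Bind interface eth0 to a zone. Without --permanent this is runtime only.
# On NetworkManager-managed interfaces the zone may instead come from the
# connection profile (connection.zone) and override this; confirm the result
# with --get-active-zones.
#sudo firewall-cmd --change-interface=eth0 --zone=home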
✍🏻Tips: Common zones, from most to least restrictive: drop (all unsolicited incoming dropped), public (the usual default; only explicitly allowed services), work/home (a few more services allowed), trusted (ALL incoming accepted — use with care).

Add rule

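# --permanent writes the rule to the saved config but does NOT apply it
# until the next reload; without --permanent the rule applies immediately
# but is lost on reboot or reload. To get both, run the command twice, or
# add the runtime rule and then `sudo firewall-cmd --runtime-to-permanent`.
sudo firewall-cmd --zone=public --permanent --add-service=http

# Allow the predefined `murmur` service in zone `home` (runtime only)
sudo firewall-cmd --zone=home --add-service murmur

# Allow TCP port 123 in zone `home` (runtime only)
sudo firewall-cmd --zone=home --add-port=123/tcp

# Apply the permanent changes. This discards the two runtime-only rules
# above unless they were saved with --runtime-to-permanent first.
sudo firewall-cmd --reload

# Direct rules: raw ip6tables arguments that bypass zone processing.
# These accept ALL forwarded IPv6 traffic entering or leaving tap0 —
# FORWARD chain only, i.e. routed traffic, not traffic to/from the host
# itself — with no state or address restriction, so keep them as narrow
# as the use case allows. `--passthrough` rules are runtime-only and
# untracked (firewalld cannot list or remove them later); prefer
# `--direct --add-passthrough ipv6 ...` (optionally with --permanent) so
# firewalld records them.
sudo firewall-cmd --direct --passthrough ipv6 -I FORWARD -o tap0 -j ACCEPT
sudo firewall-cmd --direct --passthrough ipv6 -I FORWARD -i tap0 -j ACCEPT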

Delete rule

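# Remove an explicit port entry from the SAVED config of zone `public`
# (takes effect on the next --reload). This does NOT close SSH if it is
# allowed via the `ssh` service, which `public` allows by default — remove
# that with --remove-service=ssh, and make sure you have another way in
# before doing so on a remote host.
sudo firewall-cmd --zone=public --permanent --remove-port=22/tcp

# Runtime-only removal: applies immediately, but the service comes back
# on reload if it is still present in the permanent config
sudo firewall-cmd --zone=public --remove-service murmur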