Mastering firewall-cmd: How to Effectively Manage Firewall Rules

    Firewalls are a crucial component of network security, serving as the first line of defense against malicious activity and unauthorized access. Configuring and managing firewalls can be a daunting task, especially for those who are new to the world of network security. However, with the right tools and knowledge, mastering firewall management becomes much easier.

    Understanding firewall-cmd

    One tool that can greatly simplify firewall management is firewall-cmd. Firewall-cmd is a command-line utility that allows you to manage the firewall rules of a system using the firewalld service. It provides a user-friendly and powerful interface for controlling the firewall settings.

    Firewall-cmd is the default utility for managing firewalld on most modern Linux distributions, including CentOS, Fedora, and Red Hat Enterprise Linux. It offers a wide range of options and commands that enable you to add, modify, and delete firewall rules, zones, and services.

    Getting Started with firewall-cmd

    If you are new to firewall-cmd, the first step is to familiarize yourself with the basic concepts and syntax. The firewall-cmd command follows a straightforward structure, with the general syntax being:

    firewall-cmd [options] [commands]

    To view the current firewall configuration, you can use the --list-all option:

    firewall-cmd --list-all

    This command displays the configuration of the default zone (or of the zone selected with --zone), including its interfaces, services, and open ports. It gives you an overview of the current firewall state, which is useful for troubleshooting and determining the existing rules.

    Managing Firewall Zones

    In firewall-cmd, zones play a pivotal role in organizing and applying firewall rules. A zone represents a specific level of trust and defines the network interfaces and services associated with it. By assigning interfaces to different zones, you can control the traffic flow and security policies for each interface.

    To list all available zones, you can use the following command:

    firewall-cmd --get-zones

    This command provides you with a list of available zones, such as public, trusted, and drop. Each zone has its own set of predefined rules and defaults, making it easier to define specific security policies for different network interfaces.

    To assign an interface to a specific zone, you can use the --zone option followed by the zone name and the --add-interface option, as shown below:

    firewall-cmd --zone=public --add-interface=eth0

    This command assigns the interface eth0 to the public zone, allowing you to control the incoming and outgoing traffic on that interface according to the rules specified for the public zone.

    Adding Firewall Rules

    Firewall rules define the type and direction of network traffic that is allowed or denied by the firewall. By adding specific rules, you can fine-tune the firewall settings to meet your connectivity and security requirements.

    To add a new rule using firewall-cmd, you need to specify the zone, protocol, port, and other relevant parameters. Here’s an example that demonstrates how to allow incoming HTTP traffic on port 80:

    firewall-cmd --zone=public --add-port=80/tcp --permanent

    In this example, the --zone=public option assigns the rule to the public zone, while --add-port=80/tcp allows incoming TCP traffic on port 80. The --permanent flag writes the rule to the permanent configuration, so it survives firewall reloads and system reboots; a rule added with --permanent alone does not affect the running firewall until the firewall is reloaded.

    Rules added without --permanent take effect immediately but exist only in the runtime configuration, so they are lost at the next reload or reboot. You can use the --runtime-to-permanent option to make runtime rules permanent:

    firewall-cmd --runtime-to-permanent

    This command saves all runtime changes to the permanent configuration, ensuring that your firewall remains consistent across reboots.
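
    The runtime/permanent split described above is a common source of rules that are open but not saved, or saved but not enforced. As an added example (not from the original article), this script compares --list-all output from both configurations and reports entries present in only one; the sample outputs and the function names fw_field and fw_drift are constructed for illustration.

```shell
#!/bin/sh
# Added example: report drift between runtime and permanent firewalld config.
# Sample outputs below are constructed, in the layout printed by --list-all.

RUNTIME_SAMPLE='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 80/tcp 8080/tcp
  forward-ports:'

PERMANENT_SAMPLE='public
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp
  forward-ports:'

# Print the values of one field (e.g. "ports"), one per line, sorted.
# The leading-whitespace anchor keeps "ports" from matching "forward-ports".
fw_field() {  # $1 = list-all text, $2 = field name
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" |
        tr -s ' ' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Compare services and ports; print one line per entry found on one side only.
fw_drift() {  # $1 = runtime text, $2 = permanent text
    rt=$(mktemp) && pm=$(mktemp) || return 1
    for field in services ports; do
        fw_field "$1" "$field" > "$rt"
        fw_field "$2" "$field" > "$pm"
        # Active now, gone after the next reload or reboot.
        LC_ALL=C comm -23 "$rt" "$pm" | sed "s|^|runtime-only $field: |"
        # Saved, but not enforced until the firewall is reloaded.
        LC_ALL=C comm -13 "$rt" "$pm" | sed "s|^|permanent-only $field: |"
    done
    rm -f "$rt" "$pm"
}

fw_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"

# On a live host (needs firewalld running):
#   fw_drift "$(firewall-cmd --zone=public --list-all)" \
#            "$(firewall-cmd --permanent --zone=public --list-all)"
```

    An empty result means the running firewall and the saved configuration agree for the zone that was compared.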

    Modifying and Deleting Firewall Rules

    Firewall-cmd allows you to modify and delete existing firewall rules with ease. Zone features are changed with their own --add-* and --remove-* options; for example, masquerading is enabled with the --add-masquerade option:

    firewall-cmd --zone=public --add-masquerade

    This command enables masquerading (address translation for forwarded traffic) in the public zone. Options like this one add functionality to a zone beyond opening ports and services, extending the traffic control capabilities of the firewall.

    To delete a rule, you need to specify the zone, protocol, and port, as well as the --remove-port option. Here’s an example that demonstrates how to remove a rule allowing incoming SSH traffic on port 22:

    firewall-cmd --zone=public --remove-port=22/tcp --permanent

    This command removes the rule allowing incoming TCP traffic on port 22 from the public zone. The --permanent flag deletes the rule from the permanent firewall configuration; the running firewall keeps the rule until the firewall is reloaded.


    Mastering firewall-cmd is essential for effectively managing firewall rules and ensuring the security of your network. By understanding the basic commands and syntax of firewall-cmd, you can confidently configure and modify firewall settings, add or delete rules, and assign interfaces to different zones. This level of control over your firewall empowers you to create a robust network security infrastructure that protects your systems from unauthorized access and malicious activity.