Lesson 9.1: Configure firewall settings using firewall-cmd/firewalld


Installing the firewalld service

[root@server ~]# rpm -q firewalld 
firewalld-1.2.5-1.el9.noarch
# If the package is not present, install it
[root@server ~]# yum -y install firewalld

Starting and enabling the firewalld service (enable makes it start at boot, start makes it active now)

[root@server ~]# systemctl start firewalld 
[root@server ~]# systemctl enable firewalld
[root@server ~]# systemctl status firewalld

Listing the firewall zones

[root@server ~]# firewall-cmd --list-all-zones 

To get the default zone (the zone applied to interfaces that are not explicitly assigned to another zone)

[root@server ~]# firewall-cmd --get-default-zone 
public

List the full configuration of the active zone

[root@server ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client http mountd nfs rpc-bind ssh
  ports: 8098/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Changing the default zone (note in the output below that the interface ens160 moves to the new zone and the set of exposed services and ports changes with it)

[root@server ~]# firewall-cmd --set-default-zone=home 
success
[root@server ~]# firewall-cmd --get-default-zone 
home
[root@server ~]# firewall-cmd --list-all 
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Adding a service to the firewall (a --permanent change is written to the saved configuration and only takes effect in the running firewall after --reload)

[root@server ~]# firewall-cmd --permanent --add-service=smtp
success
[root@server ~]# firewall-cmd --reload 
success
 
# To add a service to a specific zone (without --zone the change applies to the default zone)
[root@server ~]# firewall-cmd --permanent --add-service=smtp --zone=work
success
[root@server ~]# firewall-cmd --reload 
success
[root@server ~]# firewall-cmd --list-all --zone=work
 
# To add multiple services in the same command (the shell's brace expansion turns {ftp,dns,nfs} into one --add-service option per name)
[root@server ~]# firewall-cmd --permanent --add-service={ftp,dns,nfs} --zone=work 

To allow a port through the firewall

[root@server ~]# firewall-cmd --permanent --add-port=4455/tcp
success
[root@server ~]# firewall-cmd --reload 
success
[root@server ~]# firewall-cmd --list-all 
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client http mountd nfs rpc-bind smtp ssh
  ports: 8098/tcp 4455/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
 
# To add multiple ports in the same command, use brace expansion with {} as shown for services above

Removing a port and a service from the firewall (these are --permanent changes too, so run firewall-cmd --reload afterwards; until then the port and services remain open in the running firewall)

[root@server ~]# firewall-cmd --permanent --remove-service={nfs,smtp} 
success
[root@server ~]# firewall-cmd --permanent --remove-port=4455/tcp
success

Rich Rules

# Rich rule commands are lengthy and hard to remember, so refer to the EXAMPLES section of the firewalld.richlanguage(5) man page. Note that a source address written with a prefix length such as /21 matches the whole network, not a single host, and that this --permanent rule also needs a --reload to take effect.
[root@server ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.203.225/21" service name="http" accept'
success
 
