Fedora 25: Firewall with Firewalld

This article describes the basics of firewalld on Fedora 25: installing it, adding and removing rules, and listing the rules that are in effect.

1 Install Firewalld

Install the firewalld package, then enable and start the service.

$ sudo dnf install firewalld
$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld

2 Add rule

The --add-port and --add-service options add rules. Without the --permanent option, a rule is applied only to the running configuration, so it is temporary: it is lost when firewalld is reloaded or restarted.

$ sudo firewall-cmd --add-port=80/tcp
$ sudo firewall-cmd --add-service=http

The argument to --add-service is the name of a service definition file in /usr/lib/firewalld/services/ (without the .xml suffix); for example, http refers to http.xml:

$ sudo cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you
plan to make your Web server publicly available, enable this option.
This option is not required for viewing pages locally or developing
Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>

With the --permanent option, the rule is written to the permanent configuration. A permanent rule does not take effect in the running firewall until firewall-cmd --reload is run (note that --reload also discards any rules that were added without --permanent).

$ sudo firewall-cmd --add-port=80/tcp --permanent
$ sudo firewall-cmd --add-service=https --permanent
$ sudo firewall-cmd --reload

3 Show rule list

The --list-all option shows all rules of the default zone (here FedoraWorkstation).

$ sudo firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: dhcpv6-client ssh mdns samba-client http
  ports: 1025-65535/udp 1025-65535/tcp 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The --list-ports option shows the rules added with --add-port.

$ sudo firewall-cmd --list-ports
1025-65535/udp 1025-65535/tcp 80/tcp

The --list-services option shows the rules added with --add-service.

$ sudo firewall-cmd --list-services
dhcpv6-client ssh mdns samba-client http
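Because a rule added without --permanent disappears on the next --reload, while a rule added with --permanent is not active until that reload, the runtime and permanent lists can silently drift apart. The following POSIX shell script is an added example (not part of the original article) that compares the two lists and reports the differences; it assumes firewall-cmd accepts --permanent together with --list-ports and --list-services, and the sample lists at the bottom are constructed.

```shell
#!/bin/sh
# Added example: report firewalld rules that exist only at runtime (lost on
# `firewall-cmd --reload` or reboot) or only in the permanent configuration
# (stored but not yet active). Both `firewall-cmd --list-ports` and
# `firewall-cmd --permanent --list-ports` print one space-separated line,
# so the lists are handled as plain strings.

# only_in_first LIST_A LIST_B: print the items of LIST_A that are not in
# LIST_B, one per line, in the order they appear in LIST_A.
only_in_first() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bs, " ")
        for (i = 1; i <= n; i++) seen[bs[i]] = 1
        n = split(a, as, " ")
        for (i = 1; i <= n; i++) if (!(as[i] in seen)) print as[i]
    }'
}

# report_drift KIND RUNTIME_LIST PERMANENT_LIST: one line per differing item,
# labelled with KIND (e.g. "port" or "service") and which side has it.
report_drift() {
    kind=$1
    only_in_first "$2" "$3" | sed "s/^/runtime-only $kind: /"
    only_in_first "$3" "$2" | sed "s/^/permanent-only $kind: /"
}

# Constructed sample data: the runtime list is the article's --list-ports
# output; the permanent list is what --permanent --list-ports would show if
# 80/tcp had been added only at runtime and 443/tcp only permanently.
SAMPLE_RUNTIME_PORTS='1025-65535/udp 1025-65535/tcp 80/tcp'
SAMPLE_PERMANENT_PORTS='1025-65535/udp 1025-65535/tcp 443/tcp'

# Live use (as root) would replace the samples with command output, e.g.:
#   report_drift port "$(firewall-cmd --list-ports)" \
#                     "$(firewall-cmd --permanent --list-ports)"
#   report_drift service "$(firewall-cmd --list-services)" \
#                        "$(firewall-cmd --permanent --list-services)"
report_drift port "$SAMPLE_RUNTIME_PORTS" "$SAMPLE_PERMANENT_PORTS"
```

On the sample data this prints "runtime-only port: 80/tcp" and "permanent-only port: 443/tcp"; an empty report means the two configurations agree.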

4 Delete rule

The --remove-port and --remove-service options delete rules. Without the --permanent option, the removal applies only to the running configuration and is therefore temporary.

$ sudo firewall-cmd --remove-port=80/tcp
$ sudo firewall-cmd --remove-service=http

With the --permanent option, the removal is written to the permanent configuration, but it does not take effect in the running firewall until firewall-cmd --reload is run.

$ sudo firewall-cmd --remove-port=80/tcp --permanent
$ sudo firewall-cmd --remove-service=https --permanent
$ sudo firewall-cmd --reload