10 Useful firewall-cmd Commands in Linux

In this blog post, we are going to explain 10 useful firewall-cmd commands in Linux with real examples.

The firewall-cmd is the command-line client used to manage the runtime configurations. It is a firewall solution as an alternative to the iptables service. We know that a properly configured firewall is the only weapon that can defend the server from attacks caused by internal influences. The firewall-cmd is part of the firewalld application that can be used for managing the firewall.

In this blog post, we are going to use Ubuntu 22.04 as Linux OS. You can use any Linux distribution. Let’s get started!

Prerequisites

• Fresh install of Ubuntu 22.04 OS
• User privileges: root or non-root user with sudo privileges

Update the System

Before we start with the firewall-cmd command we are going to update the system packages to the latest versions available.

sudo apt update -y && sudo apt upgrade -y

Once the system is updated we are ready to show you the basic firewall-cmd commands in Linux.

1. Install Firewalld

Let’s check what we will get if we execute the firewall-cmd command.

root@host:~# firewall-cmd
Command 'firewall-cmd' not found, but can be installed with:
apt install firewalld

We can see that the firewall-cmd is not installed by default, so we will have to install it with the command provided in the output above.

sudo apt install firewalld

Since the firewalld is a service, it will be automatically started after the installation, but if we want to be sure, we can start and enable it manually with the following commands:

sudo systemctl start firewalld && sudo systemctl enable firewalld

To check the status of the firewalld service, execute the following command:

sudo systemctl status firewalld

You will receive the following output:

root@host:~# sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-07-06 18:34:51 UTC; 6min ago
       Docs: man:firewalld(1)
   Main PID: 1761 (firewalld)
      Tasks: 2 (limit: 4548)
     Memory: 24.8M
        CPU: 1.689s
     CGroup: /system.slice/firewalld.service
             └─1761 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Jul 06 18:34:50 host.test.vps systemd[1]: Starting firewalld - dynamic firewall daemon...

2. Firewall-cmd Help Command

The firewall-cmd help command will show us the syntax of the firewall-cmd, options, and usage.

root@host:~# firewall-cmd --help

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration
  --check-config       Check permanent configuration for errors

Log Denied Options
  --get-log-denied     Print the log denied value
  --set-log-denied=
                       Set log denied value

3. Firewall-cmd List Services

This command firewall-cmd –list-services will show us the enabled service on our system.

root@host:~# firewall-cmd --list-services
dhcpv6-client ssh

3. Open Port with Firewall-cmd

With this command, we can easily open a port on our server for incoming or outgoing connections.

sudo firewall-cmd --add-port=80/tcp

sudo firewall-cmd --add-port=443/tcp

sudo firewall-cmd --zone=public --add-port=3306/tcp

With these commands, we opened ports 80, and 443 for HTTP and HTTPS requests and port 3306 for MySQL service.

4. List Open Ports with Firewall-cmd

With this command, we can list the previously opened ports.

root@host:~# <strong>firewall-cmd --list-ports</strong>
80/tcp 443/tcp 3306/tcp

To make the new settings persistent, execute the following command:

sudo firewall-cmd --runtime-to-permanent

5. Closing Port with Firewall-cmd

To close the port, for example, 3306 in Firewall-cmd execute the following command:

sudo firewall-cmd --remove-port=3306/tcp

To make the new settings persistent, execute the following command:

sudo firewall-cmd --runtime-to-permanent

Now, list the opened ports again:

root@host:~# firewall-cmd --list-ports
80/tcp 443/tcp

As you can see, port 3306 is not on the list anymore./p>

6. List all zones with Firewall-cmd

With this command, we can list all zones and information about them.

sudo firewall-cmd --list-all-zones

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
....

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
 ....

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  ....

7. Firewall-cmd port forwarding

To forward, for example, port 80 to port 443 on your server, you can use the following command:

sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=443 --permanent

sudo firewall-cmd --reload

As you can see on all successfull commands, you will receive the success message.

root@host:~# sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=443 --permanent
success
root@host:~# sudo firewall-cmd --reload
success

8. Access to Port from a specific IP address

In this example, we are going to allow access to port 3306 only from IP 192.168.0.15

sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.100" port port=3306 protocol=tcp accept'

sudo firewall-cmd --reload

9. List all rules

To list all rules, execute the following command:

sudo firewall-cmd --list-all

If you follow all commands from the previous steps, you will receive the following output:

root@host:~# sudo firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
        port=80:proto=tcp:toport=443:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.100" port port="3306" protocol="tcp" accept

10. Firewalld Man Command

Finally, the last command will be the man for firewalld-cmd, which is very useful if you want to know everything about the firewalld. Execute the command sudo man firewall-cmd, and you will receive the following output:

root@host:~# sudo man firewall-cmd
FIREWALL-CMD(1)                                                             firewall-cmd                                                            FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations.

       The runtime configuration in firewalld is separated from the permanent configuration. This means that things can get changed in the runtime or permanent
       configuration.

That’s all. In this tutorial, we explained some basic firewalld-cmd commands that are very often used in the world of system administrators and other curious users. If you find it difficult to understand the basic firewalld-cmd commands, you can always contact our technical support, and they will do the rest for you. We are available 24/7.

If you liked this post about ten useful firewall-cmd commands in Linux, please share it with your friends on social networks using the buttons on the left or simply leave a reply below.