In this blog post, we are going to explain 10 useful firewall-cmd commands in Linux with real examples.
The firewall-cmd is the command-line client used to manage the runtime configurations. It is a firewall solution as an alternative to the iptables service. We know that a properly configured firewall is the only weapon that can defend the server from attacks caused by internal influences. The firewall-cmd is part of the firewalld application that can be used for managing the firewall.
In this blog post, we are going to use Ubuntu 22.04 as Linux OS. You can use any Linux distribution. Let’s get started!
Prerequisites
- Fresh install of Ubuntu 22.04 OS
- User privileges: root or non-root user with sudo privileges
Update the System
Before we start with the firewall-cmd command we are going to update the system packages to the latest versions available.
sudo apt update -y && sudo apt upgrade -y
Once the system is updated we are ready to show you the basic firewall-cmd commands in Linux.
1. Install Firewalld
Let’s check what we will get if we execute the firewall-cmd command.
root@host:~# firewall-cmd Command 'firewall-cmd' not found, but can be installed with: apt install firewalld
We can see that the firewall-cmd is not installed by default, so we will have to install it with the command provided in the output above.
sudo apt install firewalld
Since the firewalld is a service, it will be automatically started after the installation, but if we want to be sure, we can start and enable it manually with the following commands:
sudo systemctl start firewalld && sudo systemctl enable firewalld
To check the status of the firewalld service, execute the following command:
sudo systemctl status firewalld
You will receive the following output:
root@host:~# sudo systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2022-07-06 18:34:51 UTC; 6min ago Docs: man:firewalld(1) Main PID: 1761 (firewalld) Tasks: 2 (limit: 4548) Memory: 24.8M CPU: 1.689s CGroup: /system.slice/firewalld.service └─1761 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid Jul 06 18:34:50 host.test.vps systemd[1]: Starting firewalld - dynamic firewall daemon...
2. Firewall-cmd Help Command
The firewall-cmd help command will show us the syntax of the firewall-cmd, options, and usage.
root@host:~# firewall-cmd --help Usage: firewall-cmd [OPTIONS...] General Options -h, --help Prints a short help text and exists -V, --version Print the version string of firewalld -q, --quiet Do not print status messages Status Options --state Return and print firewalld state --reload Reload firewall and keep state information --complete-reload Reload firewall and lose state information --runtime-to-permanent Create permanent from runtime configuration --check-config Check permanent configuration for errors Log Denied Options --get-log-denied Print the log denied value --set-log-denied= Set log denied value
3. Firewall-cmd List Services
This command firewall-cmd –list-services will show us the enabled service on our system.
root@host:~# firewall-cmd --list-services dhcpv6-client ssh
3. Open Port with Firewall-cmd
With this command, we can easily open a port on our server for incoming or outgoing connections.
sudo firewall-cmd --add-port=80/tcp sudo firewall-cmd --add-port=443/tcp sudo firewall-cmd --zone=public --add-port=3306/tcp
With these commands, we opened ports 80, and 443 for HTTP and HTTPS requests and port 3306 for MySQL service.
4. List Open Ports with Firewall-cmd
With this command, we can list the previously opened ports.
root@host:~# <strong>firewall-cmd --list-ports</strong> 80/tcp 443/tcp 3306/tcp
To make the new settings persistent, execute the following command:
sudo firewall-cmd --runtime-to-permanent
5. Closing Port with Firewall-cmd
To close the port, for example, 3306 in Firewall-cmd execute the following command:
sudo firewall-cmd --remove-port=3306/tcp
To make the new settings persistent, execute the following command:
sudo firewall-cmd --runtime-to-permanent
Now, list the opened ports again:
root@host:~# firewall-cmd --list-ports 80/tcp 443/tcp
As you can see, port 3306 is not on the list anymore./p>
6. List all zones with Firewall-cmd
With this command, we can list all zones and information about them.
sudo firewall-cmd --list-all-zones block target: %%REJECT%% icmp-block-inversion: no interfaces: sources: services: ports: .... dmz target: default icmp-block-inversion: no interfaces: sources: services: ssh .... home target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client mdns samba-client ssh ports: protocols: forward: yes ....
7. Firewall-cmd port forwarding
To forward, for example, port 80 to port 443 on your server, you can use the following command:
sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=443 --permanent sudo firewall-cmd --reload
As you can see on all successfull commands, you will receive the success message.
root@host:~# sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=443 --permanent success root@host:~# sudo firewall-cmd --reload success
8. Access to Port from a specific IP address
In this example, we are going to allow access to port 3306 only from IP 192.168.0.15
sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.100" port port=3306 protocol=tcp accept' sudo firewall-cmd --reload
9. List all rules
To list all rules, execute the following command:
sudo firewall-cmd --list-all
If you follow all commands from the previous steps, you will receive the following output:
root@host:~# sudo firewall-cmd --list-all public target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client ssh ports: 80/tcp 443/tcp protocols: forward: yes masquerade: no forward-ports: port=80:proto=tcp:toport=443:toaddr= source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="192.168.0.100" port port="3306" protocol="tcp" accept
10. Firewalld Man Command
Finally, the last command will be the man for firewalld-cmd, which is very useful if you want to know everything about the firewalld. Execute the command sudo man firewall-cmd, and you will receive the following output:
root@host:~# sudo man firewall-cmd FIREWALL-CMD(1) firewall-cmd FIREWALL-CMD(1) NAME firewall-cmd - firewalld command line client SYNOPSIS firewall-cmd [OPTIONS...] DESCRIPTION firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations. The runtime configuration in firewalld is separated from the permanent configuration. This means that things can get changed in the runtime or permanent configuration.
That’s all. In this tutorial, we explained some basic firewalld-cmd commands that are very often used in the world of system administrators and other curious users. If you find it difficult to understand the basic firewalld-cmd commands, you can always contact our technical support, and they will do the rest for you. We are available 24/7.
If you liked this post about ten useful firewall-cmd commands in Linux, please share it with your friends on social networks using the buttons on the left or simply leave a reply below.
The title is “10 useful firewall-cmd commands in Linux “, when it should be “10 useful firewall-cmd commands in Ubuntu”! These commands do not on any of my machines, because they have a different firewall installed and are not Ubuntu based. Ubuntu is only ONE Linux distribution, it is not Linux!
Thanks for noticing, we mentioned in the article that we will be using Ubuntu 22.04 OS in the first paragraphs.
i would think the firewalld and firewall-cmd commands are going to be the same regardless of distro.
While not 100% universal these work on basically any distro with firewalld, which is a lot of them. I just ran many of these on RedHat and they worked.