Control the firewall at the command line

A network firewall is more or less what it sounds like: a protective barrier that prevents unwanted network transmissions. They are most frequently used to prevent outsiders from contacting or using network services on a system. For instance, if you’re running a laptop at school or in a coffee shop, you probably don’t want strangers poking around on it.

Every Fedora system has a firewall built in. It’s part of the network functions in the Linux kernel inside. This article shows you how to change its settings using firewall-cmd.

Network basics

This article can’t teach you everything about computer networks. But a few basics suffice to get you started.

Any computer on a network has an IP address. Think of this just like a mailing address that allows correct routing of data. Each computer also has a set of ports, numbered 0-65535. These are not physical ports; instead, you can think of them as a set of connection points at the address.

In many cases, the port is a standard number or range depending on the application expected to answer. For instance, a web server typically reserves port 80 for non-secure HTTP communications, and/or 443 for secure HTTPS. The port numbers under 1024 are reserved for system and well-known purposes, ports 1024-49151 are registered, and ports 49152 and above are usually ephemeral (used only for a short time).

Each of the two most common protocols for Internet data transfer, TCP and UDP, have this set of ports. TCP is used when it’s important that all data be received and, if it arrives out of order, reassembled in the right order. UDP is used for more time-sensitive services that can withstand losing some data.

An application running on the system, such as a web server, reserves one or more ports (as seen above, 80 and 443 for example). Then during network communication, a host establishes a connection between a source address and port, and the destination address and port.

A network firewall can block or permit transmissions of network data based on rules like address, port, or other criteria. The firewall-cmd utility lets you interact with the rule set to view or change how the firewall works.

Firewall zones

To verify the firewall is running, use this command with sudo. (In fairness, you can run firewall-cmd without the sudo command in environments where PolicyKit is running.)

$ sudo firewall-cmd --state
running

The firewalld service supports any number of zones. Each zone can have its own settings and rules for protection. In addition, each network interface can be placed in any zone individually The default zone for an external facing interface (like the wifi or wired network card) on a Fedora Workstation is the FedoraWorkstation zone.

To see what zones are active, use the ––get-active-zones flag. On this system, there are two network interfaces, a wired Ethernet card wlp2s0 and a virtualization (libvirt) bridge interface virbr0:

$ sudo firewall-cmd --get-active-zones
FedoraWorkstation
  interfaces: wlp2s0
libvirt
  interfaces: virbr0

To see the default zone, or all the defined zones:

$ sudo firewall-cmd --get-default-zone
FedoraWorkstation
$ sudo firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal libvirt public trusted work

To see the services the firewall is allowing other systems to access in the default zone, use the ––list-services flag. Here is an example from a customized system; you may see something different.

$ sudo firewall-cmd --list-services
dhcpv6-client mdns samba-client ssh

This system has four services exposed. Each of these has a well-known port number. The firewall recognizes them by name. For instance, the ssh service is associated with port 22.

To see other port settings for the firewall in the current zone, use the ––list-ports flag. By the way, you can always declare the zone you want to check:

$ sudo firewall-cmd --list-ports --zone=FedoraWorkstation
1025-65535/udp 1025-65535/tcp

This shows that ports 1025 and above (both UDP and TCP) are open by default.

Changing zones, ports, and services

The above setting is a design decision.* It ensures novice users can use network facing applications they install. If you know what you’re doing and want a more protective default, you can move the interface to the FedoraServer zone, which prohibits any ports not explicitly allowed. (Warning: if you’re using the host via the network, you may break your connection — meaning you’ll have to go to that box physically to make further changes!)

$ sudo firewall-cmd --change-interface=<ifname> --zone=FedoraServer
success

* This article is not the place to discuss that decision, which went through many rounds of review and debate in the Fedora community. You are welcome to change settings as needed.

If you want to open a well-known port that belongs to a service, you can add that service to the default zone (or use ––zone to adjust a different zone). You can add more than one at once. This example opens up the well-known ports for your web server for both HTTP and HTTPS traffic, on ports 80 and 443:

$ sudo firewall-cmd --add-service=http --add-service=https
success

Not all services are defined, but many are. To see the whole list, use the ––get-services flag.

If you want to add specific ports, you can do that by number and protocol as well. (You can also combine ––add-service and ––add-port flags, as many as necessary.) This example opens up the UDP service for a network boot service:

$ sudo firewall-cmd --add-port=67/udp
success

Important: If you want your changes to be effective after you reboot your system or restart the firewalld service, you must add the ––permanent flag to your commands. The examples here only change the firewall until one of those events next happens.

These are just some of the many functions of the firewall-cmd utility and the firewalld service. There is much more information on firewalld at the project’s home page that’s worth reading and trying out.


Photo by Jakob Braun on Unsplash.

FAQs and Guides Using Software

19 Comments

  1. Joao Rodrigues

    Or setup your firewall as you like, and in the end use:

    $ sudo firewall-cmd –runtime-to-permanent

    To make your configuration permanent.

  2. kb

    Best firewald zone for desktop or home laptop ?

    • Joao Rodrigues

      Zones are not for desktop or laptops.

      Zones are for networks. Home networks, Work networks, public networks.

      When I connect to my home network, I trust every computer that connects to that network and I expose some services (like samba shares).
      In a public network I don’t trust any of the computers, so I don’t want to expose any service.

      The cool thing is that you can bind firewalld zones to wifi connections (you have to use nm-connection-editor or nmcli, though), so when I connect to my home wifi I always land on the home zone and if I go to a public library or cafe I usually set it to public, block or drop.

      • You’re correct, and I don’t believe the article states zones are for types of systems. It says instead they allow grouping rules. The names of the packaged zones (such as dmv, public, home, etc.) do hint they can be used to assert a level a trust on a specific network type.

  3. Nils

    Thanks for the tutorial!
    I think the next interesting step would be to add own services. This is actually quite easy and described here: https://firewalld.org/documentation/howto/add-a-service.html

  4. Ondrej

    What I miss written about firewalld is writting complete router setup. Like masquerading, different zones, etc.

    I would be really grateful for complete tutorial like that. 🙂

    I am really enjoying using firewall-cmd in oposite to iptables syntax, which I usually have to look up all the time.

  5. Jordan

    Nice! I want more post about this.

  6. I suspect that Paul got inspired with this after the recent article on Firewalld and OpenSnitch in the Linux Pro magazine.

    • Nope, it was actually just an idea someone put in our idea queue for the Magazine some weeks ago, and since no one else wrote it, I decided to. 🙂

      • Earl Ramirez

        Can you share a bit of detail on the “Idea queue” is this something available for the public?

        • Earl: Sure, refer to https://docs.fedoraproject.org/en-US/fedora-magazine/ for the big picture and instructions.

          • Earl Ramirez

            Thank you, sir

          • Paul Thanks for making this! I think i need your help! I was recently hi-jhacked by some clown and am currently on what appears to be a contaminated node on THEIR network. I’m so new to linux that I probably installed all of this stuff for them. Where can a nub like me go to clean out my computer, reset my 1 tarabyte hd (it says i have 3 partitions with 999gigs free on 1 I cant access) Where can a noob go to setup his firewall at like AEGIS levels, DETOX the damn drives and be assured his Fedora installation is CLEAN???? Thanking you again, in advance, I am 🙂

  7. Thanks Paul, you’re great!

  8. Mark

    You do have to keep an eye on what ports are opened when adding services, while a service like http, ssh or cockpit adds 80, 22, 9090 repectively but if you were to add (found from playing around after a previous article on GSConnect) “firewall-cmd –add-service kde-connect” (service provided by the kdeconnectd package) you will see that (on F30 anyway) it opens a huge port range of 1714 to 1764 on both tcp and udp.
    Which after a few reboots to check I found the kde-connect process consistently only ever used one port so removed the service and just added the one tcp and udp port.

    It does highlight that you need to be aware of what ports a service opens rather than assuming the service knows best, whether by examining the service file at /usr/lib/firewalld/services/yourservicename.xml (where you can also create your own services) or as I do in my active environments by a server checking script that as one of its functions checks that every port defined in the active firewall rules actually matches a port in a listening state on the server which helps me keep the rules up to date when I remove packages.

    On the mention in the post for the output of the command “sudo firewall-cmd –list-ports –zone=FedoraWorkstation” allowing ports 1025 and above thanks for mentioning that, most users of a new Fedora desktop install probably don’t realise they are wide open by default and must really trust everything in their network so it is good you mentioned it. The first thing any desktop user should do is change the default/active zone or delete that port range and just define what they need.

    • So….if I catch a virus, I think its this new Minergate trojan/worm, whatever they did MS released CVE-ID-2020 (hehe THE CVE-ID-19 VIRUS!), to fix that gets in on the printer ports and then acts like WANNACRY, on a network with 2 windows computers, it infects both, i install fedora, it comes in such a state that the virus may be able to mess my brand new fedora up from the windows connection? how do i check/stop it? what can i do, i can see where its adding firewall exceptions in the anaconda files in the jump drive :(.

  9. typo near the end or your two dashes were turned into an em dash: it say’s add ‘-permanent’ to your commands for the setting to survive reboot, it’s two dashes. could you put that in the code example or in a monospaced font ?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: