2. Firewalld Commands.md

1. Basic Firewalld Control

Check Firewalld Status

sudo systemctl status firewalld

• If Firewalld is inactive, start it:

  sudo systemctl start firewalld

• Enable Firewalld on boot:

  sudo systemctl enable firewalld

• Stop Firewalld:

  sudo systemctl stop firewalld

• Disable Firewalld from starting at boot:

  sudo systemctl disable firewalld

List Active Zones

sudo firewall-cmd --get-active-zones

Find Out Which Zone an Interface Belongs To

sudo firewall-cmd --get-zone-of-interface=<interface>

(Replace <interface> with your actual network interface, e.g., eth0 or wlan0)

---

2. Adding, Removing, and Managing Rules

List Current Rules

sudo firewall-cmd --list-all

Adding a Rule (Allowing Traffic)

• Allow Incoming HTTP (Port 80)

  sudo firewall-cmd --zone=public --add-service=http --permanent

• Allow HTTPS (Port 443)

  sudo firewall-cmd --zone=public --add-service=https --permanent

• Allow SSH (Port 22)

  sudo firewall-cmd --zone=public --add-service=ssh --permanent

• Allow a Custom Port (e.g., 8080 for a web server)

  sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

Remove a Rule (Deny Traffic)

• Remove Allowed HTTP Service

  sudo firewall-cmd --zone=public --remove-service=http --permanent

• Remove Allowed Port 8080

  sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent

Reload Firewall Rules to Apply Changes

sudo firewall-cmd --reload

---

3. Masquerading and Port Forwarding

Enable IP Masquerading

sudo firewall-cmd --zone=public --add-masquerade --permanent

Port Forwarding Example (Forward Traffic from Port 8080 to 80)

sudo firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toport=80 --permanent

---

4. Traffic Filtering and Security

Block Outgoing Traffic (Replacing iptables OUTPUT Rules)

• Block all outgoing traffic on port 443 (HTTPS)

  sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 443 -j REJECT

Blocking a Specific IP or Subnet

• Block a single IP (e.g., 192.168.1.100)

  sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"

• Block an entire subnet (e.g., 192.168.1.0/24)

  sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

Allow or Reject Specific Traffic

• Allow SSH only from a specific IP (e.g., 192.168.1.200)

  sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.200' service name='ssh' accept"

• Reject All Incoming ICMP Ping Requests

  sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' protocol value='icmp' drop"

---

5. Saving, Restoring, and Reloading Rules

Save the Current Rules

sudo firewall-cmd --runtime-to-permanent

Restore Firewalld to Default Settings

sudo firewall-cmd --complete-reload

Reset Firewalld (Erase All Custom Rules and Restore Defaults)

sudo firewall-cmd --complete-reload
sudo firewall-cmd --set-default-zone=public

---

6. Zone Management Commands

Change Default Zone

sudo firewall-cmd --set-default-zone=home

Assign an Interface to a Zone

sudo firewall-cmd --zone=home --change-interface=eth0 --permanent

---

7. Advanced Rich Rules

Allow Only TCP Traffic on a Specific Port from an IP

sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' port protocol='tcp' port='8080' accept"

Log and Drop Incoming Traffic from a Specific IP

sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.50' log prefix='[BLOCKED]' level='info' drop"

Allow Traffic from a Specific MAC Address

sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source mac='AA:BB:CC:DD:EE:FF' accept"

---

Final Step: Reload to Apply All Changes

sudo firewall-cmd --reload

---

✅ Summary

✔ Start, Stop, Enable, and Check Firewalld Status
✔ Add, Remove, and List Rules
✔ Allow or Block Traffic
✔ Manage Zones, Services, and Ports
✔ Use Advanced Rich Rules for Fine Control
✔ Save, Reload, and Reset Rules

---