how to firewalld

“Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.” – firewalld.org

Firewalld is the default firewall included in many Linux distros in the last few years, it is the most common iptables replacement out there.

Unlike iptables, firewalld has a very convenient way of setting up custom services and deploying them to other servers.

firewalld has many builtin services that will save you the time of setting them up manually.

To get a list of those services you can use:


1
firewall-cmd --get-service

The first example will cover how to open ports 80/443 (http/https services) for a web server:


1
2
3
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload

Now that we covered how to use the builtin services we will configure our own service and apply it.

We will configure a Minecraft server (port 25565 TCP by default) but that can apply to any service you might need.

First we will create a XML file describing the service called “/etc/firewalld/services/minecraft.xml”:


1
2
3
4
5
6
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>minecraft</short>
  <description>Ports used to allow remote connections to a Minecraft server running on this machine.</description>
  <port protocol="tcp" port="25565"/>
</service>

After creating the service XML file we need to reload firewalld so we can use the new service:


1
firewall-cmd --reload

Now can can enable the service just like in our first HTTP/HTTPS example:


1
2
firewall-cmd --zone=public --add-service=minecraft --permanent
firewall-cmd --reload

query firewall-cmd to verify that the service is enabled:


1
firewall-cmd --zone=public --query-service=minecraft

to remove a service we use the following command:


1
2
firewall-cmd --zone=public --add-service=minecraft --permanent
firewall-cmd --reload

to create a service with port range and not just a single port , for example (25565-25569):


1
2
3
4
5
6
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>minecraft</short>
  <description>Ports used to allow remote connections to a Minecraft server running on this machine.</description>
  <port protocol="tcp" port="25565-25569"/>
</service>

Now you can copy the XML file to any other host and enable/disable when needed 🙂

Leave a Reply

Your email address will not be published.

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.