Useful ‘FirewallD’ Rules to Configure and Manage Firewall in Linux

Firewalld provides a way to configure dynamic firewall rules in Linux
that can be applied instantly, without restarting the firewall. It also
supports D-Bus and the zone concept, which makes configuration easier.


Firewalld replaced Fedora’s old firewall mechanism (Fedora 18 onwards),
and RHEL/CentOS 7 and other recent distributions rely on this new
mechanism. One of the biggest motives for introducing the new firewall
system is that the old firewall needed a restart after every change,
breaking all active connections. As said above, the latest firewalld
supports dynamic zones, which are useful for configuring different sets
of zones and rules for your office or home network, either from the
command line or through a GUI. Initially, the firewalld concept looks
very difficult to configure, but services and zones make it easier by
keeping both together, as covered in this article. In our earlier
article we saw how to play with firewalld and its zones; here we will
see some useful firewalld rules to configure your current Linux systems
from the command line.

  1. Firewalld Configuration in RHEL/CentOS 7

All the examples covered in this article were practically tested on a
CentOS 7 distribution and also work on RHEL and Fedora. Before
implementing firewalld rules, first make sure the firewalld service is
enabled and running:
# systemctl status firewalld

Firewalld Status Check

The above picture shows that firewalld is
active and running. Now it’s time to check all the active zones and
active services.

# firewall-cmd --get-active-zones
# firewall-cmd

Check Firewalld Zones and Services

In case you’re not familiar with the command line, you can also manage
firewalld from the GUI. For this you need the GUI package installed on
the system; if it is not, install it using the following command.

# yum install firewalld firewall-config

As said above, this article is specially written for command line
lovers, and all the examples we are going to cover are based on the
command line only, no GUI way, sorry. Before moving further, first
confirm which public zone you are going to configure the Linux firewall
on, and list all active services, ports and rich rules for the public
zone using the following command.

# firewall-cmd --zone=public 

Check Firewalld Public Zones

In the above picture, no active rules have been added yet. Let’s see
how to add, remove and modify rules in the remaining part of this
article.

1. Adding and Removing Ports in Firewalld

To open a port in the public zone, use the following command. For
example, the following command opens port 80 for the public zone.

# firewall-cmd --permanent --zone=public --add-port=80/tcp

Similarly, to remove the added port, use the ‘--remove-port‘ option
with the firewall-cmd command as shown below.

# firewall-cmd --zone=public --remove-port=80/tcp

After adding or removing a specific port, confirm whether the port was
added or removed using the ‘--list-ports‘ option.

# firewall-cmd --zone=public --list-ports

Add Port in Firewalld

2. Adding and Removing Services in Firewalld

By default, firewalld comes with pre-defined services. If you want to
add a list of specific services, you need to create a new XML file with
all the services included in it, or else you can define or remove each
service manually by running the following commands. For example, the
following commands add or remove a specific service, as we do for FTP
in this example.

# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public

Add Services in Firewalld
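As an added example that is not part of the original article, the script below audits a zone’s ports and services against an allow-list and also compares the runtime view with the permanent view. That second check matters for the commands in the two sections above: a port added with --permanent is not active until firewall-cmd --reload, so --list-ports will not show it, while a port or service added without --permanent disappears on the next reload or reboot. The FIREWALL_CMD variable and the function names are this script’s own assumptions (the override exists so the logic can be exercised with a stand-in); the firewall-cmd options it invokes are the real ones used above.

```shell
#!/bin/sh
# Added example (not from the original article): audit a firewalld zone.
# Compares the runtime and permanent port/service lists of a zone with an
# expected allow-list and reports anything unexpected or out of sync.
# FIREWALL_CMD is a hypothetical override so the logic can be exercised
# with a stand-in instead of the real firewall-cmd binary.
: "${FIREWALL_CMD:=firewall-cmd}"

# list_items ZONE KIND [permanent] -> the zone's items, sorted, on one line.
# KIND is "ports" or "services"; the third argument selects the permanent
# configuration instead of the runtime one.
list_items() {
    zone=$1; kind=$2; scope=$3
    if [ "$scope" = permanent ]; then
        $FIREWALL_CMD --permanent --zone="$zone" "--list-$kind"
    else
        $FIREWALL_CMD --zone="$zone" "--list-$kind"
    fi | tr ' ' '\n' | grep -v '^$' | sort | tr '\n' ' ' | sed 's/ $//'
}

# in_list ITEM LIST -> 0 when ITEM is one of the space-separated words of LIST
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# check_allowlist ZONE KIND EXPECTED
# Prints "EXTRA zone kind item" for each runtime item not in EXPECTED and
# "MISSING zone kind item" for each expected item that is absent.
# Returns 1 if anything was reported, 0 when the zone matches exactly.
check_allowlist() {
    zone=$1; kind=$2; expected=$3; rc=0
    actual=$(list_items "$zone" "$kind")
    for item in $actual; do
        in_list "$item" "$expected" || { echo "EXTRA $zone $kind $item"; rc=1; }
    done
    for item in $expected; do
        in_list "$item" "$actual" || { echo "MISSING $zone $kind $item"; rc=1; }
    done
    return $rc
}

# check_sync ZONE KIND
# Permanent rules added without --reload are not active yet, and runtime
# rules added without --permanent vanish at the next reload or reboot;
# report either direction as drift. Returns 1 on drift, 0 when in sync.
check_sync() {
    zone=$1; kind=$2
    runtime=$(list_items "$zone" "$kind")
    permanent=$(list_items "$zone" "$kind" permanent)
    if [ "$runtime" = "$permanent" ]; then
        echo "OK $zone $kind runtime and permanent match"
        return 0
    fi
    echo "DRIFT $zone $kind runtime=[$runtime] permanent=[$permanent]"
    return 1
}

# Usage on a live system (requires root, like firewall-cmd itself):
#   sh audit_zone.sh public "22/tcp 80/tcp" "ssh http"
if [ "$#" -eq 3 ]; then
    check_allowlist "$1" ports "$2"
    check_allowlist "$1" services "$3"
    check_sync "$1" ports
    check_sync "$1" services
fi
```

A non-zero exit from any of the four checks is what a cron job or configuration-management run should alert on; the OK/EXTRA/MISSING/DRIFT lines are stable enough to grep in a log.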

3. Block Incoming and Outgoing Packets (Panic Mode)

If you wish to block all incoming and outgoing connections, use
‘panic-on‘ mode to block such requests. For example, the following rule
drops every existing established connection on the system.

# firewall-cmd --panic-on

After enabling panic mode, try to ping any domain and check whether
panic mode is ON using the ‘--query-panic‘ option, as listed below.

# ping -c 1
# firewall-cmd --query-panic

Block Incoming Connections in Firewalld

As you can see in the above picture, the ping output says “Unknown
host”. Now disable panic mode, then ping once again and check.

# firewall-cmd --query-panic
# firewall-cmd --panic-off
# ping -c 1

Disable Panic Mode in Firewalld

Now this time, there will be a ping
request from
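An added example, not from the original article: because panic mode drops every packet, including the established SSH session you may be administering from, a small guard around --panic-on that refuses to run from a remote session unless explicitly forced avoids locking yourself out of the box. The session_is_remote, safe_panic_on and panic_state functions and the FIREWALL_CMD override are this example’s own (hypothetical names); the remote-session test relies on the SSH_CONNECTION and SSH_TTY variables that OpenSSH sets for login sessions, and --panic-on and --query-panic are the firewall-cmd options used above.

```shell
#!/bin/sh
# Added example (not from the original article): a guard around panic mode.
# --panic-on drops every packet, including the established SSH session you
# may be typing into, so refuse to enable it from a remote session unless
# the caller explicitly passes "force". FIREWALL_CMD is a hypothetical
# override so the guard can be exercised without firewalld installed.
: "${FIREWALL_CMD:=firewall-cmd}"

# session_is_remote -> 0 when this shell was started over SSH
# (OpenSSH sets SSH_CONNECTION and SSH_TTY for interactive logins).
session_is_remote() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]
}

# safe_panic_on [force]
# Returns 2 without touching the firewall when called remotely without
# "force"; otherwise enables panic mode and returns --query-panic's status.
safe_panic_on() {
    if session_is_remote && [ "${1:-}" != force ]; then
        echo "refusing --panic-on over SSH; run from the console or pass 'force'" >&2
        return 2
    fi
    $FIREWALL_CMD --panic-on && $FIREWALL_CMD --query-panic
}

# panic_state -> prints "on" or "off" from --query-panic's exit status
# (it exits 0 when panic mode is enabled, non-zero otherwise).
panic_state() {
    if $FIREWALL_CMD --query-panic >/dev/null 2>&1; then echo on; else echo off; fi
}

# Usage on a live system (requires root, like firewall-cmd itself):
#   sh panic_guard.sh run          # refuses if you are on SSH
#   sh panic_guard.sh run force    # enables panic mode regardless
if [ "${1:-}" = run ]; then
    safe_panic_on "${2:-}"
    echo "panic mode is $(panic_state)"
fi
```

The guard only protects against the most common self-inflicted outage; on a console session it behaves exactly like a plain --panic-on, and --panic-off is still needed to restore traffic afterwards.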

