Firewalld is a Linux firewall management tool with support for IPv4, IPv6, Ethernet bridges and IPSet firewall settings. It acts as a front-end to the Linux kernel's netfilter framework and is the default firewall management tool on the RHEL 7 family.
In this guide, I'll show you the basic usage of Firewalld on Ubuntu 18.04 and Ubuntu 16.04.
How to Install Firewalld on Ubuntu 18.04 / Ubuntu 16.04
The default firewall system for Ubuntu is ufw, but you can install and use Firewalld if you prefer. Firewalld works fine for me since I'm a heavy CentOS 7 user.
Install Firewalld on Ubuntu 18.04 / Ubuntu 16.04 by running the commands:
sudo apt-get install firewalld
By default the service should already be started; if it is not running, start it and enable it to start on boot:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Confirm that the service is running:
$ sudo firewall-cmd --state
running
If you have ufw enabled, disable it so that firewalld is the only active firewall on the host:
sudo ufw disable
Using Firewalld on Ubuntu 18.04 / Ubuntu 16.04
Now that the package has been installed and the firewalld service started, let's look at a few examples of basic firewalld usage.
1. List all configured firewall rules
# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
The ssh and dhcpv6-client services are enabled by default in the public zone when you start the firewalld service.
2. List all services that can be enabled by name
sudo firewall-cmd --get-services
3. Enable the http service
sudo firewall-cmd --add-service=http --permanent
The --permanent option writes the rule to the permanent configuration so it persists across server reboots. It does not change the running firewall on its own: run sudo firewall-cmd --reload to load the permanent configuration into the runtime, or repeat the command without --permanent to apply it immediately.
4. Enable both http and https on a single line
sudo firewall-cmd --add-service={http,https} --permanent
5. Enable TCP port 7070
sudo firewall-cmd --add-port=7070/tcp --permanent
6. Enable UDP port 514
sudo firewall-cmd --add-port=514/udp --permanent
7. Create a new zone
sudo firewall-cmd --new-zone=myzone --permanent
8. Enable a service or port in a specific zone
sudo firewall-cmd --zone=myzone --add-port=4567/tcp --permanent
9. Set the default zone
sudo firewall-cmd --set-default-zone=public --permanent
10. Add an interface to a zone
The first command shows which zone eth0 currently belongs to; replace <zone> in the second with the zone you want it in.
sudo firewall-cmd --get-zone-of-interface=eth0 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth0 --permanent
11. Allow access to a service or port from a specific subnet or IP
$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.12/32" service name="ssh" accept' --permanent
$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.1.1.0/24" service name="ssh" accept' --permanent
Rich rules only add exceptions: as long as ssh is still listed under the zone's services (as in example 1), it remains accepted from every source. If the intent is to restrict ssh to these addresses, remove the service from the zone and keep only the rich rules.
12. List rich rules
sudo firewall-cmd --list-rich-rules
13. Configure port forwarding
# Enable masquerading
$ sudo firewall-cmd --add-masquerade --permanent
# Port forward to a different port within the same server (22 > 2022)
$ sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent
# Port forward to the same port on a different server (local:22 > 192.168.2.10:22)
$ sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr=192.168.2.10 --permanent
# Port forward to a different port on a different server (local:7071 > 10.50.142.37:9071)
$ sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr=10.50.142.37 --permanent
Forwarding port 22 redirects every inbound connection to this host's port 22, including your own SSH sessions, so make sure you have another way in before applying such a rule.
14. Remove a port or service
Replace --add with --remove in the corresponding command above.
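As an added example (not part of the original post), a small POSIX shell audit that reads the `firewall-cmd --zone=public --list-all` output format shown in step 1 and flags the settings the later steps create: services and ports accepted from any source, masquerading, and a forward-port rule on 22. The zone dump embedded below is a constructed sample; on a live host, pipe the real command into `audit_zone`.

```shell
# Constructed sample of `firewall-cmd --zone=public --list-all` output after the
# steps above: http added, 7070/tcp opened, masquerade on, port 22 forwarded.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 7070/tcp
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2022:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
'

# audit_zone: read one zone dump on stdin and print one finding per line (exit 0).
# Live use: sudo firewall-cmd --zone=public --list-all | audit_zone
audit_zone() {
  awk '
    NR == 1 { zone = $1; next }                    # "public (active)" or "public"
    match($0, /^[ \t]*[a-z]+([ -][a-z]+)*:/) {     # "key: value"; a key may contain a space
      key = substr($0, RSTART, RLENGTH - 1); sub(/^[ \t]+/, "", key)
      cur = key; val[key] = substr($0, RSTART + RLENGTH); sub(/^[ \t]+/, "", val[key]); next
    }
    { line = $0; sub(/^[ \t]+/, "", line)          # indented continuation lines
      if (cur != "" && line != "") val[cur] = val[cur] " " line }
    END {
      if (val["sources"] == "") {                  # zone is not bound to source ranges
        n = split(val["services"], svc, " ")
        for (i = 1; i <= n; i++) if (svc[i] == "ssh")
          print zone ": ssh is under services, so any source is accepted (a rich rule cannot narrow it; drop the service, keep the rule)"
        n = split(val["ports"], prt, " ")
        for (i = 1; i <= n; i++)
          print zone ": port " prt[i] " is open to any source; confirm this is intended"
      }
      if (val["masquerade"] == "yes")
        print zone ": masquerading is enabled, this host NATs forwarded traffic"
      if (val["forward-ports"] ~ /port=22:/)
        print zone ": inbound port 22 is redirected by a forward-port rule (" val["forward-ports"] ")"
    }'
}

# audit_count: number of findings for the dump given on stdin
audit_count() { audit_zone | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_ZONE" | audit_zone
```

The sample produces four findings; a zone with ssh removed from services and only the rich rules from step 11 produces none.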
For further reading, refer to the official Firewalld documentation.