firewalld

… managed using firewall-cmd

list everything configured for the default zone (add --zone=NAME to inspect another zone)

firewall-cmd --list-all

get the active firewalld zones (zones that have interfaces or sources bound to them)

firewall-cmd --get-active-zones

set default firewalld zone

firewalld ships with these predefined zones, ordered from least to most trusted:

  • drop - Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
  • block - Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
  • public
  • external
  • dmz
  • work
  • home
  • internal
  • trusted

set the default to block (--set-default-zone changes both the runtime and the permanent configuration, so it is not combined with --permanent):

firewall-cmd --set-default-zone=block

allow incoming connections for a service (the flag is --permanent; the change is written to the saved configuration and only takes effect after a reload)

firewall-cmd --permanent --zone=block --add-service=ssh
firewall-cmd --permanent --zone=block --add-service=https

allow incoming connections for a specific port (again --permanent, so a reload is needed afterwards)

firewall-cmd --permanent --zone=block --add-port=80/tcp
firewall-cmd --permanent --zone=block --add-port=443/tcp

reload firewalld so the permanent changes become the running configuration

firewall-cmd --reload
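The whole procedure above, as an added bash example that is not part of the original page: it applies the block-zone rules with the correct --permanent flag and then audits a zone's --list-all output against an allowlist, so that any service or port exposed beyond what was intended is reported. The sample listing, its extra cockpit service, and the FIREWALL_CMD override variable are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): apply the page's block-zone
# configuration permanently, then audit `firewall-cmd --list-all` output
# against an allowlist so that anything beyond ssh/https/80/443 is flagged.
set -eu

# Constructed override: set FIREWALL_CMD=echo to dry-run without root.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Apply the page's rules to the permanent config and reload so they take effect.
apply_block_zone() {
    "$FIREWALL_CMD" --set-default-zone=block
    for svc in ssh https; do
        "$FIREWALL_CMD" --permanent --zone=block --add-service="$svc"
    done
    for port in 80/tcp 443/tcp; do
        "$FIREWALL_CMD" --permanent --zone=block --add-port="$port"
    done
    "$FIREWALL_CMD" --reload
}

# Extract one whitespace-separated field ("services", "ports", ...) from
# `firewall-cmd --list-all` text read on stdin.
zone_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# Compare what a zone exposes with an allowlist: print every unexpected
# service or port and return 1 if any were found, 0 otherwise.
audit_zone() {
    local listing=$1 allowed=$2 unexpected=0 item
    for item in $(printf '%s\n' "$listing" | zone_field services) \
                $(printf '%s\n' "$listing" | zone_field ports); do
        case " $allowed " in
            *" $item "*) ;;
            *) printf 'unexpected exposure: %s\n' "$item"; unexpected=1 ;;
        esac
    done
    return $unexpected
}

# Constructed sample of `firewall-cmd --zone=block --list-all` output with one
# extra service (cockpit) that the page's rules never allowed.
SAMPLE_LISTING='block (active)
  target: %%REJECT%%
  interfaces: eth0
  sources:
  services: ssh https cockpit
  ports: 80/tcp 443/tcp
  protocols:'

# Run with --demo to dry-run the commands and audit the sample (exits 1 on drift).
if [ "${1:-}" = "--demo" ]; then
    FIREWALL_CMD=echo apply_block_zone
    audit_zone "$SAMPLE_LISTING" "ssh https 80/tcp 443/tcp"
fi
```

In production, feed audit_zone the real output of `firewall-cmd --zone=block --list-all` and run it from cron or a config-check job so that a service added at runtime but never made permanent (or vice versa) is caught rather than silently exposed.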