5.3. Configuring firewalld

The firewall service, implemented by the firewalld daemon, can be configured using the firewall-config graphical user interface tool, using the firewall-cmd and firewall-offline-cmd command-line interface tools, and by editing XML configuration files. These methods will be described in order.

5.3.1. Configuring firewalld Using The Graphical User Interface

5.3.1.1. Starting the Graphical Firewall Configuration Tool

To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall, and press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
To start the graphical firewall configuration tool using the command-line, enter the following command:
~]$ firewall-config
The Firewall Configuration window opens. Note that this command can be run as a normal user, but you will be prompted occasionally for an administrator password.

Figure 5.2. The Firewall Configuration Tool

Look for the Connection to firewalld established message in the lower-left corner. This indicates that the firewall-config tool is connected to firewalld. Note that the ICMP Types, IPSets, Direct Configuration, and Lockdown Whitelist tabs are only visible after being selected from the View drop-down menu. The Active Bindings sidebar on the left is visible by default.

5.3.1.2. Changing the Firewall Settings

To immediately change the current firewall settings, ensure the current view is set to Runtime. Alternatively, to edit the settings to be applied at the next system start or firewall reload, select Permanent from the drop-down list.

Note

When making changes to the firewall settings in Runtime mode, your selection takes immediate effect when you set or clear the check box associated with the service. You should keep this in mind when working on a system that may be in use by other users.
When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts. Click the Options menu and select Reload Firewall.
You can select zones in the left-hand side column. You will notice the zones have some services enabled; you may need to resize the window or scroll to see the full list. You can customize the settings by selecting and deselecting a service.

5.3.1.3. Adding an Interface to a Zone

To add a connection (the interfaces used by a connection) to a zone, start firewall-config. Click on the zone in the zone list on the left and select the Interfaces tab on the right. Click on the Add button to rise a new dialog to add the interface.
To change the zone setting for an interface, double-click the proper connection or interface in the Active Bindings sidebar. Select the new firewall zone from the drop-down menu in the following dialog and confirm by clicking OK.
Alternatively, to add or reassign an interface of a connection to a zone, start firewall-config, select Options from the menu bar, and select Change Zones of Connections from the drop-down menu. The Connections, Interface, and Source list displays. Select the connection to be reassigned. The Select Zone for Connection window appears. Select the new firewall zone from the drop-down menu and click OK.
For connections handled by NetworkManager, the request to change the zone is forwarded to NetworkManager. The zone interface setting will not be saved in firewalld.
You can also use the firewall-cmd command-line tool or the firewall-applet applet to change the zone for a connection, interface, and source.
The connections without specific zone settings are automatically bound to the default zone. A change of the default zone consequently applies to the zone bindings of all such connections.

5.3.1.4. Setting the Default Zone

To set the default zone that new interfaces will be assigned to, start firewall-config, select Options from the menu bar, and select Change Default Zone from the drop-down menu. The Default Zone window appears. Select the zone from the list that you want to be used as the default zone and click OK. Alternatively, enter the following command:
~]$ firewall-cmd --set-default-zone=zone-name

5.3.1.5. Configuring Services

To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.
To edit a service, start the firewall-config tool and select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons and menu buttons appear at the bottom of the Services window. Select the service you want to configure.
The Ports, Protocols, and Source Port tabs enables adding, changing, and removing of ports, protocols, and source port for the selected service. The modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).

Note

It is not possible to alter service settings in Runtime mode.

5.3.1.6. Opening Ports in the Firewall

To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and click the Add button on the right-hand side. The Port and Protocol window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.

5.3.1.7. Opening Protocols in the Firewall

To permit traffic through the firewall using a certain protocol, start the firewall-config tool and select the network zone whose settings you want to change. Select the Protocols tab and click the Add button on the right-hand side. The Protocol window opens.
Either select a protocol from the drop-down list or select the Other Protocol check box and enter the protocol in the field.

5.3.1.8. Opening Source Ports in the Firewall

To permit traffic through the firewall from a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Source Port tab and click the Add button on the right-hand side. The Source Port window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.

5.3.1.9. Enabling IPv4 Address Masquerading

To translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address.

Note

To enable masquerading for IPv6, use a rich rule.

5.3.1.10. Configuring Port Forwarding

To forward inbound network traffic, or packets, for a specific port to an internal address or alternative port, first enable IP address masquerading, then select the Port Forwarding tab.
Select the protocol of the incoming traffic and the port or range of ports on the upper section of the window. The lower section is for setting details about the destination.
To forward traffic to a local port (a port on the same system), select the Local forwarding check box. Enter the local port or range of ports for the traffic to be sent to.
To forward traffic to another IPv4 address, select the Forward to another port check box. Enter the destination IP address and port or port range. The default is to send to the same port if the port field is left empty. Click OK to apply the changes.

5.3.1.11. Configuring the ICMP Filter

To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To edit an ICMP type, start the firewall-config tool and select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons appear at the bottom of the Services window. Select Yes in the following dialog to enable masquerading and to make forwarding to another machine working.
To enable inverting the ICMP Filter, click the Invert Filter check box on the right. Only marked ICMP types are now accepted, all other are rejected. In a zone using the DROP target, they are dropped.

5.3.1.12. Configuring Rich Rules

To enable or disable a rich rule, start the firewall-config tool and select the network zone whose services are to be configured. Select the Rich Rules tab and click the Add button on the right-hand side. The Rich Rule window appears.
Select the Family the rule should be added to, leave it at ipv4 and ipv6 to add a rule for IPv4 and IPv6. Enable the Element check box if you want to select a service, port, protocol, icmp-block, forward-port, source port or if you want to enable masquerade in the rule. For all elements except masquerade, it is needed to click on the button on the right. The Service window appears to select the setting of the element.
With the Action check box, you can enable a custom action for the rule like accept, reject, drop, or mark. If the rule Family is set to either ipv4 or ipv6, you can enable the with the Type check box to select an alternative reject type from the drop-down menu that matches the rule Family. Additionally, you can set a limit for this action by enabling the With limit check box.
In the Source section, you can select a source match for this rule. This can be an IP address or range, a MAC address or an IP set. With the inverted check box, you can negate this match. The IP address is only selectable if the Family is either ipv4 or ipv6.
With the Destination address, you can select an IP address matching the selected Family. It is selectable only if the Family is either ipv4 or ipv6.
To enable logging to the system log with the rule, use the Log check box. It is necessary to select a logging prefix in the Prefix text field. Please select the log Level. It can be emergency, alert, critical, error, warning, notice, info or debug. With the optional limit, the amount of log messages in the system log can be selected. If logging is enabled the rule will be duplicated to be able to log.
To enable logging using the Linux Audit system, use the Audit check box. See the System Auditing chapter for more information.
If the rule is complete and the OK button is active, you can add the rule. If the button is not active, there is a tooltip that shows what is missing or not appropriate.

5.3.1.13. Configuring Sources

To add a source to a zone, start firewall-config. Click on a zone in the zone list on the left and select the Sources tab on the right. With clicking the Add button, there will be a new dialog to add the source. A source can either be an IP address or range, a MAC address or an ipset. Select the type in the drop-down menu on the left and click the button on the right to select or enter the setting.

5.3.2. Configuring IP Sets Using firewall-config

To configure IP sets, start the firewall-config tool and select the IPSets tab. Select an IP set from the list on the left to change the runtime settings of an IP set that has been created with firewalld already.
To add new IP sets or to change base IP set settings, switch to Permanent mode. Additional icons and menu buttons appear at the bottom of the IPSets window. Select the IP set you want to configure. The entries tab on the right shows the entries that are part of the IP set. There are no entries listed for IP sets that use a timeout, as the entries are kept and handled in kernel space.
With the Add button, you can add single entries, but also entries from a file. With Remove you can remove the selected entry, all entries and also entries from a file. The file should contain an entry per line. Lines starting with a hash or semicolon are ignored. Also empty lines.
After clicking on the + button to add a new IP set, a new window appears to configure the base IP set settings. There are three settings that need to be configured for an IP set: Name, Type, and Family. Name can contain all alphanumeric characters and additionally ‘-’, ‘-’, ‘:’, and ‘.’. The maximum name length is 32 characters. Type can be: hash:ip, hash:net, and hash:mac. Bitmap types are not supported by firewalld as they can be only used with IPv4. Combined types are not supported, too.
To have a simple and fast IP address or network set, use the hash:net type. The hash:ip type expands all ranges and network segments internally and reaches the hash limit soon.
For these types, it is also necessary to define Family. This can be either inet for IPv4 or inet6 for IPv6.
To store MAC addresses in an IP set use hash:mac - Family is not selectable in this case. To define a lifetime of the added entries for use with external services like fail2ban, use the Timeout setting. Note that firewalld is not able to show the temporarily stored entries with a timeout. Use the ipset command for such entries.
To define the initial hash size for an IP set, use the Hashsize setting. Limit the maximum number of elements that can be stored in an IP set by using the Maxelem field.
You can use the created IP set as a source in a zone, in a rich rule, and also in a direct rule. For more information on IP sets and the settings, see Section 5.4, “Using the iptables Service”. To use IP sets that are not supported by firewalld, see Section 5.4.1.1, “Using IP Sets with firewalld”.

5.3.3. Configuring the Firewall Using the firewall-cmd Command-Line Tool

The firewall-cmd command-line tool is part of the firewalld application that is installed by default. You can verify that it is installed by checking the version or displaying the help output. Enter the following command to check the version:
~]$ firewall-cmd --version
Enter the following command to view the help output:
~]$ firewall-cmd --help
We list a selection of commands below; for a full list see the firewall-cmd(1) man page.

Note

To make a command permanent or persistent, add the --permanent option to all commands apart from the --direct commands (which are by their nature temporary). Note that this not only means the change will be permanent, but that the change will only take effect after firewalld reload, service restart, or after system reboot. Settings made with firewall-cmd without the --permanent option take effect immediately but are only valid till next firewall reload, system boot, or firewalld service restart. Reloading the firewalld does not in itself break connections, but be aware you are discarding temporary changes by doing so.
To make a command both persistent and take effect immediately, enter the command twice: once with the --permanent and once without. This is because a firewalld reload takes more time than just repeating a command because it has to reload all configuration files and recreate the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is possible during the reload.

Figure 5.3. The firewalld Architecture

Important

All options to change the zone binding for interfaces that are under control of NetworkManager are forwarded to NetworkManager. These changes are not applied to the firewalld configuration if the request for NetworkManager succeeds. This is also the case with the --permanent option.
For interfaces that are not under control of NetworkManager, the change applies to the firewalld configuration. If there is an ifcfg file that uses this interface, then the ZONE= setting in this ifcfg file is adapted to make sure that the configuration in firewalld and the ifcfg file is consistent. If there is more than one ifcfg file using this interface then the first one is used.
See the Red Hat Enterprise Linux 7 Networking Guide for information on NetworkManager and working with ifcfg files.
For configuration settings such as the default zone, there is no difference between the runtime and permanent environment when using the command-line and GUI tools.

5.3.4. Viewing the Firewall Settings Using the Command-Line Interface (CLI)

To get a text display of the state of firewalld, enter the following command:
~]$ firewall-cmd --state
To view the list of active zones with a list of the interfaces currently assigned to them, enter the following command:
~]$ firewall-cmd --get-active-zones
public
  interfaces: em1
To find out the zone that an interface, for example, em1, is currently assigned to, enter the following command:
~]$ firewall-cmd --get-zone-of-interface=em1
public
To find out all the interfaces assigned to a zone, for example, the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-interfaces
			em1 wlan0
This information is obtained from NetworkManager and only shows interfaces, not connections.
To find out all the settings of a zone, for example, the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-all
public
  interfaces: 
  services: mdns dhcpv6-client ssh
  ports: 
  forward-ports: 
  icmp-blocks: source-quench
To view the zone information, use the --info-zone option. To get the verbose output with the description and short description, use the additional -v option.
~]# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: dhcpv6-client mdns ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
To view the list of services currently loaded, enter the following command as root:
~]# firewall-cmd --get-services
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https ntp vnc-server telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
This lists the names of the predefined services loaded from /usr/lib/firewalld/services/ as well as any custom services that are currently loaded. Note that the configuration files themselves are named service-name.xml.
To list the custom services that have been created but not loaded, use the following command as root:
~]# firewall-cmd --permanent --get-services
This lists all services, including custom services configured in /etc/firewalld/services/, even if they are not yet loaded.
To show the settings of the ftp service, use the following command as root:
~]# firewall-cmd --info-service=ftp
ftp
  ports: 21/tcp
  protocols: 
  source-ports: 
  modules: nf_conntrack_ftp
  destination:
To view the settings in permanent configuration mode, use the --permanent option.

5.3.5. Changing the Firewall Settings Using the Command-Line Interface (CLI)

5.3.5.1. Dropping All Packets (Panic Mode)

To start dropping all incoming and outgoing packets, enter the following command as root:
~]# firewall-cmd --panic-on
All incoming and outgoing packets will be dropped. Active connections will be terminated after a period of inactivity; the time taken depends on the individual session timeout values.
To start passing incoming and outgoing packets again, enter the following command as root:
~]# firewall-cmd --panic-off
After disabling panic mode, established connections might work again if panic mode was enabled for a short period of time.
To find out if panic mode is enabled or disabled, enter the following command:
~]$ firewall-cmd --query-panic
The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise.

5.3.5.2. Reloading the Firewall Using the Command-Line Interface (CLI)

To reload the firewall without interrupting user connections (without losing state information), enter the following command:
~]$ firewall-cmd --reload
A firewall reload involves reloading all configuration files and recreating the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload. Alternatively as the root user, send the SIGHUP signal to reload the firewall.
To reload the firewall and interrupt user connections, discarding state information, enter the following command as root:
~]# firewall-cmd --complete-reload
This command should normally only be used in case of severe firewall problems. For example, use this command if there are state information problems and no connection can be established but the firewall rules are correct.

5.3.5.3. Add an Interface to a Zone Using the Command-Line Interface (CLI)

To add an interface to a zone (for example, to add em1 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-interface=em1
To make this setting persistent, repeat the commands adding the --permanent option.

5.3.5.4. Add an Interface to a Zone by Editing the Interface Configuration File

To add an interface to a zone by editing the ifcfg-em1 configuration file (for example, to add em1 to the work zone), add the following line to ifcfg-em1 as root:
ZONE=work
Note that if you omit the ZONE option, or use ZONE=, or ZONE='', then the default zone will be used.
NetworkManager will automatically reconnect and the zone will be set accordingly.

5.3.5.5. Configuring the Default Zone by Editing the firewalld Configuration File

As root, open /etc/firewalld/firewalld.conf and edit the file as follows:
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Reload the firewall by entering the following command as root:
~]# firewall-cmd --reload
This will reload the firewall without losing state information (that is, TCP sessions will not be terminated), but service disruption is possible during the reload.

5.3.5.6. Setting the Default Zone by Using the Command-Line Interface (CLI)

To set the default zone (for example, to public), enter the following command as root:
~]# firewall-cmd --set-default-zone=public
This change will take effect immediately; in this case, it is not necessary to reload the firewall.

5.3.5.7. Opening Ports in the Firewall Using the Command-Line Interface (CLI)

To list all open ports for a zone (for example, dmz), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-ports
Note that this will not show ports opened as a result of the --add-services command.
To add a port to a zone (for example, to allow TCP traffic to port 8080 to the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this setting persistent, repeat the command adding the --permanent option.
To add a range of ports to a zone (for example, to allow the ports from 5060 to 5061 to the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this setting persistent, repeat the command adding the --permanent option.

5.3.5.8. Opening Protocols Using the Command Line Interface (CLI)

To list all open ports for a zone (dmz, for example), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-protocols
Note that this command does not show protocols opened as a result of the firewall-cmd --add-services command.
To add a protocol to a zone (for example, to allow ESP traffic to the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --add-protocol=esp
To make this setting persistent, add the --permanent option.

5.3.5.9. Opening Source Ports Using the Command Line Interface (CLI)

To list all open source ports for a zone (for example, the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-source-ports
Note that this command does not show source ports opened as a result of the firewall-cmd --add-services command.
To add a source port to a zone (for example, to allow TCP traffic from port 8080 to the dmz zone), use the following command as root:
~]# firewall-cmd --zone=dmz --add-source-port=8080/tcp
To add a range of source ports to a zone (for example, to allow the ports from 5060 to 5061 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-source-port=5060-5061/udp
To make the settings persistent, add the --permanent option.

5.3.5.10. Adding a Service to a Zone Using the Command-Line Interface (CLI)

To add a service to a zone (for example, to allow SMTP to the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --add-service=smtp
To make this setting persistent, repeat the command adding the --permanent option.

5.3.5.11. Removing a Service from a Zone Using the Command-Line Interface (CLI)

To remove a service from a zone (for example, to remove SMTP from the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --remove-service=smtp
To make this change persistent, repeat the command adding the --permanent option. This change will not break established connections. If that is your intention, you can use the --complete-reload option, but this will break all established connections — not just for the service you have removed.

5.3.5.12. Adding a Service to a Zone by Editing XML Files

To view the default zone files, enter the following command as root:
~]# ls /usr/lib/firewalld/zones/
block.xml  drop.xml      home.xml      public.xml   work.xml
dmz.xml    external.xml  internal.xml  trusted.xml
These files must not be edited. They are used by default if no equivalent file exists in the /etc/firewalld/zones/ directory.
To view the zone files that have been changed from the default, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  public.xml.old
In the example shown above, the work zone file does not exist. To add the work zone file, enter the following command as root:
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now edit the file in the /etc/firewalld/zones/ directory. If you delete the file, firewalld will fall back to using the default file in /usr/lib/firewalld/zones/.
To add a service to a zone (for example, to allow SMTP to the work zone), add the following line to the /etc/firewalld/zones/work.xml file as root:
<service name="smtp"/>

5.3.5.13. Removing a Service from a Zone by Editing XML files

An editor running with root privileges is required to edit the XML zone files. To view the files for previously configured zones, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  work.xml
To remove a service from a zone (for example, to remove SMTP from the work zone), use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file to remove the following line:
<service name="smtp"/>
If no other changes have been made to the work.xml file, it can be removed and firewalld will use the default /usr/lib/firewalld/zones/work.xml configuration file after the next reload or system boot.

5.3.5.14. Configuring IP Address Masquerading

To check if IP masquerading is enabled (for example, for the external zone), enter the following command as root:
~]# firewall-cmd --zone=external --query-masquerade
The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.
To enable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
To disable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --remove-masquerade
To make this setting persistent, repeat the command adding the --permanent option.

5.3.5.15. Configuring Port Forwarding Using the Command-Line Interface (CLI)

To forward inbound network packets from one port to an alternative port or address, first enable IP address masquerading for a zone (for example, external), by entering the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To forward packets to a local port (a port on the same system), enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
In this example, the packets intended for port 22 are now forwarded to port 3753. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new local port (the port or range of ports to which the traffic is being forwarded to) is specified with the toport option. To make this setting persistent, repeat the commands adding the --permanent option.
To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to the same port at the address given with the toaddr. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port (the port or range of ports to which the traffic is being forwarded to) is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.
To forward packets to another port at another IPv4 address, usually an internal address, enter the following command as root:
~]# firewall-cmd --zone=external \
      --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is being forwarded to, is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.

5.3.6. Configuring the Firewall Using XML Files

The configuration settings for firewalld are stored in XML files in the /etc/firewalld/ directory. Do not edit the files in the /usr/lib/firewalld/ directory (the files define the default settings). You will need root user permissions to view and edit the XML files. The XML files are explained in three man pages:
  • firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
  • firewalld.service(5) man page — Describes XML configuration files for firewalld service.
  • firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
The XML files can be created and edited directly or created indirectly using the graphical and command-line tools. Organizations can distribute them in RPM files, which can make management and version control easier. Tools like Puppet can distribute such configuration files.

5.3.7. Using the Direct Interface

It is possible to add and remove chains during runtime by using the --direct option with the firewall-cmd tool. A few examples are presented here. See the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.

5.3.7.1. Adding a Rule Using the Direct Interface

To add a rule to the IN_public_allow chain, enter the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
        0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.

5.3.7.2. Removing a Rule Using the Direct Interface

To remove a rule from the IN_public_allow chain, enter the following command as root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
        0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.

5.3.7.3. Listing Rules Using the Direct Interface

To list the rules in the IN_public_allow chain, enter the following command as root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means.

5.3.8. Configuring Complex Firewall Rules with the "Rich Language" Syntax

With the rich language syntax, complex firewall rules can be created in a way that is easier to understand than the direct-interface method. In addition, the settings can be made permanent. The language uses keywords with values and is an abstract representation of iptables rules. Zones can be configured using this language; the current configuration method will still be supported.

5.3.8.1. Formatting of the Rich Language Commands

All the commands in this section need to be run as root. The format of the command to add a rule is as follows:
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
This will add a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used. If a timeout is supplied, the rule or rules only stay active for the amount of time specified and will be removed automatically afterwards. The time value can be followed by s (seconds), m (minutes), or h (hours) to specify the unit of time. The default is seconds.
To remove a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will remove a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used.
To check if a rule is present:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will return whether a rich language rule rule has been added for the zone zone. The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If the zone is omitted, the default zone is used.
For information about the rich language representation used in the zone configuration files, see the firewalld.zone(5) man page.

5.3.8.2. Understanding the Rich Rule Structure

The format or structure of the rich rule commands is as follows:
rule [family="rule family"]
    [ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ]
    [ destination [NOT] address="address" ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]

Note

The structure of the rich rule in the file uses the NOT keyword to invert the sense of the source and destination address commands, but the command line uses the invert="true" option.
A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.

5.3.8.3. Understanding the Rich Rule Command Options

family
If the rule family is provided, either ipv4 or ipv6, it limits the rule to IPv4 or IPv6, respectively. If the rule family is not provided, the rule is added for both IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.
Source and Destination Addresses
source
By specifying the source address, the origin of a connection attempt can be limited to the source address. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. For IPv4, the mask can be a network mask or a plain number. For IPv6, the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding the NOT keyword; all but the supplied address matches.
A MAC address and also an IP set with type hash:mac can be added for IPv4 and IPv6 if no family is specified for the rule. Other IP sets need to match the family setting of the rule.
destination
By specifying the destination address, the target can be limited to the destination address. The destination address uses the same syntax as the source address for IP address or address ranges. The use of source and destination addresses is optional, and the use of a destination addresses is not possible with all elements. This depends on the use of destination addresses, for example, in service entries. You can combine destination and action.
Elements
The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block, forward-port, and source-port.
service
The service element is one of the firewalld provided services. To get a list of the predefined services, enter the following command:
~]$ firewall-cmd --get-services
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:
service name=service_name
port
The port element can either be a single port number or a port range, for example, 5060-5062, followed by the protocol, either as tcp or udp. The command takes the following form:
port port=number_or_range protocol=protocol
protocol
The protocol value can be either a protocol ID number or a protocol name. For allowed protocol entries, see /etc/protocols. The command takes the following form:
protocol value=protocol_name_or_ID
icmp-block
Use this command to block one or more ICMP types. The ICMP type is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, enter the following command:
~]$ firewall-cmd --get-icmptypes
Specifying an action is not allowed here. icmp-block uses the action reject internally. The command takes the following form:
icmp-block name=icmptype_name
masquerade
Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.
forward-port
Forward packets from a local port with protocol specified as tcp or udp to either another port locally, to another machine, or to another port on another machine. The port and to-port can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. The forward-port command uses the action accept internally. The command takes the following form:
forward-port port=number_or_range protocol=protocol /
            to-port=number_or_range to-addr=address
source-port
Matches the source port of the packet - the port that is used on the origin of a connection attempt. To match a port on current machine, use the port element. The source-port element can either be a single port number or a port range (for example, 5060-5062) followed by the protocol as tcp or udp. The command takes the following form:
source-port port=number_or_range protocol=protocol
Logging
log
Log new connection attempts to the rule with kernel logging, for example, in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of emerg, alert, crit, error, warning, notice, info, or debug. The use of log is optional. It is possible to limit logging as follows:
log [prefix=prefix text] [level=log level] limit value=rate/duration
The rate is a natural positive number [1, ..], with the duration of s, m, h, d. s means seconds, m means minutes, h means hours, and d days. The maximum limit value is 1/d, which means at maximum one log entry per day.
audit
Audit provides an alternative way for logging using audit records sent to the service auditd. The audit type can be one of ACCEPT, REJECT, or DROP, but it is not specified after the command audit as the audit type will be automatically gathered from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.
Action
accept|reject|drop|mark
An action can be one of accept, reject, drop, or mark. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.
accept | reject [type=reject type] | drop | mark set="mark[/mask]"
With accept, all new connection attempts will be granted. With reject, they will be rejected and their source will get a reject message. The reject type can be set to use another value. With drop, all packets will be dropped immediately and no information is sent to the source. With mark all packets will be marked with the given mark and the optional mask.

5.3.8.4. Using the Rich Rule Log Command

Logging can be done with the Netfilter log target and also with the audit target. A new chain is added to all zones with a name in the format zone_log, where zone is the zone name. This is processed before the deny chain to have the proper ordering. The rules or parts of them are placed in separate chains, according to the action of the rule, as follows:
zone_log
			zone_deny
			zone_allow
All logging rules will be placed in the zone_log chain, which will be parsed first. All reject and drop rules will be placed in the zone_deny chain, which will be parsed after the log chain. All accept rules will be placed in the zone_allow chain, which will be parsed after the deny chain. If a rule contains log and also deny or allow actions, the parts of the rule that specify these actions are placed in the matching chains.
5.3.8.4.1. Using the Rich Rule Log Command Example 1
Enable new IPv4 and IPv6 connections for authentication header protocol AH:
rule protocol value="ah" accept
5.3.8.4.2. Using the Rich Rule Log Command Example 2
Allow new IPv4 and IPv6 connections for protocol FTP and log 1 per minute using audit:
rule service name="ftp" log limit value="1/m" audit accept
5.3.8.4.3. Using the Rich Rule Log Command Example 3
Allow new IPv4 connections from address 192.168.0.0/24 for protocol TFTP and log 1 per minute using syslog:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
5.3.8.4.4. Using the Rich Rule Log Command Example 4
New IPv6 connections from 1:2:3:4:6:: for protocol RADIUS are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
5.3.8.4.5. Using the Rich Rule Log Command Example 5
Forward IPv6 packets received from 1:2:3:4:6:: on port 4011 with protocol TCP to 1::2:3:4:7 on port 4012.
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
5.3.8.4.6. Using the Rich Rule Log Command Example 6
Whitelist a source address to allow all connections from this source.
rule family="ipv4" source address="192.168.2.2" accept
See the firewalld.richlanguage(5) man page for more examples.

5.3.9. Firewall Lockdown

Local applications or services are able to change the firewall configuration if they are running as root (for example, libvirt). With this feature, the administrator can lock the firewall configuration so that either no applications or only applications that are added to the lockdown whitelist are able to request firewall changes. The lockdown settings default to disabled. If enabled, the user can be sure that there are no unwanted configuration changes made to the firewall by local applications or services.

5.3.9.1. Configuring Firewall Lockdown

Using an editor running as root, add the following line to the /etc/firewalld/firewalld.conf file as follows:
Lockdown=yes
Reload the firewall using the following command as root:
~]# firewall-cmd --reload
Try to enable the imaps service in the default zone using the following command as an administrative user (a user in the wheel group; usually the first user on the system). You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
Error: ACCESS_DENIED: lockdown is enabled
To enable the use of firewall-cmd, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*'
Add the --permanent option if you want to make it persistent.
Reload the firewall as root:
~]# firewall-cmd --reload
Try to enable the imaps service again in the default zone by entering the following command as an administrative user. You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
This time the command succeeds.

5.3.9.2. Configuring IP Set options with the Command-Line Client

IP sets can be used in firewalld zones as sources and also as sources in rich rules. It is also possible to use the IP sets created with firewalld in a direct rule.
To list the IP sets known to firewalld in the permanent environment, use the following command as root:
~]# firewall-cmd --permanent --get-ipsets
To add a new IP set, use the following command using the permanent environment as root:
~]# firewall-cmd --permanent --new-ipset=test --type=hash:net
success
The previous command creates a new IP set with the name test and the hash:net type for IPv4. To create an IP set for use with IPv6, add the --option=family=inet6 option. To make the new setting effective in the runtime environment, reload firewalld. List the new IP set with the following command as root:
~]# firewall-cmd --permanent --get-ipsets
test
To get more information about the IP set, use the following command as root:
~]# firewall-cmd --permanent --info-ipset=test
test
  type: hash:net
  options: 
  entries:
Note that the IP set does not have any entries at the moment. To add an entry to the test IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --add-entry=192.168.0.1
success
The previous command adds the IP address 192.168.0.1 to the IP set. To get the list of current entries in the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
Generate a file containing a list of IP addresses, for example:
~]# cat > iplist.txt <<EOL
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
EOL
The file with the list of IP addresses for an IP set should contain an entry per line. Lines starting with a hash, a semi-colon, or empty lines are ignored.
To add the addresses from the iplist.txt file, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --add-entries-from-file=iplist.txt
success
To see the extended entries list of the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
To remove the addresses from the IP set and to check the updated entries list, use the following commands as root:
~]# firewall-cmd --permanent --ipset=test --remove-entries-from-file=iplist.txt
success
~]# firewall-cmd --permanent --ipset=test --get-entries 192.168.0.1
You can add the IP set as a source to a zone to handle all traffic coming in from any of the addresses listed in the IP set with a zone. For example, to add the test IP set as a source to the drop zone to drop all packets coming from all entries listed in the test IP set, use the following command as root:
~]# firewall-cmd --permanent --zone=drop --add-source=ipset:test
success
The ipset: prefix in the source shows firewalld that the source is an IP set and not an IP address or an address range.
Only the creation and removal of IP sets is limited to the permanent environment, all other IP set options can be used also in the runtime environment without the --permanent option.

5.3.9.3. Configuring Lockdown with the Command-Line Client

To query whether lockdown is enabled, use the following command as root:
~]# firewall-cmd --query-lockdown
The command prints yes with exit status 0 if lockdown is enabled. It prints no with exit status 1 otherwise.
To enable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-on
To disable lockdown, use the following command as root:
~]# firewall-cmd --lockdown-off

5.3.9.4. Configuring Lockdown Whitelist Options with the Command Line

The lockdown whitelist can contain commands, security contexts, users and user IDs. If a command entry on the whitelist ends with an asterisk *, then all command lines starting with that command will match. If the * is not there then the absolute command including arguments must match.
The context is the security (SELinux) context of a running application or service. To get the context of a running application use the following command:
~]$ ps -e --context
That command returns all running applications. Pipe the output through the grep tool to get the application of interest. For example:
~]$ ps -e --context | grep example_program
To list all command lines that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-commands
To add a command command to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To remove a command command from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To query whether the command command is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
The command prints yes with exit status 0 if true. It prints no with exit status 1 otherwise.
To list all security contexts that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-contexts
To add a context context to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To remove a context context from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To query whether the context context is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-context=context
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user IDs that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-uids
To add a user ID uid to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To remove a user ID uid from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To query whether the user ID uid is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-uid=uid
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user names that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-users
To add a user name user to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To remove a user name user from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To query whether the user name user is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-user=user
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.

5.3.9.5. Configuring Lockdown Whitelist Options with Configuration Files

The default whitelist configuration file contains the NetworkManager context and the default context of libvirt. The user ID 0 is also in the list.
<?xml version="1.0" encoding="utf-8"?>
			<whitelist>
			  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
			  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
			  <user id="0"/>
			</whitelist>
Following is an example whitelist configuration file enabling all commands for the firewall-cmd utility, for a user called user whose user ID is 815:
<?xml version="1.0" encoding="utf-8"?>
			<whitelist>
			  <command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
			  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
			  <user id="815"/>
			  <user name="user"/>
			</whitelist>
This example shows both user id and user name, but only one option is required. Python is the interpreter and is prepended to the command line. You can also use a specific command, for example:
/usr/bin/python /bin/firewall-cmd --lockdown-on
In that example only the --lockdown-on command will be allowed.

Note

In Red Hat Enterprise Linux 7, all utilities are placed in the /usr/bin/ directory and the /bin/ directory is sym-linked to the /usr/bin/ directory. In other words, although the path for firewall-cmd when run as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location. But be aware that if scripts that run as root have been written to use the /bin/firewall-cmd path, then that command path must be whitelisted in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
The * at the end of the name attribute of a command means that all commands that start with this string will match. If the * is not there then the absolute command including arguments must match.

5.3.10. Configuring Logging for Denied Packets

With the LogDenied option in the firewalld, it is possible to add a simple logging mechanism for denied packets. These are the packets that are rejected or dropped. To change the setting of the logging, edit the /etc/firewalld/firewalld.conf file or use the command-line or GUI configuration tool.
If LogDenied is enabled, logging rules are added right before the reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also the final reject and drop rules in zones. The possible values for this setting are: all, unicast, broadcast, multicast, and off. The default setting is off. With the unicast, broadcast, and multicast setting, the pkttype match is used to match the link-layer packet type. With all, all packets are logged.
To list the actual LogDenied setting with firewall-cmd, use the following command as root:
~]# firewall-cmd --get-log-denied 
off
To change the LogDenied setting, use the following command as root:
~]# firewall-cmd --set-log-denied=all
success
To change the LogDenied setting with the firewalld GUI configuration tool, start firewall-config, click the Options menu and select Change Log Denied menuitem. The LogDenied window appears. Select the new LogDenied setting from the drop-down menu and click OK.