[[ch-FirewallD]]
= FirewallD

[[sect-what-is-firewalld]]
== What is FirewallD?

FirewallD allows users to control which network ports are open or closed, to keep their system secure from unauthorized access.
FirewallD is integrated with systemd and NetworkManager, and supports IPv4, IPv6 and Ethernet bridges.
It also provides an interface for services and applications to add firewall rules directly.
These settings can be controlled from the command-line, or with the `firewall-config` graphical user interface.

[[sect-do-i-have-firewalld-on-my-system]]
== Do I have FirewallD on my system?

FirewallD is the default firewall service for current releases of Fedora and is enabled by default.
To check if your system has FirewallD enabled, at the command-line, type:

[source,bash]
----
sudo firewall-cmd --state
----

This command reports whether FirewallD is `running` or `not running`.

If FirewallD is `not running`, type:

[source,bash]
----
sudo systemctl enable --now firewalld
----

This will enable the FirewallD service when booting the system, and immediately start the service.

If these commands do not work, FirewallD may not be installed. To install it, type:

[source,bash]
----
sudo dnf install firewalld
----

To install the FirewallD graphical user interface application and open it from the command-line, type:

[source,bash]
----
sudo dnf install firewall-config
sudo firewall-config
----

[[sect-opening-and-closing-ports-with-firewalld]]
== Opening and closing ports with FirewallD

Ports can be opened with FirewallD from the command-line, without editing configuration files.
Ports can be opened using either the service name or the port number.
For example, to allow access to the SSH service, type:

[source,bash]
----
sudo firewall-cmd --add-service ssh
----

When allowing access by port number, the port must be followed by its protocol, either TCP or UDP.
To open SSH by its port, type:

[source,bash]
----
sudo firewall-cmd --add-port=22/tcp
----

This will open the SSH port in runtime mode.
Runtime mode means the change is temporary: it reverts to the original state after the FirewallD service is reloaded, or after a system reboot.
To keep the SSH port open after a FirewallD service restart or system reboot, include the `--permanent` option. Type:

[source,bash]
----
sudo firewall-cmd --permanent --add-service ssh
----

or by port number:

[source,bash]
----
sudo firewall-cmd --permanent --add-port=22/tcp
----

To apply the changes to the running firewall:

[source,bash]
----
sudo firewall-cmd --reload
----

To block access to the SSH service:

[source,bash]
----
sudo firewall-cmd --remove-service ssh
----

To block access by port number:

[source,bash]
----
sudo firewall-cmd --remove-port=22/tcp
----

Again, add the `--permanent` option to make it persistent, and don't forget to run `firewall-cmd --reload` to apply the changes.

[[sect-how-can-i-see-the-services-recognized-by-firewalld]]
== How can I see the services recognized by FirewallD?

To see a list of all the services recognized by FirewallD, type:

[source,bash]
----
sudo firewall-cmd --get-services
----

To view a list of services "turned on" in FirewallD, type:

[source,bash]
----
sudo firewall-cmd --list-services
----
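The script below is an added example, not part of the original page. It compares the runtime lists with the `--permanent` ones to find entries that would disappear on `--reload` or reboot (added without `--permanent`) and entries that are not active yet (added with `--permanent` but never reloaded). The function names `drift` and `audit_live` and the sample lists are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find drift between FirewallD's runtime and permanent configuration.

# drift KIND RUNTIME PERMANENT
# RUNTIME and PERMANENT are single-line, space-separated lists as printed by
# `firewall-cmd --list-services` or `firewall-cmd --list-ports`.
# Prints one line per mismatch and returns 1 if any mismatch exists.
drift() {
    local kind runtime permanent item status
    kind=$1; runtime=" $2 "; permanent=" $3 "; status=0
    for item in $2; do                  # active now, gone after --reload or reboot
        case "$permanent" in
            *" $item "*) ;;
            *) echo "$kind runtime-only $item"; status=1 ;;
        esac
    done
    for item in $3; do                  # saved, but inactive until --reload
        case "$runtime" in
            *" $item "*) ;;
            *) echo "$kind permanent-only $item"; status=1 ;;
        esac
    done
    return "$status"
}

# audit_live: run the comparison against the real firewall (needs privileges).
audit_live() {
    local kind rc
    rc=0
    for kind in services ports; do
        drift "$kind" "$(firewall-cmd --list-"$kind")" \
                      "$(firewall-cmd --permanent --list-"$kind")" || rc=1
    done
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    # Constructed sample lists: ssh was added without --permanent,
    # 22/tcp was added with --permanent but without a following --reload.
    drift services "dhcpv6-client mdns ssh" "dhcpv6-client mdns" || true
    drift ports "8080/tcp" "8080/tcp 22/tcp" || true
fi
```

Run it with `sudo` and the `--live` argument to audit the running system; a non-zero exit status means the two configurations differ.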
[[sect-additional-resources]]
== Additional Resources

For more information about configuring FirewallD, such as how to list and change zones, port forwarding, and other system administrative tasks, refer to the FirewallD documentation at link:++http://www.firewalld.org/++[firewalld.org] and the link:++https://fedoraproject.org/wiki/Firewalld++[Fedora Wiki: FirewallD].

You can also find local documentation by using `firewall-cmd --help` or the man pages: `man firewalld`.