firewalld

Installation

On Debian (and Debian-based systems) you can install it with apt/apt-get/nala/…

$ apt install firewalld

Default Zones

Zone Name   Description
drop        Any incoming network packets are dropped without reply. Only outgoing network connections are possible.
block       Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from this system are possible.
public      For use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
external    For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
dmz         For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work        For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
home        For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
internal    For use on internal networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
trusted     All network connections are accepted.

Commands and Descriptions

Command                                                                Description
firewall-cmd --get-active-zones                                        Lists the zones currently in use with the interfaces and sources bound to each (interfaces without an explicit zone belong to the default zone)
firewall-cmd --get-services                                            Lists all services known to firewalld that you can enable in a zone
firewall-cmd --zone=[zone_name] --list-all                             Shows the current config of zone [zone_name]
firewall-cmd --zone=[zone_name] --list-services                        Shows the enabled services of zone [zone_name]
firewall-cmd --zone=[zone_name] --list-ports                           Shows the open ports of zone [zone_name]
firewall-cmd --zone=[zone_name] --add-service=[service_name]           Adds service [service_name] to zone [zone_name], allowing inbound traffic for it
firewall-cmd --zone=[zone_name] --remove-service=[service_name]        Removes service [service_name] from zone [zone_name], denying inbound traffic for it
firewall-cmd --zone=[zone_name] --add-interface=[interface_name]       Adds interface [interface_name] to zone [zone_name]
firewall-cmd --zone=[zone_name] --remove-interface=[interface_name]    Removes interface [interface_name] from zone [zone_name]
firewall-cmd --zone=[zone_name] --add-port=[port]/[protocol]           Opens port [port]/[protocol] in zone [zone_name]
firewall-cmd --zone=[zone_name] --remove-port=[port]/[protocol]        Closes port [port]/[protocol] in zone [zone_name]
firewall-cmd --reload                                                  Reloads firewalld so config changes from the filesystem take effect
firewall-cmd --permanent [rest_of_command]                             Writes the change to the permanent config on the filesystem (/etc/firewalld); the running config picks it up on --reload
firewall-cmd --runtime-to-permanent                                    Writes the current running config to the filesystem (/etc/firewalld)

If you don't specify --zone=[zone_name], the default zone is used (which is public unless you changed it).
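The --list-all output is the place to check what a zone really allows. The script below is an added example, not part of the original page: it parses that output (the field layout firewall-cmd prints) and compares the enabled services and open ports against the set you expect, so a service or port that someone added with --add-service or --add-port shows up as a deviation. SAMPLE_LIST_ALL is a constructed copy of the output format and is used when firewall-cmd is not installed; the expected lists "dhcpv6-client ssh" and the zone name public are assumptions for the worked run.

```shell
#!/bin/sh
# Added example (not from the original page): audit a firewalld zone by
# parsing `firewall-cmd --zone=[zone_name] --list-all` and reporting
# services/ports that are enabled but not on the expected list.

# Constructed sample of `firewall-cmd --zone=public --list-all` output,
# used when firewall-cmd is not available on the machine running this.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh http
  ports: 8080/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# zone_field FIELD: print the value of one field of a --list-all listing read from stdin.
zone_field() {
    sed -n "s/^  $1: *//p"
}

# unexpected_items "ACTUAL" "EXPECTED": print the actual items that are not in the expected list.
unexpected_items() {
    result=""
    for item in $1; do
        found=no
        for ok in $2; do
            if [ "$item" = "$ok" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then result="$result $item"; fi
    done
    printf '%s' "${result# }"
}

# zone_audit ZONE EXPECTED_SERVICES EXPECTED_PORTS: read a --list-all listing
# from stdin, print every deviation and return 1 if any was found.
zone_audit() {
    listing=$(cat)
    services=$(printf '%s\n' "$listing" | zone_field services)
    ports=$(printf '%s\n' "$listing" | zone_field ports)
    status=0
    extra=$(unexpected_items "$services" "$2")
    if [ -n "$extra" ]; then
        echo "zone $1: unexpected services enabled: $extra"
        status=1
    fi
    extra=$(unexpected_items "$ports" "$3")
    if [ -n "$extra" ]; then
        echo "zone $1: unexpected ports open: $extra"
        status=1
    fi
    return $status
}

# Worked run: the public zone is expected to allow only dhcpv6-client and ssh
# and no extra ports. Uses the live firewall when firewall-cmd exists,
# otherwise the constructed sample (which reports http and 8080/tcp).
if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --zone=public --list-all | zone_audit public "dhcpv6-client ssh" "" \
        || echo "audit: deviations found"
else
    printf '%s\n' "$SAMPLE_LIST_ALL" | zone_audit public "dhcpv6-client ssh" "" \
        || echo "audit: deviations found"
fi
```

Running this from cron or a config-management check catches runtime-only changes that were never written with --permanent and would otherwise disappear unnoticed on the next --reload, as well as permanent additions nobody reviewed.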

Adding firewalld zone to NetworkManager connection

Why would you assign a firewalld zone to a NetworkManager connection? It makes a lot of sense on clients that switch between connections (e.g. a laptop): each connection then brings its own zone with it.

First we have to check whether a zone is already assigned to the connection we want to change.

If the output looks like the sample below, no specific zone is assigned and the connection uses the default zone.

$ nmcli -p connection show [connection_name] | grep connection.zone
connection.zone:                        --

Have a look at the zones provided by firewalld and decide which one fits best.

If you want to create a new one, e.g. based on the zone public, just copy the file /usr/lib/firewalld/zones/public.xml to /etc/firewalld/zones under a new name and reload firewalld. After you are done modifying it (don't forget to use --permanent or --runtime-to-permanent) you can add the zone to the connection like so:

$ nmcli connection modify [connection_name] connection.zone [zone_name]

And if you rerun the command from above (nmcli -p connection show ...) you will get this:

$ nmcli -p connection show [connection_name] | grep connection.zone
connection.zone:                        [zone_name]
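The whole procedure as one script, added here as an example that is not part of the original page: it reads the zone currently assigned to a connection from nmcli -p output, derives a new zone file from public.xml under a new name with only the services you list, and then reloads firewalld and binds the zone to the connection. Files are written to a scratch directory unless ZONE_DIR is set to /etc/firewalld/zones, and firewall-cmd/nmcli are only invoked in that case. PUBLIC_TEMPLATE is a constructed copy of the layout of /usr/lib/firewalld/zones/public.xml (the real file is used when readable), SAMPLE_NMCLI is constructed nmcli output, and the zone name laptop and connection name wifi-office are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): create a custom firewalld
# zone from public.xml and assign it to a NetworkManager connection.

# Constructed template mirroring /usr/lib/firewalld/zones/public.xml.
PUBLIC_TEMPLATE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <forward/>
</zone>'

# Constructed sample of `nmcli -p connection show [connection_name]` output.
SAMPLE_NMCLI='connection.id:                          wifi-office
connection.zone:                        --
connection.type:                        802-11-wireless'

# Where zone files are written; set to /etc/firewalld/zones for a real change.
ZONE_DIR=${ZONE_DIR:-$(mktemp -d)}

# connection_zone: read nmcli -p output from stdin and print the assigned zone,
# or "default" when the field is "--" (firewalld's default zone applies).
connection_zone() {
    zone=$(sed -n 's/^connection\.zone: *//p')
    if [ -z "$zone" ] || [ "$zone" = "--" ]; then echo default; else echo "$zone"; fi
}

# make_zone NAME SHORT SERVICE...: write ZONE_DIR/NAME.xml from the public
# template, renaming it and replacing its service list; prints the file path.
make_zone() {
    name=$1; short=$2; shift 2
    if [ -r /usr/lib/firewalld/zones/public.xml ]; then
        template=$(cat /usr/lib/firewalld/zones/public.xml)
    else
        template=$PUBLIC_TEMPLATE
    fi
    printf '%s\n' "$template" | awk -v short="$short" -v services="$*" '
        /<short>/ { sub(/<short>[^<]*<\/short>/, "<short>" short "</short>") }
        /<service name=/ {
            # emit the new service list where the old one started, drop the old entries
            if (!done) {
                n = split(services, s, " ")
                for (i = 1; i <= n; i++) printf "  <service name=\"%s\"/>\n", s[i]
                done = 1
            }
            next
        }
        { print }' > "$ZONE_DIR/$name.xml"
    echo "$ZONE_DIR/$name.xml"
}

# zone_services FILE: list the service names enabled in a zone file.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# assign_zone NAME CONNECTION: reload firewalld so the new file is known, then
# bind the zone to the connection. Only acts when writing to the real zone dir.
assign_zone() {
    if [ "$ZONE_DIR" = /etc/firewalld/zones ] && command -v nmcli >/dev/null 2>&1; then
        firewall-cmd --reload
        nmcli connection modify "$2" connection.zone "$1"
        nmcli -p connection show "$2" | grep connection.zone
    else
        echo "dry run: firewall-cmd --reload"
        echo "dry run: nmcli connection modify $2 connection.zone $1"
    fi
}

# Worked run: a zone named laptop, based on public, that only allows ssh in.
echo "current zone: $(printf '%s\n' "$SAMPLE_NMCLI" | connection_zone)"
file=$(make_zone laptop Laptop ssh)
echo "wrote $file with services: $(zone_services "$file")"
assign_zone laptop wifi-office
```

Keeping the service list explicit in make_zone is the point of the custom zone: a copy of public that silently inherits dhcpv6-client and whatever a later package drops into the stock file is easy to forget, whereas a generated file lists exactly what the connection accepts.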

Behind the scenes

To see what is going on in nftables you can use the command:

$ nft list ruleset inet

Of course you could switch the backend to iptables by setting FirewallBackend to iptables in the config, but keep in mind that the iptables backend is deprecated and will be removed in a future release.

If you still use it, iptables -nvL shows the applied rules.