firewalld rules list

2 min read 23-11-2024

Understanding and Managing Firewalld Rules Lists

Firewalld, the dynamic firewall manager in many Linux distributions, uses "zones" to define security contexts and "rules" within those zones to control network traffic. Understanding how to list and manage these rules is crucial for network security administration. This article will guide you through listing Firewalld rules and interpreting the output.

Accessing Firewalld's Rules:

The primary command for viewing Firewalld's rules is firewall-cmd --list-all. This command provides a comprehensive overview of all active zones and their associated rules. Let's break down the output:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

This output shows the public zone is active. Let's examine the key elements:

  • target: default: This indicates the default target for packets that don't match any specific rules. default usually means ACCEPT or DROP, depending on the zone's configuration.

  • icmp-block-inversion: no: This specifies whether ICMP (ping) requests are blocked by default (no) or allowed (yes).

  • interfaces: eth0: This lists the network interfaces associated with the zone.

  • services: ssh dhcpv6-client: This shows services explicitly allowed through the firewall. ssh allows secure shell connections, and dhcpv6-client allows the system to obtain an IPv6 address.

  • ports: This section lists any specific ports allowed or blocked (e.g., ports: 80/tcp). If empty, no specific ports are defined.

  • masquerade: no: This indicates whether network address translation (NAT) is enabled.

  • forward-ports, source-ports, icmp-blocks, rich rules: These sections display advanced configurations. Rich rules allow for complex rule sets using XML.

Listing Rules for Specific Zones:

You can list rules for a specific zone using the following command:

firewall-cmd --zone=ZONE --list-all

Replace ZONE with the zone name (e.g., public, internal, external, dmz). This is useful for focusing on a particular zone's configuration.

Listing Only Active Services:

To see only the active services allowed in a zone, use:

firewall-cmd --zone=ZONE --list-services

Listing Only Open Ports:

Similarly, to see only the open ports in a zone:

firewall-cmd --zone=ZONE --list-ports

Interpreting the Output and Troubleshooting:

The output from these commands provides a snapshot of your firewall configuration. If you're troubleshooting network connectivity issues, examine the listed services, ports, and interfaces to identify where the traffic is being blocked. Ensure the services you need are explicitly allowed, and that interfaces are correctly associated with the zones.
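As an added example (not from the original article), the POSIX shell script below parses a listing in the firewall-cmd --zone=ZONE --list-all format shown above and flags services, ports and a masquerade setting that drift from an expected baseline, which turns the manual review into a repeatable check. The input is a constructed sample rather than a live listing, so it runs offline; on a real host you would feed it the output of firewall-cmd --zone=public --list-all, and loop over firewall-cmd --get-active-zones to cover every zone.

```sh
#!/bin/sh
# Added example: audit one zone listing (firewall-cmd --zone=ZONE --list-all
# format) against a baseline. SAMPLE_PUBLIC is constructed, not captured.
SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 8080/tcp
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# get_field LISTING KEY: print the value of the "  KEY: value" line (empty if unset).
get_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# unexpected_items LISTING KEY BASELINE: print the items of the space-separated
# KEY value (services, ports, ...) that are absent from the BASELINE list.
unexpected_items() {
    _found=""
    for _item in $(get_field "$1" "$2"); do
        case " $3 " in
            *" $_item "*) ;;                 # present in the baseline
            *) _found="$_found $_item" ;;    # drift from the baseline
        esac
    done
    printf '%s' "${_found# }"
}

# audit_zone LISTING ALLOWED_SERVICES ALLOWED_PORTS: print one finding per line;
# return 0 when the zone matches the baseline, 1 when anything has drifted.
audit_zone() {
    _rc=0
    _svc=$(unexpected_items "$1" services "$2")
    [ -z "$_svc" ] || { echo "unexpected services: $_svc"; _rc=1; }
    _prt=$(unexpected_items "$1" ports "$3")
    [ -z "$_prt" ] || { echo "unexpected ports: $_prt"; _rc=1; }
    # masquerade turns the host into a NAT gateway, so it must be deliberate.
    [ "$(get_field "$1" masquerade)" = "no" ] || { echo "masquerade enabled"; _rc=1; }
    return $_rc
}

audit_zone "$SAMPLE_PUBLIC" "ssh dhcpv6-client" "" || echo "public: drifted from baseline"
```

The non-zero exit status from audit_zone makes the check usable from cron or a CI job that should fail when the firewall configuration changes.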

Beyond Listing: Managing Firewalld Rules:

While this article focuses on listing rules, remember that Firewalld provides commands for adding, removing, and modifying rules. Refer to the firewall-cmd man page (man firewall-cmd) for detailed information on managing your firewall's rules effectively and securely.

By mastering the art of listing and understanding Firewalld rules, you gain valuable control over your system's network security. Regularly reviewing your firewall configuration is a crucial step in maintaining a secure network environment.
