====== Firewalld ======

===== List firewall rules =====

<code>
manu-opensuse:~ # firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources:
  services: dhcpv6-client ms-wbt
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
</code>

Check the firewall status:

<code>
manu-opensuse:~ # firewall-cmd --state
running
</code>

===== Add a rule =====

Add a service or a port to the public zone permanently, then reload so the permanent configuration becomes the running one:

<code>
manu-opensuse:~ # firewall-cmd --add-service=http --zone=public --permanent
manu-opensuse:~ # firewall-cmd --add-port=1600/tcp --zone=public --permanent
manu-opensuse:~ # firewall-cmd --reload
</code>

To remove a port use:

<code>
manu-opensuse:~ # firewall-cmd --zone=public --remove-port=1555/tcp --permanent
</code>

Config file of the public zone (the XML tags are not reproduced here, only the text content):

<code>
[root@tiprglp01 etc]# cat /etc/firewalld/zones/public.xml
Public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
</code>

===== Firewall debug =====

Enable the firewalld debug log (value between 1 and 10):

<code>
[root@tiprglp01 etc]# cat /etc/sysconfig/firewalld
# firewalld command line args
# possile values: --debug
FIREWALLD_ARGS="--debug=2"
</code>

The log is automatically created in **/var/log/firewalld**

===== Logging all inbound and outbound traffic with firewalld direct rules =====

Rule to log all incoming traffic, setting the log level to 4:

<code>
# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -s 0.0.0.0/0 -j LOG --log-prefix "INPUT " --log-level 4
</code>

Rule to log all outgoing traffic from 192.168.1.10 (the host's own address in this example), setting the log level to 4:

<code>
# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p all -s 192.168.1.10 -j LOG --log-prefix "OUTPUT " --log-level 4
</code>

With nftables as backend, direct rules are given a higher precedence than all other firewalld rules.

To check if the rules are applied:

<code>
# firewall-cmd --direct --get-all-rules
</code>

To make the rules permanent:

<code>
# firewall-cmd --runtime-to-permanent
</code>

To list all direct permanent rules:

<code>
# firewall-cmd --direct --get-all-rules --permanent
</code>

Traffic logs are written in /var/log/firewall
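As an added example (not part of the original page), the script below summarises the kernel LOG lines that the two direct rules above produce, grouping them by source address, protocol and destination port per direction; the log lines are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of kernel LOG lines as written by the INPUT/OUTPUT
# direct rules (the word after "kernel:" is the --log-prefix value).
SAMPLE_LOG='Jan 10 12:00:01 host kernel: INPUT IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=22
Jan 10 12:00:02 host kernel: INPUT IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=44322 DPT=22
Jan 10 12:00:03 host kernel: OUTPUT IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=53
Jan 10 12:00:04 host kernel: INPUT IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 PROTO=ICMP TYPE=8 CODE=0'

# summarise_log <INPUT|OUTPUT>: reads log lines on stdin and prints
# "SRC PROTO DPT count" rows for the chosen direction, busiest first.
# The prefix is located as the word before the first "IN=" field, so the
# parser does not depend on the syslog timestamp layout in front of it.
summarise_log() {
  awk -v want="$1" '
    {
      pfx = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^IN=/) { pfx = $(i - 1); break }
      if (pfx != want) next
      src = proto = dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "SRC") src = v
        else if (k == "PROTO") proto = v
        else if (k == "DPT") dpt = v
      }
      count[src " " proto " " dpt]++
    }
    END { for (key in count) print key, count[key] }
  ' | sort -k4,4nr -k1,1
}

# count_direction <INPUT|OUTPUT>: total number of logged packets in that direction.
count_direction() {
  printf '%s\n' "$SAMPLE_LOG" | summarise_log "$1" | awk '{ s += $4 } END { print s + 0 }'
}

# top_row <INPUT|OUTPUT>: the busiest "SRC PROTO DPT count" row for that direction.
top_row() {
  printf '%s\n' "$SAMPLE_LOG" | summarise_log "$1" | head -n 1
}
```

On a live system replace the constructed sample with `grep ' kernel: INPUT ' /var/log/firewall | summarise_log INPUT`.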