Firewalld

List firewall rules

manu-opensuse:~ # firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources: 
  services: dhcpv6-client ms-wbt
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Check the firewall status

manu-opensuse:~ # firewall-cmd --state
running

Add a rule

manu-opensuse:~ # firewall-cmd --add-service=http --zone=public --permanent
manu-opensuse:~ # firewall-cmd --add-port=1600/tcp --zone=public --permanent
manu-opensuse:~ # firewall-cmd --reload

To remove a port, use:

manu-opensuse:~ # firewall-cmd --zone=public --remove-port=1555/tcp --permanent

Config file:

[root@tiprglp01 etc]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="1500"/>
  <port protocol="tcp" port="11090"/>
  <port protocol="tcp" port="1550"/>
  <port protocol="tcp" port="1600"/>
  <port protocol="tcp" port="1650"/>
  <port protocol="tcp" port="1501"/>
  <port protocol="tcp" port="1581"/>
  <port protocol="tcp" port="1555"/>
  <port protocol="tcp" port="10050"/>
  <port protocol="udp" port="10050"/>
</zone>
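The zone file above is plain XML, so it is easy to audit against what the zone is supposed to open. The following is an added example (not part of these notes and not firewalld code): it parses a zone file of that shape, validates each port spec the way firewall-cmd would, expands ranges such as 1500-1600, and reports what is opened beyond an allowlist. The sample XML is constructed to mirror the public.xml shown, and the allowlists are assumptions for the example.

```python
"""Audit a firewalld zone file against an allowlist of services and ports.

Added example, not part of the original notes or of firewalld itself. The
zone XML is a constructed sample shaped like /etc/firewalld/zones/public.xml;
the allowlists passed to audit_zone() are assumptions for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample zone (a subset of the ports shown in public.xml above)
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="1500"/>
  <port protocol="tcp" port="1600"/>
  <port protocol="tcp" port="10050"/>
  <port protocol="udp" port="10050"/>
</zone>
"""

VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def port_range(spec):
    """Expand a firewalld port spec ("22" or "1500-1600") into (low, high) ints.

    Raises ValueError for anything outside 1-65535 or with low > high; firewall-cmd
    refuses such specs too, but a hand-edited XML file would not catch them.
    """
    low, sep, high = spec.partition("-")
    low = int(low)
    high = int(high) if sep else low
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port spec {spec!r}")
    return low, high


def parse_zone(xml_text):
    """Return (services, ports): a set of service names and a set of (protocol, spec)."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"not a firewalld zone file (root element <{root.tag}>)")
    services = {s.get("name") for s in root.findall("service")}
    ports = set()
    for p in root.findall("port"):
        proto, spec = p.get("protocol"), p.get("port")
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r} on port {spec!r}")
        port_range(spec)  # validate the spec before accepting it
        ports.add((proto, spec))
    return services, ports


def expand_ports(ports):
    """Turn {(proto, spec)} into {(proto, port_number)} so ranges and singles compare."""
    out = set()
    for proto, spec in ports:
        low, high = port_range(spec)
        out.update((proto, n) for n in range(low, high + 1))
    return out


def audit_zone(xml_text, allowed_services, allowed_ports):
    """Compare what the zone opens against what the allowlist says it should open.

    allowed_ports uses the same (protocol, spec) shape as the XML, so one
    allowlisted range like ("tcp", "1500-1600") covers the individual ports in it.
    """
    services, ports = parse_zone(xml_text)
    opened = expand_ports(ports)
    allowed = expand_ports(allowed_ports)
    return {
        "unexpected_services": sorted(services - set(allowed_services)),
        "missing_services": sorted(set(allowed_services) - services),
        "unexpected_ports": sorted(opened - allowed),
        "missing_ports": sorted(allowed - opened),
    }


if __name__ == "__main__":
    report = audit_zone(
        SAMPLE_ZONE_XML,
        allowed_services={"ssh", "dhcpv6-client"},
        allowed_ports={("tcp", "1500-1600"), ("tcp", "10050")},
    )
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run against the real file with `parse_zone(open("/etc/firewalld/zones/public.xml").read())`; with the sample above and the allowlist in the main block, the only unexpected entry is udp/10050, which is exactly the kind of extra opening that accumulates in a zone file over time.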

Firewall debug

Enable firewalld's own debug log (--debug level between 1 and 10):

[root@tiprglp01 etc]# cat /etc/sysconfig/firewalld 
# firewalld command line args
# possile values: --debug
FIREWALLD_ARGS="--debug=2"

The daemon debug log is automatically created in /var/log/firewalld (this is firewalld's own log, not a log of the traffic it filters).

Logging all inbound and outbound traffic with firewalld direct rules

Rule to log all incoming traffic, setting the log level to 4 (warning):

# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -s 0.0.0.0/0 -j LOG --log-prefix "INPUT " --log-level 4

Rule to log all outgoing traffic from this host (source 192.168.1.10), setting the log level to 4:

# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p all -s 192.168.1.10 -j LOG --log-prefix "OUTPUT " --log-level 4

With nftables as backend, direct rules are given a higher precedence than all other firewalld rules.

To check if the rules are applied:

# firewall-cmd --direct --get-all-rules

To make the rules permanent:

# firewall-cmd --runtime-to-permanent

To list all direct permanent rules:

# firewall-cmd --direct --get-all-rules --permanent

The LOG target writes through the kernel log; on this system the traffic logs end up in /var/log/firewall.
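Once the two direct rules are in place, every line the LOG target produces carries the --log-prefix ("INPUT " or "OUTPUT ") followed by KEY=VALUE fields and bare TCP flags. The following is an added example, not part of these notes or of firewalld: a small parser for those lines that counts packets per prefix, protocol, source and destination port, and separately counts new inbound TCP connection attempts (SYN without ACK) per port. The log lines are constructed to match the shape the netfilter LOG target writes; the hostname and addresses are made up.

```python
"""Summarise the kernel LOG lines produced by the INPUT/OUTPUT direct rules.

Added example, not part of the original notes. The log lines are constructed
to match the shape the netfilter LOG target writes (syslog header, "kernel:",
then the --log-prefix followed by KEY=VALUE fields); host and addresses are made up.
"""
import re
from collections import Counter

# Constructed sample: three lines from the INPUT rule, one from OUTPUT, one unrelated
SAMPLE_LOG = """\
Mar 10 12:00:01 tiprglp01 kernel: [ 1234.567] INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.55 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:02 tiprglp01 kernel: [ 1235.001] INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.55 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=1600 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:03 tiprglp01 kernel: [ 1236.002] OUTPUT IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=41000 DPT=53 LEN=56
Mar 10 12:00:04 tiprglp01 kernel: [ 1237.003] INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar 10 12:00:05 tiprglp01 sshd[123]: Accepted publickey for manu from 192.168.1.55 port 51234 ssh2
"""

# Matches the prefix set with --log-prefix ("INPUT " / "OUTPUT ") and everything after it.
LOG_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>INPUT|OUTPUT) (?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return {"prefix", "fields", "flags"} for a LOG line, or None for anything else.

    KEY=VALUE tokens go into fields; bare tokens such as DF, SYN or ACK go into flags.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for token in m.group("fields").split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value
        else:
            flags.append(token)
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def summarize(log_text):
    """Count packets per (prefix, protocol, source address, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        counts[(rec["prefix"], f.get("PROTO"), f.get("SRC"), f.get("DPT"))] += 1
    return counts


def inbound_syn_by_port(log_text):
    """Count new inbound TCP connection attempts (SYN without ACK) per destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != "INPUT":
            continue
        f, flags = rec["fields"], rec["flags"]
        if f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            counts[f["DPT"]] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(n, *key)
    print("new inbound TCP connections per port:", dict(inbound_syn_by_port(SAMPLE_LOG)))
```

Feed it the real file with `summarize(open("/var/log/firewall").read())`. Note that the two direct rules as written match every packet (`-p all`, no rate limit), so on a busy host they will flood the kernel log; inserting `-m limit --limit 10/s --limit-burst 20` before `-j LOG` in the same rule keeps the volume bounded while still showing which ports and sources are being hit.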