Introduction
Firewalld is a replacement for managing the firewall with iptables directly. It is not as difficult as I initially thought. The configuration files live in /etc/firewalld/.
Purpose
Firewalld keeps the bad guys from attacking you from the network or the internet.
Firewall-cmd show commands
firewall-cmd --list-all
firewall-cmd --list-all --zone=public
firewall-cmd --list-all --zone=internal
firewall-cmd --zone=external --list-services
firewall-cmd --get-zones
firewall-cmd --get-active-zones
Change interface zone
firewall-cmd --permanent --zone=work --add-interface=ens224
firewall-cmd --permanent --zone=work --change-interface=ens224
firewall-cmd --permanent --zone=public --remove-interface=ens224
firewall-cmd --get-active-zones
Show the default zone for this device (the zone an interface falls into when no zone is assigned to it).
firewall-cmd --get-default-zone
Adding ssh by port and protocol or by name.
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --permanent --add-service=ssh
Bind a network to the default zone as a source, so that traffic from it is allowed whatever that zone allows.
firewall-cmd --permanent --add-source=192.168.1.0/24
Remove the same network.
firewall-cmd --permanent --remove-source=192.168.1.0/24
Reject everything from the network. This is not advisable; you should drop these packets instead.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
Accept MySQL packets from 192.168.1.0/24 on port 3306/tcp.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="3306" accept'
Remove the same rule as above.
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="3306" accept'
Setting the default zone.
firewall-cmd --set-default-zone=external
Add samba to the external zone.
firewall-cmd --permanent --zone=external --add-service=samba
Add web service to the work zone.
firewall-cmd --permanent --zone=work --add-service=http
Add a rich rule to open port 10000 from the network 198.51.100.0/24 and log this packet with the prefix "test-firewalld-log". Without --permanent this is a runtime-only rule and is gone after a reload or reboot.
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="198.51.100.0/24" port protocol="tcp" port="10000" log prefix="test-firewalld-log" level="info" accept'
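The rich rules above are easy to get wrong (nested double quotes, an uppercase protocol name, a mistyped network). As an added example that is not part of these notes, the POSIX shell functions below validate the pieces of a rule, build it with the same quoting as the rich rules above, and apply it permanently followed by a reload; DRY_RUN=1 only prints the firewall-cmd command. The function names and the argument order are my own choice.

```shell
#!/bin/sh
# Added example, not from the original notes.
# rich_rule FAMILY SOURCE PROTOCOL PORT ACTION [LOGPREFIX]
# Prints a firewalld rich rule or returns 1 if an argument is unusable.
rich_rule() {
    family=$1 src=$2 proto=$3 port=$4 action=$5 logprefix=$6

    case "$family" in ipv4|ipv6) ;; *) echo "bad family: $family" >&2; return 1 ;; esac
    # firewalld expects lowercase protocol names ("22/TCP" is rejected)
    case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$action" in accept|reject|drop) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    # port must be all digits and within 1..65535
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    # shape check for an IPv4 address or CIDR: digits, dots and one optional /prefix
    if [ "$family" = ipv4 ]; then
        case "$src" in
            *[!0-9./]*|*/|*/*/*) echo "bad source: $src" >&2; return 1 ;;
        esac
    fi

    # same layout and quoting as the rich rules in the notes
    rule="rule family=\"$family\" source address=\"$src\" port protocol=\"$proto\" port=\"$port\""
    if [ -n "$logprefix" ]; then
        rule="$rule log prefix=\"$logprefix\" level=\"info\""
    fi
    rule="$rule $action"
    printf '%s\n' "$rule"
}

# apply_rich_rule ZONE FAMILY SOURCE PROTOCOL PORT ACTION [LOGPREFIX]
# Adds the rule to the permanent configuration of ZONE and reloads so it is
# also active at runtime. With DRY_RUN=1 the command is printed, not run.
apply_rich_rule() {
    zone=$1; shift
    rule=$(rich_rule "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd --permanent --zone=%s --add-rich-rule=%s\n' "$zone" "'$rule'"
        return 0
    fi
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" && firewall-cmd --reload
}
```

Example call, as root on a host running firewalld: `apply_rich_rule public ipv4 198.51.100.0/24 tcp 10000 accept test-firewalld-log`.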