
Firewalld on fedora

wordpress meta

title: 'FirewallD on Fedora'
date: '2014-03-24T06:32:03-05:00'
status: publish
permalink: /firewalld-on-fedora
author: admin
excerpt: ''
type: post
id: 568
category:
    - FirewallD
tag: []
post_format: []

Somewhere between Fedora 18 and 20 the default firewall switched to FirewallD, which replaces the static iptables service. There is lots more detail at the links referenced below, but in my mind the big advantages are zones and the fact that changes can be made to the running firewall without a restart, unload or reload, so the firewall keeps its connection state across changes and stays stateful.

This is just a quick reminder for myself of what I did to add a port to the public zone. I was setting up SPICE for accessing a Windows 7 KVM guest and needed the firewall to allow port 5901.

I will play with the other zones at some point. Ideally I don't want to allow 5901 in the public zone, just in the internal zone.

Get some information on the FirewallD service.

# systemctl | grep firewall
firewalld.service                                                                                          loaded active running   firewalld - dynamic firewall daemon

# firewall-cmd --state
running

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

# firewall-cmd --get-default-zone
public

Add the vnc-server service, which covers the ports I am interested in. Add the rule to the permanent configuration as well as the running one, so it survives a reload or reboot.

# firewall-cmd --zone=public --add-service=vnc-server
success

# firewall-cmd --permanent --zone=public --add-service=vnc-server
success

# firewall-cmd --reload
success
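The same procedure as a small POSIX shell script, added here as an example and not code from the original post: it checks whether the service is already enabled in the zone (runtime and permanent), adds it only where it is missing, and verifies both before reporting success. It takes the service and zone as parameters, so allowing 5901 only in the internal zone is just a matter of passing `internal`. The FIREWALL_CMD override and the function names are assumptions of this example; the firewall-cmd options used (--state, --get-default-zone, --query-service, --add-service, --permanent) are real.

```shell
#!/bin/sh
# Added example, not code from the original post: enable a firewalld service
# in a zone at runtime and permanently, skipping steps already in place.
# FIREWALL_CMD is an assumed override so the logic can be exercised against a
# stand-in instead of the real firewall-cmd binary (the default).
: "${FIREWALL_CMD:=firewall-cmd}"

# Is the service enabled in the zone?  Exit 0 = yes, 1 = no.
# Usage: service_enabled ZONE SERVICE [--permanent]
service_enabled() {
    "$FIREWALL_CMD" ${3:-} --zone="$1" --query-service="$2" >/dev/null 2>&1
}

# Usage: open_service SERVICE [ZONE]   (ZONE defaults to the default zone)
# Returns 0 when the service is enabled in both the running and the
# permanent configuration, 1 if firewalld is not running or a step failed.
open_service() {
    svc=$1
    zone=${2:-}
    if [ -z "$zone" ]; then
        zone=$("$FIREWALL_CMD" --get-default-zone) || return 1
    fi
    "$FIREWALL_CMD" --state >/dev/null 2>&1 || {
        echo "firewalld is not running" >&2; return 1; }

    # Runtime change: effective immediately, but discarded by --reload
    # or a reboot, which is why the permanent step below is also needed.
    if ! service_enabled "$zone" "$svc"; then
        "$FIREWALL_CMD" --zone="$zone" --add-service="$svc" >/dev/null || return 1
    fi
    # Permanent change: survives a reboot; it only reaches the running firewall
    # via --reload or a restart, so doing both steps makes a reload unnecessary.
    if ! service_enabled "$zone" "$svc" --permanent; then
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$svc" >/dev/null \
            || return 1
    fi
    # Verify that both views now agree before reporting success.
    service_enabled "$zone" "$svc" && service_enabled "$zone" "$svc" --permanent
}

# Stand-alone use:  sh open-service.sh vnc-server public
if [ $# -gt 0 ]; then
    open_service "$@" && echo "$1 enabled in zone ${2:-default}"
fi
```

Afterwards, `firewall-cmd --zone=public --list-services` (and the same with `--permanent`) should show vnc-server in both lists.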

Hints:
You can also use firewall-config, which is the native firewall GUI.
Use nmap to verify the open ports.

More detail here:
https://fedoraproject.org/wiki/Features/firewalld-default
https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/