System Initialization & Security Module Alignment
Before applying network policies, ensure the underlying security modules align with your operational requirements. Disabling SELinux enforcement and halting the firewall daemon can be done with the following sequence:
# Switch SELinux to permissive for the running kernel (setenforce cannot fully disable it)
setenforce 0 >/dev/null 2>&1
# Persist the disabled state across reboots (takes effect at next boot)
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# Stop, disable and mask firewalld, then NetworkManager (--now is only valid with enable/disable/mask)
systemctl disable --now firewalld
systemctl mask firewalld
systemctl disable --now NetworkManager
systemctl mask NetworkManager
Ephemeral vs Persistent Policy Application
The firewalld daemon separates runtime configurations from persistent storage. Runtime adjustments are volatile and disappear upon service restart.
Temporary Access (Current Session Only)
sudo firewall-cmd --add-port=80/tcp
sudo firewall-cmd --add-port=22/tcp
Persistent Access (Survives Reboots)
# Define target ports for readability
TARGET_HTTP_PORT=80
TARGET_SSH_PORT=22
sudo firewall-cmd --permanent --add-port="${TARGET_HTTP_PORT}/tcp"
sudo firewall-cmd --permanent --add-port="${TARGET_SSH_PORT}/tcp"
# Synchronize persistent definitions with active runtime
sudo firewall-cmd --reload
Auditing Current Configuration
Verify applied policies using built-in inspection utilities:
# Display the active runtime configuration of the default zone
sudo firewall-cmd --list-all
# Isolate purely persistent definitions
sudo firewall-cmd --permanent --list-all
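A small drift check that compares the two listings above, added here as an example and not part of the original page: it takes the output of firewall-cmd --list-ports and firewall-cmd --permanent --list-ports and reports ports that exist in only one of them. The function names and the sample lists are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: detect drift between the
# firewalld runtime and permanent port sets. On a real host the inputs are
#   firewall-cmd --list-ports   and   firewall-cmd --permanent --list-ports
# The lists used at the bottom are constructed sample values.

# port_diff A B: print every entry of space-separated list A that is absent
# from list B, one per line, sorted (empty output when none).
port_diff() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { n = split($0, a, " "); next }
        { m = split($0, b, " "); for (i = 1; i <= m; i++) seen[b[i]] = 1 }
        END { for (i = 1; i <= n; i++) if (!(a[i] in seen)) print a[i] }
    ' | sort
}

# firewalld_port_drift RUNTIME PERMANENT
# Returns 0 when both sets match; otherwise prints what the next --reload
# would drop (runtime-only) and what is not yet active (permanent-only),
# then returns 1.
firewalld_port_drift() {
    lost=$(port_diff "$1" "$2")
    pending=$(port_diff "$2" "$1")
    [ -z "$lost" ] && [ -z "$pending" ] && return 0
    [ -n "$lost" ] && printf 'runtime-only (lost on --reload): %s\n' "$(echo $lost)"
    [ -n "$pending" ] && printf 'permanent-only (inactive until --reload): %s\n' "$(echo $pending)"
    return 1
}

# Constructed sample: 8080/tcp was added without --permanent, and 443/tcp was
# added with --permanent but --reload has not been run yet.
SAMPLE_RUNTIME="22/tcp 80/tcp 8080/tcp"
SAMPLE_PERMANENT="22/tcp 80/tcp 443/tcp"
firewalld_port_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "drift detected"
```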
Adjusting Existing Entries
firewalld does not support in-place modification of an existing rule. Changing one requires explicit removal of the old entry followed by redefinition of the new one.
Relocating Administrative Ports (SSH 22 → 2222)
LEGACY_SSH=22
ALTERNATE_SSH=2222
sudo firewall-cmd --permanent --remove-port="${LEGACY_SSH}/tcp"
sudo firewall-cmd --permanent --add-port="${ALTERNATE_SSH}/tcp"
sudo firewall-cmd --reload
Switching Protocol Services (HTTP → HTTPS)
sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Revoking Access
Eliminate previously granted permissions using targeted removal commands:
sudo firewall-cmd --permanent --remove-port=80/tcp
sudo firewall-cmd --permanent --remove-port=22/tcp
sudo firewall-cmd --reload
Service-Centric Management & Diagnostics
Managing policies through service abstractions prevents port drift and simplifies maintenance:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
List all natively supported service definitions:
sudo firewall-cmd --get-services
Cross-reference listening ports with active processes:
sudo lsof -i :80 -P -n | head -n 5
sudo lsof -i :22 -P -n | head -n 5
Legacy netfilter Reference
For environments operating outside firewalld, direct iptables manipulation remains applicable (on a host where firewalld is active, use firewall-cmd instead, since a firewalld reload replaces rules written directly with iptables):
# Reset chain policies to ACCEPT, flush all rules and delete user-defined chains
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
# Inspect raw table state
iptables -L -n -v
Operational Constraints & Security Baselines
- Changes made without --permanent are runtime-only; to persist a change, include the --permanent flag and follow immediately with --reload to propagate the state.
- Avoid broad administrative exposure. Constrain SSH ingress to verified CIDR ranges using rich rule syntax:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" port protocol="tcp" port="22" accept'
The rich rule only restricts access if the zone does not also open the ssh service or 22/tcp outright; remove those broader entries first, then --reload.
- Post-modification validation is mandatory. Confirm the rule is active via audit output:
sudo firewall-cmd --list-all