Questions tagged [firewalld]
Firewalld is an open source firewall solution available on several Linux distributions. Firewalld uses D-Bus for monitoring and dynamic management.
68 questions
15 votes, 3 answers, 92k views
Getting firewalld to allow ping requests
On CentOS 7, I have installed and setup firewalld as follows:
Add ssh service to drop zone permanently (sudo firewall-cmd --zone=drop --permanent --add-service=ssh)
Make drop zone the default zone so ...
11 votes, 1 answer, 10k views
Opening a port with firewalld doesn't seem to work
I have configured sshd to live on a different port. I have opened that port using firewalld:
$ sudo firewall-cmd --zone=public --add-port=22000/tcp --permanent
Listing rules shows port 22000 is ...
9 votes, 1 answer, 24k views
Configure FirewallD to allow bridged virtual machine network access
I have a Windows guest running on a virt-manager QEMU/KVM virtual machine.
My primary NIC eno1 is in a bridge br1 which is configured with my host IP address configuration. This VM is connected to ...
8 votes, 1 answer, 18k views
How can I configure firewalld to block all outgoing traffic except for specific ports while allowing localhost to access any of its own local ports?
I'll confess at the start that I'm asking this question only after finding the answer and wanting to share it with everyone else. If this is bad form, then my sincere apologies and I'm open to the ...
7 votes, 1 answer, 12k views
firewall-cmd - add-forward-port doesn't work
I have a KVM server (host) with multiple virtual machines (guests).
My goal is for my host to forward port 222 to port 22 of a guest running an ssh service.
This works...
iptables -I OUTPUT -d 0.0.0.0/0 -...
7 votes, 1 answer, 4k views
How to block docker-mapped ports with a firewall from outside the host without messing up docker routing inside the host?
I have a docker container running on a host with some port mapped to a port on the host.
docker run -d -p 9009:9009 someserver
I want this machine firewalled off from the internet except for 80, ...
3 votes, 1 answer, 2k views
Setting up rules in firewalld to allow clients in the same VPN subnet to communicate
I am trying to set up a WireGuard VPN on a Fedora server. I have it up and running and can connect with multiple clients, browse through it, ssh into the server etc. In general it just works. Except ...
3 votes, 1 answer, 2k views
firewalld rich rules don't drop incoming traffic (CentOS 8 behind a NAT)
Post-Solving Edit
The reason this was so hard to solve at the firewall level was that it wasn't a firewall problem. Something @tom-yan said in chat made me revisit the script which pulls out the IP ...
3 votes, 0 answers, 2k views
Docker container can't make DNS queries with FirewallD running
While FirewallD is running, all DNS queries fail and are blocked by the firewall. Running tcpdump -i docker0 while running ping google.com in a container shows me
21:27:02.683342 IP 172.17.0.2.35118 &...
3 votes, 1 answer, 9k views
using firewalld and firewall-cmd how to add-rule to primary INPUT chain not INPUT_direct
So after reading the firewalld man page and Fedora documentation, I have come to the understanding that to add a custom rule to the firewall with specific arguments I need to use the structure
firewall-...
3 votes, 1 answer, 379 views
Configure firewalld to distinguish home and public ethernet connection
I connect my notebook via ethernet at home and outside. I want to open some ports for services like samba only at home and not somewhere else.
How can I let firewalld automatically detect where I am, ...
2 votes, 1 answer, 12k views
How to open a UDP port in the CentOS 7 firewall, firewalld, using firewall-cmd?
CentOS 7 server. Trying to open port 3000 for UDP, nodejs ws websockets. Any ideas? I'm stuck! I've checked a few other SO posts to no avail. Thx, Keith =)
If I stop the firewall, the UDP unicast ...
2 votes, 1 answer, 2k views
firewalld: forward traffic as a wireguard VPN gateway
I have set up a Pi running Pi OS 11 as a VPN gateway for my local network using WireGuard & nftables, and that all works fine.
However, I wish to switch over to firewalld to be compatible with docker ...
2 votes, 1 answer, 3k views
Whitelist websites for specific user on linux?
Due to a child protection and safeguarding issue, I want to set up a restricted or limited account for a tech-savvy teenager to use. I would like to whitelist only specific websites (e.g. iPlayer and ...
2 votes, 2 answers, 4k views
Firewalld block / drop and allow by IP
We have a Linux root server which is primarily just a Docker server.
Hosting containers and a CI runner.
To protect this server the basic idea for now is to
block all traffic
except for one (or more)...
2 votes, 1 answer, 13k views
firewall-cmd configure destination NAT
I am trying to configure destination NAT on a RHEL 7.4 server. I want any traffic generated for 10.10.10.10:443 to go to 10.20.20.20:443.
After some Googling I used following direct rule:
firewall-...
2 votes, 0 answers, 45 views
firewalld Zone "trusted" Drops about 15% of Frames that are Passed by Zone "public"
Background
I have two lab machines, which I'll refer to as A and B, running RHEL 8.0.
I SSH into A and B from my Windows desktop over a 1 GbE link, whose network interface I'll refer to as eth0.
A and ...
2 votes, 0 answers, 207 views
Fedora unable to mount NFS due to firewalld
I am trying to create an NFS share between my host and guest VM (run with qemu-kvm).
I followed this guide and this is the situation:
host:
cat /etc/exports
/mnt/nfsshare 192.168.122.76/24(rw,sync,...
2 votes, 0 answers, 197 views
Fedora 33 as wireless router to the internet: stations are always isolated, cannot ping/connect between devices on the wireless lan
Wifi adapter : Asus PCE-AC88
Running on the router : Fedora 33, firewalld, hostapd (built from master), dnsmasq
Routing to the internet works great, all stations are routed to the WAN provided by my ...
2 votes, 2 answers, 2k views
How to get an IP address blocked with firewall-cmd with immediate effect?
To replicate the problem have two different servers with their own IP addresses. Now start pinging one of them from the second one, and while still pinging block the first server's IP on the second ...
1 vote, 1 answer, 1k views
How can I fix IPv6 not forwarding traffic correctly between interfaces?
I have two OpenSUSE servers, one with IPv6 and IPv4 while the other only has IPv4 capabilities. The two of them are connected with OpenVPN and can communicate using IPv6 through the tunnel just fine.
...
1 vote, 1 answer, 921 views
Blacklist list of IPs from file, CentOS 7.5
I have to deny access from a set of IPs from a specific country and downloaded the list from the http://www.ipdeny.com/ site.
I tried to block this set using
firewall-cmd --permanent --ipset=blacklist --...
1 vote, 2 answers, 2k views
Can I block internet access of a single app with firewalld?
Is it possible to prevent a single app from accessing the internet with firewalld?
To be precise, I have an application packaged as an AppImage, currently installed in my Home directory, and I want it to ...
1 vote, 1 answer, 2k views
firewall-cmd blocking snmp
I inherited a system that has rules implemented with firewall-cmd; it has the rules below. Another system is trying to connect to the SNMP port (UDP/161) but is not able to (my server is responding with ICMP ...
1 vote, 1 answer, 6k views
I can't configure firewalld with my custom rule xml
CentOS 7:
I dropped my XML in /etc/firewalld/services
when running
firewall-cmd --permanent --zone=public --add-service=rules.xml
all I get is "Error: INVALID_SERVICE: rules"
When running firewall-...
1 vote, 1 answer, 681 views
Firewalld: allow only certain source and destination port pairs
I am using firewalld to configure my firewall. I tried to create a service that allows a specific pair of source and destination ports:
<?xml version="1.0" encoding="utf-8"?>
<service>
&...
1 vote, 1 answer, 827 views
firewalld and localhost address translation
I have a server with Red Hat 7.1 which has two IP addresses, a public one available on the internet on interface bond1 and a private one on the corporate LAN on interface bond0.
I have apache 2.4 ...
1 vote, 1 answer, 3k views
Port forwarding to VM using firewalld
I have been looking and not able to find anything about how to solve this problem. I am trying to set up port forwarding to a VM (qemu) on a CentOS 7 Server.
Trying to forward anything incoming on ...
1 vote, 1 answer, 30 views
Firewalld port redirect to rootless podman container
I have a podman container running rootless on ports 8080 and 8443. But I want to have access to them on ports 80 and 443.
This is working quite well with firewalld and this command:
firewall-cmd \
...
1 vote, 1 answer, 58 views
How can I setup FIREWALLD with IPSEC (StrongSwan) Site-to-Site to make PING work on Debian 12?
I have 3 nodes, each with a public and a local IP address:
Node A: edge router #1 (10.41.1.0/24)
Node B: edge router #2 (10.48.2.0/24)
Node C: VMS with Debian 12, docker containers and firewalld (ex. 172....
1 vote, 0 answers, 665 views
How can I create a firewalld rule that allows SSH connections only from a specific IP address?
I am not a system engineer or a network expert (I am more a software developer) and I have the following problem that I have to solve related to the iptables firewall.
I have n Linux machines that must ...
1 vote, 0 answers, 412 views
Stuck on converting firewalld direct rule syntax to rich rule syntax
I've been googling around to try to translate an iptables script I use for some wireguard rules into native firewalld rules, since all the docs I've been reading about iptables indicate that:
...
1 vote, 1 answer, 533 views
Firewalld DNAT Subnet translation
I want to translate subnets using firewalld.
I have an Ethernet interface that should translate incoming packets targeting
192.168.1.0/24 to 192.168.178.0/24.
My home network is 192.168.8.0/24
I ...
1 vote, 0 answers, 663 views
Firewalld open all ports except one
With firewalld, I am trying to allow all ports except one for everyone, as that port must be enabled for a specific host, and I have tried the following:
firewall-cmd --permanent --zone=public --add-...
1 vote, 0 answers, 42 views
Is it possible to use iptables ipset together with firewalld?
Currently, I am using firewalld and now I need to use iptables ipset, so I was wondering if I can use iptables ipset alongside firewalld and, if I can, how I should be doing that.
1 vote, 0 answers, 492 views
How to configure firewalld, port-forward to specific VM:port and permit VM to external
I have a KVM/libvirt environment as follows.
em1(external)
|
bridge0
/ | \
VM1 VM2 VM3
I hope to access VM1 (192.168.122.103) on port 9091 from external with the following.
# firewall-cmd -...
1 vote, 0 answers, 346 views
Routing Issue Between Interfaces under CentOS7/Firewalld
I use a Linux PC as my Internet gateway; it's running a fresh installation of CentOS 7 x64. I have one subnet (192.168.2.0/24) which is my regular Home network, and I have a second, separate subnet (...
1 vote, 1 answer, 690 views
How to route one subnet to another using firewalld CentOS 7
I have a CentOS 7 system, with a VPN host and one physical network interface.
I have my physical network interface assigned to public zone, while my VPN requests are going through trusted. Also, I ...
1 vote, 1 answer, 408 views
Per client firewall settings
I've successfully set up an OpenVPN-Server and can connect to it from the internet. Now I'm trying to implement per-client firewall rules so different clients can only connect to certain addresses in ...
1 vote, 0 answers, 3k views
TFTP Server With Red Hat 7
How do I set up a TFTP Server w/ Red Hat 7? This is a fresh VM install of RHEL 7.3. I'm using the RHEL 7 Installation Guide instructions at https://access.redhat.com/documentation/en-US/...
1 vote, 0 answers, 206 views
Linux Fedora run Firefox via pkexec sound issue
I would like to set up my Fedora Linux install so that I have control over outgoing traffic on a per application basis. In order to achieve this I have set up a firewall policy to drop everything from ...
0 votes, 1 answer, 101 views
Firewalld forwarding whole subnet
I have a network that looks like this:
MyPC:
eth0 10.208.65.80/18
Machine A (Linux, Running a WebServer)
eth0 10.208.65.101/18
eth1 192.168.2.1/24
firewalld zones:
sudo firewall-cmd --list-all-zones
...
0 votes, 1 answer, 817 views
How does firewalld "ingress" and "egress" work compared to the 'classic' way of masquerading IPs?
I'm currently on the second iteration of a home router I built myself.
On the 'original' build, I essentially wrapped the 'standard' commands in firewalld rich rules
On V1
firewall-cmd --direct --add-...
0 votes, 1 answer, 836 views
Adding a firewalld service closes the required port instead of opening it
I have a fresh install of Rocky Linux 9 on a Linode Shared CPU instance. I just installed firewalld to get it set up. By default it has the http and ssh services enabled.
Doing an nmap scan at this ...
0 votes, 1 answer, 569 views
How can I block (ssh) traffic from source ports other than a pre-defined one?
A VPS gets lots of SSH attacks. Those attacks come from various source ports:
sshd[76661]: Invalid user ts3server from 76.103.161.19 port 33062
sshd[76661]: Received disconnect from 76.103.161.19 port 33062:...
0 votes, 1 answer, 465 views
CentOS 7 - Load settings for iptables at OS startup
I would like to load the settings below for iptables on CentOS 7 at OS startup using a bash script.
How can I do this?
#!/bin/bash
iptables -I OUTPUT -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD -d 0....
0 votes, 1 answer, 2k views
Linux - FirewallD - Why is ping blocked?
I know that the drop zone (my default zone) in FirewallD blocks all incoming traffic, including ICMP, so also ping.
The FedoraWorkstation zone does not block ICMP.
But where can I see this? If I apply ...
0 votes, 1 answer, 1k views
How to make UFW work with firewalld on CentOS 7?
I've installed UFW on a fresh CentOS 7 installation, but it doesn't open the ports. I'm configuring UFW as I would on a Debian system:
sudo ufw default deny incoming
sudo ufw default allow outgoing
...
0 votes, 1 answer, 159 views
How to create a firewall rule, to block a website for a particular user? [closed]
Can anybody help me to make a firewall rule to block a particular website for a particular user? I have a Linux operating system and am trying to make that OS like a firewall.
0 votes, 1 answer, 7k views
firewalld, only allowing SSH from specific IP which is part of a different zone
My goal is to serve ldap to every client on 172.26.143.0/24 but SSH must only be available to 172.26.143.3. I have tried with the following:
# This is where eth0 is and no services/ports are assigned ...