= Linux and PF firewalls commands cheat sheet :homepage: https://yurisk.info :toc: Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/ == Firewalld daemon management (Red Hat based distributions) === Enable, disable, reload the daemon [cols=2, options="header"] |=== |Command |Description |*systemctl disable/enable firewalld* |Disable/enable firewalld, survives reboot. |*systemctl stop firewalld* |Stop firewalld until started manually or reboot. |*firewall-cmd --reload* |Reload firewall rules to make your changes active, keeping the state table. Active sessions do not disconnect. On finishing reload will output `success`. |*systemctl restart firewalld* |Restart the daemon, without resetting the active connections. Use in case of problems with the daemon. |*firewall-cmd --complete-reload* |Reload firewall completely, disconnecting the active connections. When nothing else helps. |=== === List rules, status, additional info [cols=2, options="header"] |=== |Command |Description |*firewall-cmd --state* |Show firewall daemon status |*firewall-cmd --list-all* |List currently active rules |*firewall-cmd --get-default-zone* | Show the default zone for interfaces. |*firewall-cmd --get-zones* |List all available zones |*firewall-cmd --get-active-zones* | Show active zones, including to which zone each interface belongs. |*firewall-cmd --list-all-zones* |List all zones with their rules and associated interfaces. |*firewall-cmd --add-service * |Add predefined service by name to the default zone, with action ACCEPT, e.g. `firewall-cmd -add-service ftp` . |=== === Open, close ports [cols=2, options="header"] |=== |Command |Description |*firewall-cmd --add-port=_port-number_/_protocol_* |Open in incoming _port-number_ of the _protocol_. E.g. open incoming to TCP port 5900 from any: `firewall-cmd --add-port=5900/tcp` |*firewall-cmd --remove-port=_port-number_/_protocol_* |Close the open _port-number_. E.g. close the open port 5900/tcp: `firewall-cmd --remove-port=5900/tcp` |*firewall-cmd --runtime-to-permanent* |Make the changed rules permanent to survive reboot. |=== == Ubuntu Uncomplicated Firewall (ufw) .ufw management commands [cols=2, options="header"] |=== |Command |Description |*ufw status* |Show whether the firewall is on and if on, list the active rules. |*ufw enable* |Enable firewall. |*ufw disable* |Disable firewall |*ufw reload* |Reload firewall and rules. |*ufw allow * | Allow some service in any direction from/to any IP address using so called `simple` rule syntax. The service names are as per `/etc/services`. E.g. to allow ssh from any: `ufw allow ssh`. |*/etc/ufw/before.rules* |Some rules are pre-allowed by default, to change them edit this file and reload the firewall. |=== == PF (Packet Filter) management for FreeBSD & OpenBSD [cols=2, options="header"] |=== |Command |Description |*pfct -d* |Disable PF in place, does not survive reboot. |*pfctl -ef /etc/pf.conf* |Enable PF and load the rule set from file `/etc/pf.conf` in one go. |*pfctl -nf /etc/pf.conf* |Parse security rules stored in a file without installing them (dry run). |*pass in quick on egress from 62.13.77.141 to any* | 'Quick' rule (means allows this traffic on all interfaces, otherwise we would need 2nd rule allowing this traffic in _outgoing_ direction on egress interface) to allow incoming ANY port/protocol with the source being `62.13.77.141` and destination being ANY IP address behind the PF firewall. NOTE: here, `egress` is not a direction, but a group name to which the interface in question (`em0`) belongs to. In OpenBSD you set it in a file `/etc/hostname.em0: group egress` or in real-time with the command: `ifconfig em0 group egress`. |===