How to block an IP address using FirewallD

What is FirewallD?

FirewallD (Firewall Daemon) is a front end to the Linux packet filter that is simpler to understand and configure than raw iptables rules. If you're running Virtualmin on either CentOS or Ubuntu, your system is configured to use FirewallD by default.

Here is a cheat sheet to assist with some common FirewallD actions.

How to Block an IP Address Using FirewallD

To block an IP address using FirewallD, add a rich rule that rejects traffic from that source. Replace 10.x.x.x with the address to block. The --permanent flag writes the rule to the zone configuration on disk, so it does not take effect until the next reload:

firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.x.x.x reject' --permanent

Then reload firewalld so the permanent rule becomes active:

firewall-cmd --reload

To check that the rule is present:

firewall-cmd --list-all

How to Remove a Rich Rule

Remove the rule from the permanent configuration (the same rule text you added), then reload as above:

firewall-cmd --remove-rich-rule='rule family=ipv4 source address=10.x.x.x reject' --permanent

How to Remove All Rich Rules

Rich rules are stored as <rule> elements in the zone file, so edit /etc/firewalld/zones/public.xml (for the public zone), delete the rule entries you no longer want, and reload firewalld.

Reference: https://serverfault.com/questions/733896/is-there-a-way-to-flush-a-whole-zones-rich-rules-on-firewalld

Caveats

Removing a rich rule does not work

In some situations rules may have been added dynamically by Fail2ban, in which case you can't just remove them with --remove-rich-rule, as the system doesn't consider them permanent. In that case, ask Fail2ban to lift the ban instead (sshd is the jail name, a.b.c.d the banned address):

fail2ban-client set sshd unbanip a.b.c.d
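The block, verify and remove workflow above, together with the runtime-only rule caveat just described, as an added shell example that is not part of the original article. It assumes firewall-cmd is on PATH and acts on the default zone; the addresses in comments and tests are constructed samples, and the Fail2ban jail name is left for the reader to fill in.

```shell
#!/bin/sh
# Added example, not from the original article. Wraps the rich-rule workflow
# above: build the rule, add it permanently, reload, verify, and remove it.
# Assumes firewall-cmd is on PATH and acts on the default zone. Addresses
# used in comments and tests are constructed samples.

# Print the rich rule for an IPv4 address (optionally with a /prefix), or
# fail without printing anything when the argument is not a plain dotted
# quad, so nothing unexpected is passed on to firewalld.
block_rule_for() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    printf 'rule family=ipv4 source address=%s reject\n' "$1"
}

# Succeed if the exact rule is one of the lines on stdin, i.e. the output of
# "firewall-cmd --list-rich-rules" (runtime set) or the same with --permanent
# (saved configuration).
rule_listed() {
    grep -Fxq -- "$1"
}

# Add the rule permanently and reload so the running firewall picks it up.
block_ip() {
    rule=$(block_rule_for "$1") || { echo "invalid address: $1" >&2; return 1; }
    firewall-cmd --permanent --add-rich-rule="$rule" && firewall-cmd --reload
}

# Remove the rule from the saved configuration and reload. A rule that only
# exists at runtime (the Fail2ban case from the caveat) is absent from the
# permanent listing, so it is reported rather than silently left in place.
unblock_ip() {
    rule=$(block_rule_for "$1") || { echo "invalid address: $1" >&2; return 1; }
    if firewall-cmd --permanent --list-rich-rules | rule_listed "$rule"; then
        firewall-cmd --permanent --remove-rich-rule="$rule" && firewall-cmd --reload
    elif firewall-cmd --list-rich-rules | rule_listed "$rule"; then
        echo "$1 is blocked by a runtime-only rule (likely Fail2ban);" \
             "use: fail2ban-client set <jail> unbanip $1" >&2
        return 2
    else
        echo "no reject rule found for $1" >&2
        return 1
    fi
}

# Usage (as root): block_ip 10.0.0.5 ; unblock_ip 10.0.0.5
```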

Blocking and Unblocking SSH on Non-default Ports

If you've changed your SSH port to something other than 22, FirewallD and Fail2ban might not detect the change properly: you'll notice repeated "already banned" events in the Fail2ban log file. To get this working, you have to tell FirewallD that SSH is on a non-standard port. As of 24 September 2021 we haven't found a reliable way of doing this, but if you have any tips please leave us a comment below.

For more in-depth information, follow the references.

See Also

How to check and remove IPs from fail2ban
