What is FirewallD?
FirewallD (Firewall Daemon) is a good alternative to iptables: it is simpler and easier to understand and configure. If you’re running Virtualmin on either CentOS or Ubuntu, your system will also be configured to use FirewallD by default.
Here is a cheat sheet to assist with some common FirewallD actions.
How to Block an IP Address Using FirewallD
To block an IP address using FirewallD, do the following:
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.x.x.x reject' --permanent
Then reload FirewallD so the permanent rule becomes active:
To check that the rule is present:
How to Remove a Rich Rule
firewall-cmd --remove-rich-rule='rule family=ipv4 source address=10.x.x.x reject' --permanent
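The following POSIX sh helpers are an added example and not part of the original post. They wrap the commands above: the address is validated before it is interpolated into the rich rule (so nothing but a dotted-quad address can end up in the rule string), the permanent rule is added or removed and FirewallD reloaded with the standard firewall-cmd --reload, and the runtime rule list from firewall-cmd --list-rich-rules is searched for the address. The function names and the FIREWALL_CMD override are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): small POSIX sh helpers around the
# firewall-cmd rich-rule commands. The names is_ipv4, rich_rule, block_ip,
# unblock_ip and is_blocked are this example's own. FIREWALL_CMD can be pointed
# at a stand-in (e.g. FIREWALL_CMD=echo) to dry-run without root.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
# Validating here keeps stray characters (spaces, quotes, extra rule words)
# out of the rule string handed to firewall-cmd.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Print the rich rule in the same form as the post:
# $1 = IPv4 address, $2 = action (reject or drop).
rich_rule() {
    printf 'rule family=ipv4 source address=%s %s' "$1" "$2"
}

# Add a permanent reject rule for $1, then reload so it is active now as well.
block_ip() {
    is_ipv4 "$1" || { echo "block_ip: not an IPv4 address: $1" >&2; return 2; }
    "$FIREWALL_CMD" --permanent --add-rich-rule="$(rich_rule "$1" reject)" &&
        "$FIREWALL_CMD" --reload
}

# Remove the permanent reject rule for $1 and reload.
unblock_ip() {
    is_ipv4 "$1" || { echo "unblock_ip: not an IPv4 address: $1" >&2; return 2; }
    "$FIREWALL_CMD" --permanent --remove-rich-rule="$(rich_rule "$1" reject)" &&
        "$FIREWALL_CMD" --reload
}

# Check the runtime rich rules for a source-address rule matching $1.
# firewall-cmd prints values quoted (address="10.1.2.3"), so accept both forms,
# and anchor the match so 10.1.2.3 does not match 10.1.2.30.
is_blocked() {
    is_ipv4 "$1" || return 2
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    "$FIREWALL_CMD" --list-rich-rules | grep -qE "source address=\"?${esc}\"?"'( |$)'
}

# Typical use (requires root and a running firewalld):
#   block_ip 10.0.0.5 && is_blocked 10.0.0.5 && echo blocked
```

Run it as root on a host with firewalld for real changes; with FIREWALL_CMD=echo the functions only print the firewall-cmd arguments they would pass, which is a convenient way to review a rule before applying it.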
How to Remove All Rich Rules
Edit the file
Removing a Rich Rule Is Not Working
In some situations the rules may have been added dynamically by Fail2ban, in which case you can’t simply remove them with
--remove-rich-rule, because the system doesn’t consider them permanent. In that case, use the command below:
fail2ban-client set sshd unbanip a.b.c.d
Blocking and Unblocking SSH on Non-default Ports
If you’ve changed your SSH port to something other than 22, FirewallD and Fail2ban might not properly detect the change. You’ll notice multiple
“already banned” events in the Fail2ban log file. To get this working, you have to tell FirewallD that SSH is on a non-standard port. As of 24 September 2021 we haven’t found a reliable way of doing this, but if you have any tips please leave us a comment below.
For more in-depth information, follow the references.