0

My question is: how can I retain the existing configuration I have with firewalld and also drop all other connections if there is no specific rule for them?

I have the following firewall configuration:

[root@server ~]$ firewall-cmd --get-default-zone
public

[root@server ~]$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ssh dhcpv6-client
  ports: 123/udp 514/tcp 514/udp 5514/udp 5514/tcp 9200/tcp 9300/tcp 5044/tcp 53/udp 443/tcp 5000/tcp 55000/tcp 1516/tcp 1515/tcp 1514/tcp
  protocols:
  masquerade: yes
  forward-ports: port=514:proto=udp:toport=5514:toaddr=
        port=514:proto=tcp:toport=5514:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:

How would I go about using the rules I have configured and still drop by default? Because if I do iptables -L I can see that the default policy is ACCEPT:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
nillenilsson
  • 143
  • 1
  • 8

2 Answers

0

From the docs:

public

For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

Which means you are already dropping everything that is not explicitly allowed. You can also get this from the line:

target: default

The default target is REJECT, which is hardcoded in firewalld.

stackprotector
  • 445
  • 1
  • 3
  • 20
0

When using firewalld/firewall-cmd, forget all about iptables if you're running a recent Enterprise Linux (8 and above).

The output from the iptables command is irrelevant and will confuse you, as it confused me in the beginning.

There are lots of docs about firewalld on the Internet, but most are not very helpful to someone who is used to a simple traditional firewall.

One answer that I found very helpful is this one: https://serverfault.com/a/680789/50874

MattBianco
  • 587
  • 1
  • 6
  • 23
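To make concrete why the iptables "policy ACCEPT" in the question is not the effective default, here is an added check script (not from either answer or the firewalld project). It walks an `iptables -S INPUT` dump, the rule-spec form that shows match criteria `-L` without `-v` hides (in firewalld's rule set the bare "ACCEPT all anywhere anywhere" line is the loopback rule `-i lo`), and reports the first rule that terminates a packet matching nothing else; the sample dump is constructed to resemble what firewalld installs, and user chains are assumed to RETURN.

```shell
#!/bin/sh
# Added example, not from the thread. The chain policy (-P) only applies to
# packets that fall off the end of INPUT; firewalld's final unconditional
# REJECT rule means no packet ever gets that far.

# Constructed sample in the shape firewalld installs (assumed, not captured
# from a live host). INPUT_direct/INPUT_ZONES* are user chains that RETURN
# when no zone rule matches, so they never decide an unmatched packet's fate.
SAMPLE='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# unmatched_fate DUMP: prints ACCEPT, DROP or REJECT for a packet that matches
# no conditional rule. A rule is conditional when anything sits between the
# chain name and -j (e.g. -i lo, -m conntrack ...). Jumps to user-defined
# chains are assumed to RETURN. Only if no unconditional terminating rule
# exists does the chain policy (-P) decide.
unmatched_fate() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" { policy = $3; next }
        $1 == "-A" {
            for (j = 3; j <= NF && $j != "-j"; j++) ;   # skip match criteria
            if (j > 3) next                               # conditional rule
            t = $(j + 1)
            if (t == "ACCEPT" || t == "DROP" || t == "REJECT") {
                print t; found = 1; exit
            }
        }
        END { if (!found) print policy }'
}

# Use the live ruleset when available (needs root and iptables), else the
# constructed sample above.
if iptables -S INPUT >/dev/null 2>&1; then
    DUMP=$(iptables -S INPUT)
else
    DUMP=$SAMPLE
fi
echo "fate of an inbound packet matching no firewalld rule: $(unmatched_fate "$DUMP")"
```

On the question's host this reports REJECT, matching the `reject-with icmp-host-prohibited` line at the bottom of the dump; switching the zone to `--set-target=DROP` would make it report DROP instead.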