firewalld configuration

Dominic -


How do I use firewalld?


  • atmail suite
  • atmail mailserver

Configure firewalld for mail-server functionality.


This document is divided into three sections: Mailserver Configuration, Getting familiar with firewalld, and Further Configuration.

Mailserver Configuration

Check if firewalld is installed:

# which firewalld
/usr/bin/which: no firewalld in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin

If not installed, install firewalld:

# yum install firewalld

Check whether firewalld is enabled and started, and enable and start it if it is not:

# systemctl is-enabled firewalld
# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/firewalld.service.
# systemctl start firewalld
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-06-27 16:53:32 AEST; 5s ago

Ensure that firewalld is running:

# systemctl start firewalld

List the services currently allowed:

# firewall-cmd --list-services
dhcpv6-client ssh

Add the required services: HTTPS, SMTP, IMAP, POP3, DAV and DHCP (DHCP may be required in a testing environment). The services are added to the public zone with --permanent so that they survive a reload; 587/tcp and 8443/tcp are opened as explicit ports.

# firewall-cmd --zone=public --add-service=smtp --add-service=smtps --add-service=imap --add-service=imaps --add-service=pop3 --add-service=pop3s --add-service=https --add-service=dhcp --permanent
# firewall-cmd --zone=public --add-port=587/tcp --add-port=8443/tcp --permanent

Reload firewalld so that the --permanent changes are applied to the running configuration:

# firewall-cmd --reload

List the allowed services and ports and confirm that the additions above are present. Please note that by default Exim does not listen on 587/tcp, so opening that port is optional.

# firewall-cmd --list-all | grep 'services\|ports' | head -n 2
services: dhcpv6-client https imap imaps pop3 pop3s smtp smtps ssh
ports: 8443/tcp 587/tcp

A simple bash script containing the above default settings can be found here.
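As an added example (not the script the article links to and not part of atmail's documentation), the following bash check compares a zone dump with the service and port set opened above and reports what is missing or surplus; the sample dump is constructed from the --list-all output shown in this article. Run it on the output of firewall-cmd --list-all and again on firewall-cmd --permanent --list-all: a difference between the two dumps means a --permanent change was never followed by a reload.

```shell
#!/usr/bin/env bash
# Added example (not the script linked from the article): compare a firewalld zone
# dump with the mail-server services and ports opened above and report any drift.
# Feed it `firewall-cmd --zone=public --list-all`, then the same with --permanent:
# a difference between the two dumps means a --permanent change was never reloaded.
set -eu
# The set this page opens (dhcp is deliberately left out: it is for testing only).
WANT_SERVICES="ssh https smtp smtps imap imaps pop3 pop3s"
WANT_PORTS="587/tcp 8443/tcp"

# Constructed sample, copied from the --list-all output shown in the article.
SAMPLE_ZONE='public (active)
  interfaces: enp0s3
  services: dhcp dhcpv6-client https imap imaps pop3 pop3s smtp smtps ssh
  ports: 8443/tcp 587/tcp
  rich rules: '

# has_word WORD LIST: true if WORD is one of the space-separated LIST entries.
has_word() { case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }
# join2 A B: A and B separated by one space, with no stray space when one is empty.
join2() { printf '%s' "$1${1:+${2:+ }}$2"; }

# zone_field KEY DUMP: the space-separated values on the "KEY:" line of a dump.
zone_field() {
  printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}
# diff_words WANTED PRESENT: entries of WANTED that are absent from PRESENT.
diff_words() {
  local out="" w
  for w in $1; do has_word "$w" "$2" || out="$out $w"; done
  printf '%s' "${out# }"
}
# Wanted services/ports the zone does not open (empty when everything is there).
missing_items() {
  join2 "$(diff_words "$WANT_SERVICES" "$(zone_field services "$1")")" \
        "$(diff_words "$WANT_PORTS" "$(zone_field ports "$1")")"
}
# Services/ports the zone opens that the mail server does not need.
extra_items() {
  join2 "$(diff_words "$(zone_field services "$1")" "$WANT_SERVICES")" \
        "$(diff_words "$(zone_field ports "$1")" "$WANT_PORTS")"
}
# Report drift; the exit status is 0 only when nothing is missing (extras are not fatal).
check_zone() {
  local missing; missing=$(missing_items "$1")
  echo "missing: ${missing:-none}; extra: $(extra_items "$1")"
  [ -z "$missing" ]
}
check_zone "$SAMPLE_ZONE"   # prints: missing: none; extra: dhcp dhcpv6-client
```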

Getting familiar with firewalld

Firewalld is built around the concept of zones. Each zone is assigned a level of trust, which lets the firewall change dynamically as interfaces or sources move between zones. Although a server commonly stays on the same network for its whole life, understanding these core concepts eases configuration and administration of firewalld.

Before configuring any additional rules, it's important to know:

  • the default zone
  • the active zones and their interfaces
  • the summary of a zone

# firewall-cmd --get-default-zone
public
# firewall-cmd --get-active-zones
public
  interfaces: enp0s3
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  services: dhcp dhcpv6-client https imap imaps pop3 pop3s smtp smtps ssh
  ports: 8443/tcp 587/tcp
  masquerade: no
  rich rules:

Available services can be listed and added as demonstrated below. Remember that you need to pass the --permanent flag for the rule to survive a restart or reload of the service; conversely, a rule added only with --permanent is not active until you run firewall-cmd --reload (or add it a second time without --permanent). Ports are added in the same fashion and must be given as port/protocol.

# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula ...
# firewall-cmd --add-service=telnet --permanent
# firewall-cmd --add-port=53/udp --permanent

Services and ports can be removed from zones using the following:

# firewall-cmd --zone=public --remove-service=telnet --permanent
# firewall-cmd --zone=public --remove-port=53/udp --permanent

Further Configuration

Firewalld also comes with a built-in panic mode. When enabled, panic mode drops all incoming and outgoing packets and terminates all active connections. This may be useful if your service is under attack, but note that it also cuts any SSH session you are administering the host from, so only enable it when you have console access.

To query panic mode:

# firewall-cmd --query-panic

To turn ON panic mode:

# firewall-cmd --panic-on

To turn OFF panic mode:

# firewall-cmd --panic-off

ICMP blocks can be added to zones. To see the available ICMP types:

# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem ...

Query an ICMP block, add it and then confirm that it is listed:

# firewall-cmd --zone=public --query-icmp-block=echo-reply
# firewall-cmd --zone=public --add-icmp-block=echo-reply --permanent
# firewall-cmd --list-all | grep "icmp-blocks"
  icmp-blocks: echo-reply

Access for individual IP addresses can be managed using rich rules. Below, we add a rule for an address (192.0.2.10 is a documentation placeholder; substitute the address concerned), check its presence, then remove it.

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.0.2.10" accept'
# firewall-cmd --zone=public --list-all | grep "rule"
  rich rules:
    rule family="ipv4" source address="192.0.2.10" accept
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.0.2.10" accept'

For troubleshooting, logs can be located in /var/log/firewalld.

For further information, the official documentation for firewalld can be found here.

