= Linux and PF firewalls commands cheat sheet Yuri Slobodyanyuk v1.0, 2020-09-01 :homepage: https://yurisk.info Author: Yuri Slobodyanyuk, admin@yurisk.info == Firewalld daemon management (Red Hat based distributions) .firewall-cmd commands [cols=2, options="header"] |=== |Command |Description |*firewall-cmd --state* |Show firewall daemon status |*firewall-cmd --list-all* |List currently active rules |*firewall-cmd --reload* |Reload firewall keeping the state table. Active sessions do not disconnect. On finishing reload will output `success`. |*firewall-cmd --get-default-zone* | Show the default zone for interfaces. |*firewall-cmd --get-zones* |List all available zones |*firewall-cmd --get-active-zones* | Show active zones, including to which zone each interface belongs. |*firewall-cmd --list-all-zones* |List all zones with their rules and associated interfaces. |*firewall-cmd -add-service * |Add predefined service by name to the default zone, with action ACCEPT, e.g. `firewall-cmd -add-service ftp` . |=== == Ubuntu Uncomplicated Firewall (ufw) .ufw management commands [cols=2, options="header"] |=== |Command |Description |*ufw status* |Show whether the firewall is on and if on, list the active rules. |*ufw enable* |Enable firewall. |*ufw disable* |Disable firewall |*ufw reload* |Reload firewall and rules. |*ufw allow * | Allow some service in any direction from/to any IP address using so called `simple` rule syntax. The service names are as per `/etc/services`. E.g. to allow ssh from any: `ufw allow ssh`. |*/etc/ufw/before.rules* |Some rules are pre-allowed by default, to change them edit this file and reload the firewall. |=== == PF (Packet Filter) management for FreeBSD & OpenBSD [cols=2, options="header"] |=== |Command |Description |*pfct -d* |Disable PF in place, does not survive reboot. |*pfctl -ef /etc/pf.conf* |Enable PF and load the rule set from file `/etc/pf.conf` in one go. |*pfctl -nf /etc/pf.conf* |Parse security rules stored in a file without installing them (dry run). |*pass in quick on egress from 62.13.77.141 to any* | 'Quick' rule (means allows this traffic on all interfaces, otherwise we would need 2nd rule allowing this traffic in _outgoing_ direction on egress interface) to allow incoming ANY port/protocol with the source being `62.13.77.141` and destination being ANY IP address behind the PF firewall. NOTE: here, `egress` is not a direction, but a group name to which the interface in question (`em0`) belongs to. In OpenBSD you set it in a file `/etc/hostname.em0: group egress` or in real-time with the command: `ifconfig em0 group egress`. |===