How do I display the entire firewalld state?

Question

I'm trying to work out why a firewall is not behaving as I think I've asked it to behave, and thus trying to work out how to get firewalld to show its complete set of rules, in some format resembling an iptables configuration file. Or some other format – I don't much care – as long as it's as least as readable as an iptables or pf configuration (ie, this is a pretty low bar to clear!).

Commands like firewall-cmd --list-all ‘List everything added for or enabled in zone.’ But that just lists interfaces, services, and so on, with no further detail. I can't see a --list-all-no-really-everything option.
I thought I had found it when I read about the direct rules, but I see that that only applies to rules added as extra ‘direct’ rules, and isn't the trapdoor into the engine room that it first appeared.
I see the configuration files in /etc/firewalld and the defaults in /usr/lib/firewalld. But while this is promising at first glance, and beautifully commented, it doesn't seem to actually tell me much about the current state. Questions like this one are about exporting rules (for moving elsewhere), and suggests that this is all there is (I'm guessing that ports mentioned in services mentioned in the public zone are blocked for incoming...?).

My understanding (correct me if I'm wrong) is that firewalld has something iptables-like inside, which is doing all the actual work, and it has some sort of state which --reload can find and, well,... reload. That is the state which I'm hoping to find.

Perhaps I'm dim, but I find the overall level of indirection and helpfulness of firewall-cmd completely unintelligible. Yes, famously ‘every problem in computing science can be solved by adding another layer of indirection’, but sometimes this can be taken to extremes.

I may not have a firewall problem at all, but I can't work out enough about the firewall state to rule that out. Is there a case for switching to iptables (I wonder in desperation)? It's more fuss to set up, and easy to get things wrong, but at least I have some idea what's happening.

I'm very open to frame challenges, or to being told I'm barking up the wrong tree.

score 10 · Accepted Answer · edited Apr 16 '24 at 08:22

I would generally recommend to look at the actual firewall rule sets the Linux kernel is running, rather than trying to diagnose more complex firewall issues from "user-friendly" tools such as firewalld (or similarly UFW and others) and the abstraction layer such tools provide. Often once you understand the underlying issues you can easily resolve them in a matter supported by those tools.

Although some people like [sudo] iptables-save for me the command [sudo] iptables -L -v -n is better.
Often when discussing configurations it is useful to use the --line-numbers option as well to see line numbers. Mentioning rule #X makes a discussion somewhat easier. Remember though that by default iptables only displays the FILTER table and you need to specify other tables with the -t [ nat | mangle | raw] switch.

When the nftables backend is used by firewalld, use nft list ruleset instead.

(For me firewalld is effectively yet another front-end to create rulesets that will be loaded into the Linux netfilter kernel modules. You can still manipulate those backends with their native and more low level tools such as iptables or the more modern nftables successor tools. The picture below shows what other backends firewalld can use and bring together.)

score 8 · Answer 2 · answered Feb 10 '23 at 08:42

The accepted answer is correct, I'd just like to add for others coming for this answer that firewall-cmd --list-all-zones gives a very good overview of all the zones and their rules (same output as --list-all, but for all zones at once).

i.e.

[root@sso-staging-01 ~]# firewall-cmd --list-all-zones
[root@sso-staging-01 ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.18.16.0/20
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.15.232.0/23
  services: VRRP https
  ports: 6556/tcp 443/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
legacy (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 128.0.0.0/24
  services: https
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dns ssh
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: 
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 172.10.1.0/24 172.10.3.0/24
  services: http https ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
work (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.10.0.0/16
  services: http https
  ports: 80/tcp 443/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

How do I display the entire firewalld state?

2 Answers2