no iptables no more – some things change faster than you can say „beneune“…

check if it is installed and enabled ("enabled" means it starts at boot; it does not by itself prove the daemon is running right now, systemctl status firewalld shows that):

systemctl list-unit-files|grep firewall
firewalld.service enabled
# if it is not running, start it
systemctl start firewalld

check what ports are used on your system:

nmap localhost; # quick: by default only the 1000 most common ports, and only on 127.0.0.1, so a service bound only to the external interface does not show up here

Starting Nmap 6.40 ( http://nmap.org ) at 2018-08-23 08:42 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000029s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: dwaves.org
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
443/tcp  open  https
587/tcp  open  submission
...
nmap -v -A  localhost; # slow: adds version detection, OS fingerprinting and default scripts; the same loopback caveat applies

lsof -i -P -n; # every open socket, numeric ports and hosts, with the owning process
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd     564   chrony    1u  IPv4  14365      0t0  UDP 127.0.0.1:323 
chronyd     564   chrony    2u  IPv6  14366      0t0  UDP [::1]:323 
dhclient    804     root    6u  IPv4  14940      0t0  UDP *:68 
sshd        983     root    3u  IPv4  15912      0t0  TCP *:22 (LISTEN)
sshd        983     root    4u  IPv6  15914      0t0  TCP *:22 (LISTEN)

netstat -pantu; # all tcp/udp sockets with pid and program (net-tools; ss -tulpn is the iproute2 equivalent on newer systems)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      983/sshd            
tcp        0    232 yy.yyy.yyy.yyy:22       xx.xxx.xx.xx:58344      ESTABLISHED 14973/sshd: user 

# check what program is using a specific port
netstat -pantu|grep 587
tcp6       0      0 :::587                  :::*                    LISTEN      3851/docker-proxy-c 
lsof -i -P -n|grep 587
docker-pr  3851     root    4u  IPv6 195557      0t0  TCP *:587 (LISTEN)
# here a Docker container publishes 587, not the host MTA; Docker writes its own iptables rules,
# so a published port is reachable regardless of the firewalld zone configuration
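To turn the listings above into a repeatable check, the following script (an added example, not part of the original post) parses netstat -pantu output and compares the ports bound on a wildcard address against the ports firewalld opens in the zone. Both inputs are constructed samples in the layout shown above; on a real host replace them with the live output of netstat -pantu and of firewall-cmd --zone=public --list-ports, adding the ports of every entry in --list-services (firewall-cmd --info-service=NAME prints them; ssh is in the public zone by default). The variable and function names are this example's own, and port ranges in the firewalld list are compared literally, which is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): listening sockets vs. firewalld ports.
# A socket bound to 127.0.0.1 is never reachable from outside, so only wildcard
# binds (0.0.0.0 / ::) count as "listening" here.

# Constructed sample of `netstat -pantu` output (same layout as above, abridged)
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      983/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1200/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1305/httpd
tcp        0    232 10.0.0.5:22             203.0.113.9:58344       ESTABLISHED 14973/sshd: user
tcp6       0      0 :::587                  :::*                    LISTEN      3851/docker-proxy
tcp6       0      0 :::3306                 :::*                    LISTEN      2210/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           804/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           564/chronyd'

# Constructed sample of the ports firewalld opens in the zone: the output of
# `firewall-cmd --zone=public --list-ports` plus 22/tcp from the default "ssh" service
SAMPLE_FW_PORTS='22/tcp 80/tcp 443/tcp 587/tcp'

listening_ports() {
  # stdin: netstat -pantu output; stdout: "port/proto" for sockets bound on a wildcard address
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      proto = substr($1, 1, 3)
      n = split($4, a, ":"); port = a[n]                  # text after the last ":" is the port
      host = substr($4, 1, length($4) - length(port) - 1)  # everything before it is the address
      if (host != "0.0.0.0" && host != "::" && host != "*") next  # loopback or specific bind
      if (proto == "tcp" && $6 != "LISTEN") next                  # skip established/time-wait
      print port "/" proto
    }' | LC_ALL=C sort -u
}

fw_ports() {
  # stdin: space separated "80/tcp 443/tcp ..." as printed by firewall-cmd; stdout: one per line
  tr ' ' '\n' | grep -E '^[0-9]+(-[0-9]+)?/(tcp|udp)$' | LC_ALL=C sort -u
}

audit_ports() {
  # $1: netstat output, $2: firewalld port list; prints one tagged line per finding
  tmp=$(mktemp -d) || return 1
  printf '%s\n' "$1" | listening_ports > "$tmp/listening"
  printf '%s\n' "$2" | fw_ports > "$tmp/opened"
  # EXPOSED: reachable from the zone; BLOCKED: a daemon listens but firewalld drops the
  # traffic (verify that is intended); STALE: a rule opens a port nobody listens on
  LC_ALL=C comm -12 "$tmp/listening" "$tmp/opened" | sed 's/^/EXPOSED /'
  LC_ALL=C comm -23 "$tmp/listening" "$tmp/opened" | sed 's/^/BLOCKED /'
  LC_ALL=C comm -13 "$tmp/listening" "$tmp/opened" | sed 's/^/STALE /'
  rm -rf "$tmp"
}

audit_ports "$SAMPLE_NETSTAT" "$SAMPLE_FW_PORTS"
```

In the sample the MySQL listener on 3306 is reported as BLOCKED (not opened in the zone, which is usually what you want) and 443/tcp as STALE (opened, but no webserver bound to it yet); review BLOCKED entries for daemons that should not listen on the wildcard address at all, and remove STALE rules so the zone only opens what is actually served.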
  • IMAP uses port 143, but implicit SSL/TLS encrypted IMAP (IMAPS) uses port 993.
  • POP3 uses port 110, but implicit SSL/TLS encrypted POP3 (POP3S) uses port 995.
  • SMTP uses port 25 (server to server), mail submission by clients uses port 587, and implicit SSL/TLS encrypted SMTP (SMTPS) uses port 465.

  On the plain ports (143, 110, 25, 587) the connection can still be upgraded to TLS with STARTTLS, so opening 143 does not by itself mean the traffic is in the clear.

open a port, permanently (--permanent only writes the rule to the configuration, it becomes active after --reload; without --permanent the rule is applied at once but is lost on the next reload or reboot):

# http webserver unencrypted
firewall-cmd --zone=public --add-port=80/tcp --permanent
# https webserver encrypted (Let's Encrypt SSL)
firewall-cmd --zone=public --add-port=443/tcp --permanent
# ssh (already allowed in the public zone by default through the "ssh" service, so normally not needed)
firewall-cmd --zone=public --add-port=22/tcp --permanent

# SMTP (Simple Mail Transfer Protocol)
firewall-cmd --zone=public --add-port=25/tcp --permanent

# IMAP (Internet Message Access Protocol), plain or STARTTLS
firewall-cmd --zone=public --add-port=143/tcp --permanent

# IMAPS, imap over implicit SSL/TLS
firewall-cmd --zone=public --add-port=993/tcp --permanent
# when done activate the rules by reload
firewall-cmd --reload

„The former firewall model with system-config-firewall/lokkit was static and every change required a complete firewall restart. This included also to unload the firewall netfilter kernel modules and to load the modules that are needed for the new configuration. The unload of the modules was breaking stateful firewalling and established connections.

The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon cannot parse firewall rules added by the ip*tables and ebtables command line tools.

The daemon provides information about the current active firewall settings via D-BUS and also accepts changes via D-BUS using PolicyKit authentication methods.“

official homepage http://firewalld.org

src: https://fedoraproject.org/wiki/Firewalld?rd=FirewallD

How to block/ban a certain ip (reject answers with an ICMP error, which tells the sender that a firewall is there; use drop instead of reject to discard silently; for an IPv6 source use family='ipv6'; without --zone the rule goes into the default zone):

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='xx.xxx.xx.xx' reject"
firewall-cmd --reload
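Banning one address by hand is fine, but a ban list typed from an abuse log is where typos end up in the firewall. The following script (an added example, not part of the original post) builds the rich rule for each address, picks the family from the address itself, validates IPv4/IPv6 addresses and CIDR prefixes before anything reaches firewall-cmd, and prints the commands for review instead of executing them. BAN_LIST and the function names are this example's own; the addresses are documentation ranges constructed for the example, and the IPv6 check is a basic sanity check (firewalld itself validates the rule again).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): generate firewalld rich rules for a ban list.
# "reject" (as in the post) answers with an ICMP error, "drop" discards silently.

# Constructed ban list for this example (RFC 5737 / RFC 3849 documentation ranges,
# plus two deliberately broken entries)
BAN_LIST='203.0.113.45
198.51.100.0/24
2001:db8::bad:1
2001:db8:1::/48
300.1.1.1
not-an-address'

addr_family() {
  # $1: address or CIDR; prints ipv4 or ipv6, returns 1 on malformed input
  addr=$1
  case $addr in
    */*) ip=${addr%%/*}; plen=${addr#*/}; [ -n "$plen" ] || return 1 ;;
    *)   ip=$addr; plen='' ;;
  esac
  if printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    # every octet <= 255, prefix length (if any) numeric and <= 32
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    case $plen in '') ;; *[!0-9]*) return 1 ;; *) [ "$plen" -le 32 ] || return 1 ;; esac
    echo ipv4; return 0
  fi
  # IPv6: hex digits and colons only, at most one "::", no group longer than 4 digits
  case $ip in *:*) ;; *) return 1 ;; esac
  printf '%s' "$ip" | grep -Eq '^[0-9A-Fa-f:]+$' || return 1
  case $ip in *::*::*|*:::*) return 1 ;; esac
  if printf '%s' "$ip" | grep -Eq '[0-9A-Fa-f]{5}'; then return 1; fi
  case $plen in '') ;; *[!0-9]*) return 1 ;; *) [ "$plen" -le 128 ] || return 1 ;; esac
  echo ipv6
}

ban_rule() {
  # $1: address or CIDR, $2: reject (default, as in the post) or drop; prints the rich rule
  fam=$(addr_family "$1") || { echo "skipping invalid address: $1" >&2; return 1; }
  action=${2:-reject}
  case $action in reject|drop) ;; *) echo "unknown action: $action" >&2; return 1 ;; esac
  printf "rule family='%s' source address='%s' %s\n" "$fam" "$1" "$action"
}

ban_commands() {
  # stdin: one address per line; stdout: the firewall-cmd invocations to review, then run
  action=${1:-reject}; n=0
  while IFS= read -r addr; do
    [ -n "$addr" ] || continue
    rule=$(ban_rule "$addr" "$action") || continue
    printf 'firewall-cmd --permanent --add-rich-rule="%s"\n' "$rule"
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] && echo 'firewall-cmd --reload'   # permanent rules only apply after a reload
  return 0
}

printf '%s\n' "$BAN_LIST" | ban_commands drop
```

Run it, read the generated commands (the two broken entries are reported on stderr and skipped), then pipe the output into sh to apply them; the trailing firewall-cmd --reload is what makes the permanent rules active.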

admin