no iptables no more – some things change faster than you can say „beneune“…

check if it is up and running:

systemctl list-unit-files|grep firewall
firewalld.service enabled
# if not start it
systemctl start firewalld

check what ports are used on your system:

nmap localhost; # quick

Starting Nmap 6.40 ( ) at 2018-08-23 08:42 CEST
Nmap scan report for localhost (
Host is up (0.000029s latency).
Other addresses for localhost (not scanned):
rDNS record for
Not shown: 993 closed ports
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
443/tcp  open  https
587/tcp  open  submission
nmap -v -A  localhost; # slow

lsof -i -P -n
chronyd     564   chrony    1u  IPv4  14365      0t0  UDP 
chronyd     564   chrony    2u  IPv6  14366      0t0  UDP [::1]:323 
dhclient    804     root    6u  IPv4  14940      0t0  UDP *:68 
sshd        983     root    3u  IPv4  15912      0t0  TCP *:22 (LISTEN)
sshd        983     root    4u  IPv6  15914      0t0  TCP *:22 (LISTEN)

netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0    *               LISTEN      983/sshd            
tcp        0    232 yy.yyy.yyy.yyy:22      ESTABLISHED 14973/sshd: user 

# check what program is using a specific port
netstat -pantu|grep 587
tcp6       0      0 :::587                  :::*                    LISTEN      3851/docker-proxy-c 
lsof -i -P -n|grep 587
docker-pr  3851     root    4u  IPv6 195557      0t0  TCP *:587 (LISTEN)
  • IMAP uses port , but implicit SSL/TLS encrypted IMAP uses port 
  • POP uses port , but implicit SSL/TLS encrypted POP uses port 
  • SMTP uses port , but implicit SSL/TLS encrypted SMTP uses port 
open a port, permanently:

# http webserver unencrypted
firewall-cmd --zone=public --add-port=80/tcp --permanent
# https webserver encrypted (Let's Encrypt SSL)
firewall-cmd --zone=public --add-port=443/tcp --permanent
# ssh
firewall-cmd --zone=public --add-port=22/tcp --permanent

# SMTP (Simple Mail Transfer Protocol)
firewall-cmd --zone=public --add-port=25/tcp --permanent

# IMAP (Internet Message Access Protocol); a STARTTLS upgrade happens on this same port
firewall-cmd --zone=public --add-port=143/tcp --permanent

# when done activate the rules by reload (--permanent rules are not live until then)
firewall-cmd --reload
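A check that follows from the steps above, added here and not part of the original post: it compares the ports the public zone allows (`firewall-cmd --zone=public --list-ports`) with the sockets actually listening (`ss -Hlntu`), so a stale or mistyped `--add-port` shows up as a rule with no listener, and a service listening with no rule shows up as something firewalld is silently dropping. The two command outputs are constructed samples embedded inline; on a live host replace them with the real output.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: reconcile firewalld's public-zone
# port list with the listening sockets, using constructed sample output.

# constructed sample of: firewall-cmd --zone=public --list-ports
FW_PORTS_SAMPLE="22/tcp 25/tcp 80/tcp 443/tcp 143/tcp 8080/tcp"
# constructed sample of: ss -Hlntu  (listening tcp/udp sockets, numeric, no header)
SS_SAMPLE='tcp   LISTEN 0 128   0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 100   0.0.0.0:25    0.0.0.0:*
tcp   LISTEN 0 511   0.0.0.0:80    0.0.0.0:*
tcp   LISTEN 0 511   0.0.0.0:443   0.0.0.0:*
tcp   LISTEN 0 100   [::]:587      [::]:*
udp   UNCONN 0 0     127.0.0.1:323 0.0.0.0:*'

# listening_ports SS_OUTPUT -> one "port/proto" per line, loopback-only listeners skipped
listening_ports() {
  printf '%s\n' "$1" | awk '
    NF >= 5 {
      n = split($5, a, ":"); port = a[n]               # last field after ":" is the port
      if ($5 ~ /^127\./ || $5 ~ /^\[::1\]/) next       # bound to loopback only: not exposed
      print port "/" $1
    }' | LC_ALL=C sort -u
}

# allowed_ports "p/proto p/proto ..." -> one "port/proto" per line
allowed_ports() {
  printf '%s\n' $1 | LC_ALL=C sort -u   # $1 unquoted on purpose: split on whitespace
}

# set_diff A B -> lines of A that do not occur in B (exact line match)
set_diff() {
  local item
  printf '%s\n' "$1" | while IFS= read -r item; do
    [ -n "$item" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$item" || printf '%s\n' "$item"
  done
}

# Listening on a non-loopback address but no zone rule: firewalld drops the traffic,
# so either the --add-port is missing or the service should not be listening at all.
listener_without_rule() { set_diff "$(listening_ports "$SS_SAMPLE")" "$(allowed_ports "$FW_PORTS_SAMPLE")"; }

# Zone opens the port but nothing listens: a stale rule or a copy-paste typo.
rule_without_listener() { set_diff "$(allowed_ports "$FW_PORTS_SAMPLE")" "$(listening_ports "$SS_SAMPLE")"; }

if [ "${1:-}" = "--report" ]; then
  echo "listening, no rule:"; listener_without_rule
  echo "rule, no listener:";  rule_without_listener
fi
```

Run it with `--report` to print both lists; for the samples above, 587/tcp is listening without a rule and 143/tcp and 8080/tcp are opened without a listener.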

„The former firewall model with system-config-firewall/lokkit was static and every change required a complete firewall restart. This included also to unload the firewall netfilter kernel modules and to load the modules that are needed for the new configuration. The unload of the modules was breaking stateful firewalling and established connections.

The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall rules added by the ip*tables and ebtables command line tools.

The daemon provides information about the current active firewall settings via D-BUS and also accepts changes via D-BUS using PolicyKit authentication methods.“

official homepage


How to block/ban a certain IP:

# put the address to block between the quotes of source address=''
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='' reject"
# rich rules added with --permanent only take effect after the reload
firewall-cmd --reload