I can’t provide specific advice for tailscale, but I can share my notes for my own use case, which is for PCs that are safely behind the home firewall. You’d want to adjust your ssh/smb settings accordingly. You shouldn’t need any rules for ProtonVPN, as you’re likely just trying to block incoming connections, not outbound.
It’s my understanding that Fedora opens ports 1025-65535/tcp and 1025-65535/udp by default.
To lock down to sane defaults (--permanent saves the settings directly, avoiding the need to run firewall-cmd --runtime-to-permanent separately):
sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
sudo firewall-cmd --permanent --add-port=27031/udp # steam remote play
sudo firewall-cmd --permanent --add-port=27036/udp # steam remote play
sudo firewall-cmd --permanent --add-port=27036/tcp # steam remote play
sudo firewall-cmd --permanent --add-port=27037/tcp # steam remote play
Ensure that ssh and samba-client are listed as allowed services too (sudo firewall-cmd --list-all).
- Firewalld must be reloaded before rule changes will take effect: firewall-cmd --reload
- Changes will reset upon reboot unless made persistent by using --permanent or by committing all changes with --runtime-to-permanent
Common commands:
sudo systemctl enable --now firewalld # enable and start firewalld service
sudo systemctl disable firewalld
sudo systemctl stop firewalld
sudo firewall-cmd --state # show running state of firewalld
sudo firewall-cmd --get-active-zones # list active zones
sudo firewall-cmd --get-zones # list all zones
sudo firewall-cmd --get-default-zone # list default zone
sudo firewall-cmd --list-ports # list allowed ports in current zone
sudo firewall-cmd --list-all # list all settings
sudo firewall-cmd --reload # reload firewall rules to activate any rule modifications
Add/remove ports, services, IPs:
sudo firewall-cmd --add-port=port-number/port-type # allow incoming port (tcp,udp,sctp,dccp)
sudo firewall-cmd --remove-port=port-number/port-type # block incoming port
sudo firewall-cmd --add-service=<service-name> # allow incoming service (see /etc/services)
sudo firewall-cmd --remove-service=<service-name> # block incoming service (see /etc/services)
sudo firewall-cmd --add-source=192.168.1.100 (or 192.168.1.0/24) # whitelist incoming IP or IP range
sudo firewall-cmd --remove-source=192.168.1.100 (or 192.168.1.0/24) # remove whitelisted IP or IP range
Block an IP or IP range (rich rules):
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
Whitelist IP for specific port (rich rule):
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
Remove a rich rule:
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
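As an added check to go with the lock-down steps above (my own script, not from the post or from firewalld), here is a POSIX shell function that parses the text of `firewall-cmd --list-all` and reports whether the 1025-65535 range is still open and whether ssh and samba-client are allowed. The two sample outputs are constructed in the shape of that command's output, not captured from a real host.

```shell
#!/bin/sh
# audit_zone TEXT: parse `firewall-cmd --list-all` output passed as a string.
# Returns 0 when the wide 1025-65535 range is closed and ssh/samba-client are
# allowed, 1 otherwise, printing one FAIL line per finding.

# Constructed sample output before the lock-down (assumed zone name/layout).
SAMPLE_BEFORE='FedoraWorkstation (active)
  target: default
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  rich rules:'

# Constructed sample output after removing the range and adding Steam ports.
SAMPLE_AFTER='FedoraWorkstation (active)
  target: default
  services: dhcpv6-client samba-client ssh
  ports: 27031/udp 27036/udp 27036/tcp 27037/tcp
  rich rules:'

audit_zone() {
  text="$1"
  status=0
  # Pull the space-separated values after "ports:" and "services:".
  ports=$(printf '%s\n' "$text" | sed -n 's/^ *ports: *//p')
  services=$(printf '%s\n' "$text" | sed -n 's/^ *services: *//p')
  # The two default entries the post tells you to remove.
  for wide in 1025-65535/tcp 1025-65535/udp; do
    case " $ports " in
      *" $wide "*) echo "FAIL: $wide is still open"; status=1 ;;
    esac
  done
  # The two services the post says must remain allowed.
  for svc in ssh samba-client; do
    case " $services " in
      *" $svc "*) ;;
      *) echo "FAIL: service $svc is not allowed"; status=1 ;;
    esac
  done
  [ "$status" -eq 0 ] && echo "OK: range closed, required services present"
  return "$status"
}

# On a live host: audit_zone "$(sudo firewall-cmd --list-all)"
audit_zone "$SAMPLE_BEFORE" || true
audit_zone "$SAMPLE_AFTER"
```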
Frankly, I welcome multiple unixporn communities, as the largely singular community on reddit was too strict, in my opinion, and many screenshots went unshared as a result.