When managing multiple Linux servers, maintaining consistent firewall policies can be challenging. firewalld provides several built-in methods to export and import configurations, which we'll explore with practical examples.
The simplest approach is to copy the whole permanent configuration directory. Everything firewalld persists lives under /etc/firewalld (firewalld.conf, zones/, services/, ipsets/, icmptypes/, direct.xml, lockdown-whitelist.xml); the defaults it ships with stay under /usr/lib/firewalld and are not copied, which is fine as long as both hosts run a comparable firewalld version. Copying over an existing /etc/firewalld overlays it, so objects that exist only on the destination survive; stop firewalld first so nothing is rewritten while you copy, and a separate --reload after the restart is redundant:
# On source server: persist runtime-only changes, then snapshot with ownership and the 0600 modes preserved
sudo firewall-cmd --runtime-to-permanent
sudo cp -a /etc/firewalld/ ~/firewalld_backup
# On destination server
sudo systemctl stop firewalld
sudo cp -a ~/firewalld_backup/. /etc/firewalld/
sudo systemctl start firewalld
sudo firewall-cmd --state
For more selective transfers, copy only the pieces that differ from the shipped defaults. Note that --list-all and --get-services print human-readable summaries, not the XML firewalld loads, so redirecting them to a .xml file produces nothing importable. The real definitions are the XML files under /etc/firewalld; a file exists there only for an object you created or modified, and untouched defaults stay under /usr/lib/firewalld and need no export. Keep the file names, because firewalld derives the zone or service name from the file name:
# Export zones (a file exists only for zones that were modified or created)
sudo cp /etc/firewalld/zones/public.xml .
sudo cp /etc/firewalld/zones/customzone.xml .
# Export custom service definitions (--get-services gives names only; the XML is what gets imported)
sudo firewall-cmd --permanent --get-services > services_list.txt
sudo cp -a /etc/firewalld/services ./services
# Export direct rules as replayable text: each line is "<ipv> <table> <chain> <priority> <args>",
# exactly the argument list that --direct --add-rule takes on the target
sudo firewall-cmd --permanent --direct --get-all-rules > direct_rules.txt
Create a bash script for automated deployment (it assumes root SSH access to all hosts; with an unprivileged account, prefix the remote commands with sudo). The archive is fetched once, pushed to each target, and unpacked relative to / because tar strips the leading slash from /etc/firewalld:
#!/bin/bash
# firewalld_deploy.sh: snapshot /etc/firewalld on one host and push it to the others
set -euo pipefail
SOURCE_HOST="192.168.1.100"
TARGET_HOSTS=("192.168.1.101" "192.168.1.102" "192.168.1.103")
ARCHIVE="firewalld_conf.tar.gz"

# Fetch configuration from source once (archive contains etc/firewalld/, so extract with -C /)
ssh "root@$SOURCE_HOST" "firewall-cmd --runtime-to-permanent && tar czf /tmp/$ARCHIVE -C / etc/firewalld"
scp "root@$SOURCE_HOST:/tmp/$ARCHIVE" "/tmp/$ARCHIVE"

# Transfer to each target, restart firewalld and confirm it came back up
for host in "${TARGET_HOSTS[@]}"; do
    scp "/tmp/$ARCHIVE" "root@$host:/tmp/$ARCHIVE"
    ssh "root@$host" "systemctl stop firewalld && tar xzf /tmp/$ARCHIVE -C / && systemctl start firewalld && firewall-cmd --state && rm -f /tmp/$ARCHIVE"
done
For environments with custom ipsets, ICMP types or rich rules, keep in mind that --list-rich-rules is per zone (the default zone when --zone is omitted), and that --get-icmptypes and --get-ipsets print names only; the definitions firewalld loads are the XML files under /etc/firewalld/ipsets/ and /etc/firewalld/icmptypes/:
# Export rich rules from every zone, one file per zone (each line is already in --add-rich-rule syntax)
for z in $(sudo firewall-cmd --permanent --get-zones); do
    sudo firewall-cmd --permanent --zone="$z" --list-rich-rules > "rich_rules_$z.txt"
done
# List custom icmptypes and ipsets by name, then copy their definitions (directories exist only if used)
sudo firewall-cmd --permanent --get-icmptypes > icmptypes.txt
sudo firewall-cmd --permanent --get-ipsets > ipsets.txt
sudo cp -a /etc/firewalld/ipsets ./ipsets
sudo cp -a /etc/firewalld/icmptypes ./icmptypes
Always validate the transferred configuration. Compare like with like: capture --list-all-zones on both hosts and diff the two captures (diffing the zones/ directory against a text file compares XML against a summary and never matches). Expect the interfaces: lines and the (active) markers to differ between hosts; everything else should be identical. Also check that the permanent and runtime views agree, which catches an import that was copied but never loaded:
# Compare the effective configuration of source and destination
ssh root@192.168.1.100 firewall-cmd --list-all-zones > source_config.txt
sudo firewall-cmd --list-all-zones > current_config.txt
diff source_config.txt current_config.txt
# Confirm the permanent config matches what is running
sudo firewall-cmd --permanent --list-all-zones | diff - current_config.txt
# Test critical services from another host
nc -zv hostname 22
nc -zv hostname 80
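The diff above is noisy because --list-all-zones prints host-specific detail (bound interfaces, the (active) marker) and lists services in insertion order. The following is an added example, not part of the original page: it canonicalises two captures before diffing them, so only real policy drift is reported. The two captures embedded below are constructed to look like --list-all-zones output; on real hosts, save that command's output on each side and pass the two files to zone_drift.

```sh
#!/bin/sh
# Added example: compare the zone configuration of two hosts without noise
# from host-specific details. Sample captures below are constructed.
TAB=$(printf '\t')

# Canonical form of one --list-all-zones capture:
#  - "(active)" is dropped from zone headers (it only says an interface is bound)
#  - "interfaces:" lines are dropped (host-specific by design)
#  - tokens of every "  key: a b c" line are sorted, so the same services
#    added in a different order do not show up as drift
#  - tab-indented rich-rule lines are kept verbatim (they may contain colons)
normalize_zones() {
    while IFS= read -r line; do
        case "$line" in
            '')            printf '\n' ;;
            "$TAB"*)       printf '%s\n' "$line" ;;
            *interfaces:*) ;;
            ' '*)
                key=${line%%:*}
                vals=${line#*:}
                sorted=$(set -f; printf '%s\n' $vals | LC_ALL=C sort | tr '\n' ' ')
                sorted=${sorted% }
                if [ -n "$sorted" ]; then
                    printf '%s: %s\n' "$key" "$sorted"
                else
                    printf '%s:\n' "$key"
                fi
                ;;
            *)             printf '%s\n' "${line% (active)}" ;;
        esac
    done
    return 0
}

# zone_drift <source_capture> <target_capture>
# Exit 0 when the canonical forms match, 1 when they differ (unified diff printed).
zone_drift() {
    src_norm=$(mktemp) dst_norm=$(mktemp)
    normalize_zones < "$1" > "$src_norm"
    normalize_zones < "$2" > "$dst_norm"
    if diff -u "$src_norm" "$dst_norm"; then rc=0; else rc=1; fi
    rm -f "$src_norm" "$dst_norm"
    return $rc
}

# Reachability check for services the policy must keep open (same nc -z as above).
check_ports() {   # check_ports <host> <port>...
    host=$1; shift
    for p in "$@"; do
        if nc -z -w 3 "$host" "$p"; then echo "$host:$p open"; else echo "$host:$p CLOSED"; fi
    done
}

# Constructed captures: target_ok differs only in interfaces, (active) and service order;
# target_drift additionally opens 9090/tcp.
SAMPLE_SOURCE="public (active)
  target: default
  interfaces: eth0
  services: ssh cockpit dhcpv6-client
  ports: 8080/tcp
  masquerade: no
  rich rules: 
${TAB}rule family=\"ipv4\" source address=\"10.0.0.0/8\" accept

trusted
  target: ACCEPT
  interfaces: 
  services: "
SAMPLE_TARGET_OK="public
  target: default
  interfaces: ens192
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  masquerade: no
  rich rules: 
${TAB}rule family=\"ipv4\" source address=\"10.0.0.0/8\" accept

trusted (active)
  target: ACCEPT
  interfaces: eth1
  services: "
SAMPLE_TARGET_DRIFT=$(printf '%s\n' "$SAMPLE_TARGET_OK" | sed 's#^  ports: 8080/tcp$#  ports: 8080/tcp 9090/tcp#')

# Demo on the constructed captures (no root and no firewalld needed)
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_SOURCE" > "$demo/source.txt"
printf '%s\n' "$SAMPLE_TARGET_OK" > "$demo/target_ok.txt"
printf '%s\n' "$SAMPLE_TARGET_DRIFT" > "$demo/target_drift.txt"
if zone_drift "$demo/source.txt" "$demo/target_ok.txt"; then
    echo 'target_ok: no drift (only interfaces, (active) and ordering differed)'
fi
if ! zone_drift "$demo/source.txt" "$demo/target_drift.txt"; then
    echo 'target_drift: zones differ, see the diff above'
fi
rm -rf "$demo"
```

Run it as `sh compare_zones.sh` to see the demo; in practice, call `zone_drift source_config.txt current_config.txt` on the two real captures and use its exit status as the gate in your deployment script.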
The same directory copy can be done as a replacement rather than an overlay. Copying over an existing /etc/firewalld leaves behind zone, service or ipset files that exist only on the target, and firewalld keeps loading them; deleting the directory first gives an exact replica of the source. Keep a copy of the target's own directory before you do this.
# On source server:
sudo firewall-cmd --runtime-to-permanent
sudo cp -a /etc/firewalld/ ~/firewalld_backup/
# On target server (preserve the current state first):
sudo systemctl stop firewalld
sudo cp -a /etc/firewalld/ /root/firewalld_before_import/
sudo rm -rf /etc/firewalld/
sudo cp -a ~/firewalld_backup/ /etc/firewalld/
sudo systemctl start firewalld
sudo firewall-cmd --state
This copies zones, services, rich rules and the --direct rules too, since those are stored in /etc/firewalld/direct.xml. What the directory copy does not give you is a readable listing of the direct rules, because --list-all-zones does not show them.
To review or replay direct rules explicitly, export them through firewalld rather than with iptables-save. iptables-save dumps the ruleset firewalld generated, not its configuration (and with the nftables backend that is the default on current distributions it shows almost nothing; use nft list ruleset there), and iptables-restore on the target writes rules behind firewalld's back that the next reload silently replaces:
# Export on source:
sudo firewall-cmd --permanent --list-all-zones > firewall_zones.conf
sudo firewall-cmd --permanent --direct --get-all-rules > direct_rules.txt
# Optional: snapshot the generated ruleset for comparison only, never for restore
sudo iptables-save > generated_rules.v4
sudo ip6tables-save > generated_rules.v6
# Import on target: each exported line is exactly the argument list --add-rule takes
while read -r rule; do
    [ -n "$rule" ] && sudo firewall-cmd --permanent --direct --add-rule $rule
done < direct_rules.txt
sudo firewall-cmd --reload
Custom zones travel as their XML under zones/ with the directory copy above; creating them with --new-zone and re-adding services by hand is only needed when no XML is available.
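The per-zone rich-rule listings and the direct-rule listing that firewall-cmd prints are both already in the syntax their --add counterparts accept, so an import script can be generated from the exported text files. The following is an added example and not code from the original page: it validates each line, quotes rich rules so they reach firewall-cmd as a single argument, and assembles a replay script that ends with the reload. The sample lines at the bottom are constructed, not captured from a host; the file names direct_rules.txt and rich_rules_<zone>.txt follow the export commands above.

```sh
#!/bin/sh
# Added example: turn exported firewall-cmd listings back into firewall-cmd
# commands, so they can be replayed on the target instead of iptables-restore.

# `--permanent --direct --get-all-rules` prints one rule per line as
#   <ipv> <table> <chain> <priority> <iptables args...>
# which is exactly the argument list `--direct --add-rule` expects.
direct_rules_to_cmds() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                         # blank lines and comments
            'ipv4 '*|'ipv6 '*|'eb '*) ;;                  # the three families firewalld knows
            *) printf 'skipping: unknown family in "%s"\n' "$line" >&2; continue ;;
        esac
        # need at least family, table, chain, priority and one match/target argument
        if printf '%s\n' "$line" | awk 'NF < 5 { exit 1 }'; then
            printf 'firewall-cmd --permanent --direct --add-rule %s\n' "$line"
        else
            printf 'skipping: malformed direct rule "%s"\n' "$line" >&2
        fi
    done
    return 0
}

# `--permanent --zone=Z --list-rich-rules` prints one rule per line in
# --add-rich-rule syntax. The rule must reach firewall-cmd as one argument, so
# it is wrapped in single quotes; rich rules use double quotes internally, so a
# single quote is unexpected and such a line is refused rather than mis-quoted.
rich_rules_to_cmds() {   # rich_rules_to_cmds <zone>  (rules on stdin)
    zone=$1
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *\'*) printf 'add by hand (single quote in rule): %s\n' "$line" >&2 ;;
            'rule '*) printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$line" ;;
            *) printf 'skipping: not a rich rule "%s"\n' "$line" >&2 ;;
        esac
    done
    return 0
}

# Assemble a complete replay script from direct_rules.txt plus zone/file pairs,
# ending with the reload that makes the permanent changes take effect.
build_import_script() {   # build_import_script direct_rules.txt zone1 rich1.txt [zone2 rich2.txt ...]
    echo '#!/bin/sh'
    echo 'set -e'
    direct_rules_to_cmds < "$1"; shift
    while [ $# -ge 2 ]; do
        rich_rules_to_cmds "$1" < "$2"; shift 2
    done
    echo 'firewall-cmd --reload'
}

# Demo on constructed sample lines (one good direct rule, one truncated one, one rich rule)
printf '%s\n' 'ipv4 filter INPUT 1 -m tcp -p tcp --dport 8080 -j ACCEPT' 'ipv4 filter' \
    | direct_rules_to_cmds
printf '%s\n' 'rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept' \
    | rich_rules_to_cmds public
```

Typical use on the target is `sh gen.sh` followed by `build_import_script direct_rules.txt public rich_rules_public.txt > import.sh` and a review of import.sh before running it as root; rejected lines go to stderr, so a non-empty stderr means the export needs a look before anything is applied.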
For large-scale deployments, an Ansible playbook pushes the same directory. The copy module only adds and updates files, so objects that exist only on the target survive unless you remove them separately, and the handler reloads rather than restarts firewalld, which keeps existing connections:
- name: Deploy firewalld config
  hosts: all_servers
  become: true
  tasks:
    - name: Transfer firewalld configs
      copy:
        src: /path/to/backup/      # trailing slash: copy the contents, not the directory itself
        dest: /etc/firewalld/
        owner: root
        group: root
        mode: "0600"
        directory_mode: "0750"
      notify: reload firewalld
  handlers:
    - name: reload firewalld
      systemd:
        name: firewalld
        state: reloaded
Store the configuration in Git, mirroring the /etc/firewalld layout (add ipsets/, icmptypes/ and direct.xml as you use them) so a checkout can be installed by path and every change is reviewable as a diff:
firewalld_config/
├── zones/
│   ├── public.xml
│   └── custom_zone.xml
├── services/
│   └── customservice.xml
└── scripts/
    ├── export_firewall.sh
    └── import_firewall.sh
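An import_firewall.sh for that layout, as an added example rather than a script from the original page: it installs the XML tracked in the checkout into the live firewalld directory, reports every add, update and removal, and removes live files the repository no longer tracks, which is the stale-file problem that deleting /etc/firewalld solves more bluntly. FIREWALLD_DIR is an assumed override so the script can be exercised against a scratch directory; firewalld.conf is deliberately left untouched because it carries host-level settings such as the backend and default zone.

```sh
#!/bin/sh
# Added example: import_firewall.sh for the Git layout above.
FIREWALLD_DIR=${FIREWALLD_DIR:-/etc/firewalld}    # assumed override, for testing
# Only subdirectories present in the repository are managed.
SUBDIRS="zones services ipsets icmptypes helpers policies"

# sync_firewalld <repo_dir> [dry-run]
# Prints one "add|update|remove <path>" line per change and a final count.
# With dry-run nothing is written, so the plan can be reviewed first.
sync_firewalld() {
    repo=$1
    mode=${2:-apply}
    changes=0
    for d in $SUBDIRS; do
        [ -d "$repo/$d" ] || continue
        for f in "$repo/$d"/*.xml; do
            [ -e "$f" ] || continue                      # unmatched glob, empty directory
            live="$FIREWALLD_DIR/$d/${f##*/}"
            if [ ! -e "$live" ]; then
                action=add
            elif cmp -s "$f" "$live"; then
                continue                                  # identical, nothing to do
            else
                action=update
            fi
            changes=$((changes + 1))
            echo "$action $live"
            if [ "$mode" != dry-run ]; then
                mkdir -p "$FIREWALLD_DIR/$d"
                install -m 0600 "$f" "$live"              # firewalld keeps its own files 0600
            fi
        done
        # live files the repository does not track are stale
        for live in "$FIREWALLD_DIR/$d"/*.xml; do
            [ -e "$live" ] || continue
            if [ ! -e "$repo/$d/${live##*/}" ]; then
                changes=$((changes + 1))
                echo "remove $live"
                [ "$mode" = dry-run ] || rm -f "$live"
            fi
        done
    done
    # direct.xml (the --direct rules) is a single top-level file
    if [ -f "$repo/direct.xml" ] && ! cmp -s "$repo/direct.xml" "$FIREWALLD_DIR/direct.xml" 2>/dev/null; then
        changes=$((changes + 1))
        echo "update $FIREWALLD_DIR/direct.xml"
        [ "$mode" = dry-run ] || install -m 0600 "$repo/direct.xml" "$FIREWALLD_DIR/direct.xml"
    fi
    echo "$changes change(s)"
}

# Usage: sh import_firewall.sh <repo_dir> [dry-run]   (run as root for the real directory)
if [ $# -ge 1 ]; then
    sync_firewalld "$1" "${2:-apply}"
    [ "${2:-apply}" = dry-run ] || echo 'now load the permanent config with: firewall-cmd --reload'
fi
```

Run `sh scripts/import_firewall.sh . dry-run` from the checkout on the target, read the plan, then run it again without dry-run as root and follow with firewall-cmd --reload; a reload, unlike a restart, applies the new permanent configuration without dropping established connections.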
Test imports in a staging environment first, verify the result with firewall-cmd --list-all-zones, and check that the permanent and runtime views agree (firewall-cmd --permanent --list-all-zones) before deploying to production.