Bug 1531545 - [RFE] Flush all the rules of firewalld using a single command.
Summary: [RFE] Flush all the rules of firewalld using a single command.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: firewalld
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.1
Assignee: Eric Garver
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-05 13:17 UTC by Akhil John
Modified: 2022-07-27 20:19 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-08 07:26:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Akhil John 2018-01-05 13:17:09 UTC
Description of problem:
Firewalld doesn't have a single command to flush all the rules, like the one we have with `iptables -F`, so that firewalld will be back to the default state.

Version-Release number of selected component (if applicable):
All firewalld versions

How reproducible:
Always.

Comment 3 Tomas Dolezal 2018-03-21 13:50:45 UTC
Indeed, there's no possibility to apply the default configuration without unloading modules; that's when the default is applied, by restarting the whole service.
And `--complete-reload` leaves e.g. direct rules in place.

Comment 4 Eric Garver 2018-04-23 15:33:37 UTC
I think you're looking for a command line:

  $ firewalld --permanent --reset-to-defaults

Is that true?

Comment 5 Akhil John 2018-04-25 10:07:52 UTC
Yes

Comment 6 morgan read 2018-10-19 12:31:23 UTC
Copying relevant files from /usr/lib/firewalld/zones to /etc/firewalld/zones seemed to do the trick for me.  Hope I'm correct...

Comment 7 Eric Garver 2018-10-19 13:15:43 UTC
(In reply to morgan read from comment #6)
> Copying relevant files from /usr/lib/firewalld/zones to /etc/firewalld/zones
> seemed to do the trick for me.  Hope I'm correct...

If items in /etc/firewalld don't exist the defaults from /usr/lib/firewalld will be used. Copying them is okay. You could have simply removed the zones in /etc/firewalld/zones instead.

Comment 8 Eric Garver 2019-03-01 20:28:11 UTC
Bumping to RHEL-8. It can be done manually in RHEL-7 as indicated in comment 6 and comment 7.

Comment 9 jnikolak 2019-09-24 02:40:35 UTC
This solution definitely does work and I've tested it.

@localhost /]# rm -rf  /etc/firewalld/zones/
@localhost /]# cp -r /usr/lib/firewalld/zones  /etc/firewalld/zones
@localhost /]# firewall-cmd --reload
@localhost /]# firewall-cmd --zone=public --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s25
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

@localhost /]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-09-24 12:30:08 AEST; 5min ago
     Docs: man:firewalld(1)
 Main PID: 30469 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─30469 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Sep 24 12:30:08 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 24 12:30:08 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.


RFE could perhaps attach a firewall-cmd command that would run the commands below. It could be with a backup-directory option, which is less crude.

#!/usr/bin/bash
rm -rf  /etc/firewalld/zones/
cp -r /usr/lib/firewalld/zones  /etc/firewalld/zones
firewall-cmd --reload
echo "Default Firewalld has been applied"
systemctl status firewalld

Comment 10 Eric Garver 2019-09-24 12:36:55 UTC
(In reply to jnikolak from comment #9)
> This solution definitely does work and I've tested it.
[..]
> RFE could perhaps attach a firewall-cmd command that would run the commands
> below. It could be with a backup-directory option, which is less crude.
> 
> #!/usr/bin/bash
> rm -rf  /etc/firewalld/zones/
> cp -r /usr/lib/firewalld/zones  /etc/firewalld/zones

The copy is not necessary. Firewalld will do the copy itself when the user modifies one of the built-in zones.
But the directory /etc/firewalld/zones should remain. The first line should be

  rm -rf  /etc/firewalld/zones/*

> firewall-cmd --reload
> echo "Default Firewalld has been applied"
> systemctl status firewalld

There are also other user configs for services, helpers, etc under /etc/firewalld. But those only have an effect if referenced from a zone.

Comment 11 Eric Garver 2019-09-24 13:17:18 UTC
(In reply to Eric Garver from comment #10)
> There are also other user configs for services, helpers, etc under
> /etc/firewalld. But those only have an effect if referenced from a zone.

There is also /etc/firewalld/firewalld.conf. It _should_ be possible to also delete firewalld.conf and firewalld will use the defaults. Although I've not verified this.
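The manual reset described in comments 9 through 11, written up as an added example (not code from this bug or from the firewalld project): it clears the contents of the override directories while keeping the directories themselves, takes an optional backup first, and only calls `firewall-cmd --reload` when the tool is present. The function names and the configurable config-tree path are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the bug thread or firewalld itself.
# reset_firewalld_config [CONFIG_DIR] [BACKUP_DIR]
#   CONFIG_DIR defaults to /etc/firewalld; passing another path lets the
#   reset be exercised on a scratch tree without touching the real firewall.
reset_firewalld_config() {
    local etc="${1:-/etc/firewalld}"
    local backup="${2:-}"
    local sub

    [ -d "$etc" ] || { echo "no such directory: $etc" >&2; return 1; }

    # Optional backup: keep a copy of the overrides being discarded, so the
    # previous policy can be reviewed or restored (the "less crude" option
    # suggested in comment 9).
    if [ -n "$backup" ]; then
        mkdir -p "$backup" || return 1
        cp -pR "$etc"/. "$backup"/ || return 1
    fi

    # Comment 10: remove the user overrides but leave the directories in
    # place; firewalld falls back to /usr/lib/firewalld for anything missing.
    for sub in zones services helpers icmptypes ipsets; do
        [ -d "$etc/$sub" ] || continue
        find "$etc/$sub" -mindepth 1 -delete
    done

    # Comment 3: direct rules survive --complete-reload; they live in
    # direct.xml, so drop that override as well.
    rm -f "$etc/direct.xml"

    # Comment 11: firewalld.conf also carries user settings. Removing it is
    # described there as "should" work but unverified; the backup keeps it.
    rm -f "$etc/firewalld.conf"

    # Apply the now-default configuration (skipped where firewall-cmd is absent).
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --reload
    fi
}

# Number of override files left under a firewalld config tree; 0 after a reset.
count_overrides() {
    find "${1:-/etc/firewalld}" -mindepth 1 -type f | wc -l | tr -d ' '
}
```

Run it as root with a backup directory, e.g. `reset_firewalld_config /etc/firewalld /root/firewalld-backup-$(date +%F)`, and confirm with `firewall-cmd --list-all-zones` afterwards.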

Comment 15 RHEL Program Management 2021-01-08 07:26:20 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 16 Herb Goldman 2022-07-27 20:19:26 UTC
Since it's not a built-in feature, this simple script works for me.  YMMV

# cat clear-all-fw-rules 
firewall-cmd --list-all --permanent | grep family | tr '\011' ' ' | \
 while read -r LINE
  do
    echo -n "${LINE}":
    firewall-cmd --remove-rich-rule="${LINE}" --permanent
 done


# ./clear-all-fw-rules 
rule family="ipv4" source address="221.150.141.252/24" log level="warning" drop:success
rule family="ipv4" source address="139.162.205.145/24" log level="warning" drop:success
rule family="ipv4" source address="185.162.235.162/24" log level="warning" drop:success
..
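A fuller version of the comment 16 idea, added here as an example that is not part of the bug thread: Herb's loop only sees rich rules containing the word "family" and only in the default zone, so rules such as `rule service name="ssh" accept` or rules in other zones stay behind. This variant takes the rules from the "rich rules:" section of each zone's `--list-all` output and keeps the parsing separate from the `firewall-cmd` calls, so the parser can be checked against a captured listing. The function names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the bug thread or firewalld itself.

# Read a `firewall-cmd --list-all` listing on stdin and print each rich rule
# on its own line. "rich rules:" is the last section of the listing; every
# indented line after it is one rule, and leading whitespace is stripped.
extract_rich_rules() {
    awk '
        /^[[:space:]]*rich rules:/ { in_rules = 1; next }
        in_rules && /^[[:space:]]/ {
            sub(/^[[:space:]]+/, "")
            if ($0 != "") print
            next
        }
        in_rules { in_rules = 0 }
    '
}

# Remove every permanent rich rule from every zone, reporting each removal
# as "zone: rule: success" in the style of the comment 16 script, then reload.
clear_all_rich_rules() {
    local zone rule
    for zone in $(firewall-cmd --get-zones); do
        firewall-cmd --permanent --zone="$zone" --list-all |
        extract_rich_rules |
        while IFS= read -r rule; do
            printf '%s: %s: ' "$zone" "$rule"
            firewall-cmd --permanent --zone="$zone" --remove-rich-rule="$rule"
        done
    done
    firewall-cmd --reload
}
```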


       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none is given).  This is equivalent to deleting all the rules one by one.

