firewalld panic mode is an emergency runtime switch that drops network traffic through the host firewall. It can cut off remote administration as soon as it is enabled, so use it only with console access or another out-of-band recovery path.
Panic mode is not a normal hardening profile and it is not a replacement for a restrictive zone. It is meant to stop traffic quickly during an incident, a containment window, or a test where blocking all packet flow is the intended result.
The command changes the active daemon state immediately. Query the state before and after enabling it, verify that the expected client traffic is blocked, and keep the disable command ready before starting the test.
Related: Check active firewalld zones
Related: Troubleshoot blocked firewalld connections
Related: Check firewalld status
$ sudo firewall-cmd --state
running

$ whoami
admin
Do not enable panic mode through the only active SSH session unless losing that session is acceptable. Panic mode is designed to block network traffic immediately.
$ sudo firewall-cmd --query-panic
no

$ sudo firewall-cmd --panic-on
success

$ sudo firewall-cmd --query-panic
yes

$ nc -vz -w 2 app01.example.net 22
nc: connect to app01.example.net port 22 (tcp) failed: Connection timed out
A timeout or rejected connection is expected while panic mode is active. Existing remote sessions can also stop responding.
$ sudo firewall-cmd --panic-off
success
Leave panic mode enabled only when the operational decision is to keep the host network-isolated. Otherwise disable it before returning the system to service.
$ sudo firewall-cmd --query-panic
no

$ sudo firewall-cmd --get-active-zones
public (default)
  interfaces: enp1s0
If expected traffic is still blocked after panic mode is disabled, inspect active zones and rules before assuming panic mode is still the cause.
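The whole procedure above, wrapped as a guarded script, is shown below as an added example; it is not from the original page or the firewalld project. It refuses to enable panic mode from a remote SSH session unless console or other out-of-band access is explicitly confirmed, schedules an automatic --panic-off before enabling so the host recovers even if the shell is lost, and checks the state before and after each step. firewall-cmd and nc are assumed to be installed; TARGET_HOST, TARGET_PORT, REVERT_AFTER, OOB_ACCESS_CONFIRMED and RUN_PANIC_TEST are placeholder variables introduced here, not firewalld options.

```shell
#!/bin/sh
# Added example (not from the original page): guarded firewalld panic-mode test
# with a scheduled automatic revert. Assumes firewall-cmd and nc are installed;
# host, port and revert window are placeholders, not values from firewalld.
set -u

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"
TARGET_HOST="${TARGET_HOST:-app01.example.net}"   # host used in the page's nc probe
TARGET_PORT="${TARGET_PORT:-22}"
REVERT_AFTER="${REVERT_AFTER:-60}"                # seconds until automatic --panic-off

# A non-empty SSH_CONNECTION value means this shell came in over the network,
# which panic mode will cut. Takes the value as an argument so it is testable.
session_is_remote() {
    [ -n "${1:-}" ]
}

# Map the output of `firewall-cmd --query-panic` (yes/no) to on/off; anything
# else is "unknown" so the caller stops instead of guessing the firewall state.
panic_state() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        yes) echo on ;;
        no)  echo off ;;
        *)   echo unknown ;;
    esac
}

# Pre-flight: the daemon must be running, and a remote session is acceptable
# only when console or other out-of-band access is confirmed (oob = "yes").
preflight_ok() {
    state="$1"; ssh_conn="$2"; oob="$3"
    [ "$state" = "running" ] || return 1
    if session_is_remote "$ssh_conn" && [ "$oob" != "yes" ]; then
        return 1
    fi
    return 0
}

# Queue --panic-off in a detached background job before enabling panic mode,
# so the host recovers even if this shell dies when traffic stops.
# Relies on root or passwordless sudo, since nothing can prompt for a password.
schedule_revert() {
    nohup sh -c "sleep $1 && $FIREWALL_CMD --panic-off" >/dev/null 2>&1 &
}

run_panic_test() {
    state="$($FIREWALL_CMD --state 2>/dev/null || true)"
    if ! preflight_ok "$state" "${SSH_CONNECTION:-}" "${OOB_ACCESS_CONFIRMED:-no}"; then
        echo "pre-flight failed (state='$state'); set OOB_ACCESS_CONFIRMED=yes only with console access" >&2
        return 1
    fi
    before="$(panic_state "$($FIREWALL_CMD --query-panic)")"
    [ "$before" = "off" ] || { echo "panic mode already '$before', aborting" >&2; return 1; }

    schedule_revert "$REVERT_AFTER"
    $FIREWALL_CMD --panic-on >/dev/null || return 1
    [ "$(panic_state "$($FIREWALL_CMD --query-panic)")" = "on" ] || return 1

    # The probe is expected to fail while panic mode is active.
    if nc -vz -w 2 "$TARGET_HOST" "$TARGET_PORT" 2>/dev/null; then
        echo "WARNING: $TARGET_HOST:$TARGET_PORT still reachable with panic mode on" >&2
    else
        echo "probe to $TARGET_HOST:$TARGET_PORT blocked as expected"
    fi

    $FIREWALL_CMD --panic-off >/dev/null || return 1
    [ "$(panic_state "$($FIREWALL_CMD --query-panic)")" = "off" ] || return 1
    echo "panic mode disabled; active zones:"
    $FIREWALL_CMD --get-active-zones
}

# Run only when explicitly requested, so the functions can be sourced or checked alone.
if [ "${RUN_PANIC_TEST:-0}" = "1" ]; then
    run_panic_test
fi
```

Run it from a console as `RUN_PANIC_TEST=1 sh panic-test.sh`, or from SSH only as `OOB_ACCESS_CONFIRMED=yes RUN_PANIC_TEST=1 sh panic-test.sh` once a recovery path exists. The scheduled revert is the safety net for the case the page warns about: if the SSH session freezes when --panic-on takes effect, the detached job still issues --panic-off after REVERT_AFTER seconds.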