I can’t provide specific advice for tailscale, but I can share my notes for my own use case, which is for PCs that are safely behind the home firewall. You’d want to adjust your ssh/smb settings accordingly. You shouldn’t need any rules for ProtonVPN, as you’re likely just trying to block incoming connections, not outbound.
It’s my understanding that Fedora opens ports 1025-65535/tcp and 1025-65535/udp by default.
To lock down to sane defaults (`--permanent` saves the settings directly, avoiding the need to run `firewall-cmd --runtime-to-permanent` separately):
Ensure that ssh and samba-client are listed as allowed services too (sudo firewall-cmd --list-all).
Firewalld must be reloaded before rule changes will take effect: firewall-cmd --reload
Changes will reset upon reboot unless made persistent by using `--permanent` or by committing all changes with `--runtime-to-permanent`.
Common commands:
```shell
sudo systemctl enable --now firewalld # enable and start firewalld service
sudo systemctl disable firewalld
sudo systemctl stop firewalld

sudo firewall-cmd --state # show running state of firewalld
sudo firewall-cmd --get-active-zones # list active zones
sudo firewall-cmd --get-zones # list all zones
sudo firewall-cmd --get-default-zone # list default zone
sudo firewall-cmd --list-ports # list allowed ports in current zone
sudo firewall-cmd --list-all # list all settings
sudo firewall-cmd --reload # reload firewall rules to activate any rule modifications
```
Add/remove ports, services, IPs:
```shell
sudo firewall-cmd --add-port=port-number/port-type # allow incoming port (tcp,udp,sctp,dccp)
sudo firewall-cmd --remove-port=port-number/port-type # block incoming port
sudo firewall-cmd --add-service=<service-name> # allow incoming service (see /etc/services)
sudo firewall-cmd --remove-service=<service-name> # block incoming service (see /etc/services)
sudo firewall-cmd --add-source=192.168.1.100 (or 192.168.1.0/24) # whitelist incoming IP or IP range
sudo firewall-cmd --remove-source=192.168.1.100 (or 192.168.1.0/24) # remove whitelisted IP or IP range
```
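As an added example (not part of the post above), the following POSIX shell audit reads the text of `sudo firewall-cmd --list-all` and flags the wide default port ranges the post mentions (Fedora's 1025-65535/tcp and 1025-65535/udp), then prints the `--permanent` removal commands and the `--reload` that would make them take effect. The sample `--list-all` output embedded below is constructed for the example, and the "1000 or more ports" threshold for what counts as a wide range is an assumption of this script, not anything firewalld defines.

```shell
#!/bin/sh
# Added example: audit a firewalld zone listing for wide port ranges and
# print the commands that would close them. The input is the text of
# `firewall-cmd --list-all`, so it can be run offline on a saved copy.

# Constructed sample of `firewall-cmd --list-all` output (not real host data).
SAMPLE_LIST_ALL='FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# First word of the first line is the zone name.
zone_name() {
    printf '%s\n' "$1" | head -n 1 | cut -d' ' -f1
}

# Print each entry of the "ports:" line on its own line.
list_ports() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' \
        | tr ' ' '\n' | sed '/^$/d'
}

# Print only port entries whose range spans 1000 or more ports
# (threshold is an assumption of this example).
wide_ranges() {
    list_ports "$1" | while IFS= read -r entry; do
        spec=${entry%/*}
        case "$spec" in
            *-*)
                lo=${spec%-*}
                hi=${spec#*-}
                if [ $((hi - lo + 1)) -ge 1000 ]; then
                    echo "$entry"
                fi
                ;;
        esac
    done
}

# Print (do not execute) the firewall-cmd invocations that would close the
# wide ranges permanently, followed by the reload the post says is required.
remediation() {
    zone=$(zone_name "$1")
    wide_ranges "$1" | while IFS= read -r entry; do
        echo "sudo firewall-cmd --permanent --zone=$zone --remove-port=$entry"
    done
    echo "sudo firewall-cmd --reload"
}

echo "Wide port ranges found:"
wide_ranges "$SAMPLE_LIST_ALL"
echo
echo "Suggested remediation:"
remediation "$SAMPLE_LIST_ALL"
```

To run it against a real host, replace the constructed sample with `sudo firewall-cmd --list-all` output and review the printed commands before applying them, so that any port you actually rely on (such as a custom ssh port) is re-added explicitly rather than left open by the range.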