====== Firewall: Firewall-Cmd ======

**General Information**

firewall-cmd is the command line client for the firewalld daemon. It is the default on Enterprise Linux 7.x. This is a zone based firewall.

**Checklist**

  * Distro(s): Enterprise Linux 7

----

====== Firewalld Components ======

  * firewall-config => GUI frontend for firewalld
  * firewall-cmd => Command line frontend for firewalld
  * firewalld => Daemon that interacts with the Linux kernel's packet filter, Netfilter
    * Cannot be used at the same time as iptables
  * iptables => Interacts with the Linux kernel's packet filter, Netfilter
    * Cannot be used at the same time as firewalld

----

===== Install Firewalld =====

Install and start the firewall packages (included by default on a base install, not on a minimal install)

<code bash>
yum install firewalld firewall-config
systemctl start firewalld
systemctl enable firewalld
</code>

----

===== Firewall-Cmd Commands =====

==== Status ====

  * firewall-cmd method: <code bash>firewall-cmd --state</code>
  * systemctl methods
    * Check status: <code bash>systemctl status firewalld</code>
    * Is it active? <code bash>systemctl is-active firewalld</code>
    * Is it enabled? <code bash>systemctl is-enabled firewalld</code>

----

==== Zones ====

View zone names
<code bash>
firewall-cmd --get-zones
</code>

View the default zone
<code bash>
firewall-cmd --get-default-zone
</code>

  * Zone "public" applies to all interfaces (the catch-all) by default.
View only the active zones and which interfaces are assigned to them
<code bash>
firewall-cmd --get-active-zones
</code>

Change the default zone that is used when no zone is specified
<code bash>
firewall-cmd --set-default-zone=home
</code>

----

==== Interfaces ====

**An interface can only be bound to 1 zone at a time.**

List interfaces that are bound to the default zone
<code bash>
firewall-cmd --list-interfaces
</code>

Bind an interface to the specified zone
<code bash>
firewall-cmd --add-interface=eth0 --zone=home
</code>

  * There will be a zone conflict error if the interface is already bound to a different zone. In this case, you will want to change the interface's zone instead.

Change the zone that an interface is bound to
<code bash>
firewall-cmd --change-interface=eth0 --zone=home
</code>

  * If you are changing an interface's zone, chances are you will also want to change the default zone. See the Zones section above to do this.

----

==== List Rules ====

List all rules of the default zone (since no zone is specified)
<code bash>
firewall-cmd --list-all
</code>

List rules of a specific zone
<code bash>
firewall-cmd --zone=home --list-all
</code>

List the rules of all zones
<code bash>
firewall-cmd --list-all-zones
</code>

  * By default, only the public zone will show as active and have an interface assigned to it.

----

==== Add Rules ====

=== Types of Rule Changes ===

  * Runtime changes: firewall-cmd commands in which "--permanent" is omitted. These changes take effect immediately, but do not survive a "firewall-cmd --reload" command or a system reboot.
  * Permanent changes: firewall-cmd commands in which "--permanent" is included.
    * These changes do not take effect until a "firewall-cmd --reload" command is issued.
    * Upon "--reload", runtime changes are lost.
    * Upon "--reload", active connections will not be interrupted, unless they were being allowed via a runtime rule.
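Because runtime and permanent configuration can diverge (a runtime-only rule silently disappears on "--reload", a permanent-only rule is not yet enforced), it is worth checking a zone for drift before reloading. The script below is an added example, not part of the wiki page: it diffs two "--list-all" outputs field by field. The two sample outputs are constructed to look like firewall-cmd output, since the example must run without a live firewalld; on a real host you would pass the live output of "firewall-cmd --zone=public --list-all" and "firewall-cmd --zone=public --permanent --list-all" instead.

```shell
#!/bin/sh
# Added example, not from the wiki page: report drift between a zone's runtime
# and permanent configuration. Runtime-only entries vanish on 'firewall-cmd
# --reload' or reboot; permanent-only entries are not enforced until '--reload'.
# The samples below are constructed to mimic 'firewall-cmd --zone=public --list-all'.

RUNTIME_PUBLIC='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client https
  ports: 80/tcp 8443/tcp
  protocols:
  rich rules:'

PERMANENT_PUBLIC='public
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp
  protocols:
  rich rules:'

# Print the space-separated values of one field (e.g. "services"), one per line.
zone_field() {   # $1 = --list-all output, $2 = field name
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { for (i = 2; i <= NF; i++) print $i }'
}

# Set difference in both directions for one field, using comm on sorted temp files.
field_drift() {  # $1 = runtime output, $2 = permanent output, $3 = field name
  rt=$(mktemp) && pm=$(mktemp) || return 1
  zone_field "$1" "$3" | sort -u > "$rt"
  zone_field "$2" "$3" | sort -u > "$pm"
  comm -23 "$rt" "$pm" | sed "s/^/runtime-only $3: /"     # lost on reload
  comm -13 "$rt" "$pm" | sed "s/^/permanent-only $3: /"   # not yet active
  rm -f "$rt" "$pm"
}

# Compare every field that carries rules; one line of output per drifting entry.
zone_drift() {   # $1 = runtime output, $2 = permanent output
  for f in interfaces sources services ports protocols; do
    field_drift "$1" "$2" "$f"
  done
}

# On a real host, feed live output instead of the constructed samples:
#   zone_drift "$(firewall-cmd --zone=public --list-all)" \
#              "$(firewall-cmd --zone=public --permanent --list-all)"
zone_drift "$RUNTIME_PUBLIC" "$PERMANENT_PUBLIC"
```

For the constructed samples this prints two lines, "runtime-only services: https" and "runtime-only ports: 8443/tcp", i.e. exactly the rules that a "--reload" would drop.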
=== Source IPs/Networks ===

Allow a source IP network for the home zone (runtime change)
<code bash>
firewall-cmd --zone=home --add-source=192.168.1.0/24
</code>

Allow a source IP network for the home zone (permanent change)
<code bash>
firewall-cmd --zone=home --permanent --add-source=192.168.1.0/24
firewall-cmd --reload
</code>

=== Ports ===

Allow a port on the default zone
<code bash>
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
</code>

=== Services ===

List predefined services
<code bash>
firewall-cmd --get-services
</code>

Add the HTTPS service to the default zone
<code bash>
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
</code>

----

==== Remove Rules ====

=== Source IPs/Networks ===

Remove a source IP network from the "home" zone
<code bash>
firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/24
firewall-cmd --reload
</code>

=== Ports ===

Remove a port from the default zone
<code bash>
firewall-cmd --permanent --remove-port=80/tcp
firewall-cmd --reload
</code>

=== Services ===

Remove a service from the default zone
<code bash>
firewall-cmd --permanent --remove-service=https
firewall-cmd --reload
</code>

----

==== GUI: firewall-config ====

Launch the GUI, firewall-config
<code bash>
firewall-config
</code>

----

====== iptables notes ======

You can use iptables, but it is recommended to use firewall-cmd instead. Using iptables instead of firewall-cmd requires disabling firewalld, installing iptables-services, and then enabling the iptables service.

----

Last modified: 2019/05/25 23:50