====== Firewall: Firewall-Cmd ======

**General Information**

firewall-cmd is the command line client for the firewalld daemon. It is the default on Enterprise Linux 7.x. firewalld is a zone-based firewall.

**Checklist**
  * Distro(s): Enterprise Linux 7

----

====== Firewalld Components ======

  * firewall-config => GUI frontend for firewalld
  * firewall-cmd => Command line frontend for firewalld
  * firewalld => Daemon that interacts with the Linux kernel's packet filter, Netfilter
    * Cannot be used at the same time as iptables
  * iptables => Interacts with the Linux kernel's packet filter, Netfilter
    * Cannot be used at the same time as firewalld

----

===== Install Firewalld =====

Install and start the firewall packages (included by default on a base install, not on a minimal install):

  yum install firewalld firewall-config
  systemctl start firewalld
  systemctl enable firewalld

----

===== Firewall-Cmd Commands =====

==== Status ====

  * firewall-cmd method: ''firewall-cmd --state''
  * systemctl methods:
    * Check status: ''systemctl status firewalld''
    * Is active? ''systemctl is-active firewalld''
    * Is enabled? ''systemctl is-enabled firewalld''

----

==== Zones ====

View zone names:

  firewall-cmd --get-zones

View the default zone:

  firewall-cmd --get-default-zone

  * Zone "public" applies to all interfaces (the catch-all) by default.

View only the active zones and the interfaces assigned to them:

  firewall-cmd --get-active-zones

Change the default zone, which is used whenever no zone is specified:

  firewall-cmd --set-default-zone=home

----

==== Interfaces ====

**An interface can only be bound to one zone at a time.**

List the interfaces that are bound to the default zone:

  firewall-cmd --list-interfaces

Bind an interface to the specified zone:

  firewall-cmd --add-interface=eth0 --zone=home

  * There will be a zone conflict error if the interface is already bound to a different zone. In this case, you will want to change the interface's zone instead.
Change the zone that an interface is bound to:

  firewall-cmd --change-interface=eth0 --zone=home

  * If you are changing an interface's zone, chances are you will also want to change the default zone. See the Zones section above to do this.

----

==== List Rules ====

List all rules of the default zone (since no zone is specified):

  firewall-cmd --list-all

List the rules of a specific zone:

  firewall-cmd --zone=home --list-all

List the rules of all zones:

  firewall-cmd --list-all-zones

  * By default, only the public zone will show as active and have an interface assigned to it.

----

==== Add Rules ====

=== Types of Rule Changes ===

  * Runtime changes: firewall-cmd commands in which ''--permanent'' is omitted. These changes take effect immediately, but do not survive a ''firewall-cmd --reload'' or a system reboot.
  * Permanent changes: firewall-cmd commands in which ''--permanent'' is included.
    * These changes do not take effect until a ''firewall-cmd --reload'' is issued.
    * On ''--reload'', all runtime changes are lost.
    * On ''--reload'', active connections are not interrupted, unless they were being allowed by a runtime rule.
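A drift check for the runtime versus permanent distinction just described, added here as an example and not part of the original wiki page: it compares what firewall-cmd reports for a zone with and without ''--permanent'' and lists what will change on the next ''--reload''. The ''--list-services'', ''--list-ports'' and ''--list-sources'' options are real firewall-cmd options; the sample output embedded for the offline run is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): report drift between a zone's runtime
# and permanent rule sets. Runtime-only entries vanish on 'firewall-cmd --reload';
# permanent-only entries are not enforced until a reload happens.

# set_diff "a b c" "b c": print items of the first list that are absent from the second
set_diff() {
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;
      *) printf '%s\n' "$item" ;;
    esac
  done
}

# rule_drift ZONE KIND RUNTIME PERMANENT
# RUNTIME/PERMANENT are the space-separated outputs of
# 'firewall-cmd --zone=ZONE --list-KIND' without and with --permanent.
rule_drift() {
  zone=$1 kind=$2 runtime=$3 permanent=$4
  set_diff "$runtime" "$permanent" |
    sed "s|^|$zone $kind runtime-only (lost on reload): |"
  set_diff "$permanent" "$runtime" |
    sed "s|^|$zone $kind permanent-only (active after reload): |"
}

# Query a live firewalld (needs root); uses the real --list-services,
# --list-ports and --list-sources options of firewall-cmd.
live_drift() {
  for kind in services ports sources; do
    rule_drift "$1" "$kind" \
      "$(firewall-cmd --zone="$1" --list-$kind)" \
      "$(firewall-cmd --permanent --zone="$1" --list-$kind)"
  done
}

# Constructed sample output, not captured from a real host: https was added at
# runtime only, 80/tcp was added with --permanent but never reloaded.
SAMPLE_RUNTIME_SERVICES="dhcpv6-client ssh https"
SAMPLE_PERMANENT_SERVICES="dhcpv6-client ssh"
SAMPLE_RUNTIME_PORTS=""
SAMPLE_PERMANENT_PORTS="80/tcp"

# Offline demonstration against the constructed sample
demo() {
  rule_drift public services "$SAMPLE_RUNTIME_SERVICES" "$SAMPLE_PERMANENT_SERVICES"
  rule_drift public ports "$SAMPLE_RUNTIME_PORTS" "$SAMPLE_PERMANENT_PORTS"
}
demo
```

On a firewalld host, run ''live_drift public'' (or any other zone) instead of ''demo'' to check the real rule sets.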
=== Source IPs/Networks ===

Allow a source IP network for the home zone (runtime change):

  firewall-cmd --zone=home --add-source=192.168.1.0/24

Allow a source IP network for the home zone (permanent change):

  firewall-cmd --zone=home --permanent --add-source=192.168.1.0/24
  firewall-cmd --reload

=== Ports ===

Allow a port on the default zone:

  firewall-cmd --permanent --add-port=80/tcp
  firewall-cmd --reload

=== Services ===

List the predefined services:

  firewall-cmd --get-services

Add the HTTPS service to the default zone:

  firewall-cmd --add-service=https --permanent
  firewall-cmd --reload

----

==== Remove Rules ====

=== Source IPs/Networks ===

Remove a source IP network from the "home" zone:

  firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/24
  firewall-cmd --reload

=== Ports ===

Remove a port from the default zone:

  firewall-cmd --permanent --remove-port=80/tcp
  firewall-cmd --reload

=== Services ===

Remove a service from the default zone:

  firewall-cmd --permanent --remove-service=https
  firewall-cmd --reload

----

==== GUI: firewall-config ====

Launch the GUI, firewall-config:

  firewall-config

----

====== iptables notes ======

You can use iptables, but it is recommended to use firewall-cmd instead. Using iptables instead of firewall-cmd requires disabling firewalld, installing iptables-services, and then enabling the iptables service.

----