====== Firewall: Firewall-Cmd ======
**General Information**
firewall-cmd is the command line client for the firewalld daemon, the default firewall on Enterprise Linux 7.x. firewalld is a zone-based firewall.
**Checklist**
* Distro(s): Enterprise Linux 7
----
====== Firewalld Components ======
* firewall-config => GUI Frontend for firewalld
* firewall-cmd => Cmd line frontend for firewalld
* firewalld => Daemon that interacts with the Linux kernel's packet filter, Netfilter
  * cannot be used at the same time as iptables
* iptables => Interacts with the Linux kernel's packet filter, Netfilter
  * cannot be used at the same time as firewalld
----
===== Install Firewalld =====
Install and start the firewall packages (included by default in a base install, but not in a minimal install)
yum install firewalld firewall-config
systemctl start firewalld
systemctl enable firewalld
----
===== Firewall-Cmd Commands =====
==== Status ====
* firewall-cmd method
  * firewall-cmd --state
* systemctl methods
  * check status: systemctl status firewalld
  * is active? systemctl is-active firewalld
  * is enabled? systemctl is-enabled firewalld
----
==== Zones ====
View zone names
firewall-cmd --get-zones
View default zone
firewall-cmd --get-default-zone
* Zone "public" applies to all interfaces (the catch all) by default.
View only active zones and what interfaces are assigned to them
firewall-cmd --get-active-zones
Change the default zone (the zone used when no zone is specified)
firewall-cmd --set-default-zone=home
----
==== Interfaces ====
**An interface can only be bound to 1 zone at a time.**
List interfaces that are bound to the default zone
firewall-cmd --list-interfaces
Bind an interface to the specified zone
firewall-cmd --add-interface=eth0 --zone=home
* There will be a zone conflict error if the interface is already bound to a different zone. In that case, use --change-interface instead of --add-interface.
Move an interface from its current zone to the specified zone
firewall-cmd --change-interface=eth0 --zone=home
* If you change an interface's zone, chances are you will also want to change the default zone. See the Zones section above to do this.
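As an added example (not part of the original page), here is a small POSIX shell helper that applies the rule above: it asks firewalld which zone an interface is currently bound to and then picks --add-interface or --change-interface accordingly, so the zone conflict error never comes up. It assumes firewall-cmd's --get-zone-of-interface option, which prints the zone name for a bound interface (and "no zone" with a non-zero exit status for an unbound one); the FIREWALL_CMD variable and the function names are my own.

```shell
# Added example, not from the original page.
# FIREWALL_CMD lets a caller substitute another command (or a stub) for testing.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Pure decision logic, testable without firewalld.
# $1 = zone the interface is currently in ("" if none), $2 = wanted zone.
# Prints the firewall-cmd action to use, or "noop" if already bound there.
pick_bind_action() {
    current="$1"
    wanted="$2"
    if [ -z "$current" ]; then
        echo "add-interface"        # unbound: a plain --add-interface works
    elif [ "$current" = "$wanted" ]; then
        echo "noop"                 # already in the wanted zone
    else
        echo "change-interface"     # bound elsewhere: --add-interface would give a zone conflict
    fi
}

# Ask firewalld for the current zone of interface $1; prints nothing if unbound.
# Assumption: --get-zone-of-interface prints "no zone" (non-zero exit) when unbound.
current_zone_of() {
    zone=$("$FIREWALL_CMD" --get-zone-of-interface="$1" 2>/dev/null) || zone=""
    [ "$zone" = "no zone" ] && zone=""
    echo "$zone"
}

# Bind interface $1 to zone $2 using whichever action pick_bind_action selects.
bind_interface() {
    iface="$1"
    zone="$2"
    action=$(pick_bind_action "$(current_zone_of "$iface")" "$zone")
    case "$action" in
        noop) echo "$iface is already in zone $zone" ;;
        *)    "$FIREWALL_CMD" "--$action=$iface" --zone="$zone" ;;
    esac
}

# Only touch a real firewall when firewall-cmd is actually installed.
if command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    bind_interface eth0 home
fi
```

Both bind_interface calls are runtime changes; add --permanent to the firewall-cmd invocation (and reload) if the binding must survive a reboot.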
----
==== List Rules ====
List all rules of the default zone (since no zone is specified)
firewall-cmd --list-all
List rules, specify zone
firewall-cmd --zone=home --list-all
List the rules of all zones
firewall-cmd --list-all-zones
* By default, only the public zone shows as active and has an interface assigned to it.
----
==== Add Rules ====
=== Types of Rule Changes ===
* Runtime changes: firewall-cmd commands in which "--permanent" is omitted. These changes take effect immediately, but don't survive a 'firewall-cmd --reload' command or a system reboot.
* Permanent changes: firewall-cmd commands in which "--permanent" is included.
  * These changes do not take effect until a 'firewall-cmd --reload' command is issued.
  * Runtime changes are lost on '--reload'.
  * Upon '--reload', active connections are not interrupted, unless they were being allowed by a runtime rule.
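The practical risk of the runtime/permanent split is drift: a rule added without --permanent works today and silently disappears at the next reload or reboot. As an added example (not from the original page), the POSIX shell script below diffs the runtime and permanent listings of a zone, field by field, and reports every entry that exists on only one side. The sample listings are constructed to look like 'firewall-cmd --zone=home --list-all' output (the runtime listing carries the "(active)" suffix); the FIREWALL_CMD variable and the function names are my own.

```shell
# Added example, not from the original page.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print the space-separated values of field $1 (e.g. "ports") from listing $2.
# Prints nothing if the field is absent or empty.
field_tokens() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Compare a runtime listing ($1) with a permanent listing ($2).
# Prints one line per difference:
#   "runtime-only <field>: <value>"   -> will vanish on --reload / reboot
#   "permanent-only <field>: <value>" -> not live until --reload
drift_report() {
    runtime="$1"
    permanent="$2"
    for key in interfaces sources services ports protocols; do
        rt=$(field_tokens "$key" "$runtime")
        pm=$(field_tokens "$key" "$permanent")
        for tok in $rt; do
            case " $pm " in *" $tok "*) ;; *) echo "runtime-only $key: $tok" ;; esac
        done
        for tok in $pm; do
            case " $rt " in *" $tok "*) ;; *) echo "permanent-only $key: $tok" ;; esac
        done
    done
}

# Constructed sample listings: 8443/tcp was opened without --permanent.
RUNTIME_SAMPLE='home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.0/24
  services: ssh mdns samba-client dhcpv6-client https
  ports: 80/tcp 8443/tcp
  protocols:
  masquerade: no'

PERMANENT_SAMPLE='home
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.0/24
  services: ssh mdns samba-client dhcpv6-client https
  ports: 80/tcp
  protocols:
  masquerade: no'

# Offline demonstration on the constructed samples.
drift_report "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"   # prints: runtime-only ports: 8443/tcp

# Live check of a zone (default zone if none given), when firewall-cmd exists.
check_zone_drift() {
    zone="${1:-$("$FIREWALL_CMD" --get-default-zone)}"
    drift_report "$("$FIREWALL_CMD" --zone="$zone" --list-all)" \
                 "$("$FIREWALL_CMD" --permanent --zone="$zone" --list-all)"
}
if command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    check_zone_drift
fi
```

If the runtime-only entries are intentional, re-issue them with --permanent (or, where your firewalld version supports it, save the whole runtime configuration with 'firewall-cmd --runtime-to-permanent'); if they are not, a '--reload' removes them.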
=== Source IPs/Networks ===
Allow a source IP network in the home zone (runtime change)
firewall-cmd --zone=home --add-source=192.168.1.0/24
Allow a source IP network in the home zone (permanent change)
firewall-cmd --zone=home --permanent --add-source=192.168.1.0/24
firewall-cmd --reload
=== Ports ===
Allow port on default zone
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
=== Services ===
List predefined services
firewall-cmd --get-services
Add HTTPS service to default zone
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
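The port and service steps above share one shape: permanent add, reload, and then (what the page leaves implicit) confirm the rule is really live. As an added example (not from the original page), this POSIX shell function wraps that sequence and uses firewall-cmd's --query-service / --query-port options, which exit 0 when the rule is present, to verify the result; it refuses to reload if the permanent add itself failed, so a typo in a service name cannot wipe unrelated runtime rules. The FIREWALL_CMD variable and the function name are my own.

```shell
# Added example, not from the original page.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# allow_permanent ZONE KIND VALUE
#   KIND is "service" or "port", VALUE e.g. "https" or "8443/tcp".
# Returns 0 only if the rule is live in the zone after the reload.
allow_permanent() {
    zone="$1"
    kind="$2"
    value="$3"
    case "$kind" in
        service|port) ;;
        *) echo "unsupported rule kind: $kind" >&2; return 2 ;;
    esac

    # 1. Store the rule in the permanent configuration (no effect on live rules yet).
    "$FIREWALL_CMD" --permanent --zone="$zone" "--add-$kind=$value" >/dev/null || {
        echo "FAILED: could not add $kind $value to the permanent config of zone $zone" >&2
        return 1
    }

    # 2. Load the permanent configuration into the runtime.
    #    Note: this discards any runtime-only rules in every zone.
    "$FIREWALL_CMD" --reload >/dev/null || {
        echo "FAILED: reload" >&2
        return 1
    }

    # 3. Verify the live configuration actually contains the rule.
    if "$FIREWALL_CMD" --zone="$zone" "--query-$kind=$value" >/dev/null 2>&1; then
        echo "ok: $kind $value is live in zone $zone"
    else
        echo "MISSING: $kind $value is not active in zone $zone after reload" >&2
        return 1
    fi
}

# Only run against a real firewall when firewall-cmd is installed.
if command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    allow_permanent public service https
    allow_permanent public port 8443/tcp
fi
```

The verification step is the part worth keeping even if you type the commands by hand: '--query-service' and '--query-port' answer against the runtime configuration, which is what the kernel is actually enforcing.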
----
==== Remove Rules ====
=== Source IPs/Networks ===
Remove a source IP network from the "home" zone
firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/24
firewall-cmd --reload
=== Ports ===
Remove a port from the default zone
firewall-cmd --permanent --remove-port=80/tcp
firewall-cmd --reload
=== Services ===
Remove a service from the default zone
firewall-cmd --permanent --remove-service=https
firewall-cmd --reload
----
==== GUI: firewall-config ====
Launch the GUI, firewall-config
firewall-config
----
====== iptables notes ======
You can use iptables, but firewall-cmd is recommended instead. Using iptables instead of firewall-cmd requires disabling firewalld, installing iptables-services, and then enabling the iptables service.
----