

Firewall: Firewall-Cmd

General Information

firewall-cmd is the command line client for the firewalld daemon, the default firewall on Enterprise Linux 7.x. firewalld is a zone-based firewall: every network interface (or source address) is assigned to a zone, and the zone's rules decide which services and ports are reachable from it. Rules can be added and removed at runtime without flushing and rebuilding the whole rule set.

Checklist

  • Distro(s): Enterprise Linux 7

Firewalld Components

  • firewall-config ⇒ GUI frontend for firewalld
  • firewall-cmd ⇒ Command line frontend for firewalld
  • firewalld ⇒ Daemon that manages the Linux kernel's packet filter, Netfilter (on EL7 it programs Netfilter through the iptables/ip6tables/ebtables tools)
    • must not run at the same time as the iptables service (package iptables-services): the two would overwrite each other's rule sets
  • iptables ⇒ Interacts with the Linux kernel's packet filter, Netfilter, directly
    • the iptables service cannot be used at the same time as firewalld; rules added by hand with iptables while firewalld is running are not tracked by firewalld and may be lost on its next reload or restart

Install, start and enable the firewall packages (included by default on a base install, not on a minimal install)

yum install firewalld firewall-config
systemctl start firewalld
systemctl enable firewalld

Check that firewalld is running

  • firewall-cmd method (prints "running" or "not running")
    firewall-cmd --state
  • systemctl methods
    • check status
      systemctl status firewalld
    • is active?
      systemctl is-active firewalld
    • is enabled?
      systemctl is-enabled firewalld

View zone names

firewall-cmd --get-zones

View default zone

firewall-cmd --get-default-zone
  • Zone "public" is the default zone on a fresh install: any interface that is not explicitly bound to another zone falls into it (the catch-all).

View only active zones and what interfaces are assigned to them

firewall-cmd --get-active-zones

Change default zone that is used when no zone is specified

firewall-cmd --set-default-zone=home

An interface can only be bound to one zone at a time.

List interfaces that are bound to the default zone (since no zone is specified)

firewall-cmd --list-interfaces

Bind an interface to the specified zone

firewall-cmd --add-interface=eth0 --zone=home
  • firewall-cmd reports a zone conflict error if the interface is already bound to a different zone. In that case use --change-interface instead (see below).

Move an interface from its current zone to the specified zone

firewall-cmd --change-interface=eth0 --zone=home
  • If you move an interface to another zone, chances are you also want that zone to be the default zone, so that commands without --zone act on it. See "Change default zone" above.

List all rules of the default zone (since no zone is specified)

firewall-cmd --list-all

List rules, specify zone

firewall-cmd --zone=home --list-all

List all zone's rules

firewall-cmd --list-all-zones
  • --list-all-zones prints every zone, active or not. By default only the public zone is marked "(active)" and has an interface assigned to it.

Types of Rule Changes

  • Runtime changes: firewall-cmd commands in which "--permanent" is omitted. They take effect immediately, but do not survive a 'firewall-cmd --reload', a restart of firewalld or a reboot.
  • Permanent changes: firewall-cmd commands in which "--permanent" is included.
    • They are written to the zone files under /etc/firewalld/ but do not take effect until a 'firewall-cmd --reload' is issued (or firewalld restarts).
    • On '--reload' the permanent configuration becomes the new runtime configuration, so every runtime-only change is lost. To keep a change made at runtime, repeat the same command with --permanent (newer firewalld builds also offer 'firewall-cmd --runtime-to-permanent').
    • '--reload' keeps the connection-tracking state, so established connections normally continue. New connections that were only allowed by a runtime rule are refused after the reload. 'firewall-cmd --complete-reload' also drops the state table and will cut active connections.
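The two mistakes this section warns about, a runtime-only rule that silently disappears on --reload and a --permanent rule that never took effect because nobody reloaded, are easy to catch in a script. The following is an added example, not code from the wiki page or from the firewalld project: fw_apply applies one change to the runtime configuration and to the permanent one in a single step (it is used in the same way as the add/remove commands in the sections that follow), and fw_drift compares runtime and permanent configuration for every active zone. The function names and the FWCMD variable are this example's own; FWCMD exists so the functions can be pointed at a wrapper or stub for dry runs.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of firewalld itself.
# FWCMD can be overridden to point at a wrapper or stub for dry runs.
FWCMD=${FWCMD:-firewall-cmd}

# fw_apply <zone> <firewall-cmd change...>
# Applies one change to the runtime configuration AND to the permanent one, so it
# is effective now and also survives --reload and reboot. The runtime call goes
# first: if firewalld rejects the change (typo, unknown service) nothing is
# written to the permanent configuration.
#   fw_apply home --add-source=192.168.1.0/24
#   fw_apply public --add-port=8443/tcp
fw_apply() {
    fw_zone=$1
    shift
    $FWCMD --zone="$fw_zone" "$@" || return 1
    $FWCMD --permanent --zone="$fw_zone" "$@"
}

# fw_drift
# Compares the runtime and permanent configuration of every active zone and
# prints the differences. Lines prefixed "+" exist only at runtime (they will be
# lost on --reload); lines prefixed "-" exist only in the permanent configuration
# (they have not taken effect yet). Returns 1 if any zone drifted, 0 otherwise.
fw_drift() {
    fw_rc=0
    fw_tmp=$(mktemp -d) || return 2
    # zone names sit in column 0 of --get-active-zones; interface/source lines are indented
    for fw_z in $($FWCMD --get-active-zones | awk '/^[^ ]/'); do
        # drop the header ("public (active)" vs "public") and the interfaces line,
        # which legitimately differs when NetworkManager binds interfaces at runtime
        $FWCMD --zone="$fw_z" --list-all | sed -e '1d' -e '/^ *interfaces:/d' > "$fw_tmp/runtime"
        $FWCMD --permanent --zone="$fw_z" --list-all | sed -e '1d' -e '/^ *interfaces:/d' > "$fw_tmp/permanent"
        if ! diff -u "$fw_tmp/permanent" "$fw_tmp/runtime" > "$fw_tmp/diff"; then
            echo "zone $fw_z: runtime and permanent configuration differ"
            sed -n '/^[-+][^-+]/p' "$fw_tmp/diff"   # only the changed lines, not the diff header
            fw_rc=1
        fi
    done
    rm -rf "$fw_tmp"
    return $fw_rc
}

# Run the drift check against the live host when invoked as "sh fw.sh --audit".
if [ "${1:-}" = "--audit" ]; then
    fw_drift
fi
```

Run `sh fw.sh --audit` before any planned `--reload` and before handing a host over: a non-zero exit means somebody's troubleshooting rule is about to vanish, or a permanent change is still waiting for a reload.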

Adding Rules

Source IPs/Networks

Bind a source IP network to the home zone, so that traffic from it is handled by home's rules (Runtime change)

firewall-cmd --zone=home --add-source=192.168.1.0/24

Bind a source IP network to the home zone (Permanent change)
  • Binding a source to a zone grants that source everything the zone allows (for home on EL7 the default services are ssh, mdns, samba-client and dhcpv6-client), regardless of which interface the traffic arrives on. Check the zone with --list-all before binding.

firewall-cmd --zone=home --permanent --add-source=192.168.1.0/24
firewall-cmd --reload
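Because a source binding overrides the interface binding, it is worth being able to answer "which zone's rules does firewalld apply to a packet from address X arriving on interface Y?" from the output of --list-all-zones. The script below is an added example, not code from the wiki page or from firewalld: it flattens the --list-all-zones output into bindings and resolves the zone the way firewalld does, source bindings first, then the interface the packet arrived on, then the default zone. It handles IPv4 sources only (IPv6, MAC and ipset sources are skipped), and the function names and the FWCMD override variable are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of firewalld itself.
# FWCMD can be overridden to point at a wrapper or stub for dry runs.
FWCMD=${FWCMD:-firewall-cmd}

# ip2int <a.b.c.d>  -> prints the dotted quad as an unsigned 32-bit integer
ip2int() {
    ip_old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$ip_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ipv4> <network[/prefix]>  -> true if the address falls inside the network.
# A source without a prefix is a single host. Anything that is not an IPv4 network
# (IPv6, MAC or ipset sources) is reported as "no match".
in_cidr() {
    case $2 in
        */*) cidr_net=${2%/*}; cidr_pfx=${2#*/} ;;
        *)   cidr_net=$2;      cidr_pfx=32 ;;
    esac
    case $cidr_net in *[!0-9.]*|'') return 1 ;; esac
    case $1 in *[!0-9.]*|'') return 1 ;; esac
    case $cidr_pfx in *[!0-9]*|'') return 1 ;; esac
    if [ "$cidr_pfx" -gt 32 ]; then return 1; fi
    if [ "$cidr_pfx" -eq 0 ]; then
        cidr_mask=0
    else
        cidr_mask=$(( (4294967295 << (32 - cidr_pfx)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & cidr_mask )) -eq $(( $(ip2int "$cidr_net") & cidr_mask )) ]
}

# fw_zone_for <ipv4> <interface>  -> prints the zone whose rules firewalld applies
fw_zone_for() {
    zf_src=$1
    zf_iface=$2
    # flatten --list-all-zones into "zone kind value" lines; zone names start in
    # column 0 ("home (active)"), their attributes are indented
    zf_bindings=$($FWCMD --list-all-zones | awk '
        /^[^ ]/          { zone = $1 }
        /^ *sources:/    { for (i = 2; i <= NF; i++) print zone " source " $i }
        /^ *interfaces:/ { for (i = 2; i <= NF; i++) print zone " interface " $i }')
    # 1. source bindings take precedence over everything else
    while read -r zf_zone zf_kind zf_value; do
        if [ "$zf_kind" = source ] && in_cidr "$zf_src" "$zf_value"; then
            echo "$zf_zone"
            return 0
        fi
    done <<EOF
$zf_bindings
EOF
    # 2. then the interface the packet arrived on
    while read -r zf_zone zf_kind zf_value; do
        if [ "$zf_kind" = interface ] && [ "$zf_value" = "$zf_iface" ]; then
            echo "$zf_zone"
            return 0
        fi
    done <<EOF
$zf_bindings
EOF
    # 3. otherwise the default zone
    $FWCMD --get-default-zone
}

# Example: "sh fw_zone.sh 192.168.1.25 eth0" queries the live host.
if [ $# -eq 2 ]; then
    fw_zone_for "$1" "$2"
fi
```

With the page's own example applied (192.168.1.0/24 bound to home while eth0 sits in public), `sh fw_zone.sh 192.168.1.25 eth0` prints home and `sh fw_zone.sh 10.0.0.5 eth0` prints public: the first host gets home's services, the second only public's.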

Ports

Allow a port on the default zone (given as port/protocol, e.g. 80/tcp)

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload

Services

List predefined services (XML definitions under /usr/lib/firewalld/services/; custom services go in /etc/firewalld/services/)

firewall-cmd --get-services

Add HTTPS service to default zone

firewall-cmd --add-service=https --permanent
firewall-cmd --reload

Removing Rules

Source IPs/Networks

Remove source IP network on “home” zone

firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/24
firewall-cmd --reload

Ports

Remove port on default zone

firewall-cmd --permanent --remove-port=80/tcp
firewall-cmd --reload

Services

Remove a service on default zone

firewall-cmd --permanent --remove-service=https
firewall-cmd --reload

Launch GUI, firewall-config

firewall-config

iptables notes

You can use iptables directly, but firewall-cmd is the recommended tool on EL7. Switching to iptables means stopping and disabling the firewalld unit (mask it as well, so nothing can start it alongside iptables), installing the iptables-services package, and then starting and enabling the iptables unit; its rules are kept in /etc/sysconfig/iptables.


  • linux_wiki/firewall_firewall-cmd.1458357360.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)